UNDERSTANDING HIPAA & THE HITECH ACT
Heather Deixler, Esq., Associate, Morgan, Lewis & Bockius LLP


Objectives of Presentation
- Learn what HIPAA is
- Learn the purpose of HIPAA
- Understand who HIPAA regulates
- Understand what information is protected by HIPAA
- Understand the penalties associated with noncompliance

What is HIPAA?
- The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is the federal medical privacy law.
- HIPAA was enacted to:
  - Increase the efficiency and effectiveness of the health care system
  - Protect the privacy and provide for the security of PHI
  - Establish standards for accessing, storing and transmitting medical data and for ensuring the privacy and security of PHI
- MOST IMPORTANT TAKE HOME OF THE DAY: It's HIPAA, NOT HIPPA.

The HIPAA Legal Timeline
- HIPAA (Aug. 21, 1996): The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") established baseline federal medical privacy and security standards.
- HIPAA Privacy Rule (Final Rule in Dec. 2000, modified in Aug. 2002): established rules to regulate the use or disclosure of PHI and to provide individuals with certain rights with respect to such PHI.
- HIPAA Security Rule (Feb. 2003): established a system of reasonable and appropriate administrative, physical and technical safeguards for protecting PHI.
- The HITECH Act (Feb. 17, 2009): among other things, extended the reach of the HIPAA Privacy and Security Rules to business associates ("BAs"), imposed breach notification requirements on covered entities ("CEs") and BAs, and created enhanced penalties.
- HIPAA Omnibus Final Rule ("HIPAA Final Rule") (Jan. 25, 2013): amended the HIPAA Privacy and Security Rules and implemented requirements of the HITECH Act, extending certain HIPAA obligations to BAs and their subcontractors.
  - Compliance date for the HIPAA Final Rule is September 23, 2013.

What is the Purpose of the HIPAA Privacy and Security Rules?
- Individual Rights: to provide individuals with certain rights to their health information, including access to, and amendment of, such information.
- Restrict Uses and Disclosures of PHI: to restrict how covered entities and business associates can use or disclose such information.
- Security Safeguards: to create a system of safeguards for securing such information.

The HIPAA Privacy and Security Rules
- Privacy: refers to WHAT is protected health information about an individual, and the restrictions placed on WHO may use, disclose or access the information.
- Security: refers to HOW information is safeguarded; a system of administrative, physical and technical safeguards for electronic protected health information.

What Information is Protected by HIPAA?
Protected health information ("PHI") is individually identifiable health information about an individual that is transmitted or maintained in any form (electronic, oral or written), where the information:
- Is created or received by a health care provider, health plan, employer or health care clearinghouse;
- Relates to:
  - An individual's health or condition
  - Provision of health care to an individual
  - Payment for health care to an individual; and
- Identifies an individual, or there is a reasonable basis to believe it can be used to identify an individual.
But not de-identified information.

PHI Individual Identifiers
What are the individual identifiers?
- Names
- Geographic subdivisions smaller than a state:
  - Street address
  - City
  - County
  - Precinct
  - Zip code, except for the initial 3 digits
- Dates, except year:
  - Birth date
  - Admission date
  - Discharge date
  - Date of death
- Telephone numbers

PHI Individual Identifiers (cont'd)
What are the individual identifiers (cont'd)?
- Fax numbers
- E-mail addresses
- Social Security numbers (SSNs)
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- VIN and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web universal resource locators (URLs)
- Internet protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic or code
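As an added example that is not part of the presentation, the following Python routine applies the identifier list from these two slides to a structured record: it drops the listed identifiers, keeps only the initial 3 digits of a ZIP code and only the year of the listed dates, and fails closed when free text still carries an identifier-like value. The field names, allow-list of clinical fields and sample record are constructed assumptions; the slides name identifier categories, not a record layout, and the regulatory de-identification standard has further conditions these slides do not cover.

```python
import re

# Identifier categories from the slides that are kept in reduced form
# (constructed field names; the slides name the categories, not a layout).
ZIP_FIELDS = {"zip"}                                                       # initial 3 digits only
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}  # year only

# Deny-by-default: only these non-identifying clinical fields pass through
# unchanged; anything else is treated as the slides' catch-all identifier
# ("any other unique identifying number, characteristic or code") and dropped.
ALLOWED_FIELDS = {"sex", "diagnosis_code", "procedure_code", "notes"}

# Identifier categories from the slides that tend to leak into free text.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone/fax": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}
ZIP_RE = re.compile(r"^(\d{5})(?:-\d{4})?$")
ISO_DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def scan_free_text(text):
    """Return the identifier categories whose patterns occur in `text`."""
    return sorted(name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text))


def deidentify(record):
    """Return a copy of `record` with the slides' identifiers removed or reduced.

    Fails closed: a ZIP or date that cannot be reduced, or free text that still
    carries an identifier, raises ValueError instead of passing through.
    """
    out = {}
    for field, value in record.items():
        if value is None:
            continue
        if field in ZIP_FIELDS:
            m = ZIP_RE.match(str(value))
            if not m:
                raise ValueError(f"{field}: unrecognised ZIP {value!r}")
            out[field] = m.group(1)[:3]
        elif field in DATE_FIELDS:
            m = ISO_DATE_RE.match(str(value))
            if not m:
                raise ValueError(f"{field}: expected YYYY-MM-DD, got {value!r}")
            out[field] = m.group(1)
        elif field in ALLOWED_FIELDS:
            leaked = scan_free_text(value) if isinstance(value, str) else []
            if leaked:
                raise ValueError(f"{field}: free text contains {', '.join(leaked)}")
            out[field] = value
        # Names, addresses, SSN, MRN, device serials, etc. are dropped here.
    return out


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "street_address": "123 Example St", "city": "Springfield",
    "zip": "12345-6789", "birth_date": "1975-06-14", "admission_date": "2013-09-23",
    "ssn": "123-45-6789", "mrn": "MRN-0001", "sex": "F", "diagnosis_code": "E11.9",
    "notes": "Follow-up in six weeks.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```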

Who is Regulated by HIPAA?
- Covered Entities
- Business Associates (including subcontractors)

What is a Covered Entity?
- Health plans (HMOs, employer group health plans)
- Health care clearinghouses
- Health care providers that engage in standard electronic transactions (hospitals, medical groups)

Who Is a Business Associate?
- A person or entity, other than a member of a covered entity's workforce, that creates, receives, maintains or transmits PHI on behalf of a covered entity for a function or activity regulated by HIPAA.
- Under the HIPAA Final Rule, the definition of business associate includes subcontractors of business associates.
- May itself be a covered entity.
- Examples of business associates of a covered entity: billing firms, clearinghouses, management firms, lawyers, actuaries, consultants, vendors, outsourcing vendors, accountants, auditors, financial services, accreditation organizations.

When Organizations May Act as a Business Associate
Some examples of ways in which an organization may act as a business associate:
- Providing data management services to HIPAA covered entity customers (e.g., hospitals or health plans)
- Providing cloud storage services to business associates
- Providing legal services to a HIPAA covered entity

Privacy/Security Officer
- SECURITY OFFICER: Under the HIPAA Security Rule, covered entities and business associates are required to designate a Security Officer.
- PRIVACY OFFICER: Under the HIPAA Privacy Rule, covered entities are required to designate a Privacy Officer. While not required, it is highly recommended that business associates designate a Privacy Officer as well.

Minimum Necessary
Covered entities and business associates shall request, use and disclose the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure, in accordance with HIPAA's minimum necessary standard.
Internal Requirements:
- Identify the workforce members who need access to PHI
- For each class/category of person identified, limit access based on need-to-know
External Requirements:
- Limit access to what is needed to accomplish the purpose for which the request was made
- Each request that is nonroutine should be reviewed by the Privacy Officer

Uses and Disclosures
- Use: employment, application, utilization, examination or analysis of PHI within the covered entity/business associate.
- Disclosure: release, transfer, provision of access to, or divulging in any other manner, information outside of the covered entity/business associate.

Uses and Disclosures
The HIPAA Privacy Rule permits a covered entity to use or disclose PHI without an authorization for the following purposes:
- Treatment
- Payment
- Health Care Operations
These are often referred to as TPO.

How May a Business Associate Use PHI?
- A business associate is generally limited to using PHI to provide services for a covered entity. This means that the business associate can use PHI ONLY for the purposes for which it was engaged by the covered entity client who provided such PHI.
- A business associate may expressly be permitted to:
  - Provide data aggregation services
  - De-identify PHI

Security Rule Compliance
Necessary steps for Security Rule compliance:
- Conducting a formal security risk assessment;
- Implementing written policies and procedures with respect to Security Rule standards;
- Providing security training to workforce members;
- Appointing a Security Officer to oversee Security Rule compliance efforts.

The Dreaded Security Breach

The HIPAA Breach Notification Rule
- Breach is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information.
- Unlike many state laws, applies to breaches involving both electronic and paper records.
- Risk analysis under the HIPAA Final Rule: express presumption that an incident is a breach UNLESS the covered entity/business associate can demonstrate that there is a low probability that the PHI has been compromised.

Four Factors of a Risk Analysis
1. Evaluate the nature and the extent of the PHI involved.
2. Who impermissibly used the PHI? To whom was the PHI disclosed?
3. Was PHI actually acquired or viewed, or did only the opportunity exist for the information to be acquired or viewed?
4. Consider the extent to which the risk to the PHI has been mitigated.

Covered Entity Reporting Obligations
Covered Entities must notify:
- Individuals. REPORTING TIMELINE: without unreasonable delay and no more than 60 days after discovery.
- Media (for breaches involving > 500 residents of a State or jurisdiction). REPORTING TIMELINE: without unreasonable delay and no more than 60 days after discovery.
- Secretary of HHS:
  - > 500 individuals: provide at the same time as notice to individuals
  - < 500 individuals: maintain a log, and provide annual notice to HHS

Business Associate Reporting Obligations
- Business Associates are required to notify covered entities whose unsecured PHI has been accessed, acquired or disclosed as a result of a breach.
- REPORTING TIMELINE: without unreasonable delay and no more than 60 days after discovery. Sometimes less, depending upon the terms of the particular BAA.

Penalties
Civil:
- $100 to $50,000 per violation per person, up to a maximum of $1,500,000 per person per year per standard violation
Criminal:
- Up to $50,000, 1 year in prison, or both, for inappropriate use of PHI
- Up to $100,000, 5 years in prison, or both, for using PHI under false pretenses
- Up to $250,000, 10 years in prison, or both, for the intent to sell or use PHI for commercial advantage, personal gain, or malicious harm

Drafting and Negotiating Business Associate Agreements
Doriann Cain, Esq., Associate, Barnes & Thornburg LLP

What is a Business Associate Agreement?
- A contract between a covered entity and business associate to ensure that the business associate will appropriately safeguard PHI.
- Also serves to clarify and limit the permissible uses and disclosures of PHI by the business associate.
- A business associate may use or disclose PHI only as permitted or required by its business associate contract or as required by law.

Required Terms
- Establish the permitted and required uses and disclosures of PHI by the business associate;
- Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
- Implement appropriate privacy and security safeguards;
- Report unauthorized disclosures to the covered entity;
- Make available PHI under access, amendment and accounting of disclosures rights;
- Incorporate any amendments;
- To the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
- Make available its practices, books and records to HHS for determining the covered entity's compliance;
- Return/destroy PHI upon termination of the arrangement, if feasible; if not feasible, extend BAA protections;
- Ensure subcontractors comply with the same BAA requirements as the business associate; and
- Authorize termination by covered entities.

Business Associate Agreement Form Templates
- HHS released a template in January of last year: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
- Beware of particular biases in the forms
- Language should be changed to more accurately reflect the services being provided by the business associate

HIPAA Omnibus Final Rule & BAAs
Old Rule:
- BA not directly liable for violations; contractually liable
- CE must have a written contract with BA that requires BA to safeguard PHI and not use or disclose PHI other than as provided by the contract
- BA must ensure that any subcontractors agree to the same restrictions
New Rule:
- BA directly liable for violations of applicable provisions of HIPAA
- Contract between CE and BA still necessary
- Now BA must comply with the Security Rule requirements
- Report to CE any breach of unsecured PHI
- If CE delegates a Privacy Rule obligation to BA, BAA must require BA to perform in compliance with the Rule
- BAA between BA and subcontractor mandated; must be as stringent as the CE-BA contract

Business Associates and the Security Rule
- Business associates now mandated to comply with the Security Rule's requirements and implement policies and procedures in the same manner as a covered entity
- Requires business associates to implement safeguards in compliance with the Security Rule
- Business associates must conduct a risk assessment and be more proactive and diligent in monitoring new rules, regulations and guidance

Subcontractors and Business Associate Agreements
- Subcontractors now defined as business associates
- Obligation to enter into a BAA with a subcontractor will rest solely with the business associate, not the covered entity
- Business associate liability flows downstream
- Does not change parties to the BAAs:
  - Covered entity must have BAA with its business associate
  - Business associate must have BAA with its subcontractor
  - Downstream contract must be as stringent as the one above

Amending Business Associate Agreements
- Evaluate the entity's identity: Business Associate? Covered Entity?
- Assess how PHI is being used
- Does the entity already have a BAA in place?

Compliance Dates
- For any BAA entered into on or after 1/25/13, the compliance date was 9/23/13
- If a BAA was in effect prior to 1/25/13 and HIPAA compliant at the time, the compliance date is 9/23/14, provided the BAA was not renewed or modified between 3/26/13 and 9/23/13

Covered Entities & Negotiation of BAAs
- Manage risk and avoid liability
- Business associate held to a higher level of accountability
- Indemnification, insurance and other assurances from business associate beyond what is mandated under HIPAA for BAAs
- Business associate responsible for all costs associated with a breach
- Review underlying agreement

Covered Entities & Negotiation of BAAs
- Assistance from business associate in the event of a breach
- Automatic termination of BAA for material breach
- Small timeframe for reporting a breach
- Right to review BAAs between business associates and subcontractors
- Right to inspect/audit/investigate

Business Associates & Negotiation of BAAs
- Provide notice to business associate of any limitation in the NPP that may affect its use or disclosure of PHI
- Notify business associate of changes/revocation of individual permissions
- Notify business associate of restrictions to which the covered entity has agreed
- No covered entity requests for the business associate to act in a non-permissible manner

Business Associates & Negotiation of BAAs
- Contract limited to terms required under HIPAA
- Least restrictions on its use and disclosure of PHI obtained from the covered entity
- Minimize liability; no indemnification
- Chance to cure material breach
- Review underlying agreement

Questions?