Assessing and Mitigating Risk Under the HIPAA Omnibus Rule


[Slide 1]
Compliance Institute, San Diego, CA, April 1, 2014
Assessing and Mitigating Risk Under the HIPAA Omnibus Rule
Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC
Chief Legal & Compliance Officer, PlusDelta Technologies, LLC

[Slide 2] Agenda
- Omnibus Rule Critical Elements
  - Disclosures to Health Plans
  - Business Associates
  - Breach Notification
- Addressing Risk
  - Assessing Risk
  - Risk Assessment Documents
  - Mitigating Risk
  - Corrective Action Plans
  - Monitoring
- Summary/Q & A

[Slide 3] HIPAA Omnibus Rule - Changes
- Business Associates and subcontractors
- Breach notification
- Marketing
- Sale of PHI
- Fundraising
- Notice of Privacy Practices
- Individual access to ePHI
- Third party designation for receipt of PHI
- Research
- Decedent PHI
- Student Immunization Records
- Restriction on health plan disclosures

[Slide 4] Review of Critical Elements
Restrictions on Health Plan Disclosures: New Rule
Patients may restrict information provided to health plans if:
1. The patient requests the restriction;
2. The patient has paid in full for the service or healthcare item;
3. The disclosure would have been for payment or healthcare operations and is not required by law.

[Slide 5] Application: Breach Notification Requirements
The Challenges of Restrictions on Disclosures to Health Plans:
- How do you flag requests?
- Are staff trained on how to respond to requests?
- Does your record system have a mechanism to flag these disclosures?

[Slide 6] Review of Critical Elements
Business Associates and Subcontractors:
- "Maintains" is now included in the definition of Business Associate: anyone who stores PHI, even if it is not accessed, is a BA
- Privacy protection requirements are now extended to subcontractors of business associates
- All Business Associates must comply with the Security Rule requirements for safeguards: Administrative, Physical, Technical
- BAs now have civil and criminal liability
- Covered Entities are responsible for breaches of BAs through agency liability

[Slide 7] Application: Business Associate Agreements
The Impact of BA Changes to Covered Entities:
- The Covered Entity (CE) does not need a BAA with a subcontractor
- The BA must have a BAA with the subcontractor
- The subcontractor must agree to the same restrictions and conditions as the BA
- CEs should:
  - Revise their BAA to require subcontractor compliance
  - Obtain assurances (in the BAA) that the BA monitors compliance by the subcontractor
  - Consider an indemnification clause in the BAA
- CEs are responsible no matter what: try to protect yourself

[Slide 8] Review of Critical Elements
Breach Notification Rules:
Old Rule: A reportable breach occurs if 3 elements are present:
1. Violation of the Privacy Regulations
2. Unsecured PHI
3. Substantial risk of financial, reputational, or other harm to the individual
New Rule: A reportable breach is PRESUMED to have occurred if:
1. There is a violation of the Privacy Regulations that includes
2. Unsecured PHI
unless there is a low probability that the PHI has been compromised.

[Slide 9] Review of Critical Elements
Breach Notification (Continued): Low Probability is based on 4 factors:
1. What was the nature and extent of the protected health information (PHI) involved, including the types of identifiers in the information and the likelihood of re-identification?
2. To whom was the unauthorized information disclosed?
3. Was the PHI actually acquired or viewed?
4. To what extent has the risk to the PHI been mitigated?

[Slide 10] Application: Breach Notification Requirements
The Impact of Breach Notification changes:
- Change your risk assessment to evaluate the 4 factors
- As a practical matter, the outcome of your assessment may not change
- Obtain assurances (in the BAA) that the BA monitors compliance by the subcontractor
- Consider an indemnification clause in the BAA
- CEs are responsible no matter what: try to protect yourself

[Slide 11] Addressing Risk
Assessing Risk, required by the Security Regs:
  "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities of [ePHI]" (45 CFR 164.308(a)(1)(ii)(A))
Mitigating Risk, required by the Security Regs:
  Security Regs: "mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity" (45 CFR 164.308(a)(6)(ii))
  Privacy Regs: "A covered entity must mitigate any harmful effect that is known to the covered entity of a use or disclosure of [PHI]" (45 CFR 164.530(f))

[Slide 12] Addressing Risk
Monitoring Risk, Compliance Program Guidance:
  "An ongoing evaluation process is critical to a successful compliance program. The OIG believes that an effective program should incorporate thorough monitoring of its implementation and regular reporting to senior hospital or corporate officers." (Compliance Program Guidance for Hospitals, Section F)

[Slide 13] Disclosures to Health Plans
Are we assessing, mitigating, or monitoring?
Step 1: Assess the process
Step 2: Identify deficiencies
Step 3: Develop corrective action
Step 4: Report completion of corrective action
Step 5: Monitor/Test the new process

[Slide 14] Disclosures to Health Plans
Look at the Risk Assessment Document:
Risk Area: Patient request for restriction on PHI disclosed to health plans.
Description: Under the HIPAA Omnibus Rule, a patient may request that a covered entity restrict the information that is provided to a health plan IF 3 conditions are satisfied:
1. The patient specifically requests the restriction of PHI;
2. The patient has paid in full for the restricted services; and
3. The disclosure to the health plan would otherwise be permitted for payment or health care operations.
- Who completes this document?
- What level of detail is required?
- What is the purpose of this document?

[Slide 15] Disclosures to Health Plans
For our purposes, assume a process is in place. Now what?
- Testing depends on the level of risk
- Mitigation?
- Monitoring?

[Slide 16] Disclosures to Health Plans
Assume there is no process because "We can't track it":
- Why? Why? Why? Why? Why?
- Whose job is this?
- What is your role in this?
- Don't forget the practical: How often does this happen?

[Slide 17] Business Associate Agreements/Subcontractors
Are we assessing, mitigating, or monitoring?
Look at the Risk Assessment document:
Risk Area: Extension of BAA to subcontractors of business associates
Description: The HIPAA Omnibus Rule extended to covered entities liability for uses and disclosures of PHI by subcontractors of business associates. Business associates must obtain reasonable assurances from all subcontractors that use, disclose, receive, transmit, or store PHI that privacy and security protections have been implemented.

[Slide 18] Business Associate Agreements/Subcontractors
Look at the Business Associate Disclosure Form
- Whose responsibility is this?
- What is your role?
- What is the next step?

[Slide 19] Business Associate Agreements/Subcontractors
If there is no list, or no confidence in subcontractor compliance:
- Mitigation: Audit/Test
  - Sample of contracts, both BAA and non-BAA
  - Follow up with Business Associates
  - Make sure there is a process
- Monitor: Annual sample testing
- Don't forget WHY?

[Slide 20] Breach Notification
Breach Notification has 2 components:
1. Process in place for breach notification
2. Methodology to avoid breaches
Avoid = Assess, then Mitigate
How do you avoid a breach? Know how a breach could occur: PHI leaving the organization

[Slide 22] Breach Notification
Risk areas for data to leave the organization:
- Employees
- Laptops
- Jump Drives
- CD/DVD
- Hard Drives
- External Storage
- Copies
- Paper Records
- Fax Machines
- Misdirected e-mail
- VPN
- Hacking/Intrusion

[Slide 23] Media Re-Use and Disposal
Look at the Risk Assessment for hard drives:
Risk Area: Media Re-Use and Disposal
Description: Media that is no longer in use but contains PHI must be destroyed or the retained data rendered unusable.

[Slide 24] Media Re-Use and Disposal
- Is this automatically a problem?
- What happens if it is?
- Whose job is it?
- What is your role?
  - Provide the standard/policy
  - Development
  - Identify the risk
  - Quantify the risk
  - Request updates
  - Report
