HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules


HIPAA Compliance
PART I: HHS Final Omnibus HIPAA Rules
Colin J. Zick
Foley Hoag LLP
(617) 832-1000
www.foleyhoag.com
www.securityprivacyandthelaw.com
February 6, 2013
HIPAA Compliance: PART I 1

Finally!
On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services ("HHS") has finally issued major omnibus revisions to HIPAA's privacy and security regulations.

Overview of the New Omnibus HIPAA Privacy and Security Regulations
In the 563 pages of the regulations and related regulatory comments, there are many substantive and technical changes. However, we distilled two major themes in these revisions:
- Extension of HIPAA generally, and in particular the direct extension of HIPAA to business associates and their subcontractors, so that the entire food chain that deals with PHI now falls under HIPAA's privacy and security regulations; and
- Ramping up the regulations on data breach, including shifting the burden on breach notification so that it now sits squarely on the covered entity/business associate to prove a low probability that PHI has been compromised.

The Business Associate as Covered Entity
HIPAA's privacy and security requirements will now directly apply to business associates: "Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate." 45 C.F.R. 160.102.
- Business associates are now created by regulation as well as by contract.
- Elements of the Privacy Rule now apply to business associates (business associates don't have to issue a Notice of Privacy Practices).
- All elements of the Security Rule apply.
- OCR has provided a new model business associate agreement.
- This change also includes subjecting business associates to compliance reviews. 45 C.F.R. 160.308.

The definition of business associate
The definition of business associate itself has been expanded to include:
- An entity that creates, receives, maintains or transmits PHI (formerly "use or disclosure").
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate. 45 C.F.R. 160.103. This solves the awkward, undefined "third party agreement" problem between a BA and its subcontractors.
The rule also clarifies who else is a business associate:
- A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI. That is, entities involved in data transmission are business associates if the data transmission requires access to the PHI on a routine basis (this does not mean your ISP).
- A person that offers a personal health record to one or more individuals on behalf of a covered entity.

Uses of PHI by Business Associates
- Only as permitted by the business associate agreement or required by law (not "as permitted by law").
- Business associates can't use PHI in a way that would violate the Privacy Rule.
- Subcontractors of business associates will automatically become business associates themselves, and business associates will be required to obtain satisfactory assurances that the subcontractors are complying with HIPAA. 45 C.F.R. 164.308(b)(2).
- Subcontractors are subject to the business associate agreement with the covered entity. How do you know what the business associate agreement says?
- The business associate agreement must follow the minimum necessary rules.

Breach: the New Rule
The definition of breach is changed, with the burden now on the covered entity to prove there was not a breach. In particular, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised, based on the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The identity/role of the unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated. 45 C.F.R. 164.402(2).
Comments indicate an excessive internal use can also be a breach. Risk of re-identification also has to be accounted for. Encrypted data is still outside the definition of a breach under this rule (but not under Massachusetts law).

Review and Investigations
- Investigation is required if the possible violation stems from willful neglect; discretionary otherwise.
- Every complaint will be investigated preliminarily.
- HHS OCR may disclose PHI to other agencies on request.
- FTC, HHS OCR and DoJ are working together and can assist state AGs.
Levels of penalties remain the same as in the prior interim final rule:
- $100-$50,000: did not know
- $1,000-$50,000: reasonable cause
- $10,000-$50,000: willful neglect, corrected
- $50,000: willful neglect, NOT corrected
Reasonable cause -- knew it was a violation but committed without willful neglect: is this the "stupid mistake"? The willful neglect standard remains the same: conscious, intentional failure or reckless indifference.

Breach Notification: New Rule Penalties
The factors that are taken into account for imposing civil penalties have been revised to include:
- The number of individuals affected;
- The time period during which the violation occurred;
- Financial harm to the affected individuals;
- Harm to an [affected] individual's reputation;
- Hinder[ing] an [affected] individual's ability to obtain health care.
In other words, breaches that impact more people over a longer time with resulting harm will be punished more severely. A history of previous indications of non-compliance also will be factored into this HIPAA civil penalty analysis. 45 C.F.R. 160.408.

Breach Notification: New Rule Penalties
Business associates (and subcontractors) may also be liable for the increased penalties for noncompliance based on the level of culpability, up to a maximum penalty of $1.5 million, as HHS OCR can:
- Receive and investigate complaints;
- Perform compliance reviews on them.
Business associates must submit reports to HHS OCR, cooperate with investigations, and abide by whistleblower protections.
Liability for CMPs of a covered entity for the acts of business associates and subcontractors is based on the federal common law of agency: did the covered entity control, or have the right to control or direct, the agent's conduct in performing the contracted service? If there is a business associate agreement, isn't the answer always yes?

Marketing
Under the new rules, prior authorization from the patient is required for using or disclosing PHI if the covered entity or business associate receives remuneration for making a marketing communication from the third party whose product or service is being marketed. Marketing is now defined to exclude:
- Refill reminders; and
- For case management or care coordination, contacting individuals with information about treatment alternatives, and related functions, to the extent these activities do not fall within the definition of treatment. 45 C.F.R. 164.501.
Face-to-face communications are still outside the authorization requirements. The authorization must disclose that the communication is a paid one. Covered entities can use a general authorization for all communications in advance, or secure authorization on a case-by-case basis.

Fundraising
Defined as using PHI to promote your own entity (not for a third party that's marketing). Some new elements of PHI can be used without patient authorization:
- Name
- Address and other contact information
- Age and date of birth
- Gender
- Department of service information
- Treating physician
- Outcome information; and
- Health insurance status.
Patients can opt out of fundraising, and must be provided with the opportunity to opt out, either in advance or with each communication. 45 C.F.R. 164.502(f)(1). Covered entities cannot discriminate against those who opt out.

Sale of PHI
The sale of PHI without authorization is prohibited. The rules also clarify that the prohibitions on the sale of health information do not apply to public health or research purposes, or treatment, or sale of an entity, or to a business associate. 45 C.F.R. 164.502(a)(5)(ii). You can sell PHI with authorization and notice that discloses that payment is being made or that non-financial benefits are being provided. Exceptions where sale of PHI is permitted:
- Public health
- Research (FMV costs for preparation and transfer are ok)
- Treatment and payment
- Corporate transactions
- Business associates
- Required by law

Research
As noted in the sale of PHI discussion above, remuneration for transfer of PHI for research is allowed (costs must be reasonable). Compound patient authorizations are now allowed. Authorizations can cover present and future research, as long as the future use is something the individual would reasonably expect.

Genetic Information
Huh? Strangely, these revised regulations also include an expansion of very specific genetic privacy protections (which have no basis in the original 1996 HIPAA statute). In particular, the definition of health information now includes genetic information. The final rule prohibits using or disclosing protected health information that is genetic information for underwriting purposes by all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply. There is an exception for issuers of long-term care policies, who can still use genetic information for underwriting purposes. 45 C.F.R. 164.502(a)(5)(i). This would have to be in the notice of privacy practices for a health plan.

Patient Access Issues
Patients can request a copy of their electronic medical record in an electronic format. 45 C.F.R. 164.524(c)(3).
- It must be in the requested format, if readily producible.
- If not available in the requested form, it must be in a form agreed upon between the covered entity and the patient. There is no requirement to buy new software to comply with this requirement, but you have to be able to provide something to the patient. If you cannot agree, then hard copy may be an acceptable default.
- Not required to accept a patient's storage device.
- Unsecured transfers to patients are permitted if the patient requests them. If the patient asks for an email to their Gmail account without encryption, and you advise them of the risks, you can do this. You need a standard form of disclosure, like informed consent.
- Now 60 days (formerly 90 days) to respond to such a request. In any event, sooner is always better.

Other Changes of Interest
There are several provisions that make patient interactions with the health care system simpler and easier:
- Patient Safety Organizations are now included within the scope of health care operations.
- The definition of family member is given greater specificity and breadth.
- It also should be easier for family members to access the records of a deceased individual, if they were involved in that individual's care before death. 45 C.F.R. 164.510(b)(5).
- It will be easier for parents and others to give permission to share proof of a child's immunization with a school. 45 C.F.R. 164.512(b)(1)(vi).
- HIPAA won't protect the information of individuals who have been deceased for over 50 years, as the definition of PHI has been changed to exclude such information. 45 C.F.R. 164.502(f).

Limiting Data to Payors
When individuals pay for their care themselves, they can instruct their provider not to share information about their treatment with their health plan. 45 C.F.R. 164.522(a)(1)(vi)(B).
- Payment in full for a particular service
- Annual deductible not met
This can be done by the patient service by service. Can foresee mental health services paid in cash by many.

What is NOT in the New Rules
- No increase in civil monetary penalties. The maximum remains at $1.5 million.
- Definition of psychotherapy notes still under study.
- OCR's report on personal health records that are not within the definition of PHI under HIPAA. This also is under FTC jurisdiction.
- Any private cause of action or damages awards to those harmed by HIPAA violations.
- Guidance on accounting for disclosures.

Effective Dates
- The Omnibus Rule is generally effective March 26, 2013.
- Enforcement rule changes are effective March 26, 2013.
- The compliance date for everything else is September 23, 2013, EXCEPT for existing business associate agreements, which must be changed by September 23, 2014.
- Business associate agreements amended before September 23, 2014 must be amended per the new rules.