Omnibus HIPAA Rule: Impact on Covered Entities


Presenting a live 90-minute webinar with interactive Q&A: Omnibus HIPAA Rule: Impact on Covered Entities. Complying with New Requirements, Managing Risk and Responding to a Data Breach. Tuesday, March 12, 2013, 1pm Eastern (12pm Central, 11am Mountain, 10am Pacific). Today's faculty: Sarah E. Swank, Principal, Ober Kaler, Washington, D.C.; Gina M. Kastel, Partner, Faegre Baker Daniels, Minneapolis.


Omnibus HIPAA Rule: Impact on Covered Entities
Sarah E. Swank, OBER KALER, Washington, DC
Gina M. Kastel, FAEGRE BAKER DANIELS, Minneapolis, MN

Welcome
- History
- Patient Rights
- Immunizations
- Research
- Sale of PHI
- Marketing
- Fundraising
- Business Associates
- Notice of Privacy Practice
- Breach
- Compliance

History of HITECH
- Health Information Technology for Economic and Clinical Health Act (the HITECH Act)
- Interim Final Rule (Data Breach): August 24, 2009
- Interim Final Rule (Enforcement): October 30, 2009
- Notice of Proposed Rulemaking (HITECH Rule): July 14, 2010, including Enforcement
- Genetic Information Nondiscrimination Act of 2008 (GINA)
- Notice of Proposed Rulemaking (GINA Rule): October 7, 2009
- Omnibus Rule (Data Breach, Enforcement, HITECH, GINA): published January 25, 2013, effective March 26, 2013

Scope of Omnibus Rule
- Revised breach notification standard
- Patient access to information contained in an electronic health record
- Regulation of business associates (BAs) and subcontractors
- Limitations on use/disclosure of PHI for marketing without authorization
- Prohibition on sale of PHI without authorization
- Research uses of data: compound, more general authorizations
- Patient right to restrict data sharing with payors
- Requirements to modify and redistribute notices of privacy practices
- Inclusion of limitations on use of genetic information for underwriting
- Clarifies the HHS Secretary's role in enforcement, imposition of civil money penalties (CMPs), and CMP liability for acts of agents

Implementation Dates
- HITECH statutory provisions effective February 18, 2010, but no enforcement
- Omnibus Rule is effective March 26, 2013
- Enforcement rule effective March 26, 2013
- Covered entities (CEs) and business associates have 180 days from the Effective Date: September 23, 2013
- If no changes are made prior to September 22, 2014, Business Associate Agreements must come into compliance by that date

Access - Electronic
- Must have reasonable safeguards in place to protect transmission of ePHI, but if an individual wants information by unencrypted e-mail, the entity can send it if they advise the individual that such transmission is risky
- Must have a secure mechanism; can't force individuals to accept an unsecure one
- An electronic, machine-readable copy: digital information stored in a standard format enabling the PHI to be processed and analyzed by a computer
- Covered entities must accommodate individual requests for specific formats, if possible

Access - Fees
- Fees charged are restricted to labor costs; cannot include costs of retrieval or a portion of capital costs
- Charge can include supplies provided to the individual upon request

Access - Third Parties
- Individual may request that a covered entity send PHI directly to another person
- Request must be in writing and signed by the individual, and must clearly identify the designated person and where to send the copy of the PHI
- Information must be protected, and the entity must implement reasonable policies and procedures to send it to the right place (e.g., type the e-mail address correctly)
- "In writing" can be electronic

Access - Timeliness
- Change to 60 days
- Preamble urges entities to make information available sooner when possible
- Remember to review state law requirements

Immunizations
- Send immunization records directly to a school without written authorization
- Need assent by a parent, guardian or person acting in loco parentis
- Must comply with state law regarding the provision of immunization records
- Document the discussions

Research
- Future research studies may now be part of a properly executed authorization, which includes all the required core elements of an authorization
- Exception applies to psychotherapy notes, which may be combined only with another authorization for the use or disclosure of psychotherapy notes
- Puts HIPAA in line with the Common Rule

Decedents
- Permitted to disclose a decedent's information to family members and others who were involved in the care or payment for care of the decedent prior to death
- Unless inconsistent with any prior expressed preference of the individual that is known to the covered entity
- Does not change the authority of a decedent's personal representative

Restrictions
- New right to restrict certain disclosures of PHI to a health plan where the individual, a family member or another person pays out of pocket in full for the health care item or service
- Covered entities will be required to develop methods to create a notation in an individual's medical record related to restrictions, so that the information is not sent to or accessible to health plans
- Covered entities still can submit restricted information for required Medicare and Medicaid audits under the "required by law" provision
- Must make an effort to get appropriate payment from the patient if the initial mechanism fails (like a bounced check)

Sales of PHI
- Sales of PHI not specifically addressed in original HIPAA rules
- Final rule bars the sale of PHI without an authorization
- "Sale of PHI" means: a disclosure of PHI by a covered entity or business associate that directly or indirectly receives remuneration from or on behalf of the recipient in exchange for the PHI
- Remuneration may be cash or in kind

Exceptions to Sale of PHI
- Public health purposes
- Disclosures required by government grants; health exchange fees are not a sale
- Research (but remuneration must be limited to a reasonable cost-based fee to cover the cost to prepare and transmit the information); includes direct and indirect costs (including capital and overhead)
- Business associate arrangements
- Treatment and payment purposes
- Sale of a CE
- Disclosures to the individual for access/accounting
- Disclosures required by law
- Any other purpose permitted by HIPAA if the only remuneration is a reasonable cost-based fee

Marketing
- Definition of marketing: a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service
- Includes a communication to the individual who is the subject of the PHI, or a communication that uses PHI (e.g., a mailing by a hospital to all new moms promoting an unaffiliated child care center)
- Not an issue if no PHI is needed for the communication
- Business-to-business communications not affected if no PHI is used or disclosed

Marketing (continued)
- Under original HIPAA regulations, the following communications did not require the individual's authorization:
  - By a health care provider for case management, care coordination, recommending alternative treatments and providers
  - To describe a health-related product or service (or payment for such product or service) provided by, or included in a plan of benefits of, the covered entity making the communication
  - Other case management, care coordination
- Authorization required for those communications under the final rule IF the CE receives financial remuneration for making them
- Narrow carve-out for refill reminders or other communications about a drug or biologic currently prescribed, if payment is reasonably related to the CE's cost of making the communication

Marketing Analysis
- Does the communication require the use or disclosure of PHI?
- Does the communication encourage use of a product or service?
- Is the communication for case management, care coordination, treatment alternatives, or about a health-related product or service provided by, or included in a plan of benefits of, the CE making the communication?
  - If yes and the CE receives payment for the communication, use an authorization (except for refills)
  - If yes, but no payment, no authorization needed
- All other marketing communications require authorization
- If remuneration is provided, the authorization must say so

Fundraising
- Original rule permitted a CE to use or disclose to a business associate or to an institutionally related foundation demographic information to raise funds for the CE's own benefit
- Demographic information included name, address, other contact information, age, gender, and insurance status, not diagnostic information
- Had to include fundraising in the Notice of Privacy Practices and tell the individual how to opt out of future fundraising

Fundraising (continued)
- Final rule expands demographic information to include treating physician, outcome, department (limited diagnostic information)
- Individual must be given clear and conspicuous notice of the right to opt out of future fundraising
- Method to opt out may be determined by the CE, as long as it does not impose an undue burden or more than nominal cost (toll-free number, e-mail address). A written letter is an undue burden; a pre-printed, pre-paid postcard is okay
- Can provide a process to opt back in

Business Associates
- Omnibus Rule conforms HIPAA regulations to HITECH Act changes
- Before HITECH, BAs were regulated through business associate contracts or agreements ("BAAs")
- After HITECH, BAs and subcontractors are regulated directly under HIPAA
- Must comply with the Security Rule (rule is flexible to accommodate small BAs)
- Must comply with some of the Privacy Rule and the provisions of the BAA

Business Associates (continued)
- Expanded definition of "business associate"
- Business associate means one who, on behalf of a covered entity, creates, receives, maintains or transmits PHI
- "Business associate" now also means a subcontractor of a business associate who creates, receives, maintains or transmits PHI on behalf of the business associate
- Status as a BA is based upon role and responsibilities, not on who the parties to the contract are

Business Associates (continued)
- Implications for subcontractor relationships
- Contract between the covered entity's BA and that BA's subcontractor must satisfy the BAA requirements
- Subcontractor of a subcontractor is also a BA, and so on
- As a result, HIPAA/HITECH obligations that apply to BAs also directly apply to subcontractors

Business Associates (continued)
- Rule clarifies the definition of "business associate"; included:
  - Patient Safety Organizations
  - Health information exchange organizations, e-prescribing gateways, covered entities' personal health record vendors (not all PHRs)
  - Data transmission providers that require access to PHI on a routine basis
- Not included: those who just provide transmission services, like digital couriers or mere conduits
- However, those who store PHI, even if they don't intend to actually view it, are BAs (implications for cloud-model EHRs)

Business Associates (continued)
- Additional time allowed to enter into conforming business associate agreements (Limited Deemed Compliance Date)
- If BAAs comply with the pre-Omnibus rule, parties have 1 additional year to bring their BAAs into compliance: September 22, 2014
- If BAAs do not comply with the pre-Omnibus rule (or no BAA exists), must enter into BAAs that comply by September 23, 2013
- BAAs not otherwise modified or renewed prior to September 14, 2014 must be brought into compliance by that date
- Regardless of compliance deadlines, compliance with the Omnibus Rule is required when existing BAAs renew or are modified

Notice of Privacy Practices
- Includes statements regarding certain uses and disclosures requiring authorization:
  - Psychotherapy notes (where appropriate)
  - Marketing
  - Sales of PHI
- Right to restrict disclosures to health plans (provider only)
- Right to be notified of a breach
- Include a general statement that all uses and disclosures not described in the NPP also require authorization

Notice of Privacy Practice (continued)
- Changes in the rule are material
- For health plans that post on a website, post the revised NPP by the effective date and in the next annual mailing
- If no website, health plans must provide it within 60 days of a material revision
- For providers, must post and make available upon request, and still provide to and seek acknowledgement from new patients
- Can send by e-mail if the individual agrees

Security Breach Notification
- Since 2010, CEs have been required to give notice of breaches of unsecured PHI
- BA has to give notice of breaches to the applicable CE

Key Terms
- Unsecured PHI: PHI not rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified by the Secretary of HHS (includes paper)
  - Recognized methods still limited to encryption and destruction
- Breach: acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. Excludes:
  - Unintentional, good-faith access within a CE or BA
  - Inadvertent disclosure within a CE, BA or OHCA
  - Disclosures where the person could not reasonably have retained the PHI

Change to Risk Assessment
- Interim final rule required a risk assessment to determine if the inappropriate access, use, or disclosure caused a significant risk of financial, reputational, or other harm to the individual; no presumption that a breach occurred
- Under the final rule, unauthorized access, use or disclosure is presumed to be a breach unless the CE determines that there is a low probability the PHI has been compromised

New Assessment Criteria
- CE must evaluate whether the privacy and security of PHI was compromised by considering:
  - Nature and extent of the PHI, including types of identifiers and likelihood of re-identification
  - The unauthorized person who used the PHI or to whom disclosure was made
  - Whether the PHI was actually acquired or viewed
  - Extent to which the risk to the PHI has been mitigated
- Described by HHS as more objective
- Document the basis for conclusions if no breach occurred

Breach Notification Requirements
- CE must always notify the individual of a breach
- Use first-class mail to the individual, or electronic notice if the individual has consented
- Substitute notice required if contact information is insufficient:
  - Telephone or alternate written notice if under 10 individuals
  - Conspicuous posting for 90 days on the web, or notice to media, if 10 or more individuals
- Notify OCR immediately if 500 or more individuals, or at year end for fewer
- Notify media if 500 or more individuals in a single state or jurisdiction

Timing
- Breach is treated as discovered as of the first day on which the breach is known to the CE, or, by exercising reasonable diligence, would have been known
- CE is deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent (using the federal common law of agency) of the covered entity
- CE must give notice to the individuals without unreasonable delay and within 60 days

Notice Content
- The notice must be written in plain language and include:
  - A description of what happened, including the date of the breach and the date of discovery, if known
  - A description of the types of PHI involved (such as name, home address)
  - Any steps the individual should take to protect herself from potential harm resulting from the breach
  - A brief description of the entity's actions to investigate the breach, mitigate harm to individuals, and prevent further breaches
  - Contact procedures for individuals to ask questions, including a toll-free telephone number, e-mail address, website, or postal address

Breach Notification by Business Associates
- BA must provide notice of a breach of unsecured PHI
- Notice is made to the CE, not the individual
- Breach is treated as discovered as of the first day on which the breach is known to the BA, or, by exercising reasonable diligence, would have been known
- BA is deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or agent (using the federal common law of agency) of the BA
- Subcontractor BA gives notice to the BA

Breach Notification - Limited Data Sets
- Interim final rule said breach reporting did not apply to limited data sets that exclude birthdates and zip codes
- Final rule requires evaluation of all limited data sets
- Notice is probably unlikely to be required without birthdates and zip codes

Questions to Ask
- Did the incident involve unsecured PHI?
- Was there an unauthorized acquisition, access, use or disclosure that violated the Privacy Rule?
- Does an exception apply?
- Has the privacy and security of the PHI been compromised?

Other Security Breach Considerations
- In addition to breaches, a BA is required to give notice to the CE of security incidents and unauthorized uses and disclosures of PHI
- Remember to consider state security breach notification laws

Common HIPAA Vulnerabilities
- Paper files
- Flash drives
- Laptops
- Social media
- EHRs
- Review of your own or others' PHI
- Safeguards not in place (e.g., white boards, ER, elevator conversations)

Mobile Devices
- Who owns the devices?
- Are personal devices used at work registered?
- Virtual Private Network (VPN) to exchange information
- Back up PHI on servers
- Remote wipe of devices
- Policies and procedures
- Training

Conduct a Self Audit
- Policies and procedures (both privacy and security)
- Contracts
- Walk through the facility
- Talk to staff members
- Review training materials
- Review security risk assessments

HIPAA Tips
- Ensure issues are immediately reported within the organization
- Involve counsel when appropriate, who advises and directs the investigation and maintains privilege
- Understand when you have a breach vs. an incident
- Understand your reporting obligations
- Educate staff, management and leadership
- Create role-based access
- Understand state law requirements

HIPAA Tips (continued)
- Who is responsible speaks volumes.

HIPAA Tips (continued)
- Investigate
- Discipline workforce
- Mitigate
- Document
- Notify

Curiosity Killed the Cat
- In 2007, George Clooney was admitted to the Palisades Medical Center in New Jersey after a motorcycle accident
- 27 employees looked, including physicians and nurses
- Information was leaked to the press

Culture of Compliance
- Compliance involves active engagement of leadership within an organization
- A successful compliance program includes:
  - Employee training
  - Vigilant implementation of policies and procedures
  - Regular internal audits
  - Prompt action plan to respond to incidents
  - Analyze, evaluate, and correct potential risk areas

Questions
Sarah E. Swank, OBER KALER, Washington, DC, (202) 326-5003, seswank@ober.com
Gina M. Kastel, FAEGRE BAKER DANIELS, Minneapolis, MN, (612) 766-7923, gina.kastel@faegrebd.com