Changes to HIPAA Privacy and Security Rules


Changes to HIPAA Privacy and Security Rules
Stephen P. Postalakis
Blaugrund, Herbert and Martin
300 West Wilson Bridge Road, Suite 100, Worthington, Ohio 43085
SPP@BHMLAW.COM
Personnel Council, Franklin County Board of DD, September 22, 2009

Why these changes apply:
County Boards of DD are considered covered entities under HIPAA as both Health Plans and Health Care Providers.
County Boards may also function as business associates under HIPAA.
Generally, providers are covered entities because they are Health Care Providers.
COGs, when contracting to perform services on behalf of a County Board, are acting as business associates.

Definition of Breach
Notification obligations only apply to breaches of unsecured PHI.
Unsecured PHI is PHI that is not secured with a technology that renders it unusable, unreadable, or indecipherable to unauthorized persons (i.e., encrypted; redaction is not sufficient).

Definition of Breach: Breaches involving Privacy Rule violations
A breach is an unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the PHI.
A breach could be oral, written, or in electronic form.
If the breach is unauthorized but consistent with existing HIPAA regulations, no reportable breach has occurred.

Definition of Breach: Breaches involving significant risk of harm
Once it is determined that the disclosure was impermissible under the HIPAA Privacy or Security Rule, a second harm threshold must be met: the breach must pose a significant risk of financial, reputational, or other harm to the individual. Only then is the notification requirement triggered.
A use or disclosure of protected health information that does not include identifiers, date of birth, and zip code does not compromise the security or privacy of the PHI.

How do you know if the breach poses a risk of significant harm?
Covered entities must perform a risk assessment. Relevant factors are:
Type and amount of information involved.
Whether the covered entity took immediate steps to reduce the risk of harm.
Who impermissibly used the information, or to whom it was disclosed.
Whether it was returned to the covered entity prior to being used for an improper purpose.

Risk Assessments
Covered entities carry the burden of proof to show why they did not report a disclosure. Accordingly, all risk assessments should be documented in the event the failure to report is challenged.

Exceptions to the definition of breach
Unintentional access in good faith
Inadvertent disclosure within a covered entity
Person to whom PHI is disclosed is not able to retain the information

Unintentional Access in Good Faith
Unintentional access or use of PHI:
By a workforce member acting under the authority of the covered entity/business associate
Done in good faith
Within the scope of employment
Does not result in further use or disclosure not permitted by HIPAA

Inadvertent Disclosure within a Covered Entity
Disclosure made inadvertently by a person authorized to access PHI to another person within the covered entity who is authorized to access PHI
Information received as a result of such disclosure is not further used or disclosed in an impermissible manner

Person to Whom PHI Is Disclosed Not Able to Retain Information
The person to whom PHI is disclosed would not reasonably have been able to retain the information.
Requires a good faith belief on the part of the disclosing individual that the unauthorized recipient is unable to retain the information.

Timing of Notice to Affected Individuals
Covered entities that have a security breach of PHI are required to provide written notification to each individual affected and to the Secretary of Health and Human Services (HHS):
Without unreasonable delay and no later than 60 calendar days following discovery of the breach.
Business associates of a covered entity must report a breach to the covered entity within the same time frame.

Form and Content of Notice
Written notice: by written communication, first class mail, to the individual (or to the next of kin or personal representative, if deceased).
Substitute notice: used where contact information is insufficient or out of date.
If the number affected is fewer than 10 people: alternative form of written notice, telephone, or other means.

Form and Content of Notice (cont'd)
If the number affected is greater than 10 people, substitute notice shall:
Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and
Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach.

Form and Content of Notice (cont'd)
Additional notice in urgent situations: in any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured PHI, the covered entity may provide information to individuals by telephone or other means, as appropriate, including written notice by first class mail.

For breaches affecting 500 people or more, the covered entity must:
Notify prominent media outlets serving the State or jurisdiction
Notify HHS in the manner specified on its Web site, at the same time as the notice of breach
For breaches affecting fewer than 500 people, the covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide notification to HHS of the breaches occurring during the preceding calendar year, in the manner specified on the HHS Web site.

Form and Content of Notice (cont'd)
General provisions for notice. The notice must include:
A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
Any steps individuals should take to protect themselves from potential harm resulting from the breach;
A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

Effective Date
The rules go into effect September 23, 2009.
HHS says it will use its enforcement discretion not to impose penalties until February 23, 2010.
Covered entities nevertheless need to comply with the new security breach rules.

Restriction Request Rules
Currently, HIPAA allows individuals to request that certain PHI not be used by the covered entity. Covered entities are generally allowed to decline all such requests.
As amended by ARRA, covered entities must comply with restriction requests where the disclosure is:
To a health plan carrying out payment or health care operations (administrative, not treatment); and
The PHI pertains only to a health care item or service for which the health care provider has been paid in full.

Electronic Health Records
ARRA creates a new category called electronic health records (EHR): an electronic record of health-related information on an individual.
Disclosure accounting requirements for EHR are greater than those for PHI.
Under the new rules, covered entities must track disclosures of EHR for treatment, payment or health care operations. Details to be developed by rule.

Electronic Health Records (cont'd)
Covered entities cannot receive remuneration in exchange for PHI or EHR unless consent is given by the individual whose information is being disclosed.
The individual has the right to obtain a copy of PHI in electronic format if the covered entity maintains an EHR of that information, to accommodate portability of records.

Changes to Civil Monetary Penalties
(Amounts are shown as per violation / annual maximum.)

Penalty category | Current law | As amended
Penalty when could not know of violation | $100/$25,000 | $100/$25,000 to $50,000/$1,500,000
Penalty for each violation (if for reasonable cause, not willful neglect) | $100/$25,000 | $1,000/$1000 to $50,000/$1,500,000
Penalty for willful neglect | (not shown on slide) | $10,000/$250,000 to $50,000/$1,500,000
Penalty for willful neglect and not corrected | (not shown on slide) | $50,000/$1,500,000 to no specified maximum

Enforcement of civil monetary penalties
State attorneys general are now authorized to bring HIPAA enforcement actions against covered entities that violate the HIPAA privacy or security rules.
HHS will conduct more frequent periodic audits to ensure compliance.
Increased penalties went into effect immediately on signing of the act, February 2009.
ARRA requires HHS to create a regulation that authorizes individuals affected by a HIPAA violation to receive a percentage of any civil monetary penalty or settlement collected for the violation.