HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

Presented by Pat Henrikson, HIPAA Compliance Program Director and Chief Privacy Officer, Banner Health

Agenda
- Background
- Notice of Privacy Practices
- Increased Patient Rights
- New Limits on Uses and Disclosures of PHI
- Business Associates and Subcontractors
- Breach Notification Rule
- Increased Enforcement
- Questions

Timeline
- 1996: Health Insurance Portability and Accountability Act (HIPAA)
- 2003: Privacy Rule
- 2005: Security Rule
- 2006: Enforcement Rule
- February 2009: American Recovery and Reinvestment Act (ARRA), including Title XIII, the Health Information Technology for Economic and Clinical Health (HITECH) Act
- September 2009: Interim Final Breach Notification Rule
- October 2009: Interim Final Enforcement Rule
- July 2010: Proposed Omnibus Rule
- January 25, 2013: Final Omnibus Rule published
- September 23, 2013: Compliance date

NOTICE OF PRIVACY PRACTICES

Notice of Privacy Practices
The Notice of Privacy Practices (NPP):
- Describes how medical information is used within the Covered Entity (CE)
- Describes how medical information is disclosed to others outside the CE
- Describes how patients can get access to their health information
- Describes the rights patients have regarding their health information
- States the CE's legal duties with respect to Protected Health Information (PHI)
- States that the CE will notify the patient of a breach of their unsecured PHI
- States which healthcare providers the notice covers
- States where concerns, complaints or questions may be sent
- States its effective date

Notice of Privacy Practices: Change in Content Requirements (Authorization)
- Description of the types of uses and disclosures that require an authorization. HHS clarifies this to mean a statement that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures for marketing, and sale of PHI require an authorization
- Statement that other uses and disclosures (other than those provided for in the NPP) will be made only with an authorization
- Statement that the individual may revoke an authorization
- Make sure the NPP accurately describes actual privacy practices (e.g., reflects the Omnibus Rule changes and day-to-day operations)

Notice of Privacy Practices: Change in Content Requirements (continued)
- Prohibition on sale of PHI
- Duty to notify affected individuals of a breach of unsecured PHI
- Right to opt out of fundraising communications (if applicable)
- Right to restrict disclosures of PHI to a health plan when the individual has paid out of pocket
- Limit on use of genetic information for underwriting (certain health plans only)
- Deletion of the content requirement covering appointment reminders and information about treatment alternatives

Notice of Privacy Practices: Distribution Requirements (Providers)
Requirements have not changed:
- Provide the notice no later than the date of first service delivery, including service delivered electronically; in an emergency treatment situation, as soon as reasonably practicable after the emergency treatment
- Post the notice in a clear and prominent location
- When revised, make the revised notice available upon request on or after its effective date
- If the CE has a web site, the notice must be posted there and made available
- Organized Health Care Arrangement (OHCA): a joint notice may be used

Notice of Privacy Practices: Distribution Requirements (Health Plans)
Reprieve for health plans on distributing the NPP:
- Post the revised NPP on the consumer-facing web site by the date of the material change
- Include the revised NPP (or information about the NPP) in the next annual mailing
- If there is no web site, provide the NPP (or information about the NPP) to covered individuals within 60 days of the material change

INCREASED PATIENT RIGHTS

Patient Rights
- Right to request (access) information about you
- Right to request amendment or supplementation of information you believe is incorrect
- Right to get a list (accounting) of certain disclosures of information about you
- Right to request restrictions on uses and disclosures for TPO
- Right to request confidential communications
- Right to a copy of the provider's or health plan's Notice of Privacy Practices

Electronic Copy of PHI
- Old rule: the copy is provided in the form or format requested, if readily producible; if not readily producible, as a readable hard copy
- New rule: if the PHI is maintained electronically, the copy must be produced electronically, unless the patient requests a hard copy

Electronic Copy of PHI: Designated Third Party
The individual may designate a third party to receive the copy. The request must:
- Be in writing
- Clearly identify the designated person
- Clearly identify where to send the copy

Restriction for Out-of-Pocket Payments
A covered entity must agree to an individual's request to restrict disclosure of PHI to a health plan for payment or health care operations when the individual (or a person on the individual's behalf) has paid for the item or service out of pocket in full, unless the disclosure is required by law.

NEW LIMITS ON USES AND DISCLOSURES OF PHI

Uses and Disclosures of PHI
General rule: a CE or BA may use or disclose PHI only as permitted by the HIPAA Rules, including:
- To the individual
- For treatment, payment, and health care operations (TPO)
- To the HHS Secretary to investigate or determine compliance
Prohibited uses:
- Several that apply to health plans
- Sale of PHI

The Good News: Fundraising
The rule adds categories of PHI that may be used or disclosed for fundraising:
- Department of service
- Treating physician
- Outcome information
- Health insurance status

The Good News: Research
Covered entities may combine conditioned and unconditioned authorizations. For example, a conditioned authorization for a clinical trial may be combined with an unconditioned authorization for a tissue specimen repository.

The Good News: Research (continued)
- The authorization must differentiate between the conditioned and unconditioned portions
- The unconditioned authorization must be opt-in, e.g., via a check box or a second signature line

The Good News: Research (continued)
HHS changed its interpretation of authorizations for future research:
- Prior interpretation: an authorization for research must be study-specific
- New interpretation: an authorization may govern future research, provided it reasonably puts the individual on notice of the potential future research

The Good News: Student Immunization Records
A covered entity may release student immunization records to a school without an authorization if:
- State law requires the school to have the immunization record, and
- There is a written or oral agreement to the disclosure (which must be documented)

The Good News: Decedent Information
- Information about a decedent is no longer PHI 50 years after death
- A covered entity may disclose a decedent's PHI to persons involved in the decedent's care or payment for care, if not contrary to a prior expressed preference of the individual

The Bad News: Marketing
- Question 1: Is the communication about a product or service, and does it encourage purchase or use? If yes, it is marketing.
- Question 2: Does it describe a health-related item or service offered by the covered entity, or a treatment alternative? If yes, it is no longer marketing.
- Question 3 (new): Does the covered entity receive financial remuneration from a third party whose item or service is described? If yes, it is marketing again, and an authorization is required.

The Bad News: Sale of PHI
A covered entity may not receive remuneration in exchange for PHI without an authorization. Exceptions (no limit on remuneration):
- Treatment
- Payment
- Sale of the covered entity and related due diligence
- Public health
- Required by law

The Bad News: Sale of PHI (continued)
Exceptions (no limit on remuneration):
- Business associate activities
Exceptions (remuneration limited):
- Any other permissible purpose, if remuneration is limited to a reasonable, cost-based fee for preparation and transmittal (an exception that is not in the HITECH Act itself)
- Research
- Disclosure to an individual for access and accounting

The Bad News: Genetic Information
- Clarification that genetic information is health information
- A health plan (other than a long-term care plan) may not use or disclose genetic information for underwriting purposes

BUSINESS ASSOCIATES AND SUBCONTRACTORS

Who Is a Business Associate?
- Old definition: a person performing a function, activity or service that required individually identifiable health information
- New definition: a person who creates, receives, maintains, or transmits protected health information on behalf of a covered entity

Who Is a Business Associate? (continued)
Business associates now expressly include:
- Health Information Organizations
- E-prescribing Gateways
- Other providers of data transmission services
- Offerers of a personal health record (PHR) on behalf of covered entities
- Subcontractors

Welcome to the HIPAA Party, Subcontractors!
- Contractor + PHI = Business Associate
- Subcontractor: a person to whom a business associate delegates a function, activity, or service and who receives PHI
- The definition applies all the way down the chain
- A subcontractor's own workforce members are part of its workforce, not separate business associates

Liability of Business Associates
Business associates are directly liable for:
- Impermissible uses and disclosures
- Failure to provide breach notification to the covered entity
- Failure to provide an electronic copy of ePHI as specified in the business associate contract
- Failure to disclose PHI to HHS for a HIPAA investigation
- Failure to provide an accounting of disclosures
- Failure to comply with the applicable requirements of the Security Rule

Business Associate Contracts
- Must specify compliance with the Breach Notification Rule
- Should specify to whom the BA provides electronic access
- If the CE delegates a HIPAA responsibility to the BA, must specify that the BA will comply with HIPAA in carrying it out
- Grandfathering of existing contracts may be available

Who Contracts with Whom?
- Covered entities must have business associate contracts with their direct business associates
- Business associates must have business associate contracts with their subcontractors
- Covered entities do not need business associate contracts with subcontractors

BREACH NOTIFICATION RULE

Breach Notification
- HITECH created the first federal breach notification law
- The basic requirements stay the same: upon discovery of a breach of unsecured PHI, covered entities and business associates must make the required notifications

Notice Requirements
Covered entities must provide notice to:
1. The individuals whose PHI was compromised
2. The Office for Civil Rights (OCR)
3. Prominent media outlet(s), if the breach involved more than 500 individuals
Business associates must provide notice to the covered entity.

Encryption or Destruction (Safe Harbor)
HHS emphasized that encryption and destruction are the only two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals. PHI protected in one of these ways is "secured" and therefore exempt from the breach notification requirements (the safe harbor provision).

Breach Notification: Definition of Breach
A breach is the unauthorized acquisition, access, use, or disclosure of unsecured PHI:
- in a manner not permitted by the HIPAA Privacy Rule, and
- that compromises the security or privacy of the PHI.
So far so good, but...

New "Compromise" Standard
Old standard (interim final rule):
- A breach required a significant risk of financial, reputational, or other harm to the individual
- Exception for a limited data set that excluded ZIP codes and dates of birth
New standard (Omnibus Rule):
- An impermissible acquisition, access, use, or disclosure of PHI is presumed to be a reportable breach, UNLESS the entity demonstrates, through a risk assessment, that there is a low probability that the PHI has been compromised

What Is "Compromised"?
HHS's commentary on the interim final rule's compromise standard indicates that the question is whether the PHI has been inappropriately viewed, re-identified, rediscovered, or otherwise misused.

Exceptions to the Breach Definition: First Exception
a. Unintentional acquisition, access or use of PHI by a workforce member or a person acting under the authority of a CE or BA,
b. if such acquisition, access or use was made in good faith and within the scope of authority,
c. and does not result in a further unauthorized use or disclosure.

Exceptions to the Breach Definition: Second Exception
a. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA
b. to another person authorized to access PHI at the same CE or BA, or at an organized health care arrangement in which the CE participates,
c. where the PHI received as a result of the disclosure is not further used or disclosed in an impermissible manner.

Exceptions to the Breach Definition: Third Exception
a. A disclosure of PHI
b. where the CE or BA has a good faith belief
c. that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

Risk Assessment: Four Required Factors
1. The nature and extent of the PHI involved
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI actually was acquired or viewed
4. The extent to which the risk to the PHI has been mitigated

Breach Notification: Spirit of the Rule
The intent behind the obligation to notify:
- Put pressure on the healthcare industry to better safeguard patient privacy by protecting PHI, in particular by using encryption
- Increase patient and consumer confidence in privacy protection
- Mitigate harm to the affected individuals when consequential events occur

Action Items to Comply
- Evaluate the entity's use of encryption for PHI at rest and in transit
- Review and, if necessary, revise business associate agreements (BAAs)
- Revise the Notice of Privacy Practices
- Implement or revise policies and procedures
- Train and educate workforce members and other agents

Consequences
If a CE or BA does not comply with the Breach Notification Rule, that is a HIPAA violation, subject to HHS enforcement actions and civil money penalties.

INCREASED ENFORCEMENT

Increased Civil Penalties and Enforcement
Penalty tiers, shown as the range per violation and the annual maximum for repeated identical violations:

Violation Type                   Pre-Final Rule (per violation)   Pre-Final Rule (annual max / repeated)   New Omnibus Rule (per violation)   New Omnibus Rule (annual max / repeated)
Did Not Know                     $100 - $25,000                   $25,000 / $1.5 million                   $100 - $50,000                     $1.5 million
Reasonable Cause                 $100 - $25,000                   $50,000 / $1.5 million                   $1,000 - $50,000                   $1.5 million
Willful Neglect (Corrected)      $10,000 - $250,000               $250,000 / $1.5 million                  $10,000 - $50,000                  $1.5 million
Willful Neglect (Not Corrected)  $50,000 - $1.5 million           $1.5 million / $1.5 million              $50,000 (minimum)                  $1.5 million

Focus on Willful Neglect
- Willful neglect: conscious, intentional failure or reckless indifference to the obligation to comply
- OCR will investigate all cases of possible willful neglect
- OCR will impose a penalty on all violations due to willful neglect

Other Enforcement Changes
- Revised definition of "reasonable cause" (fills the gap between "did not know" and "willful neglect")
- Greater OCR discretion to proceed directly to a penalty without first seeking informal resolution
- Vicarious liability for the acts of business associate agents
- Factors affecting the calculation of civil money penalties (CMPs)

Four Drivers of Increased Risk
1. Direct application of HIPAA's Security Rule to business associates (BAs)
2. New breach notification requirements under ARRA (the HITECH Act), distinct from the Act's effort to encourage adoption of electronic health records (EHRs) through incentive payments for meaningful use
3. New state enforcement authority under HIPAA and the trend of state-legislated private rights of action
4. Government audits

Other HITECH HIPAA Impacts
- Extension of key Security Rule provisions to BAs:
  - Direct exposure to HIPAA civil and criminal penalties
  - Penalties increased, and the willful neglect standard now included
- The HHS Secretary, based on a recommendation from the GAO Comptroller General, was required to develop by 2/17/12 a mechanism whereby harmed individuals may obtain a percentage of the penalties collected
- Tightening of the definition of "minimum necessary":
  - The Secretary is to issue guidance
  - Implications for access controls under the Security Rule; will also affect BAs

What's Still Missing?
- Accounting of disclosures / access reports
- Minimum necessary guidance
- Distribution of penalties and settlements to harmed individuals

Questions