HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015.


PURPOSE OF PRESENTATION
To discuss the laws governing use and disclosure of medical and personal information:
- HIPAA/HITECH Act: Privacy and Security Rules; Breach Notification Rule
- 42 CFR Part 2 (substance abuse records)
- Rhode Island health information privacy laws: Identity Theft Protection Act; Confidentiality of Health Care Communications Act; STDs; Mental Health Law; HIV/AIDS; genetic information
- Enforcement
- Best practices

REAL STORIES
- Laptop of an auditor stolen from an apartment: 358 names, addresses, dates of birth and SSNs
- Breach of 1.7 million records
- Farrah Fawcett's cancer diagnosis published by the National Enquirer
- Long-time employee accessing the health records of a hospital board member
- Hacking incident against a website
- Misaddressed Excel spreadsheet of health benefits

IDENTIFYING HIGH-RISK DATA
- Personally identifiable information: SSN, state-issued ID number, mother's maiden name, driver's license number, passport number, credit history, criminal history
- Name and contact information: initials, address, telephone number, e-mail address, mobile number, date of birth
- Personal characteristics: age, gender, marital status, nationality, sexual orientation, race, ethnicity, religious beliefs

IDENTIFYING HIGH-RISK DATA (CONT'D)
- Financial institution data: credit, ATM and debit card numbers, bank accounts, payment card information, PINs, magnetic stripe data, security codes, access codes, passwords
- Health and insurance account information (subject to HIPAA): health status and history, disease status, medical treatment, diagnoses, prescriptions, insurance account numbers, Medicare and Medicaid information

IDENTIFYING HIGH-RISK DATA (CONT'D)
- Website traffic: Notice of Privacy Practices; Terms and Conditions of Use
- Employment information: income, salary, service fees, compensation information, background check information
- IP information

LEGAL FRAMEWORK FOR HIPAA
- Purpose of the Health Insurance Portability and Accountability Act of 1996: confidentiality of personal and health information; protection against identity theft and medical identity theft
- HIPAA Privacy and Security Rules: 45 C.F.R. Parts 160, 162 and 164
- The Omnibus Rule (published January 25, 2013) revised the HIPAA rules and added new provisions on privacy and security, particularly for business associates and enforcement
- Compliance date: September 23, 2013

COVERED ENTITIES
Covered entities are the entities directly subject to HIPAA privacy and security regulation:
- Health plans
- Health care providers that transmit health information electronically in connection with a HIPAA standard transaction (for a municipality, typically EMTs and ambulance services that bill electronically)
- Health care clearinghouses

BUSINESS ASSOCIATES
A business associate is a service provider that creates, receives, maintains or transmits PHI on behalf of a covered entity, for example:
- Claims processing, data analysis, quality assurance, billing, practice management
- Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for the covered entity

PRIVACY RULE AND SECURITY RULE
The Privacy Rule:
- Grants patients rights
- Sets limits on use and disclosure of PHI
- Establishes administrative, due process and procedural requirements
What does the Privacy Rule require?
- Use and disclosure of PHI (paper, oral or electronic) only as the Rule permits
- Administrative systems (policies, training, a privacy officer) at covered entities
- Mandatory contractual provisions with business associates (business associate agreements)
- A Notice of Privacy Practices from covered entities

PRIVACY RULE AND SECURITY RULE (CONT'D)
The Security Rule applies to electronic PHI (ePHI):
- Establishes a national set of security standards for protecting ePHI
- Requires administrative, physical and technical safeguards for ePHI
- Implementation specifications are either "required" or "addressable"; an addressable specification must still be assessed and then implemented, replaced by a documented equivalent alternative, or documented as not reasonable and appropriate for the entity
- Requires a documented, periodically updated risk analysis, on which the other safeguards are based

PRIVACY RULE DEFINITION OF PROTECTED HEALTH INFORMATION
Individually identifiable health information is information that:
- Is collected from an individual, or created or received by a covered entity;
- Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care; and
- Identifies the individual, or could reasonably be used to identify the individual.
Protected health information (PHI) is individually identifiable health information held or transmitted by a covered entity or business associate in any form: electronic, paper or oral.

USES AND DISCLOSURES OF PHI BY CES AND BAS
General principle: a covered entity or business associate may not use or disclose PHI except:
- As the Privacy Rule permits or requires, including for treatment, payment or health care operations (TPO); or
- Pursuant to a written authorization of the individual (or the individual's personal representative) obtained by the covered entity.
Required disclosures:
- To individuals (or their personal representatives) when they request access to, or an accounting of disclosures of, their PHI; and
- To HHS when it is conducting a compliance investigation, review or enforcement action.

WHEN MUST A COVERED ENTITY OBTAIN AN AUTHORIZATION?
An authorization is required to use or disclose PHI for any purpose other than TPO that the Rule does not otherwise permit, for example:
- Sale of PHI
- Marketing
- Disclosure to third parties such as life insurance companies or employers

REQUIREMENTS FOR AN AUTHORIZATION
The covered entity's authorization form must contain specific elements to be valid under HIPAA (45 C.F.R. 164.508(c)): a specific description of the information to be used or disclosed, who may disclose it, who may receive it, the purpose, an expiration date or event, the individual's signature and date, and statements of the right to revoke, of whether treatment or benefits are conditioned on signing, and that redisclosed information may no longer be protected.

MINIMUM NECESSARY RULE FOR CES AND BAS
- PHI accessed, used or disclosed must be the minimum needed for the purpose
- The whole record is not the minimum necessary unless the entire record is required to perform the function
- Limit who has access to the record (role-based access)

BUSINESS ASSOCIATES
- The Privacy Rule sets standards for contracting with entities, known as business associates, that receive PHI in the course of providing services to covered entities
- A business associate is a service provider that creates, receives, maintains or transmits PHI on behalf of a covered entity (or of another business associate)
- A covered entity's subcontractors that have access to PHI are business associates of the covered entity
- Business associates must have written agreements with all of their vendors and subcontractors who have access to a covered entity's PHI

EXPANSION OF SECURITY AND PRIVACY PROVISIONS AND PENALTIES TO HIPAA BUSINESS ASSOCIATES
- The Omnibus Rule applies the administrative, physical and technical safeguards of the Security Rule, and certain Privacy Rule provisions, directly to business associates (any entity that handles PHI on behalf of a covered entity, including subcontractors)
- The Omnibus Rule imposes additional obligations on business associates regarding policies, procedures and documentation
- Business associates are directly subject to OCR audits and civil money penalties

SECURITY RULE
- HIPAA Security Rule: 45 C.F.R. Part 160 and Part 164, Subparts A and C
- Covered entities and business associates must implement administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of ePHI
- Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI
- Protect against reasonably anticipated uses or disclosures not permitted by the Privacy Rule

HIPAA OMNIBUS RULE: BREACH NOTIFICATION
The Breach Notification Rule (45 C.F.R. 164.400-414), issued by the HHS Office for Civil Rights (OCR) under HITECH in 2009 and finalized in the Omnibus Rule, requires covered entities to notify affected individuals of a breach of unsecured PHI, and business associates to notify the covered entity.

DEFINITION OF BREACH
The acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI. Since the Omnibus Rule, an impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates a low probability that the PHI has been compromised.

UNSECURED PHI
- PHI that is not secured through a technology or methodology specified by the Secretary in guidance
- The technology or methodology must render PHI unusable, unreadable or indecipherable to unauthorized persons: encryption consistent with NIST guidance (NIST SP 800-111 for data at rest; SP 800-52, 800-77 or 800-113 for data in transit), or destruction (shredding paper; clearing or purging electronic media per NIST SP 800-88)
- Encryption counts only if the decryption key or passphrase has not also been compromised; a stolen laptop with the passphrase written on it still holds unsecured PHI
- Access controls, firewalls and redaction are not sufficient

THREE EXCEPTIONS TO THE DEFINITION OF BREACH
1. Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if made in good faith and within the scope of that authority, and the PHI is not further used or disclosed in a manner not permitted by HIPAA.
2. Inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same entity, where the PHI is not further used or disclosed in a manner not permitted by HIPAA.
3. A disclosure where the covered entity or business associate has a good-faith belief that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the information.

NOTIFICATION
If the breach involves unsecured PHI, does not fall within one of the three exceptions, and a documented risk assessment does not demonstrate a low probability that the PHI was compromised, then:
- The covered entity must notify affected individuals without unreasonable delay and in no event later than 60 calendar days after discovery of the breach (60 days is an outer limit, not a safe harbor)
- The risk assessment must consider at least four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated
- Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery, and follow any shorter timeline and procedure set in the business associate agreement

COVERED ENTITY'S NOTIFICATION TO MEDIA AND HHS
- If the breach involves more than 500 residents of a state or jurisdiction, notice must also be given to prominent media outlets serving that state or jurisdiction
- If the breach involves 500 or more individuals in total, the Secretary of HHS must be notified at the same time as the individuals (via the OCR breach portal)
- Document every notification made to individuals, the media and HHS

COVERED ENTITY'S NOTIFICATION TO MEDIA AND HHS (CONT'D)
- Breaches affecting fewer than 500 individuals are logged and reported to HHS (via the OCR website) no later than 60 days after the end of the calendar year in which they were discovered, i.e. by March 1 (February 29 in a leap year)
- Breach logs and notification documentation must be retained for six (6) years
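The breach-notification sequence above (unsecured PHI, the three exceptions, the risk assessment, then the individual, media and HHS notices and their outer deadlines) is a decision procedure, so here it is written out as one. This is an added worked example, not material from the presentation or from HHS; the Incident fields, the EXCEPTIONS keys and the four constructed incidents (modelled loosely on the "real stories" slide) are assumptions for illustration, and the output is a checklist for the person making the documented determination, not a substitute for it.

```python
"""Breach Notification Rule triage (added example, 45 C.F.R. 164.400-414)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Keys are assumed names for the three regulatory exceptions described above.
EXCEPTIONS = {
    "good_faith_workforce": "unintentional, good-faith access by a workforce member, no further use",
    "similarly_authorized": "inadvertent disclosure to another authorized person at the same entity",
    "cannot_retain": "good-faith belief the recipient could not retain the information",
}


@dataclass
class Incident:
    discovered: date
    role: str = "covered_entity"        # or "business_associate"
    encrypted: bool = False             # encrypted per HHS guidance (e.g. NIST SP 800-111)
    key_compromised: bool = False       # key/passphrase exposed together with the data
    exception: Optional[str] = None     # a key of EXCEPTIONS, or None
    low_probability: bool = False       # documented four-factor assessment: low probability
    residents_by_state: Dict[str, int] = field(default_factory=dict)


def is_unsecured(inc: Incident) -> bool:
    """Encryption is a safe harbor only while the key stays secret; access
    controls, firewalls and redaction never qualify (UNSECURED PHI slide)."""
    return not inc.encrypted or inc.key_compromised


def triage(inc: Incident) -> Dict[str, object]:
    out: Dict[str, object] = {"notify": False, "reason": "", "media_states": [],
                              "hhs": None, "deadlines": {}}
    if not is_unsecured(inc):
        out["reason"] = "secured PHI: encryption safe harbor applies"
        return out
    if inc.exception in EXCEPTIONS:
        out["reason"] = "exception: " + EXCEPTIONS[inc.exception]
        return out
    if inc.low_probability:
        out["reason"] = "risk assessment shows low probability of compromise (retain the write-up)"
        return out

    out["notify"] = True
    # 60 calendar days from discovery is the outer limit for every notice;
    # "without unreasonable delay" still governs, so treat it as a ceiling.
    outer = inc.discovered + timedelta(days=60)
    deadlines: Dict[str, date] = {}
    if inc.role == "business_associate":
        out["reason"] = "BA must notify the covered entity (and follow the BAA)"
        deadlines["covered_entity"] = outer
        out["deadlines"] = deadlines
        return out

    out["reason"] = "covered entity must notify affected individuals"
    deadlines["individuals"] = outer
    # Media notice: more than 500 residents of any single state or jurisdiction.
    out["media_states"] = sorted(s for s, n in inc.residents_by_state.items() if n > 500)
    total = sum(inc.residents_by_state.values())
    if total >= 500:
        out["hhs"] = "with individual notice"   # 500 or more individuals in total
        deadlines["hhs"] = outer
    else:
        out["hhs"] = "annual log"               # fewer than 500: log, file after year end
        deadlines["hhs"] = date(inc.discovered.year, 12, 31) + timedelta(days=60)
    out["deadlines"] = deadlines
    return out


def sample_incidents() -> Dict[str, Incident]:
    """Constructed incidents for illustration (not real cases)."""
    return {
        "laptop": Incident(date(2015, 1, 29), encrypted=True, residents_by_state={"RI": 358}),
        "sticky_note": Incident(date(2015, 1, 29), encrypted=True, key_compromised=True,
                                residents_by_state={"RI": 358}),
        "spreadsheet": Incident(date(2014, 11, 3), residents_by_state={"RI": 358}),
        "hack": Incident(date(2015, 1, 29),
                         residents_by_state={"RI": 600, "MA": 400, "CT": 100_000}),
        "faxed_wrong": Incident(date(2015, 1, 29), exception="cannot_retain",
                                residents_by_state={"RI": 1}),
        "vendor": Incident(date(2015, 1, 29), role="business_associate",
                           residents_by_state={"RI": 10}),
    }


if __name__ == "__main__":
    for name, inc in sample_incidents().items():
        print(name, triage(inc))
```

The two laptop cases differ only in whether the passphrase travelled with the device, which is exactly the question OCR's guidance asks; the spreadsheet case shows the fewer-than-500 path landing in the annual log due March 1, while the multi-state hack triggers media notice only in the states with more than 500 residents but HHS notice immediately because the total is 500 or more.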

HIPAA ENFORCEMENT: AUDITS
- HITECH requires the Secretary of HHS to conduct periodic audits of covered entities and business associates for compliance and enforcement purposes
- The Secretary must report the number of audits and a summary of findings to Congress, starting in 2010; the reports are available on the HHS website
- Increased enforcement activity by OCR
- Civil money penalties collected are transferred to OCR to fund further enforcement

PENALTIES FOR VIOLATION
Civil money penalties are tiered by culpability (HITECH section 13410(d); 45 C.F.R. 160.404). The per-violation amounts below are the statutory floor of each tier; OCR's regulation allows up to $50,000 per violation in every tier and caps identical violations at $1.5 million per calendar year.
- Did not know (and by exercising reasonable diligence would not have known): $100 per violation, up to $25,000 for all identical violations in a calendar year
- Reasonable cause, not willful neglect: $1,000 per violation, up to $100,000 for all identical violations in a calendar year

PENALTIES FOR VIOLATION (CONT'D)
- Willful neglect, corrected within 30 days of knowledge: $10,000 per violation, up to $250,000 for all identical violations in a calendar year
- Willful neglect, not corrected: $50,000 per violation, up to $1.5 million for all identical violations in a calendar year (each separately violated provision carries its own cap)

ENFORCEMENT BY STATE ATTORNEYS GENERAL
- State AGs may bring civil actions in federal district court for HIPAA violations affecting their residents
- Damages: $100 per violation, capped at $25,000 per calendar year for identical violations
- Costs and attorneys' fees may be awarded to the state
- OCR has trained state AGs on HIPAA enforcement
- There is no private right of action to enforce HIPAA

CRIMINAL ENFORCEMENT PROVISIONS
HIPAA also carries criminal penalties (42 U.S.C. 1320d-6) for persons who knowingly obtain or disclose individually identifiable health information in violation of the statute, or who improperly use a unique health identifier:
- Knowingly: fine up to $50,000 and/or up to 1 year in prison
- Under false pretenses: fine up to $100,000 and/or up to 5 years
- With intent to sell, transfer or use for commercial advantage, personal gain or malicious harm: fine up to $250,000 and/or up to 10 years

42 U.S.C. 290dd-2 AND 42 C.F.R. PART 2: SUBSTANCE ABUSE RECORDS
- Confidentiality of records of the identity, diagnosis, prognosis or treatment of any patient, maintained in connection with any federally assisted program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation or research
- The content of a substance abuse treatment record may be disclosed only with the prior written consent of the patient, to medical personnel in a bona fide medical emergency, or under a court order that meets the Part 2 requirements
- Do not transmit substance abuse treatment records without patient consent or a court order

RHODE ISLAND STATE INFORMATION PRIVACY LAWS
- Identity Theft Prevention Act (R.I.G.L. 11.49.1)
- Confidentiality of Health Care Communications Act (R.I.G.L. 5-37.3-1)
- Mental Health Law (R.I.G.L. 40.1-5-1)
- HIV/AIDS (R.I.G.L. 23-6.3-7)
- Sexually transmitted diseases (R.I.G.L. 23-11-9)
- Genetic information (R.I.G.L. 27-41-53, 27-20-39, 27-19-44)

ENFORCEMENT/FINES AND PENALTIES (OCR RESOLUTION AGREEMENTS AND CIVIL MONEY PENALTIES)
2008
- Providence Health and Services: $100,000
2009
- CVS Pharmacy, Inc.: $2.25M
2010
- Rite Aid: $1M
- Management Services Organization: resolution agreement, no payment
2011
- Cignet: $4.3M
- Massachusetts General Hospital: $1M
- UCLA: $865,500
2012
- Blue Cross Blue Shield of Tennessee: $1.5M
- Phoenix Cardiac Surgery: $100,000
- Alaska Department of Health and Social Services: $1.7M
- Massachusetts Eye & Ear: $1.5M
- Hospice of North Idaho: $50,000
2013
- Idaho State University: $400,000
2014
- Skagit County: $215,000
- Concentra Health: $1,725,220
- QCA Health Plan, Inc.: $250,000
- New York Presbyterian Hospital: $3.3M
- Columbia University: $1.5M
- Parkview Health: $800,000
- Anchorage Community Mental Health Services: $150,000

RISKS OF THE USE OF E-MAIL FOR COMMUNICATIONS
- Misaddressing an e-mail (or hitting "reply all") and sending confidential information to the wrong recipient
- Lack of security in transit or at rest when sending or receiving e-mail (ordinary e-mail is not encrypted end to end)
- Hackers obtaining a username and password and reading, forwarding or sending mail as the user

BEST PRACTICES WHEN USING E-MAIL
- Encrypt messages and attachments that contain high-risk data
- Use a Virtual Private Network with two-factor (e.g., RSA token) authentication for remote access
- Verify the selected recipients before sending
- Use standard confidentiality disclaimers in Outlook (a disclaimer does not substitute for encryption)
- Sensitive communications should be given special protection against disclosure to third parties
- It is the responsibility of the employee sending the communication to determine whether it is sensitive
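The "verify selected recipients" and "encrypt high-risk data" points above, together with the high-risk data categories listed earlier (SSNs, payment card numbers), can be enforced mechanically before a message leaves the organization. The following is an added example, not code from the presentation or from any product it mentions: it scans a message body for SSNs and Luhn-valid card numbers, flags recipients outside the organization's own domains, and returns a verdict. The domain names, the sample roster text and the "block/warn/allow" policy are constructed assumptions; a real deployment would run this as a mail-gateway or Outlook add-in rule and would also scan attachments.

```python
"""Pre-send screening of outgoing e-mail for high-risk identifiers (added example)."""
import re
from typing import Dict, List, Set

# SSN: areas 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the screening log is not itself a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_identifiers(text: str) -> Dict[str, List[str]]:
    ssns = [mask(m) for m in SSN_RE.findall(text)]
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(mask(digits))
    return {"ssn": ssns, "card": cards}


def external_recipients(recipients: List[str], internal_domains: Set[str]) -> List[str]:
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in internal_domains]


def screen_message(recipients: List[str], body: str, internal_domains: Set[str]) -> Dict[str, object]:
    """'block': identifiers would leave the organization in the clear (encrypt or use a
    secure channel); 'warn': identifiers stay internal (minimum necessary still applies);
    'allow': nothing found."""
    ids = find_identifiers(body)
    ext = external_recipients(recipients, internal_domains)
    hits = sum(len(v) for v in ids.values())
    verdict = "block" if hits and ext else "warn" if hits else "allow"
    return {"verdict": verdict, "identifiers": ids, "external": ext}


# Constructed sample: a benefits roster pasted into a message with one wrong address.
SAMPLE_BODY = (
    "Open enrollment roster\n"
    "Doe, Jane  SSN 123-45-6789  plan 4111 1111 1111 1111\n"
    "Office: 401-555-0100  Dept 000-12-3456\n"      # phone and invalid SSN: not flagged
)
SAMPLE_RECIPIENTS = ["benefits@town.example", "j.doe@mail.example"]
INTERNAL_DOMAINS = {"town.example"}


def sample_screen() -> Dict[str, object]:
    return screen_message(SAMPLE_RECIPIENTS, SAMPLE_BODY, INTERNAL_DOMAINS)


if __name__ == "__main__":
    print(sample_screen())
```

The Luhn check and the SSN area/group/serial constraints are what keep the rule from firing on phone numbers, ZIP codes and department codes; without them a screen like this generates enough false positives that staff learn to click through it, which is the failure mode of most "confidentiality disclaimer" style controls.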

BEST PRACTICES TO PROTECT HIGH-RISK DATA
Protect high-risk data in paper records:
- Any documents with SSNs or medical insurance numbers; W-2s; benefits records; workers' compensation files; health records; salary and personnel information; applications and recruiting files; witness and suspect information
- Keep them in locked filing cabinets in a locked facility
- Access only by authorized personnel with a need to know
- Do not send via regular mail
- Implement a shred policy and shred everything; destroy paper records that do not need to be kept or stored

BEST PRACTICES TO PROTECT HIGH-RISK DATA (CONT'D)
Electronic records:
- Use encryption for sensitive data
Mobile technology:
- Encrypt laptops and mobile devices (full-disk encryption, with the key not stored on the device in the clear)
- Prohibit downloading sensitive data onto local hard drives
- Securely erase loaner laptops before reissue and all devices before disposal

BEST PRACTICES TO PROTECT HIGH-RISK DATA (CONT'D)
Verbal information:
- Minimum necessary
- Speak only to those with a need to know

BEST PRACTICES FOR PAPER RECORDS (CONT'D)
- Lock filing cabinets where available
- Lock facilities
- Permit access only to authorized individuals with a need to know
- Do not send full SSNs via regular mail
- Shred
- Destroy paper records that do not need to be stored

THANK YOU! QUESTIONS? Linn Foster Freedman, Esq. Nixon Peabody LLP One Citizens Plaza Suite 500 Providence, RI 02903 Phone: 401-454-1108 Email: lfreedman@nixonpeabody.com