HIPAA OMNIBUS FINAL RULE

HIPAA OMNIBUS FINAL RULE
Webinar Series Part 3: Breach Notification
April 16, 2013

I. BACKGROUND

Background
> HIPAA Omnibus Final Rule:
  - Announced on January 17, 2013
  - Published in the Federal Register on January 25, 2013: http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf
  - Effective on March 26, 2013
  - Compliance date of September 23, 2013
  - U.S. Department of Health & Human Services (HHS) will begin enforcing the Final Rule's provisions on the compliance date

Background: What is Addressed?
> This Omnibus Rule includes:
  - Final rule on Breach Notification for Unsecured PHI under HITECH (Interim Final Rule issued August 2009)
  - Final rule modifying the HIPAA Privacy Rule under GINA (Proposed Rule issued October 2009)
  - Final rule modifying the HIPAA Enforcement Rule under HITECH (Interim Final Rule issued October 2009)
  - Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by HITECH (Proposed Rule issued July 2010)

Background: What is Not Addressed?
> The Omnibus Rule does not include:
  - Changes to the accounting of disclosures requirements; HHS received many comments opposing this provision (Proposed Rule issued May 2011)
  - Patient right to an access report requirements (Proposed Rule issued May 2011)
  - Minimum necessary guidance (required by the HITECH Act of 2009)

II. FINAL RULE OVERVIEW

Final Rule Overview (I)
> Part III of the Webinar Series will address:
  - Breach of protected health information (PHI)
  - Notification obligations
  - Changes to the definition of Breach
  - Changes to the Breach risk assessment: the harm standard is replaced with a "low probability of PHI being compromised" standard

Final Rule Overview (II)
> Part I of this Webinar Series covered the significant changes to:
  - Business Associates (BAs)
  - Subcontractors
  - Business Associate Agreements (BAAs)
  - Notice of Privacy Practices (NPPs)
> Part II covered changes to:
  - Marketing restrictions
  - Research
  - Sale of PHI

III. BREACH NOTIFICATION

Breach Notification Generally (I)
> Breach Notification Rule: 45 C.F.R. 164.402 et seq.
  - Effective February 22, 2010
  - Requires covered entities (CEs) and BAs, as applicable, to report certain Breaches of PHI to affected individuals, HHS, and the media, depending on the size of the Breach

Breach Notification Generally (II)
> A Breach is an unauthorized acquisition, access, use, or disclosure of PHI requiring Notification, unless:
  - The PHI is encrypted (Unsecured PHI = PHI not rendered unusable, unreadable, or indecipherable to unauthorized persons through technology or methodology specified by HHS, i.e., encryption);
  - An exception to the definition of Breach applies; or
  - The CE or BA, as applicable, demonstrates a low probability that the PHI has been compromised, based on a risk assessment (objective standard)

Breach Exceptions
> General statutory exceptions to Breach (unchanged from the Interim Rule):
  - Unintentional acquisition, access, or use of PHI by a workforce member or an authorized person, if made in good faith and within the scope of authority
  - Inadvertent disclosures of PHI from a person authorized to access PHI to another person authorized to access PHI at the same CE, BA, or OHCA
  - Good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such PHI

Breach Notification Key Changes
> Definition
> Burden of proof
> Risk Assessment: entities may choose to provide Notification without conducting a risk assessment
> Clarification of Notification requirements
> Changes reflect HHS's belief that Breaches are going unreported: a shift from a subjective to an objective standard

Definition of Breach: Interim Rule
> Breach: "Acquisition, access, use, or disclosure of [PHI] in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the [PHI]"
  - A Breach may be electronic or physical
> "Compromises the security or privacy of the [PHI]": poses a significant risk of financial, reputational or other harm to the individual
  - This definition was the "risk of harm" threshold

Definition of Breach: Final Rule (I)
> Compliance date: September 23, 2013
> Breach: "[A]n acquisition, access, use, or disclosure of [PHI] in a manner not permitted under [the Privacy Rule] is presumed to be a Breach," unless the covered entity (CE) or BA, as applicable, demonstrates that there is a low probability that [the PHI] has been compromised, based on a risk assessment reviewing specific factors

Definition of Breach: Final Rule (II)
> "...demonstrates that there is a low probability that the [PHI] has been compromised"
  - "Low probability" remains undefined
  - "Compromised" remains undefined
  - The terms are established through the risk assessment
  - HHS sets forth specific factors which must be considered in conducting a compliant risk assessment

Breach Risk Assessment
> A Breach Risk Assessment must include the following factors, at a minimum:
  (i) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  (ii) The unauthorized person who used the PHI or to whom the disclosure was made
  (iii) Whether the PHI was actually acquired or viewed
  (iv) The extent to which the risk to the PHI has been mitigated
> Meeting one or all of the factors does not automatically negate Notification obligations

Safe Harbor
> A CE or BA, as applicable, may decide to provide Breach Notification without conducting a risk assessment
> Safe Harbor considerations:
  - Toll on costs, compliance audits, reputation
  - Risk of federal/state enforcement
  - Because Notification must be reported to HHS, these considerations are especially important on the heels of HHS's recent enforcement of Breaches affecting < 500 individuals

IV. BREACH AND BUSINESS ASSOCIATES

BA Breach Notification Obligations
> Upon discovery of a Breach, BAs are directly responsible for Breach Notification:
  - To CEs
  - Possibly to individuals, the media, HHS
  - Look to the BAA between CE/BA and BA/Subcontractor
  - State Breach Notification laws
> Even where there is no Breach, there may be:
  - A violation of the BAA
  - A violation of HIPAA

V. OTHER NOTABLE PROVISIONS

Breach Notification Clarifications
> The Final Rule removed the exception for limited data sets that did not contain any DOB or ZIP
> Notice to HHS for Breaches affecting < 500 individuals should be no later than 60 days after the end of the calendar year of discovery (rather than the year of the event)
  - When should your entity report to HHS?
> Entities must report to the media (> residents of a State or jurisdiction); however, the media does not have an obligation to report/publish the notice

VI. COMPLIANCE STRATEGIES

Compliance Strategies
> Take a breath
  - Enforcement will not begin until September 23, 2013
  - Interim strategy (risk of harm v. low probability)
> OCR recognizes that entities will have Breaches (rogue employee, theft), but looks to the compliance infrastructure (procedures, mitigation, response, training, sanctions)
> Do not aim to overachieve
  - Where internal policies are more restrictive than HIPAA standards, HHS may determine compliance based on the policies rather than the legal requirements

Compliance Action Steps
> Update policies and procedures:
  - Risk assessment v. automatic notification: consider the effect on costs, compliance audits, and reputation
  - Templates, training, and technology: assessment documentation, rogue employees, remote wiping of mobile devices
  - Breach insurance
> BAAs:
  - BA contractually responsible for risk assessments; Notification
  - Indemnification clauses
  - Subcontractor responsibilities
> State law enforcement:
  - Many state law equivalents maintain a risk of harm exception

Further Guidance
> HHS plans to issue further guidance on risk assessments for Breaches before the September 23, 2013 compliance date, including how to address frequently occurring Breach scenarios

VII. QUESTIONS

Contact Information
Jennifer Breuer, 312/569-1256, Jennifer.Breuer@dbr.com
Sara Shanti, 312/569-1258, Sara.Shanti@dbr.com
Fatema Zanzi, 312/569-1285, Fatema.Zanzi@dbr.com
April 16, 2013