SATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE

This newsletter summarizes the highlights of the Final Omnibus HIPAA Privacy and Security Rule announced by the Department of Health and Human Services (DHHS) on January 17, 2013 and published in the Federal Register on January 25, 2013. The Rule modifies the HIPAA Privacy, Security, and Enforcement Rules, implements statutory amendments under the HITECH Act of 2009, strengthens privacy and security protection for individuals' health information, modifies the Breach Notification Rule, and strengthens privacy protections for genetic information.

When the HIPAA Privacy and Security Rules went into effect, we saw a flurry of compliance activity by Covered Entities, including but not limited to medical practices. The inclusion of HIPAA compliance in the requirements for Meaningful Use stimulated additional interest by Eligible Providers seeking financial incentives. Business Associates, including many software manufacturers who work with Covered Entities, have also developed HIPAA compliance programs. Nonetheless, many practices and Business Associates have yet to establish or modify their HIPAA compliance programs. Hopefully this new Rule, which ties together many of the disparate pieces of the program, will stimulate all to take action. There's a lot more to HIPAA compliance than hanging a Notice of Privacy Practices on the wall!

HIPAA REMINDERS AND NEW INFORMATION

1. What is HIPAA?

In 1996, the federal government passed the Health Insurance Portability and Accountability Act (HIPAA). Its purpose was to provide assurances that the healthcare system would keep personal health information private. The Administrative Simplification portion of the law had five parts: the Privacy Rule, the Transactions and Code Sets Standards, the Security Rule, the Employer Identifier Standard, and the National Provider Identifier Standards.

The HITECH Act of 2009, part of the American Recovery and Reinvestment Act (ARRA), both modified some of the provisions of the Privacy and Security Rules and added requirements. Other relevant statutes and regulations are the Interim Final Regulations on implementation of Breach Notification, the Federal Trade Commission (FTC) Final Regulations on implementation of Breach Notification, the Interim Final Rule addressing Breach Notification and monetary penalties, the 2010 Notice of Proposed Rule Making, and the Genetic Information Nondiscrimination Act of 2008. The intent of the Final Omnibus Rule is to eliminate inconsistencies among these authorities and bring everything together.

2. Who are the important parties affected by HIPAA Privacy and Security?

Covered Entities (e.g. health plans, healthcare clearinghouses, or healthcare providers that transmit health information in electronic form); Business Associates; and Agents. When HIPAA first went into effect, the emphasis was on the responsibilities and liability of Covered Entities. By 2009, there was more emphasis on Business Associates. Now the definition of Business Associate is broader and includes a person who creates, receives, maintains, or transmits PHI on behalf of a Covered Entity on a routine (as opposed to a random) basis. Business Associates must comply with all requirements of the Security Rule and with most but not all requirements of the Privacy Rule. The requirements for Business Associates apply to their subcontractors too, and it's the responsibility of the Business Associate, not the Covered Entity, to make sure that subcontractors are in compliance.

3. What are the civil monetary penalties for noncompliance?

Four categories of violations reflect increasing levels of culpability and four tiers of penalty amounts. The penalty for each violation ranges from $100 to $50,000, and there is a $1.5 million maximum penalty per calendar year. The Office for Civil Rights (OCR), the enforcing agency, does not apply the maximum penalty in all cases. It considers an entity's financial condition, the number of individuals affected, reputation, and prior indications of noncompliance and compliance.

4. How has enforcement changed since HIPAA went into effect?

First, DHHS now does a preliminary investigation of every complaint. If the preliminary review indicates a possible violation of HIPAA rules due to willful neglect, the investigation automatically proceeds. If the preliminary review does not show willful neglect, DHHS has the option of trying to achieve voluntary corrective action. Penalties apply to Covered Entities, Business Associates, and subcontractors of Business Associates. A 30-day cure period factors into the determination of the size of the penalty. The clock starts running at the time the entity (i.e. Covered Entity, Business Associate, or Subcontractor) learns of or should reasonably know of the problem.

There's a formal and proactive audit program in place. We know of several medical practices that attested to being HIPAA compliant when they applied for the financial incentive under Meaningful Use and are now targets for audit. Questionable HIPAA compliance may jeopardize their receipt of the money that they seek.

5. What is the compliance date for the Omnibus Final Rule?

The effective date of the Omnibus Rule is March 26, 2013. Compliance for both Covered Entities and Business Associates is required 180 days from the effective date, i.e. September 23, 2013.

6. Should my practice revise its Notice of Privacy Practices (NPP) and redistribute it to patients?

Yes; there have been many changes since the passage of the HIPAA Privacy and Security Rules. Here are some of them. The NPP must have language regarding patient authorization for most uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes, and disclosures regarding the sale of PHI. There must also be a statement regarding patient authorization for uses and disclosures not specifically described in the NPP. New language must mention an individual's right to opt out of fundraising communications. Healthcare providers must clearly acknowledge their obligation to restrict use and disclosure to a health plan upon request by an individual who has paid out-of-pocket in full for a specific service.

Healthcare providers are not required to print and distribute a revised NPP. They must post the new NPP in a clear and prominent location and make copies available to those individuals who wish to take them. Providers may also post a summary of the revised NPP, provided that the full notice is also available. If patients have given permission to receive practice information by email, the practice can send the revised NPP electronically.

7. How does the Omnibus Rule enhance the rights of individuals with respect to PHI?

The limitations on the use and disclosure of PHI for marketing and fundraising are stronger. Individuals can now request electronic copies of PHI, and Covered Entities must provide it in the form requested by the individual if readily producible, or in a readable form and format agreed to by the Covered Entity. Individuals can request transmission of a copy of PHI directly to a designated person. In such cases, the Covered Entity must verify the identity of the individual making the request and take reasonable steps to ensure that the email address of the recipient is correct.

Individuals who pay out of pocket in full for a service can restrict disclosure of that information to a health plan. To help parents and guardians, Covered Entities now have an easier process for disclosing proof of immunization to schools in those states that have school entry and other similar laws. There's greater clarity in the procedures for notifying individuals of a Breach. When individuals request PHI, Covered Entities must provide the requested information within 30 days, with a one-time 30-day extension.

8. How has the definition of a Breach changed, and what are the guidelines for determining and reporting a Breach?

Although the determination of a Breach remains more subjective than many in the health industry would like it to be, the Omnibus Rule modifies and clarifies the definition of Breach and the risk assessment approach. There's a new definition of a Breach: an impermissible use or disclosure of PHI, unless the Covered Entity or Business Associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. Rather than focusing on potential harm to the individual, the new language requires a risk assessment, performed by the Covered Entity or Business Associate, that considers the nature and extent of the PHI, the unauthorized person who used the PHI or to whom it was disclosed, whether or not the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

A common example of a possible Breach is a lost or stolen laptop computer. The loss or theft itself does not necessarily mean a Breach. If the owner can retrieve the laptop and forensically show that there was no Breach, then there's nothing to report. But if the laptop can't be retrieved, there is a Breach that must be reported to the individuals affected and possibly to CMS.

9. How does the Omnibus Rule modify the HIPAA Privacy Rule to protect genetic information as required by the Genetic Information Nondiscrimination Act (GINA) of 2008?

GINA prohibits discrimination based on an individual's genetic information in health coverage and employment contexts. Genetic information is defined as information about the genetic tests of an individual or an individual's family members and about diseases or disorders manifested in an individual's family members. Genetic information is distinguished from medical tests such as HIV tests, complete blood work, cholesterol testing, and liver function tests.

10. What are good resources for additional information?

The Final Omnibus Rule was published in the Federal Register on January 25, 2013. The link is http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf. The material identifies modifications and additions, citing both public comment and the rationale for DHHS's final decisions.

The North Carolina Healthcare Information and Communications Alliance (NCHICA) is working to revise the sample tools that it produces: a Notice of Privacy Practices, a Business Associate Agreement, and a Notice of a Breach. Satinsky Consulting, LLC will participate in the revision process. Go to www.nchica.org for additional information. The website of the Office for Civil Rights contains instructions for submitting a Breach form: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.

WHAT'S NEXT FOR YOUR PRACTICE OR ORGANIZATION?

SATINSKY CONSULTING, LLC can help your practice or organization in several ways. Contact us at 919-383-5998 or Margie@satinskyconsulting.com to learn more.

If you haven't started on HIPAA compliance, we provide customized Privacy and Security Rule Manuals tailored to your specific needs. Both contain assessment tools that help you determine your current situation and identify next steps. The package includes staff training. If you are a current client for whom we have already prepared the Privacy and Security Manuals, completed assessments, and conducted staff training, we can update the material and retrain your staff. If we did not participate in the development of your HIPAA program, we can review current materials, make suggestions for change, and retrain your staff.

Satinsky Consulting, LLC, 2013