Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule


IMPORTANCE OF STAFF TRAINING
HIPAA staff training is a key, required element in a covered entity's HIPAA compliance plan. It must be repeated at least annually, or whenever the HIPAA Rules change, policies are updated, or job descriptions change. In April 2013, the Office for Civil Rights stated that inadequate staff training is one of the key deficiencies discovered in its auditing and enforcement activities.

The HIPAA Rules:
- Privacy Rule
- Security Rule
- HIPAA Transactions and Code Sets Rule
- Unique Identifiers Rule
- Enforcement Rule

WHAT IS HIPAA?
The Health Insurance Portability and Accountability Act of 1996 and its amendments.
Intent: to protect privacy at the highest level.
HIPAA preempts state law, unless the state privacy laws are more stringent. HIPAA defers to state law on the treatment of minors, but providers must still consider both state privacy laws and HIPAA, depending on the issue.

WHO IS REQUIRED TO COMPLY WITH HIPAA?
- Healthcare providers
- Healthcare plan providers
- Business Associates*
- Agents*
- Subcontractors*
- Clearinghouses
*Effective March 26, 2013, under the HIPAA Omnibus Final Rule

PENALTIES
Penalties can be imposed for Privacy and Security violations and for HITECH violations at the same time; simultaneous imposition of penalties is at the discretion of the OCR. Both covered entities and individuals can be penalized. Revenue earned from the imposition of penalties is used by the OCR to further enforce the HIPAA rules and to fund the audit program.

PENALTIES (continued)
- Unknowing: the covered entity or business associate did not know, and reasonably should not have known, of the breach.
- Reasonable cause: the covered entity or business associate knew, or should have known, that the act was a breach, but the covered entity did not act with willful neglect.
- Willful neglect: conscious violation of, or reckless indifference to, the law.

PENALTIES: AMOUNTS
Civil (general penalty):
- Unknowing: $100 - $50,000 per violation; maximum of $1.5 million annually
- Reasonable cause: $1,000 - $50,000 per violation; maximum of $1.5 million annually
Criminal:
- Unknowingly/reasonable cause: up to $50,000 per violation; up to one year imprisonment
- False pretense: up to $100,000 per violation; up to five years imprisonment
- Intent to sell/malicious intent/personal gain: up to $250,000 per violation; up to ten years in prison
Additional penalties for willful neglect:
- Corrected in 30 days: $10,000 minimum penalty, up to $1.5 million
- Not corrected: $50,000 minimum penalty; unlimited maximum penalty
Effective March 13, 2013

KEY TERMS AND ACRONYMS
IIHI/PHI: Individually Identifiable Health Information/Protected Health Information
- Electronic, written, or oral
- Related to the past, present, or future physical or mental health or condition of an individual
- Related to the provision of, or payment for, healthcare for an individual
- Created, received, or maintained by a covered entity

KEY TERMS AND ACRONYMS
PHI: 18 Identifiers
1. Names
2. All geographical subdivisions smaller than a state (street address, city, county, ZIP code), except for the initial three digits of a ZIP code (with exceptions)
3. All elements of dates, except year, for dates directly related to an individual
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
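The identifier list above is the basis of the Safe Harbor approach to de-identification, and it is also what a data-loss-prevention check looks for before free text leaves a covered entity. The following is an added example written for this page (not part of the original training material): a small scanner and redactor for the subset of the 18 identifiers that have a recognisable textual shape (URL, e-mail, SSN, phone, IP address, date, ZIP code). It applies the slide's own rules for dates (keep the year only) and ZIP codes (keep the first three digits). The sample note, the tag names such as "[SSN]", and the regular expressions are constructed for the example; name-based identifiers (names, medical record numbers, biometrics, photographs) have no simple pattern and are deliberately not covered.

```python
"""Illustrative PHI identifier scanner written for this page (not part of the
original training material). Covers the textual-shape subset of the 18 Safe
Harbor identifiers; the sample input at the bottom is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Finding:
    identifier: int   # number of the identifier on the slide's 18-item list
    label: str
    text: str         # the matched string before redaction


def _keep_year(m: re.Match) -> str:
    # Identifier 3: every date element except the year is an identifier,
    # so only the year is allowed to remain.
    return m.group(1) or m.group(2)


def _keep_zip3(m: re.Match) -> str:
    # Identifier 2: the first three ZIP digits may remain (the slide's
    # "with exceptions" for sparse areas is not modelled here).
    return m.group(0)[:3] + "XX"


# (identifier number, label, pattern, replacement). Rules run in this order
# over the progressively redacted text, so a URL is consumed before the IP
# or e-mail rule could match inside it, and an SSN before the ZIP rule could
# see its trailing digits. Any bare 5-digit number is treated as a ZIP code:
# over-redaction is preferred to leakage.
_RULES: List[Tuple[int, str, re.Pattern, Callable[[re.Match], str]]] = [
    (14, "URL", re.compile(r'\bhttps?://[^\s<>"]*[^\s<>".,;:)]'), lambda m: "[URL]"),
    (6, "e-mail address", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda m: "[EMAIL]"),
    (7, "Social Security number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: "[SSN]"),
    (4, "phone number", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"), lambda m: "[PHONE]"),
    (15, "IP address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), lambda m: "[IP]"),
    (3, "date (non-year elements)",
     re.compile(r"\b(?:\d{1,2}/\d{1,2}/(\d{4})|(\d{4})-\d{2}-\d{2})\b"), _keep_year),
    (2, "ZIP code", re.compile(r"\b\d{5}(?:-\d{4})?\b"), _keep_zip3),
]


def redact(text: str) -> Tuple[str, List[Finding]]:
    """Return the text with recognised identifiers redacted, plus what was found."""
    findings: List[Finding] = []
    for number, label, pattern, replacement in _RULES:
        def _sub(m: re.Match, number=number, label=label, replacement=replacement) -> str:
            findings.append(Finding(number, label, m.group(0)))
            return replacement(m)
        text = pattern.sub(_sub, text)
    return text, findings


def scan(text: str) -> List[Finding]:
    """List the identifiers found, in rule order, without returning redacted text."""
    return redact(text)[1]


def contains_phi_identifiers(text: str) -> bool:
    return bool(scan(text))


# Constructed sample note; every value is fictitious (documentation ranges).
SAMPLE_NOTE = (
    "Patient contacted on 03/14/2013 at (555) 010-0199, email jdoe@example.org. "
    "SSN 123-45-6789 on file, home ZIP 70112. Portal login from 203.0.113.7, "
    "see https://portal.example.org/record/4412."
)

if __name__ == "__main__":
    cleaned, found = redact(SAMPLE_NOTE)
    for f in found:
        print(f"identifier {f.identifier:>2} ({f.label}): {f.text}")
    print(cleaned)
```

Running the script on the constructed note yields "Patient contacted on 2013 at [PHONE], email [EMAIL]. SSN [SSN] on file, home ZIP 701XX. Portal login from [IP], see [URL]." A pattern scanner of this kind is a useful gate on outbound text and export jobs, but it is a complement to the Minimum Necessary review described later on this page, not a substitute: the identifiers it cannot recognise are exactly the ones a human reviewer must still look for.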

KEY TERMS AND ACRONYMS
- TPO: Treatment, payment, operations
- Authorization Form
- Direct and Indirect Treatment Relationships
- Disclosure
- Minimum Necessary
- Breach Notification/Risk Assessment/Low Probability
- HIPAA Omnibus Rule
- Business Associate

KEY TERMS AND ACRONYMS
What is a Business Associate? Persons or organizations that create, receive, maintain, transmit, or access PHI on behalf of a covered entity.

KEY TERMS AND ACRONYMS
Minimum Necessary: the requirement that a covered entity make reasonable efforts to limit the PHI that it uses, discloses, or requests from another covered entity to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Justification of what constitutes the minimum necessary may be required in some situations. The standard does not apply to disclosures to, or requests by, a health care provider for treatment purposes.

THE PRIVACY RULE
Establishes national standards to protect individuals' medical records and other personal health information, and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.

THE PRIVACY RULE
- Gives patients control over their PHI
- Gives patients the right to restrict the use of their PHI, including in relation to billing
- Gives patients the right to request confidential communication regarding their PHI
- Sets boundaries on use and disclosure of PHI
- Sets safeguards
- Holds violators accountable
- Limits disclosure to the Minimum Necessary
- Gives patients the right to notification in the event of a breach (HIPAA Omnibus Final Rule)
- Gives patients the right to file a complaint with the OCR

THE PRIVACY RULE
HIPAA requires that all covered entities have a Privacy Compliance Plan:
- Privacy Officer or Privacy Committee
- Written privacy policies, procedures, and forms
- A privacy notice
- Gap Analysis
- Audits at least annually to identify privacy risks and reduce vulnerabilities
HIPAA requires that all employees have privacy awareness training AT LEAST ANNUALLY.

THE PRIVACY RULE
Privacy Awareness Training:
- Overview and basic understanding of the Privacy Rule
- Understanding of the Minimum Necessary standard
- Understanding of Privacy Policies and Procedures
- Documentation of all training
- Updated training at least annually or as job duties change
All procedures, forms, Privacy Notices, staff training, Gap Analysis, Risk Analysis, and other considerations regarding compliance with the HIPAA Omnibus Final Rule must be implemented and/or updated as of September 23, 2013.

THE PRIVACY RULE
Day-to-Day Compliance. Key words to remember:
- Common Sense
- Minimum Necessary
- Reasonable
- Good Faith Effort
- No Willful Neglect

THE SECURITY RULE
Establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

THE SECURITY RULE
Intended to ensure three main points:
- Confidentiality: who can see your data
- Integrity: data is not altered or destroyed
- Availability: data is accessible when needed

THE SECURITY RULE
Information Security:
- Minimizing the vulnerability of assets and resources
- Controlling access to valued resources
- Controls, countermeasures, and procedures to ensure the appropriate protection of information assets

THE SECURITY RULE
Key Security Terms:
- Asset: anything of value
- Vulnerability: any weakness that could be exploited to violate a system or the information it contains
- Threat: a potential violation of security
- Confidentiality: preventing unauthorized disclosure of sensitive information
- Integrity: preventing unauthorized modification of systems and information
- Availability: preventing disruption of service and productivity
- Authentication: the process of proving your identity
- Access Control: protection against the unauthorized use of resources

THE SECURITY RULE
HIPAA requires that all covered entities have a Security Compliance Plan:
- Security Officer or Security Committee
- Risk Analysis
- Audits to identify security risks
- Written privacy policies, procedures, and forms for the six main sections of the Security Rule:
  1. Administrative Safeguards
  2. Physical Safeguards
  3. Technical Safeguards
  4. Organizational Requirements
  5. Policies/Procedures & Documentation Requirements
  6. Sanction Policy

THE SECURITY RULE
Administrative Safeguards:
- Assigned Security Officer
- Risk Analysis
- Staff Training
- Disaster Recovery Plan
- Data Backup Plan
- Password Management
- Business Associate Contracts

THE SECURITY RULE
- Physical safeguards: facility security, maintenance records, media disposal, data backup and storage
- Technical safeguards: unique user identification, encryption, audit trails, security software and features, automatic logoff, transmission security/encryption
- Organizational requirements: Business Associate agreements

THE SECURITY RULE
HIPAA requires that all employees have security awareness training to ensure:
- Protection from malicious software: staff should guard against, detect, and report malicious software, downloads, or any suspicious system activity
- Password Management: procedures for changing and safeguarding passwords
- Understanding of security policies and procedures
- Documentation of all training
- Updated training

THE SECURITY RULE
Seven Areas to Maintain:
1. Assign/Reassign Security Responsibility
2. Annually Conduct a Risk Analysis
3. Implement Policies and Procedures and Review Annually
4. Remediation
5. Implement Business Associate Contracts*
6. Conduct Annual Staff Training
7. Ongoing/Annual Evaluation, Testing, and Remediation
*Business Associate Agreements must be implemented as of September 23, 2013, as outlined by the HITECH/Omnibus Final Rule.

WHAT IS THE HITECH ACT?
Health Information Technology for Economic and Clinical Health Act:
- Part of the American Recovery and Reinvestment Act of 2009
- Contains specific incentives to accelerate the adoption of electronic health record systems among providers
- Widens the scope of privacy and security protections available under HIPAA
- Increases the potential legal liability for noncompliance
- Mandates new disclosure rules for reporting breaches
- Provides for more enforcement against more parties

WHAT IS THE HIPAA OMNIBUS FINAL RULE?
- Released January 17, 2013 and effective September 23, 2013
- Interprets and implements various provisions of the HITECH Act, which required HHS to modify HIPAA's Enforcement Rule and HHS's approach to imposing civil money penalties (CMPs)
- Significantly increased the amount of CMPs, reduced the number of available affirmative defenses to CMPs, and required the imposition of CMPs for all violations due to willful neglect
- Extended all CMP scenarios to apply to Business Associates
- Strengthened patient privacy protections
- Provides patients with new rights to their protected health information

Definitions Under the Final Rule
- Breach: the impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless the responsible entity can demonstrate that there is a low probability the PHI has been compromised, based on a risk assessment that includes a specific list of factors to be considered, as outlined by the OCR.
- Breach Notification: if a breach occurs and there is a probability that PHI has been compromised, affected individuals and the Secretary of HHS must be notified in a very specific manner, as outlined by the OCR. This applies to breaches by Business Associates and their subcontractors.
- Secured PHI: the only two accepted methods for rendering PHI unusable, unreadable, indecipherable, uncompromised, and secured by definition are encryption and destruction.

Patient Rights/Covered Entity Restrictions
Sale of PHI
Covered entities may not receive direct or indirect payment in exchange for PHI unless the patient has signed a specific authorization. Exceptions: public health activities, research, treatment of the patient, sale/transfer/merger of the business, business associate activities, and fees charged to provide a patient with a copy of their PHI pursuant to a request. Payment or remuneration does include in-kind value. Disclosure for the purposes of sale includes the granting of access, directly or indirectly, through licenses or lease agreements.

Research
The Final Rule permits covered entities to combine conditional and unconditional authorizations for research if they differentiate between the two activities and allow for an opt-in to the unconditional research activities. Future research studies may now be part of a properly executed authorization that includes all the required elements. Exception: authorizations for psychotherapy notes may only be combined with other authorizations for psychotherapy notes.

Access to PHI
- Electronic Access: the Final Rule allows individuals to request electronic copies of their PHI, and they may direct an entity to transmit a copy directly to another entity or person.
- Third Parties: if an individual requests in writing, pursuant to a valid HIPAA authorization form, and clearly identifies the designated person who is to receive the PHI, the entity must transmit the copy as requested.*
- Fees: covered entities can charge reasonable cost-based fees, including labor costs, for both paper and electronic PHI records. Fees for maintaining systems, infrastructure, and storage are not considered reasonable, cost-based fees.
* Entities need to implement policies and procedures to verify the identity of the person requesting PHI.

Access to PHI
Timeliness: the Final Rule requires entities to provide access to records within 30 days in all circumstances, with a one-time 30-day extension.

Marketing
The Final Rule requires a patient authorization for treatment communications if the covered entity receives payment from the third party whose product/service is the subject of the communication. This does not include in-kind or other nonfinancial subsidies for this purpose. Face-to-face communications, gifts of nominal value, services pertaining to case management, alternative treatments or services, or communications regarding refill reminders do not require an authorization.

Disclosures Regarding Decedents
The Final Rule allows entities to disclose a decedent's information to family members and others who were involved in the care of, or payment for the care of, the decedent prior to death, unless this is inconsistent with any prior expressed preference of the individual known to the covered entity. This change does not affect the authority of the personal representative. The IIHI of a person who has been deceased for more than 50 years is NOT PHI under the Privacy Rule.

Disclosures Regarding Students
Covered entities are permitted to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. Written authorization is no longer required. Covered entities must obtain oral or written agreement from the parent or guardian and document the type of agreement obtained. The agreement is effective until revoked.

Restrictions on Fundraising
The Final Rule permits covered entities to use/disclose PHI to a business associate or related foundation for fundraising purposes without an authorization. Permitted PHI includes:
- Demographic information
- Dates of healthcare provided to the individual
- Department providing healthcare to the individual
Fundraising communications must provide a clear opportunity for the patient to opt out of receiving future communications. Entities are given flexibility to decide the method by which individuals opt out of, and opt back into, the use of their PHI for fundraising. Once an individual has opted out, the covered entity must take reasonable measures to ensure that no further communication is provided.

Restrictions
A covered entity must honor a patient's request to restrict disclosure of PHI to a health plan/insurer for services that the patient paid for in full, out of pocket. The covered entity must develop methods to prevent such disclosures, such as notations in records or separate billing. Entities may still submit restricted information to Medicare and Medicaid audits that are required by law.

Accounting of TPO Disclosures
If a covered entity uses electronic health records, the covered entity, at the patient's request, must provide an accounting of disclosures for treatment, payment, and healthcare operations for a three-year period.

Business Associates & Subcontractors
The Business Associate Agreement used by covered entities must be updated to include the following changes by September 23, 2013:
- A requirement that BAs comply with the HIPAA Security Rule
- A requirement that BAs report breaches of unsecured PHI to covered entities
- A requirement that any subcontractor of the BA agrees to the same restrictions and conditions that apply to the BA
BAs are required to enter into Business Associate agreements with their subcontractors. Covered entities can now be liable for the violations of a BA acting as an agent of the covered entity. Training BAs regarding compliance efforts, and having knowledge of their compliance activities, is imperative.

Changes to Notice of Privacy Practices
The Notice must include statements regarding:
- The types of uses and disclosures that require individual authorization
- An individual's right to opt out of fundraising communications
- An individual's right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for health care services
- An individual's right to notice in the event of a breach of unsecured PHI
- An individual's rights with respect to the use of their genetic information for health plan underwriting purposes

Notice of Privacy Practices
Distribution Requirements:
- Make the latest notice (i.e., the one that reflects any changes in privacy policies) available at the provider's office or facility for individuals to request and take with them, and post it in a clear and prominent location at the facility
- May be emailed to the patient if they agree
- Provide the notice no later than the date of first service and make a good faith effort to obtain written acknowledgement (the exception is emergency treatment)
As previously required, a healthcare provider should retain copies of each version of its Notice and all written acknowledgements of receipt of the Notice by individuals.

Additional Changes to Notice of Privacy Practices
Additionally, covered entities must ensure that the Notice includes language stating:
- Most uses and disclosures of psychotherapy notes (if recorded by a covered entity) will require an authorization
- Most uses and disclosures for marketing purposes will require an authorization
- Most disclosures of PHI that constitute the sale of PHI will require an authorization
- Uses and disclosures not described in the Notice will require an authorization

Privacy and Security
In response to the Final Rule, you must verify that your organization has undergone a recent Security Risk Analysis. The OCR views failure to conduct such an analysis as a key trigger for enforcement action. An insufficient risk analysis was among the top weaknesses discovered during the 2012 pilot audit program.
- Clearly assign responsibilities to capable employees
- Update Business Associate Agreements: agreements in existence prior to the Final Rule enactment date of January 2013 must be updated when the agreement is modified or reviewed, or by September 22, 2014, whichever is earlier

HIPAA OMNIBUS RULE/FINAL RULE
Breach Notification Rule
The Final Rule removes the harm standard from the definition of breach. Now, if a breach occurs and there is a probability that PHI has been compromised, affected individuals and the Secretary of HHS must be notified in a very specific manner, as outlined by the OCR. This also applies to breaches by Business Associates and their subcontractors.
- Breaches affecting 500 or more individuals/patient records require notice to the Secretary of HHS through an online portal, and prominent media outlet coverage, to ensure adequate notice to affected individuals.
- Breaches affecting fewer than 500 people require the maintenance of a log of such breaches for annual submission to the Secretary of HHS within 60 days of the end of each calendar year, covering breaches that occurred in the previous year. An online form for each breach must be completed at www.hhs.gov.

Breach Notification Rule
- Breaches affecting deceased patients require notice to next of kin.
- Individual notice must be given by first class mail within 60 days of discovery of the breach, unless the individual has agreed to electronic notification.
- Notices must describe what occurred, details of the unsecured PHI that was breached, steps to mitigate harm, and the covered entity's response.
- If there are 10 or more individuals without current contact information, the covered entity must provide notice on its website for 90 days, or publish it in major print or broadcast media, and maintain a toll-free phone number for 90 days so that individuals can learn whether their PHI was involved in the breach.

Investigation and Resolution of Violations
HHS will investigate a possible violation if a preliminary review of the facts available from a complaint or compliance review indicates the possibility of Willful Neglect. The investigation may proceed directly to an enforcement action, particularly in the case of willful neglect. Absent indications of willful neglect, HHS will seek the entity's compliance through informal, voluntary action in appropriate cases.

Investigation and Resolution of Violations
Violations due to reasonable cause: covers many common violations by otherwise generally compliant covered entities, such as those that occur due to human error despite training and appropriate policies. The Final Rule modifies the definition of Reasonable Cause to specify the state of mind. Reasonable cause covers violations where the entity exercised ordinary business care and prudence to comply with the provision that was violated; it lacks conscious intent or reckless indifference.

Risk Assessment
Low probability is evaluated using, at least, the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated

Risk Assessment
The Final Rule includes the following as factors in determining the amount of a civil monetary penalty:
- The number of affected individuals
- The time period during which the violation occurred
- The nature and extent of the harm resulting from the violation, including but not limited to:
  - Whether the violation caused physical harm
  - Whether the violation resulted in financial harm
  - Whether the violation resulted in harm to an individual's reputation*
  - Whether the violation hindered an individual's ability to obtain healthcare
* Points to the need to keep patient information off social networking sites

Audit Program
HIPAA enforcement totals from 2011 and 2012 exceeded $10.8 million in fines. The new director of the OCR has said that audits will become a permanent and robust program. The OCR will use money collected from fines to further enforcement activities, including audits. Covered entities need to prepare for audits, enforcement, and costly fines for non-compliance.

Audit Program
Audit reviews are expected to include:
- Privacy and Security Compliance Policies
- Plans for complying with the Breach Notification Rule
- Documentation of staff training
- Documentation of internal audits to identify operational vulnerabilities/risk analysis

AUDITS
- Update Privacy and Security Policies and Procedures, and Business Associate Agreements
- Staff Training
- Up-to-date and thorough Privacy Gap Analysis/Security Risk Analysis
- Address threats and vulnerabilities annually
- Document
- Identify areas where additional training is needed

RESOURCES
- HIPAA Audit Program Protocol: compare your compliance program against the identified Security, Privacy, and Breach elements. www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.htm
- The National Institute of Standards and Technology: http://scap.nist.gov/hipaa/
- HHS provides a Privacy & Security Framework Tool as a baseline for developing a compliance plan: www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/
- HIPAA Security Rule Guidance: www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
- Compliance with mobile devices: www.healthit.gov/mobiledevices
- HIPAA Omnibus Final Rule Resource Center: http://omnibus.healthcareinfosecurity.com