The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark and Niki McCoy, September 19, 2013


Disclaimer
The material in this presentation is not meant to be construed as legal advice or in any way a substitute for legal counsel. The session is intended as an overview of the highlights of the new HIPAA Omnibus rule.

What is HIPAA?
- HIPAA (Health Insurance Portability and Accountability Act) is a federal law enacted in 1996 (Public Law 104-191)
- Required HHS to establish standards that:
  - Protect the privacy of a patient's personal and health information
  - Provide for electronic and physical security of personal and health information
  - Simplify billing and other transactions

HIPAA Requires...
- Administrative Safeguards
- Documentation Process Requirements
- Technical Safeguards
- Organizational Requirements
- Physical Safeguards

Covered Entity
- Health Plans: individual and group plans that provide or pay the cost of medical care
- Health Care Providers: any provider who electronically transmits health information in connection with standardized transactions regulated by HIPAA
  - Covers transactions conducted either directly or indirectly by the provider
  - Includes all providers of services (e.g., institutional providers such as home health agencies), providers of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care
- Health Care Clearinghouses: entities that process nonstandard information they receive from one entity into a standard format (or vice versa)
  - Billing services, repricing companies, etc.

Business Associate
- A person or organization (other than an employee of the CE) that performs certain functions or activities on behalf of the CE that involve the use or disclosure of protected information
- Redefined under the new rules as entities that create, receive, maintain, and/or transmit PHI on behalf of a covered entity

Protected Health Information
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; AND
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

What is HITECH?
- The Health Information Technology for Economic and Clinical Health Act
- Enacted as part of the American Recovery and Reinvestment Act in 2009
- Required expansive changes to HIPAA:
  - Applying HIPAA privacy and security requirements directly to BAs
  - Establishing mandatory security breach reporting requirements
  - Creating new privacy requirements for CEs and BAs
  - Establishing new criminal and civil penalties for noncompliance
- Since HITECH, HHS has issued proposed and interim final regulations to implement its changes

Why HITECH?
- HIPAA was a paper tiger: it looked ferocious but had no teeth
- During ARRA we were focused on the economy, unemployment, bank failures, etc.
- During Health Care Reform, we were focused on the public debate
- AND NOW... it all comes around:
  - Security in general is top of mind
  - Corporations are under intense scrutiny
  - Health Care Reform and the push for automated processes
  - The current Administration is enforcement focused

What's the Difference?

So What?
HIPAA/HITECH:
- Fines up to $1.5 million annually
- Criminal penalties up to 10 years in prison
- HHS will audit
- HHS now has subpoena power (not fun!)
STATE LAW:
- State Attorney General can file civil lawsuits (gives HHS 50 free high-profile enforcers)
- Laws and penalties in addition to HIPAA/HITECH
- Lawsuits already in play
BUSINESS IMPACT:
- AND... loss of reputation
- Loss of patients, clients, funding, etc.
- Being published on the HHS website ("Hall of Shame")
- Negative publicity in local and national media

Notable Settlements
Entity | Amount | Year
WellPoint, Inc. | $1.7 million | July 2013
Walgreens | $1.44 million | July 2013
MN AG & Accretive Health (started from a July 2011 lost laptop) | $2.5 million | July 2013
Shasta Regional Med Center | $275,000 | June 2013
Idaho State University | $400,000 | May 2013
Goldthwait Associates & 4 Pathology Groups | $140,000 | January 2013

The Final Omnibus HIPAA Rule
On January 25, 2013, the Office of Civil Rights (OCR) published an omnibus regulation finalizing HHS' previously issued regulations:
- Proposed Rule modifying the Privacy, Security, and Enforcement Rules
- Interim Final Rule adopting changes to the Enforcement Rule
- Interim Final Rule on Breach Notification for Unsecured Protected Health Information
- Proposed Rule modifying the Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA)

What's Changed?
- Deadlines
- Application of the Rules
- Business Associates
- Breach Notification
- Enforcement and Penalties
- Privacy Requirements
- Security Requirements
- Genetic Information

Deadlines
- What is the significance of September 23, 2013?
- Deferred compliance date: September 22, 2014
  - Applies only to certain existing business associate agreements
- Default compliance period is now 180 days

Application of the Rules
- Numerous provisions now directly apply to Business Associates and subcontractors
- Big change affecting Hybrid Entities
  - Example: a supermarket with a pharmacy
  - Before the changes, the employer could choose how to handle support functions
  - Now support functions must comply like a business associate

Business Associates
The final rule makes clear that BAs include:
- A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services to a CE and requires routine access to PHI
- A person that offers a PHR to one or more individuals on behalf of a CE (e.g., PHR vendors)
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a BA
- Organizations that perform certain patient safety activities (e.g., Patient Safety Organizations)

Subcontractors as BAs
- The final rule applies the BA provisions of the HIPAA Rules to subcontractors
  - A subcontractor is a person to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the BA's workforce
- Subcontractors that are involved with the creation, receipt, maintenance or transmission of PHI must be in compliance with the applicable HIPAA Rules
- BAs must obtain satisfactory assurances, in the form of a BA agreement or otherwise, that a subcontractor will comply with HIPAA requirements

Increased BA Liability
Before the Final Omnibus Rule:
- BAs were contractually liable for failing to comply under BA agreements with covered entities
After the Final Omnibus Rule, BAs are directly liable for:
- Uses and disclosures of PHI that are not in accord with the BA agreement or the Privacy Rule;
- Failing to disclose PHI when required for investigative purposes or when individuals request copies of their PHI;
- Failing to make reasonable efforts to limit information disclosed to the minimum necessary;
- Failing to enter into BA agreements with subcontractors; and
- Contractually, for any obligations in their BA agreements

Typical BA Functions
- Claims processing or administration
- Data analysis, processing or administration
- Utilization review
- Quality assurance
- Billing
- Benefit management
- Practice management
- Repricing
- Legal
- Actuarial
- Accounting
- Consulting
- Data aggregation
- Management
- Administrative
- Accreditation
- Financial

Breach Defined
The unauthorized acquisition, access, use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

Four-Factor PHI Breach Assessment
1. Nature and extent of the PHI involved
2. The unauthorized person who used the PHI or to whom disclosure was made
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated
Guilty until proven innocent: a breach is now presumed

Breach Notification
Less than 500 patient records:
- Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach
- Notify HHS on an annual basis
500+ patient records:
- Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach
- Notify the Secretary without unreasonable delay and in no case later than 60 days following a breach
- Provide notice to prominent media outlets serving the State or jurisdiction

Breach Notification
Interim Final Rule:
- Acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI
- Poses a significant risk of financial, reputational, or other harm to the individual (i.e., the Harm Standard)
Final Rule:
- An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA (as applicable) demonstrates that there is a low probability that the PHI has been compromised or an exception applies

New Risk Assessment Standard
- A CE or BA may only elect not to provide a breach notification if a full, objective analysis of certain enumerated factors results in a demonstrable low probability that the PHI has been compromised
- Risk assessments must include at least the following factors:
  - The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  - The unauthorized person who used the PHI or to whom the disclosure was made;
  - Whether the PHI was actually acquired or viewed; and
  - The extent to which the risk to the PHI has been mitigated

Steps if a Breach is Discovered
- Notify Counsel
- Notify Individuals
- Complete Notice of Breach
- Notify the Media
- Notify HHS
If a breach is discovered by the BA, the BA must notify the CE without unreasonable delay and no later than 60 calendar days from the discovery of the breach

Fine Structure
Violation Category | Per Violation | Per Calendar Year
Did Not Know | $100 - $50,000 | $1,500,000
Reasonable Cause | $1,000 - $50,000 | $1,500,000
Willful Neglect, Corrected | $10,000 - $50,000 | $1,500,000
Willful Neglect, Not Corrected | $50,000 | $1,500,000

Blue Cross Blue Shield TN Case
- March 2012: $1.5M settlement related to an incident involving 57 hard drives stolen from a storage facility
- The citation that drove the penalty was NOT the breach
- The penalty was applied because of the failure to implement appropriate administrative safeguards, not performing a risk assessment, and failure to implement access controls for physical safeguards
- HHS considers this case a great example of the lack of ongoing attention to compliance

Prohibition on the Sale of PHI
- CEs and BAs are prohibited from receiving direct or indirect remuneration in exchange for the disclosure of PHI without authorization from the individual
- Exceptions:
  - Public health purposes
  - Research disclosures (remuneration must be a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes)
  - Disclosures for the transfer, merger, or consolidation of all or part of a Covered Entity with another Covered Entity, or with an entity that following such activity will become a Covered Entity, and related due diligence
  - Activities paid for by a Covered Entity to a Business Associate and performed on behalf of the Covered Entity

Street Value of Medical Records
"A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a Social Security number. For those receiving the medical ID number and using it to defraud a health care organization, the average payout is more than $20,000," according to Pam Dixon, executive director of the World Privacy Forum. "Compare that to just $2,000 for the average payout for regular ID theft."
Source: Protected Health Information (PHI): High Value to Hackers: Medical Facilities at Risk, http://www.prweb.com/releases/2013/2/prweb10412883.htm

Privacy Rule Requirements
Changes affecting disclosure of PHI:
- Communications for marketing or fundraising
- Exchanging PHI for a fee
- Disclosures for patient care or payment for care
- Disclosures of student immunizations
- Rights to restrict disclosure
Do you need to update?
- Notices of privacy practices
- Research authorizations
- Internal policies and training programs

Security Rule Requirements
- Ensure: confidentiality, availability and integrity
- Protect against: threats, hazards and wrongful use/disclosure
- Require: continual risk assessment and sanctions
- Implement: administrative, technical and physical safeguards

Genetic Information
- Now specifically recognized as PHI
- Cannot be used for underwriting

4 Days: Are You Ready?
Remember the basics:
- Do not share or give anyone your passwords under any circumstances
- Log off computers when finished and secure paper records that contain PHI
- Destroy, shred or put in the designated bins all paper that could contain PHI
- Look at, use, or share PHI only if necessary to do your job
- Consider insurance policies that cover breach response and notification costs
- Review agreements for liability indemnification provisions

What to do now
- Ensure Business Associate Agreements (BAAs) are in place
- Ensure you reciprocate with the BA and they have a BAA in place for your company
- BAAs should be filed together in HR in a locked cabinet
- BAAs should be reviewed and updated each year or if there is a major change

Dangerous Strategies
- Assume this is a pure legal matter
- Assume the same lack of enforcement will continue
- Assume employees are focused on it
- Assume you have it covered

When (not if) HHS Knocks
- "Didn't know" now means willful neglect
- Make sure policies reflect reality
- Have procedures in place
- Be sure Business Associate agreements and practices are compliant
- Have VISIBLE EVIDENCE

Questions