AROC 2015 HIPAA PRIVACY AND SECURITY RULES


Presented by: Robert A. Paster, Esq., Brach Eichler L.L.C., 101 Eisenhower Parkway, Roseland, NJ 07068, 973-403-3144, rpaster@bracheichler.com, www.bracheichler.com

PART I: BACKGROUND

Health Insurance Portability & Accountability Act
- Enacted by Congress and signed by Pres. Clinton in 1996
- Title I protects health insurance coverage for workers and their families when they change jobs
- Title II, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers

Health Insurance Portability & Accountability Act: Administrative Simplification Provisions
- Address privacy and security of health data
- Intended to improve the efficiency and effectiveness of our health care system by encouraging the widespread use of electronic data interchange

Key Dates
- 8/21/1996: HIPAA enacted into law
- 11/3/1999: HHS published Notice of Proposed Rulemaking for Privacy Rule
- 12/28/2000: Privacy Final Rule published
- 8/14/2002: Final Modifications to Privacy Rule published
- 2/20/2003: Security Standards published
- 4/14/2003: Privacy compliance deadline
- 4/21/2005: Security compliance deadline
- 2/17/2009: Health Information Technology for Economic and Clinical Health (HITECH) Act enacted; modified certain provisions of the SSA related to the HIPAA Rules
- 10/30/2009: Interim Final Rule published
- 1/25/2013: HIPAA Omnibus Rule published
- 9/23/2013: Compliance deadline, HIPAA Omnibus Rule

APPLICABILITY & OVERVIEW
Privacy Rule
- Applies to Covered Entities
- Many, not all, provisions apply to Business Associates
- Regulates the use and disclosure of Protected Health Information (PHI) held by Covered Entities and their Business Associates
Security Rule
- Applies to Covered Entities and Business Associates
- Complements the Privacy Rule
- Requires administrative, physical and technical safeguards for electronic PHI, or e-PHI (PHI stored in electronic media or transmitted in electronic format)

HIPAA Covered Entities (CEs)
- Health Plans
- Health Care Clearinghouses
- Providers, if they engage in electronic transactions

HIPAA Business Associates (BAs)
Expanded definition under Omnibus Rule:
- On behalf of a CE or of an organized health care arrangement (OHCA), other than in the capacity of a member of the CE's workforce, creates, receives, maintains, or transmits PHI for a function or activity regulated by the Privacy Rule, including claims processing or administration, data analysis, processing, or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management and repricing
- Provides, other than in the capacity of a member of the CE's workforce, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the CE, or to an OHCA in which the CE participates

Business Associates Under the Omnibus Rule
Ask the question: Is the person or company the covered entity is engaging creating, receiving, maintaining or transmitting PHI in order to provide the service for which it was engaged?

Business Associates Under the Omnibus Rule
Common examples of BAs:
- Billing companies
- Management and consulting companies
- Audit companies
- Lawyers, accountants, consultants
Note: Your cleaning service is not a BA! Point: Your cleaning service does not create, receive, maintain or transmit PHI in order to clean your offices.

PART II: PREEMPTION, ENFORCEMENT & PENALTIES

PREEMPTION: FEDERAL HIPAA v. STATE LAW
Generally speaking:
- If any standard, requirement or implementation specification adopted under HIPAA is contrary to state law, HIPAA will control and preempt (or supersede) the state law provision
- "Contrary" means:
  - the CE or BA would find it impossible to comply with both the federal and state requirement
  - the state law impedes the purposes and objectives of health information privacy
- If a state law is more stringent, the state law will control

ENFORCEMENT
Right to Complain: Individuals have the right to complain to the OCR
- OCR will investigate any complaint when a review of the facts indicates a possible violation due to willful neglect
- OCR may investigate any other complaints
- OCR will conduct compliance reviews when a preliminary review of the facts indicates a possible violation due to willful neglect
- OCR may conduct compliance reviews to determine compliance in any other circumstance

Willful Neglect: conscious, intentional failure or reckless indifference to the obligation to comply with the HIPAA provision violated

ENHANCED PENALTIES AND ENFORCEMENT UNDER HITECH
Tiered Penalty Structure

VIOLATION TYPE                   EACH VIOLATION       REPEAT SAME/YR
Did Not Know                     $100 - $50,000       $1,500,000
Reasonable Cause                 $1,000 - $50,000     $1,500,000
Willful Neglect, Corrected       $10,000 - $50,000    $1,500,000
Willful Neglect, Not Corrected   $50,000              $1,500,000

PART III: HIPAA PRIVACY RULE

Information Covered by Privacy Rule
Protected Health Information (PHI): individually identifiable information in all forms (electronic, written, oral)
Information is individually identifiable if:
- It identifies the individual or offers a reasonable basis for identification
- It is created or received by a CE or an employer, AND
- It relates to the past, present, or future physical or mental condition, the provision of health care, or the payment for health care
De-identified information is not PHI

Minimum Necessary Standard
- The Privacy Rule contains minimum necessary standards related to the collection, maintenance, access, use and disclosure of PHI
- Minimum Necessary Standard: A CE must make reasonable efforts to limit its uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the intended purpose
- Standard also applies to BAs

Exceptions to Minimum Necessary Standard
- Disclosures for treatment
- Most uses and disclosures made to the individual
- Disclosures pursuant to valid authorization
- Uses and disclosures required by law
- Disclosures made to the Secretary of the DHHS
- Uses and disclosures required for compliance with HIPAA

Permitted Disclosures of PHI: Incidental Uses and Disclosures
- Incidental uses and disclosures: uses and disclosures that cannot reasonably be prevented, are limited in nature, and occur as a by-product of a use or disclosure otherwise permitted under the rule (e.g., calling a patient's name in the waiting room; sign-in sheets; office discussions)
- Incidental uses and disclosures are permitted only to the extent that the CE or BA has applied reasonable safeguards, including the minimum necessary standard

Permitted Disclosures of PHI: Treatment, Payment & Health Care Operations (TPO)
- CEs may use or disclose PHI for TPO
- CE may obtain consent of the individual to use or disclose PHI to carry out TPO:
  - For the CE's own TPO
  - For the TPO of another CE with a relationship to the individual, so long as the recipient is that CE
  - For purposes of health care operations between CEs participating in a group health plan or other joint arrangement, including an organized health care arrangement
- Best practice: Have patients sign a general consent for TPO disclosures (as part of the registration process)

Exceptions to Permitted Disclosures of PHI
Need patient authorization to release:
- genetic information
- PHI received from a federally-funded drug and alcohol treatment program
- psychotherapy notes
- HIV/AIDS information
  - may release for treatment of the individual
  - may release for other limited reasons under the AIDS Assistance Act
- PHI for marketing purposes
- PHI for sale

Other Permitted Disclosures
Uses and disclosures permitted by regulation without authorization:
- Uses and disclosures required by law
- Uses and disclosures for public health activities
- Disclosures about victims of abuse, neglect or domestic violence
- Disclosures for judicial and administrative proceedings
- Disclosures for law enforcement purposes
- Uses and disclosures for cadaveric organ, eye and tissue donation
- Uses and disclosures for research purposes
- Uses and disclosures to avert a serious threat to health or safety
- Uses and disclosures for specialized government functions
- Disclosures for Workers' Compensation

USES AND DISCLOSURES REQUIRING OPPORTUNITY TO AGREE OR OBJECT
- CE may disclose to a relative or close personal friend of the individual, or any other person identified by the individual, PHI directly related to such person's involvement with the individual's care or related payment
- CE may also disclose to such persons the individual's PHI regarding the individual's location, general condition or death
- If the individual is present, CE may only use or disclose with the individual's agreement (or if it can infer from the circumstances that it may disclose)
- If the individual is not present, or cannot agree or object due to incapacity or emergency circumstances, CE may determine whether disclosure is in the individual's best interests

Patient Authorization
Written patient authorization must contain:
- a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
- the name or other specific identification of the person(s), or class of persons, to whom the CE may make the requested use or disclosure
- a description of each purpose of the requested use or disclosure ("at the request of the individual" is sufficient)
- an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
- signature of the individual (or authorized representative) and date (and authority of the authorized representative, e.g., guardian)

Patient Authorization
Must also contain statements:
- adequate to put the individual on notice that he/she may revoke the authorization (and the circumstances when he/she cannot revoke)
- describing when the CE may condition treatment or payment on the receipt of an authorization
- alerting the individual of the potential for information to be subject to re-disclosure by the recipient

Individual Rights: Notice of Privacy Practices
- CE must provide patients with the CE's Notice of Privacy Practices
- must provide it no later than the same date on which health care services are first provided to the individual
- must post the notice in a clear and prominent location at the CE, and make it available upon request
- if the CE has a website, must post it on the website

Individual Rights: Notice of Privacy Practices
Omnibus Rule: CE must update/revise its NPP to:
- include a description of the types of uses and disclosures that require an authorization
- explain that the individual may opt out of fundraising communications
- explain that the CE must notify individuals of a breach of their unsecured PHI

Individual Rights: Requesting Restrictions on Uses and Disclosures
- General Rule: CE does not have to agree if an individual requests restrictions relating to a use or disclosure of his/her PHI that is otherwise allowed under HIPAA
- Omnibus Rule Exception: CE must agree to the request of an individual to restrict disclosure of PHI about the individual to a health plan if:
  - the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, AND
  - the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the CE in full

Individual Rights: Confidential Communications for PHI
- CE must ensure individuals can receive communications regarding their PHI in a manner and location that they feel is safe from unauthorized disclosure
- e.g., whether or not the patient will accept voice mail messages; sending PHI to an alternate address, etc.

Individual Rights: Right to Inspect and Get Copies of PHI
- General Rule: With some exceptions, an individual has a right of access to inspect and obtain a copy of his/her PHI
- Omnibus Rule Changes:
  - If the PHI is maintained electronically and the individual requests an electronic copy, the CE must provide the PHI in the electronic form and format requested by the individual, if it is readily producible (or, if not, in a readable electronic format as agreed by the CE and individual)
  - If an individual's request for access directs the CE to send the copy of PHI to another person designated by the individual, the CE must do so; the request must be in writing, signed by the individual, and include the address

Individual Rights: Requests for Amendment to PHI
- General Rule: An individual has a right to request that the CE amend PHI about the individual
- Denial: CE may deny the request if it determines that the PHI:
  - is accurate and complete as stated in the CE's record
  - would not otherwise be made available to the individual for inspecting and copying
  - was not created by the CE, unless the individual provides a reasonable basis to believe the originator is no longer available to act on the request for amendment

Individual Rights: Requests for Accounting of Disclosures of PHI
- General Rule: Individual has the right to request an accounting of disclosures made by the CE; this includes disclosures by BAs
- Exceptions: The CE need not account for:
  - Disclosures made for TPO
  - Disclosures to the individual
  - Disclosures made pursuant to valid authorization
  - Disclosures to responsible individuals to notify of location, condition or death
  - Disclosures for national security or intelligence purposes
  - Disclosures to correctional facilities and law enforcement

Individual Rights: Privacy Complaints
- Individuals must be given information about their right to complain (contained in the Notice of Privacy Practices)
- Individuals may complain to the CE or to the Secretary of DHHS if they believe their privacy rights have been violated

Omnibus Rule: Changes to Individual Rights: Limits on Fundraising
- A CE may use, or disclose to its BA or to an institutionally-related foundation, certain PHI for fundraising for its own benefit, w/o authorization:
  - demographic information, including name, address, other contact information, age, gender, date of birth
  - dates of health care provided to an individual
  - department of service information, treating physician, outcome information, health insurance status

Omnibus Rule: Changes to Individual Rights, Etc.: Limits on Fundraising
- CE must include in its NPP information about disclosures for fundraising purposes
- With each fundraising communication, the CE must provide the individual with a clear and conspicuous opportunity to elect to opt out of future fundraising communications
- The method for opting out must not be burdensome
- The CE may also include information about how to opt back in
- CE may not condition treatment or payment on the individual's choice with respect to fundraising communications

Omnibus Rule: Changes to Individual Rights, Etc.: Limits on Marketing
- CEs must obtain a written authorization from the individual for any use or disclosure of PHI for marketing purposes, except if the communication is in the form of:
  - A face-to-face communication by the CE to the individual
  - A promotional gift of nominal value provided by the CE
- Marketing Defined: To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service

Omnibus Rule: Changes to Individual Rights, Etc.: Limits on Marketing
Marketing does not include a communication made:
- To provide refill reminders or otherwise communicate about a drug or biologic currently being prescribed, if the remuneration received is reasonably related to the CE's cost of making the communication
- For treatment and health care operations, if the CE does not receive financial remuneration in exchange for making the communication, e.g.:
  - for treatment of the individual by a health care provider, including case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual
  - for case management or care coordination, contacting individuals with information about treatment alternatives

Omnibus Rule: Changes to Individual Rights, Etc.: Sale of PHI
- CE (or BA on behalf of CE) must obtain authorization for any disclosure of PHI that constitutes a sale
- the authorization must indicate that the CE will receive remuneration

Omnibus Rule: Changes to Individual Rights, Etc.: Sale of PHI
Sale of PHI does not include disclosure of PHI:
- for public health purposes
- for research purposes
- for treatment and payment purposes
- for the sale, transfer, merger, etc. of the CE's business, including due diligence activities
- to or by a BA pursuant to its BA agreement
- to an individual
- required by law
- as otherwise allowed under HIPAA

Omnibus Rule: Changes to Individual Rights, Etc.: Decedents
- The Omnibus Rule amends the definition of PHI to exclude individually identifiable information regarding a person who has been deceased for more than 50 years
- The Omnibus Rule allows CEs to disclose information about a decedent to a family member, other relative, or close personal friend of the individual who was involved in the individual's care prior to death, if the information is relevant to that person's involvement and disclosure is not inconsistent with prior written preferences of the individual

Omnibus Rule: Changes to Individual Rights, Etc.: Compound Authorizations and Research
- General Rule: An authorization for use or disclosure of PHI may not be combined with any other document to create a compound authorization
- Exception: An authorization for the use or disclosure of PHI for a research study may now be combined with any other type of written permission for the same or another research study; this includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research

Omnibus Rule: Changes to Individual Rights, Etc.: Immunization Records
CEs may disclose PHI to a school about a student or prospective student, if:
- the PHI disclosed is limited to proof of immunization
- the school is required by State or other law to have such proof of immunization prior to admitting the student
- the CE obtains and documents the agreement to the disclosure from either the parent (if the student is a minor) or the adult student

Omnibus Rule: Changes to Individual Rights, Etc.: Changes Related to GINA
The Omnibus Rule prohibits most health plans from using or disclosing genetic information for underwriting purposes

Business Associates: Omnibus Rule
- Security Rule and select provisions of the Privacy Rule now extend directly to:
  - Business Associates
  - Subcontractors of Business Associates
  - Subcontractors of Subcontractors
  - And so on.
- Chain of trust upstream and downstream; almost infinite liability

Business Associates Under the Omnibus Rule
- Covered Entities cannot disclose PHI to a Business Associate without a written agreement in place
- BAs must enter into Business Associate Agreements with their Subcontractors
- Subcontractor: a person or entity to whom a BA delegates a function, activity or service, other than in the capacity of a member of the workforce of such BA
- Subcontractors must enter into Business Associate Agreements with their Subcontractors

BAA Contractual Requirements
- BAs are required to comply with the Security Rule and parts of the Privacy Rule
- Required elements in BA Agreements:
  - BA must comply with the Security Rule requirements regarding e-PHI
  - BA must comply with the minimum necessary standard
  - BA must report to the CE any breaches of unsecured PHI, plus any use or disclosure of PHI in violation of HIPAA
  - If the BA will carry out functions of the CE (e.g., providing access or copies of PHI to the individual), the BA must perform these functions in accordance with HIPAA
  - Subcontractor agreements must contain the same restrictions as the BAA

Safeguarding PHI
- Privacy and Workstation Use Policy: CE/BA must develop protocols for safeguarding PHI kept in workstations
- Privacy and Telephone Use Policy: CE/BA must develop protocols for safeguarding PHI when making disclosures over the telephone
- Computer Use Policy: CE/BA must develop protocols for acceptable computer use by workforce members
- Facsimile Policy: CE/BA must develop protocols for safeguarding PHI when sending and receiving health information via facsimile

50 PART IV: HIPAA SECURITY RULE

The Security Rule requires CEs and BAs to have in place safeguards for protecting e- PHI to: Ensure the confidentiality, integrity, and availability of all e-phi they create, receive, maintain or transmit Identify and protect against reasonably anticipated threats to the information Protect against reasonably anticipated, impermissible uses or disclosures Ensure compliance by their workforce Security Rule 51

Security Rule confidentiality means that e-phi is not available or disclosed to unauthorized persons integrity means that e-phi is not altered or destroyed in an unauthorized manner availability means that e-phi is accessible and usable on demand by an authorized person 52

Flexibility of Approach Security Rule Rule intended to be flexible and scalable so each CE and BA can implement policies, procedures and technologies that are appropriate for the entity s particular size, organizational structure and risks to PHI Each CE and BA must consider: Its size, complexity and capabilities Its technical, hardware and software infrastructure The costs of security measures The likelihood and possible impact of potential risks to e-phi CEs and BAs must review and modify their security measures to continue protecting e-phi in a changing environment 53

Security Rule: Standards vs. Specifications Standards CEs and BAs must comply with every Security Rule Standard Implementation Specifications the nuts and bolts Required must be implemented Addressable does not mean optional; must determine whether reasonable and appropriate for the CE or BA If it is not, the Security Rule allows the CE or BA to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate If an implementation specification is not reasonable and appropriate in light of the CE/BA s security framework, and there is no reasonable alternative, don t adopt Document decision 54

Security Rule: Administrative Safeguards Security Management Process CE/BA must perform a risk analysis process, to include at least the following activities: evaluate the likelihood and impact of potential risks to e-phi implement appropriate security measures to address the risks identified in the risk analysis document the chosen security measures and, where required, the rationale for adopting those measures maintain continuous, reasonable and appropriate security measures 55

Security Rule: Administrative Safeguards Security Management Process Risk management security measures to reduce risk Sanction Policy address failure to comply with policy Information System Activity Review e.g., audit logs, access reports, security incident tracking Assigned Security Responsibility Identify the security official responsible for developing and implementing policies and procedures Workforce Security Implement measures to ensure members of the workforce have appropriate access to e-phi; prevent those who should not have access from gaining access (role-based access) 56

Security Rule: Administrative Safeguards Workforce Training and Management Workforce members must be granted appropriate authorization and must be appropriately supervised CE/BA must train workforce members Security Incident Procedures CE/BE must implement policies to address security incidents Contingency Plan CE/BA must have backup plans in event of emergency/disaster Evaluation CE/BA must perform periodic assessment of security policies and procedures 57

Security Rule: Physical Safeguards Facility Access and Control CE/BA must implement policies and procedures to limit physical access to its facilities while ensuring that authorized access is allowed Workstation and Device Security CE/BA must implement policies and procedures to specify proper use of and access to workstations and electronic media and devices Must also have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media or devices, to ensure appropriate protection of e-phi 58

Security Rule: Technical Safeguards Access Control CE/BA must implement technical policies and procedures that allow only authorized persons to access e-phi Audit Control CE/BA must implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-phi 59

Security Rule: Technical Safeguards (continued)
Integrity Controls
- CE/BA must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed, and to confirm that it has not been
Person or Entity Authentication
- CE/BA must implement procedures to verify that the person or entity seeking access to e-PHI is the one claimed
Transmission Security
- CE/BA must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network
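Integrity controls must both prevent improper alteration and let the CE/BA confirm that none occurred. As an added example (not part of the original presentation), the Python below shows why that confirmation step needs a keyed check: a plain hash stored next to an e-PHI record can be recomputed by whoever alters the record, while an HMAC whose key is held outside the record store cannot. The record contents, field names and key are constructed for the example.

```python
"""Added example: confirming e-PHI integrity with an HMAC rather than a bare
hash. Record contents, field names and the key are constructed for this
example and are not real patient data."""
import hashlib
import hmac
import json
import secrets


def canonical(record):
    """Serialize a record deterministically so equal records give equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def unkeyed_tag(record):
    """A bare hash stored beside the record; anyone who can rewrite the record can rewrite this too."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_tag(record, key):
    """HMAC-SHA256 over the canonical record; recomputing it requires the integrity key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_unkeyed(record, tag):
    return hmac.compare_digest(unkeyed_tag(record), tag)


def verify_keyed(record, tag, key):
    # compare_digest is constant-time, so a tag cannot be guessed byte by byte
    return hmac.compare_digest(keyed_tag(record, key), tag)


# Constructed sample record (not real patient data).
ORIGINAL = {"mrn": "10001", "drug": "warfarin", "dose_mg": 5}


def tamper(record):
    """An insider with write access to the record store changes the dose."""
    altered = dict(record)
    altered["dose_mg"] = 50
    return altered


def scenario():
    """Store the record under both schemes, tamper with it, and report which
    check still passes. Returns (unkeyed_check_passes, keyed_check_passes)."""
    key = secrets.token_bytes(32)        # held by the application, not in the record store
    stored_mac = keyed_tag(ORIGINAL, key)

    altered = tamper(ORIGINAL)
    # The attacker can recompute the bare hash because it needs no secret...
    stored_hash = unkeyed_tag(altered)
    # ...but without the key the best they can do is leave the old MAC in place.
    unkeyed_ok = verify_unkeyed(altered, stored_hash)   # True: tampering undetected
    keyed_ok = verify_keyed(altered, stored_mac, key)   # False: tampering detected
    return unkeyed_ok, keyed_ok


if __name__ == "__main__":
    print(scenario())
```

The key must live somewhere the record store's writers cannot reach (an application secret, a KMS or an HSM), or the keyed check degrades to the unkeyed one. An authenticated encryption mode such as AES-GCM gives the same tamper detection together with confidentiality, which also matters for whether PHI counts as secured under the breach definition in Part V.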

PART V: HIPAA BREACHES

Breach
BREACH OF UNSECURED PHI
- The acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI
Unsecured PHI
- PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of DHHS
- DHHS Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html
- The guidance recognizes two methods: encryption consistent with NIST standards for data at rest and data in motion, with the decryption key kept separate from the data, and destruction (shredding paper; sanitizing electronic media per NIST SP 800-88). Access controls such as a login password are not on the list.

DEFINITION OF BREACH EXCLUDES
- Unintentional acquisition, access or use of PHI by a workforce member when made in good faith and within the scope of authority, and no further use or disclosure is made
- Inadvertent disclosure by an authorized person to another authorized person at the same CE/BA, and no further use or disclosure is made
- A disclosure of PHI where the CE or the BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information

DISCOVERY OF A BREACH
- A breach is deemed discovered by the CE as of the first day on which the breach is known to the CE/BA, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the CE/BA
- BAs must report breaches to the CE
- The CE is responsible for breaches by its agents

INVESTIGATION
- Upon discovery of a breach, the HIPAA Privacy Officer must initiate and/or oversee an investigation
- The governing body or upper management may need to become involved, depending upon the size of the organization, its governance structure, and the nature and extent of the PHI and breach involved

RISK ASSESSMENT
- Any impermissible acquisition, access, use or disclosure of unsecured PHI is presumed to be a breach, unless the CE can, through a risk assessment, demonstrate that there is a low probability that the PHI has been compromised
- The Omnibus Rule does not define "compromised"
- Must use the four-factor test: all four factors must be analyzed; additional factors may be analyzed

RISK ASSESSMENT FACTORS
- Factor #1: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- Factor #2: The unauthorized person who used the PHI or to whom the disclosure was made
- Factor #3: Whether the PHI was actually acquired or viewed
- Factor #4: The extent to which the risk to the PHI has been mitigated

RESULTS OF RISK ASSESSMENT
- Must be documented
- If, after the risk assessment, the CE determines there is a low probability that the PHI has been compromised, then no notification to the individual(s) is required
- Otherwise, the CE must notify the affected individuals of the breach
- The BA assists the CE in the investigation and determination

BREACH NOTIFICATION
- Notice to affected individuals must be made without unreasonable delay, but in no case later than sixty (60) calendar days after discovery
- Caveat: If law enforcement officials inform the CE that notice to the affected individuals will impede a criminal investigation or cause damage to national security, the CE must delay: for the period specified in a written statement, or, if the statement is oral, for no more than 30 days (documenting the request) unless a written statement follows

BREACH NOTIFICATION: Additional Notices
- To the media, if a single breach event affects more than 500 residents of the same state or jurisdiction (without unreasonable delay, but no later than 60 calendar days from discovery)
- To the Secretary of DHHS:
  - if a single breach event affects 500 or more individuals, regardless of state or jurisdiction, without unreasonable delay, but no later than 60 calendar days from discovery
  - if a single breach event affects fewer than 500 individuals, on an annual basis (within 60 days of the end of the calendar year in which the breach was discovered)
- The CE must maintain a breach log

BREACH: NOT IF, BUT WHEN
In the words of Leon Rodriguez, the former Director of the Office for Civil Rights in the DHHS: "Breaches and enforcement by the OCR is a little like middle school math. You must show your work. It's all about the process."

BREACH HYPOTHETICAL #1
A medical provider mails a patient's written record to the patient. The patient's name is clearly on the envelope, and the envelope is sealed. However, the address is an old address for the patient. The recipient at that address calls the provider and states that she received mail intended for another individual, that she opened it and saw it was not for her and who it was from, and that she thereafter discarded the mail. She states she is just calling to let the provider know of the error.

BREACH HYPOTHETICAL #2
A medical provider mails a CD containing patient information. The envelope is addressed to Jane Doe at her proper address, and includes the provider's return address on the outside of the envelope. Jane stops home during her lunch break one day and receives the mail. When Jane opens the envelope and pulls out the CD, the label on the CD says "Patient John Smith." There is nothing else in the envelope. Jane immediately drives to the provider on her way back to work and hands the CD to the front desk personnel. She states she just received it, noted it was not intended for her, and is returning it to the provider.

BREACH HYPOTHETICAL #3
A physician carries a password-protected laptop computer, containing PHI of more than 500 patients, from one office location to another. The encrypted PHI includes names, dates of birth, Social Security numbers, patient ID numbers, dates of service, descriptions of services and other related information. The physician normally keeps the laptop in the trunk of the car when she is not using it, so as to safeguard the computer and the information on it. However, one day she is careless, leaves it on the passenger seat and forgets to lock the car while running an errand. When she returns to the car, the laptop is missing.

PART VI: Disclosures Required by Law

Release of PHI when Required by Law
- CE/BA may release PHI as required by law: a mandate contained in law that compels the CE/BA to make a use or disclosure of PHI and that is enforceable in a court of law
- Includes court orders, and subpoenas or summonses issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information
- The release of information pursuant to such an order, subpoena or summons must be limited to what that document actually requires, and must otherwise comply with its terms

Release of PHI when Required by Law: Administrative Request
- An administrative agency subpoena or summons, civil investigative demand or similar process
- CE/BA may release the requested records, provided that:
  - the information sought is relevant and material to a legitimate law enforcement inquiry
  - the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought
  - de-identified information could not reasonably be used

Subpoena v. Court Order
- A subpoena or discovery request issued or signed by someone other than a judge, such as a court clerk or an attorney in litigation, is different from a court order
- CE/BA may disclose information to a party issuing such a subpoena only if HIPAA's satisfactory-assurance requirements are met (notice to the individual, or a qualified protective order)
- Often best to seek legal counsel before releasing records or information

Disclaimer: This presentation and outline are designed to provide accurate and authoritative information regarding the subject matter covered. This presentation and outline should not be construed as legal advice or as pertaining to specific, factual situations. If legal advice or other expert assistance is required, the services of a competent professional should be sought.

QUESTIONS