HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights


HIPAA Update
Jamie Sorley
U.S. Department of Health and Human Services, Office for Civil Rights
New Mexico Health Information Management Association Conference
April 11, 2014, Albuquerque, NM

Recent Enforcement Activities
U.S. Department of Health and Human Services, Office for Civil Rights April 11, 2014 page 2

HIPAA Privacy, Security, Breach Compliance and Enforcement
- Resolution Agreements/Corrective Action Plans: 5 RA/CAPs in CY13; total resolution amounts of $3,740,780
- Investigated Complaints/Compliance Reviews: 4,459 investigative closures in CY13; 3,467 closed with corrective action
- Breach Reports: 930 breaches involving 500 or more individuals; over 113,000 breaches involving fewer than 500 individuals

Breach Notification: 500+ Breaches by Type of Breach (data as of March 25, 2014)
- Theft 47%
- Unauthorized Access/Disclosure 18%
- Loss 11%
- Other 10%
- Hacking/IT Incident 8%
- Improper Disposal 4%
- Unknown 2%

Breach Notification: 500+ Breaches by Location of Breach (data as of March 25, 2014)
- Laptop 23%
- Paper Records 21%
- Desktop Computer 14%
- Network Server 12%
- Portable Electronic Device 11%
- Other 11%
- Email 5%
- EMR 3%

Recent Large Breaches
- Hacking (network server): 780,000 affected
- Backup tapes stored at hospital cannot be found and are presumed lost: 315,000 affected
- Unencrypted emails sent to employee's unsecured email address: 228,435 affected
- Theft of laptop from employee's vehicle: 116,506 affected
- Unauthorized access to e-PHI stored in database: 105,646 affected
- Hacking (database stored on network server): 70,000 affected

Recent Major Enforcement Actions
- Adult & Pediatric Dermatology, P.C. ($150,000): unencrypted thumb drive stolen from employee vehicle, affecting 2,200 patients; covered entity did not have breach policies and procedures
- Affinity Health Plan, Inc. ($1.2M): breach affecting up to 344,000 individuals; covered entity had not properly erased photocopier hard drives prior to sending the photocopiers to a leasing company
- Massachusetts Eye and Ear Institute ($1.5M): stolen personal laptop of physician using device as desktop substitute; covered entity had not implemented a program to mitigate identified risks to e-PHI

Recent Major Enforcement Actions
- Hospice of Northern Idaho ($50K): breach affecting 400 individuals when laptop stolen; provider had not conducted a risk assessment or taken other measures to safeguard e-PHI as required by Security Rule
- Idaho State University ($400,000): disabled firewall left the PHI of approx. 17,500 patients unsecured; risk analyses and risk management plans were incomplete or out of date
- Shasta Regional Medical Center ($275,000): senior management disclosed patient information to the media and to the workforce without patient authorization; CE failed to sanction workforce members in accordance with its internal policy

HIPAA Omnibus Changes

Omnibus Final Rule: Important Dates
- Published in Federal Register: January 25, 2013
- Effective Date: March 26, 2013
- Compliance Date: September 23, 2013
- Conform BA contracts: September 22, 2014

Omnibus Components
- HITECH Privacy & Security: business associates (BA); marketing & fundraising; sale of protected health information (PHI); right to request restrictions; electronic access
- HITECH Breach Notification
- HITECH Enforcement
- GINA Privacy
- Other Modifications: research; notice of privacy practices (NPP); decedents; student immunizations

Not in Omnibus
- HITECH Accounting of Disclosures Rule
- HITECH Distribution of Penalties/Settlements to Harmed Individuals Rule
- HITECH Minimum Necessary Guidance
- HIPAA/CLIA Patient Access to Laboratory Test Reports Rule

Omnibus Final Rule: What's New for Consumers
- Right to electronic copy of electronic health record; right to direct copy to designated third party
- Prohibition on sale of PHI without authorization
- Marketing communications paid for by third party require authorization; limited exceptions for refill reminders and current prescriptions
- Right to restrict disclosures to health plans of treatment/services paid for out of pocket

GINA Provisions
- Requires genetic information to be treated as PHI
- Prohibits health plans from using/disclosing genetic information for underwriting purposes
- Terms and definitions track regulations prohibiting discrimination in provision of health insurance based on genetic information

Omnibus Final Rule: Non-statutory Provisions
- Student Immunization: makes it easier for parents to permit providers to release student immunization records to schools
- Research: allows researchers to use single authorization for more than one research purpose; relaxes policy on authorizations for future research
- Notice of Privacy Practices: updates required to Notices of Privacy Practices; relaxes distribution requirements for health plans
- Decedent Information: protections limited to 50 years after death; eases access to friends and families

Omnibus Final Rule: What's New for Breach
- Breach Notification Provisions: replaces "harm to individual" with a more objective measure of compromise to the data as the threshold for breach notification
- Other provisions of 2009 IFR adopted without major change

Omnibus Final Rule: What's New for Enforcement
- Adopts increased CMP amounts and tiered levels of culpability from 2009 IFR
- Clarifies Reasonable Cause tier
- Willful Neglect penalties do not require informal resolution
- Intentional wrongful disclosures may be subject to civil, rather than criminal, penalties

HITECH Enforcement Raises CMP Levels

Violation Category                Each Violation       All Identical Violations per Calendar Year
Did Not Know                      $100 - $50,000       $1,500,000
Reasonable Cause                  $1,000 - $50,000     $1,500,000
Willful Neglect - Corrected       $10,000 - $50,000    $1,500,000
Willful Neglect - Not Corrected   $50,000              $1,500,000

Omnibus Final Rule: What's New for Business Associates
New definition of Business Associate (45 C.F.R. 160.103):
(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

Omnibus Final Rule: What's New for Business Associates
New definition of Business Associate, cont.:
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

Omnibus Final Rule: What's New for Business Associates
- BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule: must conduct a security risk analysis and implement a risk management plan; must implement safeguards to protect e-PHI; liable for Security Rule violations
- BAs must comply with use or disclosure limitations expressed in their contract and those in the Privacy Rule: criminal and civil liabilities for violations
- Clarification that BAs are liable whether or not they have an agreement in place with the CE
- If CE delegates a Privacy Rule obligation to a BA (e.g., providing NPPs to individuals), the contract must require the BA to perform in compliance with the Rule

Omnibus Final Rule: What's New for Business Associates
- Direct liability: impermissible uses and disclosures (including more than minimum necessary); failure to comply with Security Rule; failure to provide breach notification; failure to provide e-access as provided in BA contract; failure to disclose PHI to HHS for compliance and enforcement; failure to provide HITECH accounting (final rule not issued)
- Contractual liability for requirements of the BA contract

Marketing
- Communications about health-related products/services by covered entity (CE) to individuals are now marketing and require authorization if paid for by third party
- Applies to receipt of financial remuneration only; does not include receipt of non-financial benefits
- Authorization must state that communication is paid for
- Authorization can be obtained to make subsidized communications generally; scope of authorization need not be limited to single product/service or products/services of one third party

Marketing
- Limited exception for refill reminders (and similar communications): includes generic equivalents, adherence communications, drug delivery systems; payment must be reasonably related to cost of communication
- Face-to-face marketing communications and promotional gifts of nominal value still permitted without authorization

Sale of PHI
- Even where disclosure is permitted, CE is prohibited from disclosing PHI (without individual authorization) in exchange for remuneration
- Includes remuneration received directly or indirectly from recipient; not limited to financial remuneration
- If authorization obtained, authorization must state that disclosure will result in remuneration

Sale of PHI: Exceptions
- Treatment & payment
- Sale of business
- Remuneration to BA for services rendered
- Disclosure required by law
- Public health
- Research, if remuneration limited to cost to prepare and transmit PHI
- Providing access or accounting to individual
- Any other permitted disclosure where the CE receives only a reasonable, cost-based fee to prepare and transmit PHI

Electronic Access
- If individual requests e-copy of PHI maintained electronically in designated record set, CE must provide access in electronic form/format requested, if readily producible; otherwise in readable electronic form/format as agreed to by CE and individual
- If requested, CE must transmit copy of PHI to individual's designee (not limited to electronic access): request must be in writing and signed; must clearly identify designated person and where to send

Electronic Access
- CE may charge for: labor for copying; time attributable to reviewing request and producing copy; cost of electronic media (CD, USB drive, or similar portable media/device), if individual requests copy on portable media
- CE has 30 days (with one 30-day extension) to act on request for access; provision allowing initial 60 days for off-site PHI removed

Definition of Breach
- Harm standard removed
- New standard: impermissible use/disclosure of (unsecured) PHI presumed to require notification, unless CE/BA can demonstrate low probability that PHI has been compromised based on a risk assessment of at least:
  - Nature & extent of PHI involved
  - Who received/accessed the information
  - Potential that PHI was actually acquired or viewed
  - Extent to which risk to the data has been mitigated

Definition of Breach
- Exceptions for inadvertent, harmless mistakes remain
- Exception for limited data sets without dates of birth & zip codes removed

Breach Notification
- Makes permanent the notification and other provisions of the 2009 interim final rule (IFR), with only minor changes/clarifications
- E.g., clarifies that notification to the Secretary of smaller breaches is to occur within 60 days of the end of the calendar year in which the breaches were discovered (versus occurred)

Guidance and Compliance Tools

- De-identification Guidance: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/de-identification/guidance.html
- Sample Business Associate Contract Language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
- Security Rule Guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html (Risk Analysis Guidance; NIST HIPAA Security Rule Toolkit; NIST Guidelines for Media Sanitation; FTC Guidance on Copier Data Security; educational paper series)
- Security for Mobile Devices (video/web): http://www.healthit.gov/mobiledevices

ONC/OCR Mobile Device Program: Instructional Video Series
The videos explore mobile device risks and discuss privacy and security safeguards providers and professionals can put into place to mitigate risks.
- Securing Your Mobile Device is Important!
- Dr. Anderson's Office Identifies a Risk
- A Mobile Device is Stolen
- Can You Protect Patients' Health Information When Using a Public Wi-Fi Network?
- Worried About Using a Mobile Device for Work? Here's What To Do!

Downloadable Materials (www.healthit.gov/mobiledevices)
- Fact sheets
- Posters
- Brochures

Mobile Device Program: Tips to Protect and Secure Health Information
- Use a password or other user authentication.
- Install and enable encryption.
- Install and activate wiping and/or remote disabling.
- Disable and do not install file-sharing applications.
- Install and enable a firewall.
- Install and enable security software.
- Keep security software up to date.
- Research mobile apps before downloading.
- Maintain physical control of your mobile device.
- Use adequate security to send or receive PHI over public Wi-Fi networks.
- Delete all stored health information before discarding or reusing the mobile device.

Sample Notices of Privacy Practices
http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
- Versions for providers and for health plans
- Multiple formats
- Customizable
- In English and Spanish

Medscape: Free CME and CE Training
HIPAA: Creating Awareness and Educating Providers on the Importance of Compliance
http://www.medscape.org/viewarticle/762170?src=cmsocr

Security Rule Assessment Tool
http://www.healthit.gov/providers-professionals/security-riskassessment

Questions?
OCR website: www.hhs.gov/ocr
Jamie Sorley, jamie.sorley@hhs.gov, (214) 767-8908