HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)


HIPAA PRIVACY REQUIREMENTS
Dana L. Thrasher, Constangy, Brooks & Smith, LLP
dthrasher@constangy.com, (205) 226-5464

REASONS FOR HIPAA PRIVACY RULES
- Perceived need for protection of individual health information.
- Potential for abuse, and concern that employers would misuse health information.

What are the Purposes of the Privacy Rule?
Consumer Control Over Health Information
- Participant education on privacy protections.
- Ensuring patient access to medical records.
- Receiving patient authorization before information is released.
- Providing recourse if privacy protections are violated.

What are the Purposes of the Privacy Rule?
To Establish Boundaries on the Use and Release of Medical Records
- Ensuring that health information is not used for improper purposes.
- Providing the minimum amount of information necessary.

What are the Purposes of the Privacy Rule?
To Establish Accountability for the Use and Release of Medical Records
- Civil penalties.
- Federal criminal penalties.

What Information Is HIPAA Designed to Protect?
Protected Health Information ("PHI") encompasses all individually identifiable health information transmitted or maintained by a covered entity, regardless of form.

PHI: Covered Entity
A health plan, a health plan provider, and a health care clearinghouse.
Note: Employers are NOT covered entities, and employment files are not subject to the HIPAA privacy requirements.

How Does HIPAA Impact Employment Medical Files?
HIPAA does not cover the employer's medical files containing ADA, FMLA, Workers' Compensation, Sick Leave, Doctor's Excuses for Absences, etc. In applying normal procedures for those leave/accommodation requests, medical providers will require an authorization from the individual to release information to Mohawk (because providers are subject to HIPAA).

HEALTH PLAN
Health Plan: Any plan or program that provides or pays the cost of medical care.

Mohawk HIPAA Plans:
- Group Health Plan
- Group Dental Plan
- Health Care Flexible Spending Account Plan
- Others

Mohawk Plans Not Subject to HIPAA
Other plans or programs that do not provide coverage for medical expenses.

What are the Authorization Requirements?
- PHI may be used by covered entities for purposes of treatment, payment and health care operations ("TPO") without authorization.
- PHI must be disclosed to the government in the case of a HIPAA investigation.
- Otherwise, participant authorization is required.

What Must a Plan do to Ensure Privacy?
Privacy policies must be developed to ensure that only the minimum necessary amount of information to achieve the purpose of the disclosure is provided to a third person, and that the other HIPAA requirements are satisfied.

What Must a Plan do to Ensure Privacy?
- A Notice of Privacy Practices must be distributed to inform Plan participants of their rights under HIPAA.
- Physical security measures must be put in place to protect PHI (secured file cabinets, software encryption, password-protected databases).

What Must a Plan do to Ensure Privacy?
Designate a Privacy Officer to be in charge of monitoring compliance with HIPAA requirements.

What Must a Plan do to Ensure Privacy?
HIPAA-covered plans must train individuals who may come into contact with PHI on the HIPAA requirements and on the employer's and plan's procedures for maintaining the privacy of PHI. E.g., all PHI, and any questions or problems involving PHI, should be faxed, e-mailed or otherwise directed to the Privacy Officer, using private fax numbers.

Procedures for Handling Employee Inquiries
- Employees will be advised to contact the appropriate Privacy Officer or designated individuals for help with plan issues.
- Other Human Resources staff, supervisors, etc. will not have access to PHI and cannot provide assistance.
- Any inquiry that may involve PHI should be referred to the Privacy Officer.

CIVIL PENALTIES
- Tier 1: If the person is not aware of the violation (and would not have known with reasonable diligence), the penalty is at least $100/violation, not to exceed $25,000 for all violations of the same requirement in the same calendar year.
- Tier 2: If the violation is due to reasonable cause (but not willful neglect), the penalty is at least $1,000/violation, not to exceed $100,000 for all violations of the same requirement in the same calendar year.

CIVIL PENALTIES
- Tier 3: If the violation is due to willful neglect and is corrected within 30 days, the penalty is at least $10,000/violation, not to exceed $250,000 for all violations of the same requirement in the same calendar year.
- Tier 4: If the violation is due to willful neglect and is not corrected within 30 days, the penalty is at least $50,000/violation, not to exceed $1.5 million for all violations of the same requirement in the same calendar year.

CIVIL PENALTIES: State AGs
- State AGs are authorized to bring a civil action for HIPAA violations to enjoin violations and seek damages on behalf of residents.
- Damages are calculated by multiplying the number of violations by $100, not to exceed $25,000 for all violations of an identical requirement during a calendar year.
- The court may award costs and reasonable attorneys' fees to the State.

CIVIL PENALTIES: Individual Compensation
- Mechanism for individuals to recover a portion of an HHS civil penalty or monetary settlement.
- Effective Date: Regulations relating to the methodology were to be issued by February 2012, but have yet to be released.

CRIMINAL PENALTIES
- Up to $50,000 and 1 year in prison for obtaining or disclosing PHI.
- Up to $100,000 and up to 5 years in prison for obtaining PHI under false pretenses.
- Up to $250,000 and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

Increased Enforcement Mechanisms
- Increased Audits: HHS will conduct periodic audits of CEs and BAs, even if no complaint is filed.
- Willful Neglect: An audit is required if a preliminary investigation of a complaint indicates willful neglect. HHS is required to impose a penalty for violations due to willful neglect.

Notification of Breach Requirements
If security is breached, the Plan must provide notice without unreasonable delay and within 60 days after discovery of the breach:
- To the impacted individual: Individual written notice sent to the last known address (with special rules if imminent misuse is possible or the individual's address is unknown).
- To the Media: If the breach involves more than 500 individuals in a state or jurisdiction, notice through major media outlets.

Notification of Breach Requirements
- To HHS: If the breach involves more than 500 individuals, the Plan notifies HHS immediately, and HHS will identify the CE on its website. If the breach involves fewer than 500 individuals, the Plan logs the breach and provides the log to HHS on an annual basis.
- If a BA discovers a breach, it notifies the Plan.

Conclusion
- Compliance with the HIPAA privacy requirements requires significant cultural and procedural changes.
- Some employees will require additional training. Training is MANDATED for all individuals who may have access to PHI.
- Update all BAAs and policies for HITECH.