The Revolution Will Be Worn on Your Wrist (Part 2) Deven McGraw Deputy Director, Health Information Privacy HHS Office for Civil Rights


Who is covered by HIPAA rules? HIPAA does not cover all health information. HIPAA rules protect the privacy and security of individually identifiable health information (called protected health information or PHI) maintained by HIPAA covered entities and their business associates.

HIPAA's scope (2) PHI = individually identifiable health information: information, including demographic data, that relates to the individual's past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present or future payment for the provision of health care to the individual; and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Determining HIPAA Coverage Facts and circumstances test: HIPAA applies when an app or other personal health tool is offered by a covered entity (and functions at least in part on the covered entity's behalf), or by a business associate on behalf of a covered entity.

OCR Health App Developer Guidance Available on OCR's portal for engaging app developers, http://hipaaqsportal.hhs.gov/ To help app developers understand when they may be acting as a business associate of a covered entity, the guidance offers 6 scenarios describing a range of relationships between the developer and the covered entity. It also offers key questions for an API vendor or other HIT organization to consider. Sample scenarios follow.

Health App Use Scenarios & HIPAA These scenarios address two questions under the Health Insurance Portability and Accountability Act (HIPAA): How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app? When might an app developer need to comply with the HIPAA Rules?

An app developer may be a business associate if the developer is creating or offering the app on behalf of a covered entity (or one of the covered entity's other business associates). In that case the developer is required to comply with certain provisions of the HIPAA Rules, including entering into and complying with a business associate agreement with the covered entity or business associate, and complying with the Security Rule.

Sample Scenario 1 Scenario Consumer downloads a health app to her smartphone. She populates it with her own information. For example, the consumer inputs blood glucose levels and blood pressure readings she obtained herself using home health equipment. Based on the Facts Presented in the Scenario, Is App Developer a HIPAA Business Associate? No. Developer is not creating, receiving, maintaining or transmitting protected health information (PHI) on behalf of a covered entity or another business associate. The consumer is using the developer's app to help her manage and organize her information without any involvement of her health care providers.

Sample Scenario 2 Scenario Consumer downloads a health app to her smartphone that is designed to help her manage a chronic condition. She downloads data from her doctor's EHR through a patient portal onto her computer and then uploads it into the app. She also adds her own information to the app. Based on the Facts Presented in the Scenario, Is App Developer a HIPAA Business Associate? No. Developer is not creating, receiving, maintaining or transmitting protected health information (PHI) on behalf of a covered entity or another business associate. Instead, the consumer obtains health information from her provider, combines it with health information she inputs, and uses the app to organize and manage that information for her own purposes. There is no indication the provider or a business associate of the provider hired the app developer to provide or facilitate this service.

Sample Scenario 3 Scenario At the direction of her provider, patient downloads a health app to her smartphone. Provider has contracted with app developer for patient management services, including remote patient health counseling, monitoring of patients' food and exercise, patient messaging, EHR integration and application interfaces. Information the patient inputs is automatically incorporated into the provider's EHR. Based on the Facts Presented in the Scenario, Is App Developer a HIPAA Business Associate? Yes, the developer is a business associate of the provider, because it is creating, receiving, maintaining and transmitting protected health information (PHI) on behalf of a covered entity. In this case, the provider contracts with the app developer for patient management services that involve creating, receiving, maintaining and transmitting PHI, and the app is a means for providing those services.

Sample Scenario 4 Scenario Consumer downloads a health app to her smartphone that is designed to help her manage a chronic condition. Health care provider and app developer have entered into an interoperability arrangement at the consumer's request that facilitates secure exchange of consumer information between the provider's EHR and the app. The consumer populates information on the app and directs the app to transmit the information to the provider's EHR. The consumer is able to access test results from the provider through the app. Based on the Facts Presented in the Scenario, Is App Developer a HIPAA Business Associate? No. Developer is not creating, receiving, maintaining or transmitting protected health information (PHI) on behalf of a covered entity or another business associate. The interoperability arrangement alone does not create a BA relationship because the arrangement exists to facilitate access initiated by the consumer. The app developer is providing a service to the consumer, at the consumer's request and on her behalf. The app developer is transmitting data on behalf of the consumer to and from the provider; this activity does not create a BA relationship with the covered entity.

Sample Scenario 6 Scenario Consumer downloads to her smartphone a mobile PHR app offered by her health plan that offers users in its network the ability to request, download and store health plan records and check the status of claims and coverage decisions. The app also contains the plan's wellness tools for members, so they can track their progress in improving their health. Health plan analyzes health information and data about app usage to understand the effectiveness of its health and wellness offerings. App developer also offers a separate, direct-to-consumer version of the app that consumers can use to store, manage and organize their health records, to improve their health habits and to send health information to providers. Based on the Facts Presented in the Scenario, Is App Developer a HIPAA Business Associate? Yes, with respect to the app offered by the health plan, and no, when offering the direct-to-consumer app. Developer is a business associate of the health plan, because it is creating, receiving, maintaining or transmitting protected health information (PHI) on behalf of a covered entity. Developer must comply with applicable HIPAA Rules requirements with respect to the PHI involved in its work on behalf of the health plan. But its direct-to-consumer product is not provided on behalf of a covered entity or other business associate, and developer activities with respect to that product are not subject to the HIPAA Rules. Therefore, as long as the developer keeps the health information attached to these two versions of the app separate, so that information from the direct-to-consumer version is not part of the product offering to the covered entity health plan, the developer does not need to apply HIPAA protections to the consumer information obtained through the direct-to-consumer app.

HIPAA Right of Individual Access New Guidance on Access Right: http://www.hhs.gov/hipaa/forprofessionals/privacy/guidance/access/ (Fact Sheet and FAQs). FAQ topics include:
Scope
Form, format and manner of access
Right to send directly to a third party
Fees
Timeliness

MOBILE DEVICES http://www.healthit.gov/mobiledevices

QUESTIONS? OCR Activity Update