HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT


HIPAA OMNIBUS FINAL RULE HITECH GINA

TERMINOLOGY: OMNIBUS FINAL RULE
- Issued January 23, 2013; effective March 26, 2013.
- Modified the HIPAA Privacy and Security Rules.
- HITECH was modified to strengthen HIPAA; it implemented the Breach Notification Rule and raised the civil monetary penalties.
- Included the Genetic Information Nondiscrimination Act of 2008 (GINA): genetic information can't be used for underwriting and is treated like PHI.

TERMINOLOGY: HIPAA
- Health Insurance Portability & Accountability Act.
- Enacted in 1996 so that health insurance would be portable.
- Compliance by October 16, 2002 for EMR/EHR.
- Compliance by April 14, 2003 for the privacy rules.

PRIVACY RULE
- Establishes a national standard for the protection of PHI.
- Addresses the use/disclosure of an individual's PHI.
- Gives individuals rights with respect to their PHI.
- Policies and procedures must be in place to ensure that reasonable steps are taken to protect individual PHI.

SECURITY RULE
- Establishes a national standard for the protection of PHI that is held or transferred in electronic form.
- Addresses the technical and non-technical safeguards.
- Implement three safeguards:
  1. Administrative: assignment of an individual to train staff and be responsible for security.
  2. Physical: how the electronic systems are protected in the environment.
  3. Technical: password protections; encryption.

TERMINOLOGY: HITECH
- Health Information Technology for Economic & Clinical Health Act.
- A provision under the Social Security Act.
- Modified to strengthen HIPAA; the modifications made significant changes.

HOW HITECH AFFECTS HIPAA
- Applies the same requirements and penalties to Covered Entities and Business Associates.
- Establishes mandatory federal privacy and security breach reporting requirements.
- Creates new privacy requirements, including new accounting of disclosures requirements.
- Establishes new criminal and civil penalties for non-compliance and new enforcement methods.
- All of these apply equally to Covered Entities and Business Associates.

TERMINOLOGY: PHI
- Protected Health Information: identifiable health information.
- Includes written, verbal or electronic form, used in records, social media, internet and intranet.

PHI IDENTIFIERS
This is the information that requires protection:
- Name and address, including zip code or other geographic codes
- Date of birth and age
- Telephone number, fax number, e-mail address
- Social security number, medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number; license plate number
- Web URL; IP address
- Finger or voice prints
- Photographs
- Any other unique identifying characteristic

DE-IDENTIFICATION
- When the identifiers are removed from a patient's information, it is considered de-identified.
- No longer considered PHI.
- No restrictions on its use/disclosure.
- There is no information that could easily identify the individual.
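As an added example (not part of the slide deck), a de-identification pass in Python that blanks the identifier fields the slide lists and scrubs identifier-like values out of free-text fields; the field names, regex patterns and sample record are constructed assumptions, not a real schema or real patient data.

```python
import re
from copy import deepcopy

# Record fields mapped to the identifier categories on the slide (assumed names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "zip", "dob", "age", "phone", "fax", "email",
    "ssn", "mrn", "beneficiary_number", "account_number",
    "license_number", "license_plate", "url", "ip", "fingerprint",
    "voiceprint", "photo",
}

# Identifier formats that leak into free text such as clinical notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def scrub_text(text):
    """Replace identifier-like substrings with a category tag; return (text, hits)."""
    found = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(label)
            text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text, found


def deidentify(record):
    """Return (de-identified copy, list of what was removed); input is untouched."""
    out = deepcopy(record)
    removed = []
    for key in list(out):
        if key.lower() in DIRECT_IDENTIFIER_FIELDS:
            out[key] = None
            removed.append(key)
        elif isinstance(out[key], str):
            out[key], hits = scrub_text(out[key])
            removed.extend(f"{key}:{h}" for h in hits)
    return out, removed


def is_deidentified(record):
    """True when no listed field carries a value and no free text matches a pattern."""
    for key, value in record.items():
        if key.lower() in DIRECT_IDENTIFIER_FIELDS and value is not None:
            return False
        if isinstance(value, str) and scrub_text(value)[1]:
            return False
    return True


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0001234",
    "dob": "03/14/1975",
    "zip": "72201",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called from 501-555-0100, email jane@example.com; "
             "portal login from 10.0.0.5; see http://intranet/chart/42",
}

if __name__ == "__main__":
    clean, removed = deidentify(SAMPLE_RECORD)
    print(clean["notes"])
    print("removed:", removed, "| de-identified:", is_deidentified(clean))
```

The pattern matching is a heuristic that only catches the formats it knows, and the slide's last category, any other unique identifying characteristic, still needs human review before a record is treated as no longer PHI.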

TERMINOLOGY
- Minimum Necessary Standard: only the minimum necessary PHI is used, disclosed or requested to accomplish the intended purpose.
- Breach: PHI has been used in a manner that compromises the security or privacy of the PHI.

TERMINOLOGY
- Incidental Use and Disclosure: a use/disclosure of PHI that is a result of, or incident to, a permitted use of PHI.
- Electronic Media (revised definition): hard drives, tapes, disks, memory cards, removable media; internet, intranet, private networks. Does not include fax or telephone as electronic media transmission.

BUSINESS ASSOCIATE
- A person/entity, other than a member of the workforce, who performs functions/activities on behalf of or for a Covered Entity that involve the use/disclosure of PHI.
- A BA is also a subcontractor that creates, receives, transmits, or maintains PHI on behalf of another BA.
- BAs and subcontractors have to safeguard PHI down the stream.
- Typical BAs: billing services, collection agencies, answering services, EMR software vendors, labs, transcription.

BUSINESS ASSOCIATE AGREEMENT
- An agreement between a Covered Entity and a Business Associate, or between two BAs.
- Clarifies and limits the permissible use/disclosure of PHI.
- Deadlines: if you had a BAA in place as of 1/25/13 and it was not due for renewal by 9/23/13, you have until 9/23/14. Otherwise, update by 9/23/13.

BUSINESS ASSOCIATE EXCEPTIONS
- Health care providers, concerning treatment of an individual: doctor to doctor; nurse to nurse; referrals.
- Banking and financial institutions.
- Government agencies determining eligibility, enrollment or benefits: Medicare, Medicaid, VA.
- Pharmacies.

COVERED ENTITY
- Health Care Providers that conduct transactions in electronic form: physicians, clinics, dentists, nursing homes.
- Health Care Clearinghouses: entities that process non-standard health information.
- Health Plans: health insurance companies, HMOs, government health programs.

NOTICE OF PRIVACY PRACTICE
- Statements set out in a written document for patients regarding the use/disclosure of PHI that is allowed without authorization and that which requires authorization.
- Has to be displayed in a clear and prominent location.
- Must be provided to new patients, and a hard copy has to be provided to anyone who asks for one.
- Has to be posted on the Covered Entity's website, if applicable.
- Established patients must be made aware of changes.
- Requires a signed acknowledgement of receipt.

PATIENT RIGHTS
Under the Final Rule and stated in the NPP:
- Right to request a restriction of uses/disclosures. The CE may consider which restrictions to honor.
- Right to access PHI, only if it is maintained in electronic form. Patients do not have a right of direct access to the system; the PHI can be copied onto an external device.

PATIENT RIGHTS
- Right to an accounting of disclosures. An accounting is a record of each disclosure of the patient's PHI for purposes other than treatment, payment or health care operations.
- Can include the 6 years prior to the date on which the accounting is requested, and not before 2003.
- Disclosures that do not need to be recorded: treatment, payment, and disclosures made to the patient.

PATIENT RIGHTS
- Right to ask for a change in their medical record. If the individual believes there is an error or disagrees with what is in their EMR, they may ask for a change.
- The Covered Entity, upon investigation, may or may not agree with the change.
- The decision must be communicated to the individual in writing.
- If there is a change, the original is not destroyed; an addendum is made.

AUTHORIZED PHI DISCLOSURES
- Decedent's PHI: the healthcare provider may disclose PHI to family members/others involved in care prior to death, using the minimum necessary standard. After 50 years, PHI is no longer protected. Arkansas: a spouse or parent may receive the autopsy report.
- Student immunizations to schools: only require verbal authorization for release.
- Public health activities: may report for the public health and safety, e.g., communicable diseases.

AUTHORIZATION REQUIRED
Must have valid written authorization for:
- Use/disclosure of psychotherapy notes.
- Use/disclosure for marketing purposes.
- The sale of PHI.

BREACH NOTIFICATION RULE
- This Rule did not exist prior to the HITECH Act.
- If a breach occurs, a risk assessment has to be performed to determine whether there is a low probability that the PHI was compromised. The risk of harm to the individual is not part of the assessment.
- Affected individuals have to be notified of the breach within 60 days of discovery of the breach.
- If more than 500 individuals have been affected, notice through prominent media outlets must occur; this is in addition to the individual notices.
- HHS has to be notified if more than 500 individuals are involved.

BREACH NOTIFICATION
- Notifications to individuals are to be sent via first class mail to the last known address. They can be sent via e-mail or telephone if the address is out of date.
- Parents of minors, personal representatives of adults without capacity, and next of kin of deceased patients may be notified.
- If there is insufficient contact information for 10 or more individuals, the CE must post a notice on its website or in major print or broadcast media where the individuals reside.
- A BA has the same requirements and must notify the CE.

BURDEN OF PROOF
- The CE and BA have to demonstrate that there is a low probability that the information used/disclosed was compromised. If they cannot clearly make this determination, the incident is treated as a breach.
- The CE and BA must also demonstrate that all notifications were made.
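As an added example (not from the slide deck), a small Python decision routine that turns the breach facts into the notification obligations the three slides above describe: the 60-day deadline, the 500-individual media/HHS threshold, the 10-person substitute-notice rule, the BA-to-CE notice, and the burden-of-proof default that treats an unclear risk assessment as a breach. The field names and the sample scenario are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Thresholds as stated on the slides.
NOTIFY_DEADLINE_DAYS = 60          # individuals notified within 60 days of discovery
MEDIA_AND_HHS_THRESHOLD = 500      # more than 500 affected: media outlets and HHS
SUBSTITUTE_NOTICE_THRESHOLD = 10   # insufficient contact info for 10 or more people


@dataclass
class BreachFacts:
    """Inputs to the decision; field names are constructed for this example."""
    discovered_on: date
    affected_count: int
    unreachable_count: int                          # no usable address/e-mail/phone
    low_probability_of_compromise: Optional[bool]   # None: could not be clearly shown
    found_by_business_associate: bool = False


@dataclass
class Obligations:
    is_reportable_breach: bool
    individual_notice_deadline: Optional[date] = None
    actions: List[str] = field(default_factory=list)


def breach_facts(discovered_iso, affected_count, unreachable_count,
                 low_probability_of_compromise, found_by_business_associate=False):
    """Build BreachFacts from an ISO date string (YYYY-MM-DD)."""
    return BreachFacts(date.fromisoformat(discovered_iso), affected_count,
                       unreachable_count, low_probability_of_compromise,
                       found_by_business_associate)


def determine_obligations(facts: BreachFacts) -> Obligations:
    # Burden of proof: only a clearly demonstrated low probability of compromise
    # keeps the incident out of the Rule; anything less is treated as a breach.
    if facts.low_probability_of_compromise is True:
        return Obligations(False, None,
                           ["Retain the risk assessment supporting the finding"])
    ob = Obligations(True, facts.discovered_on + timedelta(days=NOTIFY_DEADLINE_DAYS))
    if facts.found_by_business_associate:
        ob.actions.append("BA notifies the Covered Entity")
    ob.actions.append("Individual notice by first class mail to last known address "
                      "(e-mail or telephone if the address is out of date)")
    if facts.unreachable_count >= SUBSTITUTE_NOTICE_THRESHOLD:
        ob.actions.append("Substitute notice on the CE website or major print/"
                          "broadcast media where the individuals reside")
    if facts.affected_count > MEDIA_AND_HHS_THRESHOLD:
        ob.actions.append("Notice through prominent media outlets")
        ob.actions.append("Notify HHS")
    ob.actions.append("Retain proof that every notification was made")
    return ob


def notice_overdue(facts: BreachFacts, today_iso: str) -> bool:
    """True when a reportable breach has passed its individual-notice deadline."""
    ob = determine_obligations(facts)
    return ob.is_reportable_breach and date.fromisoformat(today_iso) > ob.individual_notice_deadline


if __name__ == "__main__":
    # Constructed scenario: 620 records exposed, 12 people with no usable address,
    # and the risk assessment could not clearly show a low probability of compromise.
    scenario = breach_facts("2013-09-01", 620, 12, None, found_by_business_associate=True)
    result = determine_obligations(scenario)
    print("deadline:", result.individual_notice_deadline)
    for action in result.actions:
        print("-", action)
```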

INVESTIGATION OF BREACH
- The Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS) enforces HIPAA.
- OCR is required to formally investigate a complaint. A complaint has to be filed within 180 days of the alleged violation.
- If the preliminary investigation indicates a possible violation, further investigation will expand into a compliance investigation.
- OCR tries to determine whether willful neglect is indicated.

INVESTIGATION (CONT'D)
- The entity has 30 days to respond to OCR.
- If a violation or willful neglect is found, a civil monetary penalty for each violation can be imposed.

CIVIL MONETARY PENALTIES
- Failure to comply with HIPAA can result in civil and criminal penalties.
- The HITECH Act: significantly increased the amount of civil monetary penalties (CMPs); reduced the number of available affirmative defenses; and required imposition of CMPs for all violations due to willful neglect under a tiered liability structure.
- Prior to February 18, 2009, HIPAA violations were $100 per violation, with a maximum of $25,000 in one year for the same violation. Now up to $50,000 per violation and $1.5 million in one year for the same violation.

TIERED LIABILITY STRUCTURE
- Unknowing: the CE or BA did not know, and reasonably should not have known, of the violation.
- Reasonable Cause: the CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the CE or BA did not act with willful neglect.
- Willful Neglect, Corrected: the violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA; however, the CE or BA corrected the violation within 30 days of discovery.
- Willful Neglect, Uncorrected: the violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the CE or BA did not correct the violation within 30 days of discovery.

MONETARY PENALTIES

Violation Category            | Each Violation (range) | Total CMP for Violations of an Identical Provision in a Calendar Year
Unknowing                     | $100 - $50,000         | $1,500,000
Reasonable Cause              | $1,000 - $50,000       | $1,500,000
Willful Neglect - Corrected   | $10,000 - $50,000      | $1,500,000
Willful Neglect - Uncorrected | At least $50,000       | $1,500,000

TOP 5 HIPAA VIOLATIONS

Year | #1 Violation                    | #2 Violation | #3 Violation | #4 Violation      | #5 Violation
2010 | Impermissible Uses & Disclosure | Safeguards   | Access       | Minimum Necessary | Notice
2009 | Impermissible Uses & Disclosure | Safeguards   | Access       | Minimum Necessary | Complaints to Covered Entity
2008 | Impermissible Uses & Disclosure | Safeguards   | Access       | Minimum Necessary | Complaints to Covered Entity
2007 | Impermissible Uses & Disclosure | Safeguards   | Access       | Minimum Necessary | Notice

ADMINISTRATIVE REQUIREMENTS
Written policies and procedures to comply with the administrative requirements must include:
1. A designated contact person to handle complaints and provide further information about the Notice of Privacy Practice.
2. A designated privacy officer who is responsible for development and implementation of the policies and procedures.
3. Required annual training of all workforce members, with documentation of the training.
4. Safeguards to protect the privacy of PHI and limit incidental uses or disclosures.
5. Procedures for individuals to submit complaints regarding HIPAA compliance.

ADMINISTRATIVE REQUIREMENTS
6. Must have and apply appropriate sanctions against workforce members who violate privacy policies and procedures.
7. Must document sanctions that are applied, if any.
8. Must mitigate, to the extent practicable, any harmful effect due to a violation.
9. Cannot take intimidating or retaliatory acts against any individual for filing a complaint or exercising his/her rights.
10. Must retain policies and procedures, NPPs, disposition of complaints and other actions/activities for 6 years after the later of the date of their creation or last effective date.
11. Maintain documentation sufficient to meet the burden of proof.

CASES

Impermissible Use/Disclosure: Removal and Loss of Medical Records
- A Massachusetts hospital employee took work home and accidentally left 192 billing records containing detailed PHI on the subway.
- Even though it was an accident, severe penalties were imposed on the hospital: a $1 million fine and a 3-year corrective action plan with oversight by OCR.
- Requirements to develop comprehensive policies and procedures using encryption.
- Implementation of a comprehensive training program and written certification from all staff.

Accessing PHI Without Legitimate Purpose: Accessing Celebrity Records
- A researcher at the UCLA School of Medicine received notice of termination. In retaliation, he accessed his superior's and co-workers' medical records.
- Over the next 4 weeks, he accessed UCLA patient records, including those of many celebrities, a total of 323.
- Penalty: sentenced to 4 years in prison.

Accessing & Leaking PHI to Media
- An Arkansas M.D. and 2 hospital employees accessed the records of a slain Arkansas TV reporter. Details of the attack were leaked to the media.
- The 3 pled guilty in federal court to misdemeanors. A federal judge fined all 3 and sentenced them to 1 year of probation.
- The hospital suspended the M.D.'s privileges for 2 weeks and terminated the 2 employees, plus an account rep. and the Emergency Department coordinator.

Lack of HIPAA Safeguards
- A small Phoenix surgery practice group (5 doctors) posted clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.
- OCR began an investigation and noted the following violations. Failure to: implement adequate policies and procedures; document employee training; identify a clinic security officer and conduct a risk analysis; and obtain a BAA with the internet-based email and calendar services.
- OCR fined the practice $100,000 and required implementation of a corrective action plan that addressed the violations listed above.

Improper Disposal of PHI
- First-of-its-kind joint investigation by OCR and the Federal Trade Commission over allegations that CVS Pharmacy was disposing of PHI, such as prescription bottle labels and old prescriptions, in public dumpsters.
- The joint investigation revealed the following violations. Failure to: implement adequate policies and procedures to protect PHI during disposal; adequately train employees on proper disposal methods; have a sanctions policy.
- CVS entered into a Resolution Agreement that required CVS to: revise and distribute its policies and procedures regarding disposal of PHI; train employees; sanction those who did not follow policies; engage a third-party assessor to conduct assessments and submit reports to Health and Human Services.

Improper Disposal of PHI (cont'd)
- Create new internal reporting procedures requiring employees to report all violations of the new policies and procedures.
- Submit compliance reports to HHS for 3 years.
- AND CVS was fined $2.5 million. CVS is required to submit to third-party audits every 2 years for 20 years (part of its agreement with the FTC).

Willful Intent
- An Arkansas LPN accessed PHI for personal gain. While working in an Arkansas clinic, the LPN accessed a patient's medical record and gave the information to her husband.
- The husband called the patient and said he intended to use the information against him/her in an upcoming legal proceeding.
- Upon discovery, the clinic fired the LPN. A federal indictment charged her with wrongful disclosure of individually identifiable health information for personal gain and malicious harm.
- Charges were dropped against her and her husband in exchange for a guilty plea.
- She faced a maximum of 10 years in prison and a fine of up to $250,000. Sentenced to 2 years of probation, 100 hours of community service, and revocation of her nursing license.

INSURANCE
- Malpractice insurance does not cover HIPAA violations.
- General liability insurance does not cover HIPAA violations.
- Cyber liability insurance may be purchased to cover HIPAA.