
Life Sciences and Health Care Client Service Group

To: Our Clients and Friends
January 25, 2013

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act

This Client Alert is published for the clients and friends of Bryan Cave LLP. Information contained herein is not to be considered as legal advice. This Client Alert may be construed as an advertisement or solicitation. 2013 Bryan Cave LLP. All Rights Reserved.

On January 17, 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services issued the final rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, enforcement, and breach notification rules pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act. The rule will be published in the Federal Register on January 25, 2013, and becomes effective on March 26, 2013. Compliance with the final rule is required by September 23, 2013. A summary of the final regulations is as follows:

Definitions - 160.103

Business associate (BA) now includes Health Information Organizations, E-Prescribing Gateways, and other persons that provide data transmission services with respect to protected health information (PHI) to covered entities and that require routine access to such PHI. It also includes entities that offer personal health records to individuals on behalf of a covered entity. Entities that act as mere conduits for the transport of PHI and do not access the PHI other than on a random or infrequent basis are not BAs. However, an entity that maintains or stores PHI on behalf of a covered entity is a BA even if it does not actually view the PHI. A subcontractor of a BA that creates, receives, maintains, or transmits PHI on behalf of the BA is also a BA.

Electronic media is now defined to include electronic storage material on which data is or may be recorded electronically, or transmission media used to exchange information already in electronic storage media. To constitute electronic media, the information being exchanged must exist in electronic form immediately before the transmission. Therefore, transmissions of paper via facsimile and of voice via telephone are not considered transmissions via electronic media unless the information was in electronic form initially. The preamble also noted that PHI stored in photocopiers, facsimile machines, and similar devices is subject to HIPAA.

Protected health information excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA), in employment records held by a covered entity in its role as employer, and regarding an individual who has been deceased for more than fifty years.

Workforce now includes employees, volunteers, trainees, and other persons whose conduct is under the direct control of a covered entity or BA.

Investigations by the OCR - 160.306

The OCR must investigate a possible HIPAA violation that is due to willful neglect.

Resolution of Noncompliance - 160.312

If an investigation of a complaint or a compliance review indicates noncompliance with HIPAA, the OCR may attempt to resolve the matter by informal means.

Imposition of Civil Money Penalties - 160.401 and 160.402(c)

The amount of the civil money penalty that may be imposed for a violation of HIPAA is based upon the level of culpability. Reasonable cause is now defined as an act or omission in which a covered entity or BA knew, or by exercising reasonable diligence would have known, that the act or omission violated HIPAA, but in which the covered entity or BA did not act with willful neglect. 160.401. A covered entity is liable for the acts of its BA, and a BA for the acts of its subcontractors, under the federal common law of agency (that is, where the covered entity has the right or authority to control the BA's conduct in the course of performing a service on behalf of the covered entity, or similarly the BA has the right to control the subcontractor's conduct). 160.402(c).
The following are the categories of violations and the respective penalty amounts that may be imposed:

Categories of Violations and Respective Penalty Amounts Available

Violation Category | Each Violation | All Such Violations of an Identical Provision in a Calendar Year
(A) Did Not Know | $100 - $50,000 | $1,500,000
(B) Reasonable Cause | $1,000 - $50,000 | $1,500,000
(C)(i) Willful Neglect - Corrected | $10,000 - $50,000 | $1,500,000
(C)(ii) Willful Neglect - Not Corrected | $50,000 | $1,500,000

Privacy Rule Definitions - 164.501

Health care operations has been expanded to include patient safety activities.

Marketing means making a communication about a product or service that encourages the recipient to purchase or use the product or service. Marketing does not include communications made:

1. To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, provided that any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity's cost of making the communication.

2. For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:
A. For treatment of an individual by a health care provider;
B. To describe a health-related product or service that is provided by, or included in, a plan of benefits; or
C. For case management or care coordination.

Financial remuneration means a direct or indirect payment from, or on behalf of, a third party whose product or service is being described. The OCR clarifies that an authorization is required for all treatment and health care operations communications where the covered entity or BA receives financial remuneration from the third party whose product or service is being marketed in exchange for making the communication. However, no authorization is required for face-to-face communications or where only a promotional gift of nominal value is provided to the individual.

Business Associates

A BA may not use or disclose PHI except as permitted or required by HIPAA. 164.502(a). The minimum necessary standard applies to BAs. 164.502(b). A BA must obtain satisfactory assurances from its subcontractors that they will appropriately safeguard the PHI in accordance with HIPAA. 164.502(e). It is not the duty of the covered entity to obtain those assurances from the BA's subcontractors. BAs must also comply, where applicable, with the HIPAA Security Rule with regard to electronic PHI, report breaches of unsecured PHI to covered entities, and ensure that any subcontractor that creates, receives, or maintains PHI on behalf of the BA agrees to the same restrictions and conditions that apply to the BA. 164.504(e)(2)(ii)(B) through (D). Additionally, a BA must comply with the HIPAA Privacy Rule provisions that apply to the contracting covered entity when the BA carries out the covered entity's obligations under the contract. 164.504(e)(2)(ii)(H). A BA is not required to have a HIPAA Privacy Officer.

Covered entities may operate under existing BA agreements for up to one year beyond the September 23, 2013 compliance date of these regulations, or until the BA agreement is modified or renewed, whichever is sooner. 164.532(d) and (e). BA agreements with evergreen clauses are eligible for the extension of up to one year.

Sale of PHI - 164.502(a)(5)(ii)(B)

Sale of PHI means a disclosure of PHI by a covered entity or BA where the covered entity or BA directly or indirectly receives remuneration from, or on behalf of, the recipient of the PHI in exchange for the PHI. The regulation delineates a number of exceptions.

Authorizations for Research - 164.508

A covered entity may combine conditioned and unconditioned authorizations for research. The authorization must clearly differentiate between the conditioned and unconditioned research components and must allow the individual to opt in to the unconditioned research activities (it is not permissible to offer only an opt-out from the unconditioned research activities). HHS also modified its interpretation that research authorizations must be study specific; no changes were made to the authorization requirements at 164.508 themselves. A HIPAA authorization for future research must still address each of the core elements, but HHS will no longer interpret the purpose provision at 164.508(c)(1)(iv) as requiring that an authorization for the use or disclosure of PHI for research purposes be study specific. The authorization must describe the general purpose in a way that reflects that the individual is authorizing PHI to be used or disclosed for future research. The expiration of the authorization may be stated as the end of the research study, as "none," or as a specific time limit.

Disclosures about a Decedent to Family Members and Others Involved in Care - 164.510(b)

The PHI of a decedent may be disclosed to family members and others who were involved in the care of, or payment for the care of, the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the decedent that is known to the covered entity.

Disclosures of Student Immunizations to Schools - 164.512(b)

A covered entity may disclose proof of immunization to a school upon the oral or written agreement of the student's parent, guardian, or other person acting in loco parentis. An oral agreement must be documented.

Fundraising - 164.514(f)

A covered entity may decide what methods individuals can use to opt out of receiving fundraising communications, but the methods cannot impose an undue burden on, or more than a nominal cost to, the individual. The scope of the opt-out, and how an individual may opt back in, are at the discretion of the covered entity. The information that may be used and disclosed for fundraising has been expanded and now includes names, addresses, other contact information, age, gender, date of birth, health insurance status, department of service, the treating physician, and outcome information. The covered entity's Notice of Privacy Practices (NPP) must inform individuals that they may be contacted for fundraising and that they have the right to opt out of receiving fundraising materials. The opt-out requirements apply to fundraising solicitations by telephone as well as by mail. Note that the notice and opt-out requirements for fundraising communications apply only where the covered entity uses or discloses PHI to target fundraising communications.

Notice of Privacy Practices (NPP) - 164.520

The NPP must include a statement that most uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require the individual's authorization; if the covered entity does not record or maintain psychotherapy notes, the statement about psychotherapy notes may be omitted. There must be a statement that fundraising communications may be sent to individuals and that they have the right to opt out of receiving such communications. Health care providers (and only health care providers) must include a statement that the individual has the right to restrict disclosures of PHI to a health plan where the individual pays out of pocket in full for the health care item or service. There must be a statement that individuals have the right to be notified following a breach of unsecured PHI.

These modifications are material changes, so individuals must be notified of the revised NPP. A health plan that posts its NPP on its website must (1) prominently post the material changes or the revised NPP on the website by the effective date of the regulations; and (2) provide the revised NPP, or the material changes and information on how to obtain the revised NPP, in its next annual mailing to plan members, such as at the beginning of the next plan year or during open enrollment. A health plan that does not have a customer service website must provide the revised NPP, or the material changes and information on how to obtain the revised NPP, to plan members within 60 days of the material revision to the NPP.

Right to Request a Restriction of Uses and Disclosures - 164.522(a)

This provision applies only to covered entities that are health care providers. Individuals have a right to restrict the disclosure of PHI to a health plan for a service or item for which the individual pays out of pocket in full. A provider may require payment in full at the time of the request for a restriction to avoid later payment problems; this may be especially relevant where a health plan requires precertification before it will pay for an item or service, since the provider otherwise cannot seek reimbursement from the health plan if the individual fails to pay. If the provider is unable to unbundle the item or service that the individual wants to pay for out of pocket, the provider must inform the individual and give the individual the opportunity to pay out of pocket for the entire bundle of items or services. It is the individual's obligation to notify all providers of the requested restriction and to pay those providers out of pocket.

Access to PHI - 164.524

If an individual requests an electronic copy of PHI that is maintained electronically, the covered entity must provide the PHI in the electronic form requested if it is readily producible or, if not, in a readable electronic form agreed to by the covered entity and the individual (such as MS Word or Excel, text, HTML, or text-based PDF). If the individual will not accept any of the electronic formats offered by the covered entity, the covered entity must provide a hard copy. A covered entity is permitted to send PHI by unencrypted email if the individual has been advised of the risks and still requests unencrypted email.

Fees - 164.524(c)(4)

A covered entity may charge a reasonable, cost-based fee for copies of PHI. The fee may now include labor costs for copying the PHI, whether paper or electronic, such as the time required for a skilled technician to create and copy an electronic record; compiling, extracting, scanning, and burning PHI to media; distributing media; and preparing a summary of PHI. The fee may also include the cost of supplies for creating a paper copy or electronic media, and postage. Labor costs for retrieving PHI cannot be charged. Fees for maintaining systems and recouping capital for data access, storage, and infrastructure are not reasonable, cost-based fees and are not permitted. However, a fee may be charged for preparing an affidavit to accompany the PHI; that fee is not subject to the cost-based limitation. If state law sets the fees that may be charged for copies of PHI, the covered entity must still comply with HIPAA's requirement that the fees be cost-based.

Timeliness of Providing PHI - 164.524(b)

The provision that permitted an additional 60 days to respond to a request for PHI when the PHI was not maintained or accessible onsite has been deleted. PHI must be provided within 30 days of the request; a one-time extension of 30 days remains permissible.

Organized Health Care Arrangement - 164.506(c)(5)

In an organized health care arrangement (OHCA), PHI may be disclosed to any other participant in the OHCA, not just to other covered entities.

Disclosures of PHI to Family and Friends - 164.510(b)(3)

When the individual is not present to agree or object, disclosures of PHI to the individual's family and friends may include PHI directly relevant to the person's involvement with the individual's care or with payment for the individual's health care, or as needed for notification purposes.

Disclosures to Employers for Workplace Medical Surveillance - 164.512(b)(1)(v)(A)

When an employer needs PHI to comply with workplace medical surveillance laws, a covered entity may disclose the PHI to the employer, subject to certain conditions, if the covered entity is a health care provider that provides health care to the individual at the request of the employer.

Breach Notification - 164.402

The definition of breach has been revised by deleting the harm standard ("no significant risk of harm to the individual"). An impermissible use or disclosure of PHI is now presumed to be a breach unless the covered entity or BA demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment that considers at least the following factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. 164.402.

In performing the risk assessment, the following questions should be addressed under factor one: (1) whether the PHI is of a more sensitive nature; (2) whether the PHI includes financial information (Social Security number, credit card number, or other information that increases the risk of identity theft or financial fraud); (3) the amount of detailed clinical information and the nature of the services; and (4) whether the PHI could be used by the recipient in a manner adverse to the individual or to further the recipient's own interests. Under factor two: (1) whether the recipient has obligations to protect the privacy and security of the PHI; (2) whether the recipient has the ability to re-identify the PHI; and (3) whether the use or disclosure occurred within the covered entity or BA or external to it. Under factor four, determine whether the recipient's satisfactory assurance can be obtained, such as through a confidentiality agreement or similar means, that the PHI will not be further used or disclosed and will be destroyed. Note that a use or disclosure of PHI that violates the minimum necessary standard may qualify as a breach. The OCR takes the position that if a computer is lost or stolen, it is not reasonable to delay breach notification in the hope that the computer will be recovered.

The OCR also clarified that nothing in the regulations requires the breach notice to include the names of the employees involved in the breach or the specific disciplinary action imposed. If an individual has agreed to receive communications from the covered entity only orally or by telephone, the covered entity may telephone the individual and ask the individual to pick up the breach notice; if the individual does not want to pick up the notice, the information in the notice may be given over the telephone, with the call documented. It was also clarified that breaches affecting fewer than 500 individuals must be reported to HHS within 60 days after the end of the calendar year in which the breaches were "discovered" (previously "occurred"). 164.408.

Modifications under the Genetic Information Nondiscrimination Act of 2008 (GINA)

The definition of health information was modified to include genetic information. The following GINA-related definitions were added: "family member," "genetic information," "genetic services," "genetic test," "manifestation or manifested," and "underwriting purposes." Health plans, other than issuers of long-term care policies, are prohibited from using or disclosing genetic information for underwriting purposes. 164.502(a)(5). Health plans that use or disclose PHI for underwriting must include in their NPP a statement that they are prohibited from using or disclosing genetic information about the individual for underwriting purposes. 164.520(b)(1)(iii)(D). This is considered a material change to the NPP.

Moving Forward

For questions or further information, please speak to your regular Bryan Cave contact, a member of our Life Sciences and Health Care Client Service Group, or the author of this client alert:

Sheryl Feutz-Harter
Kansas City
816-374-3245
Sheryl.FeutzHarter@bryancave.com