Compliance Steps for the Final HIPAA Rule


Brought to you by The Alpha Group

On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA's administrative simplification provisions. The final rule updates HIPAA's privacy, security, enforcement and breach notification requirements, and includes changes required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This Legislative Brief provides an overview of key changes made by the final HIPAA rule and outlines compliance steps for health plans.

OVERVIEW

The final HIPAA rule creates new requirements for health plans and their business associates. To highlight important changes, the final rule:

- Makes business associates directly liable for complying with certain portions of the HIPAA Privacy and Security Rules;
- Revises the HITECH Act's breach notification requirements for unsecured protected health information (PHI) to replace the "significant harm" threshold with a more objective standard; and
- Modifies certain aspects of the HIPAA privacy standards and requires covered entities to revise their privacy notices.

The deadline for complying with the changes made by the final HIPAA rule is Sept. 23, 2013. However, there is an extended compliance deadline for updating existing business associate agreements.

Covered entities will need to take steps to comply with the new requirements under the final rule. To comply with the final rule, health plans will need to review and make necessary updates to:

- Business associate agreements
- HIPAA policies and procedures
- Workforce training programs
- Privacy notices

In light of HHS's increased enforcement of the HIPAA Privacy and Security Rules since the HITECH Act was enacted, covered entities should take their HIPAA compliance obligations seriously and periodically review whether they are adequately protecting the privacy and security of PHI.

PLAN SPONSOR OBLIGATIONS

The extent of a plan sponsor's privacy and security obligations under the HIPAA rules largely depends on how the health plan is funded (insured or self-funded) and whether the sponsor has access to PHI for plan administration. Sponsors of self-funded plans must generally comply with the entire scope of privacy and security provisions for health plans. Sponsors of insured plans that do not have access to PHI (other than summary health information and enrollment and disenrollment information) have minimal obligations under the HIPAA rules; the health insurance issuer has the primary compliance obligation in this situation.

Type of Plan: Self-funded
Extent of Plan Sponsor's HIPAA Privacy/Security Obligations: The full scope of HIPAA's privacy and security requirements for group health plans applies to the plan.

Type of Plan: Fully insured
Extent of Plan Sponsor's HIPAA Privacy/Security Obligations: If the plan does not create or receive PHI (other than summary health information and enrollment and disenrollment information), the health insurer has the primary compliance obligation.

FINAL HIPAA RULE

Changes for Business Associates

Expanded Definition

The final HIPAA rule expands the definition of "business associate" to generally include all entities that create, receive, maintain or transmit PHI on behalf of a covered entity, including subcontractors. According to HHS, including subcontractors in the definition of business associate will ensure that the HIPAA privacy and security protections for PHI do not lapse merely because a function is performed by a subcontractor rather than an entity with a direct relationship with a covered entity. Under the final rule, the business associate that contracts with the subcontractor, and not the covered entity, is required to enter into a business associate agreement with the subcontractor.

Under the final rule, a covered entity must obtain satisfactory assurances (through a business associate agreement) from its business associates that they will appropriately safeguard PHI. Business associates must do the same with regard to their subcontractors, and so on, no matter how far downstream the information flows. Also, the final rule clarifies that entities that store PHI, in hardcopy or electronic format, are business associates even if they do not access, use or disclose that information.

Direct Liability

The HITECH Act amended HIPAA to make many privacy and security provisions directly applicable to business associates. The final HIPAA rule clarifies the privacy and security provisions that directly apply to business associates, and notes that business associates are directly liable for failing to comply with these requirements. Business associates are directly responsible for complying with:

- The HIPAA Security Rule's administrative, physical and technical requirements for safeguarding electronic PHI and implementing policies and procedures for protecting electronic PHI;
- The Privacy Rule's restrictions on the use and disclosure of PHI; and
- The terms of a business associate agreement related to the use and disclosure of PHI.

In addition, business associates are directly responsible for:

- Reporting breaches of unsecured PHI to a covered entity in compliance with HIPAA's breach notification requirements;
- Providing PHI to HHS upon demand so that HHS may investigate and determine the business associate's compliance with HIPAA;
- Making reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request;
- Disclosing PHI to the covered entity, individual or individual's designee as necessary to satisfy a covered entity's obligations with respect to an individual's request for an electronic copy of PHI; and
- Entering into business associate agreements with subcontractors that create or receive PHI on their behalf.

Covered entities, including health plans, will need to review their business associate agreements to determine if they must be updated for the final HIPAA rule. For example, among other changes, the final HIPAA rule requires business associate agreements to state that a business associate will ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information. Business associates will also be required to review their contracts with subcontractors that create or receive PHI to determine if updates are necessary. HHS has provided sample business associate agreement language for covered entities and business associates to use as a starting point in drafting their own agreements.

The final HIPAA rule includes an important transition rule for business associate agreements that were entered into prior to Jan. 25, 2013 and complied with the HIPAA requirements in effect on that date. The transition period allows existing agreements that are not renewed or modified between March 26, 2013 and Sept. 23, 2013 to remain compliant until Sept. 23, 2014 or, if earlier, the date the agreement is renewed or modified after Sept. 23, 2013. The transition rule extends the time for the paperwork only; it does not extend the time allowed for the covered entity and business associate to comply with the changes made by the final HIPAA rule.

Breach Notification

Objective Standard for Breach Determination

The HITECH Act requires covered entities to notify affected individuals following the discovery of a breach of unsecured PHI. Notification must also be provided to HHS and, in some cases, to the media. The HITECH Act defines a breach as the unauthorized acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the information. There are three exceptions to this definition:

- Disclosures where the recipient of the information would not reasonably have been able to retain the information;
- Certain unintentional acquisition, access or use of information by employees or others acting under the authority of a covered entity or business associate; and
- Certain inadvertent disclosures among people similarly authorized to access PHI at a business associate or covered entity.

An interim final rule released in 2009 provided that a breach will compromise the security or privacy of PHI if it poses a significant risk of financial, reputational or other harm to the individual. Effective Sept. 23, 2013, the final rule replaces the "significant harm" threshold under the interim final rule with a more objective standard. Under the final rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates through a risk assessment that there is a low probability that the PHI has been compromised (or one of the three exceptions to the definition of breach applies). The risk assessment must, at a minimum, take into account the following factors:

- The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.

If an evaluation of the factors fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification is required.

To prepare for compliance with the final HIPAA rule, covered entities and business associates should examine their breach notification policies to ensure that they consider all of the required factors when evaluating the risk of an impermissible use or disclosure. Additional factors may also need to be considered based on the circumstances of the impermissible use or disclosure. In addition, workforce training programs should be updated to include the new risk assessment and explain the factors to be considered in the assessment.

HIPAA Privacy Standards and Privacy Notice

New Privacy Standards

The final HIPAA rule makes certain modifications to HIPAA's privacy standards for PHI, including requiring covered entities to update their notice of privacy practices. For example, under the final rule:

- Covered entities must provide an individual with access to PHI in the electronic form and format requested by the individual if the PHI is maintained electronically in one or more designated record sets;
- Covered entities must agree to an individual's request to restrict PHI if the information pertains to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid in full;
- Covered entities must protect the PHI of a deceased individual for 50 years after the individual's death;
- Covered entities must comply with additional restrictions on the marketing and sale of PHI; and
- Health plans are prohibited from using or disclosing PHI that is genetic information for underwriting purposes (long-term care plans are exempt), as required by the Genetic Information Nondiscrimination Act of 2008 (GINA).

Under the final HIPAA rule, "underwriting purposes" means rules for eligibility (including enrollment and continued eligibility) for benefits under the plan, the computation of premium or contribution amounts under the plan, the application of any pre-existing condition exclusion under the plan, or other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits.

Privacy Notice

In addition, the final HIPAA rule requires covered entities to revise and redistribute their HIPAA privacy notices. In general, a covered entity's privacy notice must describe the uses and disclosures of PHI that a covered entity is permitted to make, the covered entity's legal duties and privacy practices with respect to PHI, and an individual's rights concerning PHI. The final HIPAA rule requires the privacy notice to also include:

- A description of certain types of uses and disclosures that require an individual's authorization (such as uses and disclosures of PHI for marketing purposes) and a statement that other uses and disclosures not described in the privacy notice will be made only with an individual's authorization;
- A statement that the covered entity is required to notify affected individuals of breaches of unsecured PHI; and
- For health plans that engage in underwriting activities, a statement that the covered entity is prohibited from using or disclosing PHI that is genetic information for underwriting purposes.

A covered entity that updated its privacy notice for the HITECH Act and distributed it does not need to revise and distribute the notice again, provided the notice already includes the information required by the final rule.

In light of the final HIPAA rule, covered entities should review their HIPAA privacy policies and procedures and make any necessary updates to make sure they are consistent with the new privacy standards. Employees working with PHI should also be trained on the new standards. In addition, covered entities must review their privacy notices, make the required updates and distribute the updated notices.

The final rule includes important provisions for distributing privacy notices. A health plan that posts its privacy notice on its website must post the material changes or its revised notice on the website by Sept. 23, 2013, and provide the revised notice (or information about the material change and how to obtain the revised notice) in its next annual mailing to plan participants, such as during the plan's open enrollment period. A health plan that does not have a website must provide the revised notice (or information about the material change and how to obtain the revised notice) within 60 days of the material revision to the notice.

Also, it is important to remember that issuers of fully insured health plans have the primary responsibility for the privacy notice, and sponsors of these plans have limited responsibilities with respect to the notice. If the sponsor of a fully insured plan has access to PHI for plan administrative functions, it is required to maintain a privacy notice and provide the notice upon request. If the sponsor of a fully insured plan does not have access to PHI, it is not required to maintain or provide a privacy notice.

COMPLIANCE CHECKLIST

To comply with the final HIPAA rule, health plans will need to:

- Review business associate agreements to determine whether amendments are necessary. Amendments to existing business associate agreements should be made before the end of the transition period. At the latest, this period will end on Sept. 23, 2014, although it may end sooner for some plans.
- Update HIPAA policies and procedures for the new rule's changes. For example, revisions should be made for the new breach notification standards, expanded individual rights and the prohibition on using genetic information for underwriting purposes.
- Update workforce training programs for the new requirements. For example, the training should be updated to include information on the risk assessment standard for breach notifications, and the significant-risk standard should be replaced with the low probability standard.
- Review the HIPAA privacy notice and make any necessary changes to reflect the final rule. If the health plan has a website, the updated privacy notice should be posted by Sept. 23, 2013. If not, the updated notice should be provided within 60 days of the revision to the notice.