HIPAA Privacy & Security Omnibus Changes 2013

The Federal Government has published modifications to 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. The effective date of the final rule is March 26, 2013. Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.

The following provides guidance on key changes associated with the Final Rule and the impact of these rules on physician practices. Impacted forms, policies and procedures associated with your purchased Medical Office Compliance Toolkit have been updated to reflect any applicable Final Rule changes. Please note: the HIPAA Security Business Associate Agreement sample form provided in the toolkit already contains the updated provisions and therefore no updates are required. Updated documents can be downloaded free of charge through your online account. Updated forms include the following:

1. HIPAA Privacy_Notice of Privacy Practices

All Rights Reserved, 2013

Summary of the Final Rule Changes

Modified Definition of Breach and When a Breach Notification is Required:

In the event of a breach of unsecured protected health information, a covered entity or business associate is required to conduct a risk assessment. Previously, the purpose of the risk assessment was to determine whether the breach posed a significant risk of financial, reputational, or other harm to the individual. A breach was not considered to have occurred if the covered entity or business associate was able to demonstrate either that the disclosure fell under one of the breach exclusions or that the risk assessment determined the breach did not pose a significant risk of financial, reputational, or other harm to the individual.

The Final Rule modified the following: it changed the purpose of the risk assessment to require that the covered entity or business associate now demonstrate that there is a low probability that the protected health information has been compromised. The risk assessment is required to assess, at a minimum, the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification. In other words, examine the sensitivity of the identifiers involved and the likelihood of re-identification. Identifiers include:
   i. Names
   ii. Geographic information (e.g. state, address, zip codes)
   iii. Dates related to the individual (e.g. date of birth, date of admission/discharge)
   iv. Phone numbers
   v. Email addresses
   vi. Social Security Numbers
   vii. Account numbers or health plan numbers
2. Whether the unauthorized person who received the information has obligations to protect the privacy and security of the information.
3. Whether the protected health information was actually acquired or viewed. In the risk assessment, consider the distinction between actual acquisition or viewing of unsecured protected health information versus the opportunity for the information to be acquired or viewed, to determine the probability of impermissible use or disclosure, as the following example in the Final Rule illustrates: if a laptop computer was stolen and later recovered and a forensic analysis shows that the protected health information on the computer was never accessed.
4. The extent to which the risk to the protected health information has been mitigated. For example, obtaining a signed confidentiality agreement from the recipient.

There was also an exception that a breach notification was not required for limited data sets that do not contain any dates of birth and zip codes. This exception has now been removed in the Final Rule. As such, a risk assessment is now required for all situations involving an impermissible use or disclosure of protected health information, to determine whether breach notification is necessary. The new rules clarify that there is no need to have an independent entity conduct the risk assessment, and that no risk assessment is required to be conducted if a breach notification is made.

The breach notification requirement may also be delegated to a Business Associate, and your practice is encouraged to coordinate with its Business Associate so that patients receive only one notification of a breach.

Breach notification involving fewer than 500 individuals. Under the Final Rule, covered entities are required to notify the Secretary of all breaches of unsecured protected health information affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were discovered, rather than the calendar year in which the breaches occurred. All other reporting and timeframe requirements remain the same.

Modified Use and Disclosures of PHI:

Marketing and Sale of PHI

A covered entity must obtain an authorization for any use or disclosure of protected health information for marketing or for the sale of protected health information. Under the Final Rule, the prior written authorization requirement extends to licenses or any type of lease agreement, and to any case in which the covered entity or business associate will directly or indirectly receive remuneration (payment) from or on behalf of the recipient of the protected health information in exchange for the protected health information. Sale of protected health information does not include a disclosure of protected health information:

- For public health purposes pursuant
- For research purposes where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes
- For treatment and payment purposes
- For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence efforts
- To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor
- To an individual
- Required by law

Disclosures to Health Plans

Under the Final Rule, patients may request that physicians not disclose to health plans information about care the patient has paid for out-of-pocket, unless the disclosure is for treatment purposes or, in the rare event, is required by law. Under the previous HIPAA Privacy Rules physicians could refuse to abide by any such request; however, the new rule requires physicians and other health care providers to abide by a patient's request not to disclose PHI to a health plan for those services for which the patient has paid out-of-pocket and requests the restriction.

Use and Disclosures for Genetic Testing

The Final Rule imposes new restrictions on the disclosure of protected health information containing genetic information. The Rule now prohibits group health plans and any insurance issuer from using or disclosing genetic information for underwriting purposes. Genetic information is defined as information about:

- An individual's genetic tests;
- The genetic tests of family members of the individual;
- The manifestation of a disease or disorder in family members of such individual; or
- Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.

Genetic information excludes information about the sex or age of an individual.

Immunization Records (UPDATED in Policy)

The Final Rule added new language that permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself if the individual is an adult or emancipated minor. The Final Rule additionally requires that covered entities document the agreement obtained under this provision. For example, if a mother calls to request that immunization records be disclosed to the child's school, the practice would simply make a note in the patient record regarding the call.

PHI of Deceased Individuals

Under the Final Rule, a covered entity must comply with the requirements of [the HIPAA Privacy Rule] with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual. As a point of clarification, the 50-year period of protection is not a requirement to retain medical record information for that duration. Medical record retention requirements are still subject to State and other applicable laws. The new rule allows a covered entity to disclose to a family member, or other persons who were involved in the individual's care or payment for health care prior to the individual's death, protected health information of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

Providing Electronic PHI (e-PHI)

The Final Rule expands individuals' rights to receive electronic copies of their health information. Practices must provide access to electronic records in the format requested by the individual, so long as the information is readily producible in that format. Covered entities are also permitted to transmit PHI through unencrypted email as long as the requesting individual has been advised of the risk and still requests that form of transmission. In addition, under the Final Rule a covered entity will now have 30 days to respond to a patient's request for their PHI, with one 30-day extension, regardless of where the records are kept. Under the prior rule, practices had a 60-day timeframe for records maintained offsite.

Fees for Providing e-PHI or PHI

The Final Rule changed the costs that a practice may charge for providing copies of PHI. A covered entity may include labor costs for extracting e-PHI, and supply costs if the patient requested paper copies or, if electronic, the cost of the portable media used to provide the e-PHI (e.g. thumb drive, CD). Note: State laws may impose different rules; your practice should check whether State law differs.

Updates to the Notice of Privacy Practices (NPP):

Covered entities will need to update their NPPs to reflect the changes implemented under the Final Rule. Updates should include the revised provisions for breach notification, disclosures to health plans, and marketing and sale of PHI. If a covered entity engages in fundraising, it will also need to update its NPP to inform patients of their right to opt out of those communications.

The Final Rule also eliminated the requirement to include information on communications regarding appointment reminders, treatment alternatives, or health-related benefits/services in your NPP. However, practices may still provide this information if they choose. Once the NPP is updated, post the revised NPP in your practice and also update the NPP on your website (if applicable).

Changes to Business Associates and Business Associate Agreements:

Prior to the Final Rule, the business associate was only required to provide satisfactory assurances related to the HIPAA Privacy and Security rules through the business associate agreement (contract), which meant enforcement of the HIPAA Security rules against the business associate was contractual, via the covered entity. Now business associates and their subcontractors are under direct federal regulation and have direct liability for compliance with HIPAA standards. In other words, the business associate and its subcontractors must protect and safeguard protected health information in the same manner as a covered entity.

A Business Associate Agreement is still required between a covered entity and a business associate. However, the Final Rule indicates that a covered entity is not required to enter into a business associate agreement with a subcontractor of a business associate; rather, this is the obligation of the business associate that has engaged a subcontractor to perform a function or service that involves the use or disclosure of protected health information. The Final Rule defines a subcontractor as a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate. Other changes associated with Business Associates include:

- Since BAs are now directly liable for violations, a covered entity is no longer required to report failures of its BAs to the government when termination of the business associate agreement is not feasible.
- The Business Associate is now also subject to Civil and Criminal Penalties for violations of any of the security provisions, in the same manner as they apply to a covered entity that violates such security provisions.
- The Final Rule slightly modified the definition of a Business Associate as an entity or person that creates, receives, maintains, or transmits protected health information on behalf of a covered entity. As such, the new rule would include organizations like e-prescribing gateways, health information exchanges or personal health record vendors.

Covered entities should review their relationships with current vendors and determine whether any of them should now be treated as a business associate under the new guidelines. Also, covered entities need to evaluate their Business Associate Agreements to determine whether modifications or new agreement provisions are necessary. Covered entities have until September 23, 2014 to bring all their BA agreements into conformance with the new rules.

Enforcement and Civil Money Penalties (CMP):

The Final Rule clarifies the tiered structure related to civil monetary penalties (CMPs) that can be imposed for violations of HIPAA regulations. These penalties apply to both medical practices and their business associates. The tiered structure for imposition of CMPs under the HITECH Act and Final Rule distinguishes the level of culpability as follows:

- Unknowing. The covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of the violation.

- Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
- Willful Neglect Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
- Willful Neglect Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.

The corresponding tiers of CMP relating to each level of culpability are as follows:

| Violation Category | Each Violation | Total CMP for Violations of an Identical Provision in a Calendar Year |
|---|---|---|
| Unknowing | $100 to $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 to $50,000 | $1,500,000 |
| Willful Neglect Corrected | $10,000 to $50,000 | $1,500,000 |
| Willful Neglect Not Corrected | At least $50,000 | $1,500,000 |

Under the Final Rule, HHS does not have the authority to automatically impose the maximum CMP for any given violation. Rather, in determining the amount of a CMP, HHS must consider the following:

- The nature and extent of the violation, including the number of individuals affected and the time period during which the violation occurred;
- The nature and extent of the harms resulting from the violation, including whether the violation caused physical harm, whether the violation resulted in financial harm, whether there was harm to an individual's reputation, and whether the violation hindered an individual's ability to obtain healthcare;
- The history of prior compliance, including previous violations; and
- The financial condition of the covered entity or business associate, including whether financial difficulties affected the ability to comply and whether the imposition of the CMP would jeopardize the ability of the covered entity to continue to provide or pay for healthcare.

Defenses to CMPs

The Final Rule limits the ability of the Secretary to impose CMPs for certain violations of HIPAA occurring after Feb. 18, 2009. Specifically, the Secretary may not impose CMPs for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period determined by the Secretary to be appropriate based on the nature and extent of the failure to comply. This defense, however, is not available for violations due to willful neglect. Thus, to the extent possible, a covered entity or business associate that discovers a violation of HIPAA that is not due to willful neglect should endeavor to (i) correct the violation within 30 days of the discovery; (ii) document the date on which it discovered the violation; and (iii) document the date on which it implemented the correction, in order to establish a basis for asserting the affirmative defense to the imposition of CMPs for the violation.

The information contained herein is not intended to be legal advice provided by AAPC and should not be relied upon as a substitute for legal advice or opinion. This material may not be applicable to, or suitable for, the specific circumstances or needs of the reader, and may require additional consideration of other factors or information not described herein. For a complete copy of 45 CFR Parts 160 and 164, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, go to http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf