Be Careful What You Wish For: The Final Rule Is Out


Theodore J. Kobus III, tkobus@bakerlaw.com, @tedkobus, 212.271.1504
Lynn Sessions, lsessions@bakerlaw.com, @lynnsessions, 713.646.1352
Toll Free 24-Hour Data Breach Hotline: 855.217.5204
Blog: www.dataprivacymonitor.com

Theodore J. Kobus III. Ted Kobus is National Co-Leader of the Privacy and Data Protection Team. Ted advises clients, trade groups and organizations regarding data security and privacy risk management, breaches, response strategies, litigation and regulatory actions affecting organizations. He has counseled clients involved in over 400 breaches, including significant breaches implicating state and federal laws, international laws and other regulations and requirements: HITECH, the Massachusetts Data Privacy Law, California privacy laws (including the California Department of Public Health Law), Connecticut Insurance Department regulations, Puerto Rico's Citizen Information on Data Banks Security Act, Mexico's Data Protection Law, Canada's data privacy requirements and PCI/CISP requirements. He has dealt with Offices of Attorneys General, state insurance departments, the Office for Civil Rights (OCR)/Health and Human Services (HHS), the Secret Service, the FBI, local police and forensics professionals as part of their handling of data breaches.

Lynn Sessions. Lynn Sessions focuses her practice on providing legal services to healthcare industry clients, including hospitals, integrated delivery systems, healthcare providers, and academic medical centers. Using her prior in-house experience at Texas Children's Hospital, Lynn represents and provides legal counsel to clients on a variety of privacy and data security matters from an in-house counsel and client perspective. Lynn works with clients to ensure they are in compliance with HIPAA/HITECH regulations, develops proactive compliance programs, provides counsel in response to a privacy or data breach, and works with clients to ensure the effective development of preventative data privacy and security measures. Lynn has worked with clients where multiple parties in various states were involved in high-stakes data privacy and security breaches. She is experienced in applying federal HIPAA/HITECH regulations and specific state privacy and breach statutes, and in handling the OCR and other regulatory investigations that follow. Lynn has handled internal investigations on a large and small scale. These investigations are focused on protecting health care providers and their customers from privacy and data breaches, fraud and identity theft. Ms. Sessions has also worked with clients to develop preventative data privacy and security strategies to avoid potential security breaches, including development of policies and procedures, breach response teams and training programs.

OCR Resolution Agreements
Providence Health & Services ($100K)
CVS Pharmacy ($2.25M)
Rite-Aid ($1M)
Management Services Organization of Washington ($35K)
Cignet ($4.3M)
Massachusetts General Hospital ($1M)
UCLA Health Services ($865K)
Blue Cross Blue Shield of Tennessee ($1.5M)
Alaska Medicaid ($1.7M)
Phoenix Cardiac Surgery, P.C. ($100K)
Massachusetts Eye and Ear Infirmary ($1.5M)
Hospice of North Idaho ($50K)

What Has OCR Said About Enforcement? "This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates." OCR Director Leon Rodriguez

Business Associates Are Now Directly Liable 160.402: Basis for a Civil Monetary Penalty. 160.402(c)(2): A business associate is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency. 160.103: A business associate includes [a] subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

Calculation of Civil Monetary Penalties (CMPs). 160.408: Factors considered in determining the amount of a civil money penalty. The Secretary MUST consider a list of mitigating or aggravating factors:
The nature and extent of the violation (the number of individuals affected and the time period during which the violation occurred).
The nature and extent of the resulting harm (physical harm, reputational harm, or financial harm), and whether the violation hindered the ability to obtain health care (the word "facilitated" was removed from this factor).

Calculation of Civil Monetary Penalties (CMPs), continued. The Secretary MUST also consider:
The history of prior compliance and attempts to correct indications of noncompliance.
Response to technical assistance from the Secretary.
Response to prior complaints.
Financial condition of the CE or BA.
Size of the BA or CE.
Such other matters as justice may require.

Assurances to Safeguard Information. Covered Entities (CEs) must receive assurances from Business Associates (BAs). CEs do not need to receive assurances from sub-BAs; BAs need to receive assurances from their sub-BAs. Sub-Business Associate Agreements (sub-BAAs) are required. It is a violation if a CE/BA knows of a pattern of activity or practice of the BA/sub-BA that constituted a material breach or violation of the BA's/sub-BA's obligation under the contract or other arrangement, unless the CE/BA took reasonable steps to cure the breach or end the violation and, if such steps were unsuccessful, terminated the contract or arrangement if feasible.

Disclosures by BAs. BAs are limited to the scope of their contract with the CE. BAs are not engaged in health care operations, so there is no treatment, payment, or health care operations (TPO) exception for them. Focus on the contract with the CE. Minimum Necessary applies.

Minimum Necessary

What is a Breach? The baseline definition of a breach remains unchanged. 164.402: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

Interim Final Rule Breach Definition. Under the interim final rule, "compromise" meant that the use or disclosure posed a significant risk of financial, reputational, or other harm. The focus was on the harm to the individual.

Definition of Breach in Final Rule. An acquisition, access, use, or disclosure of protected health information in a manner not permitted ... is presumed to be a breach, unless the CE or BA can demonstrate, based on a risk assessment, that there is a low probability that the PHI has been compromised. "Compromise" is not defined.

Definition of Breach in Final Rule: Risk Assessment. The risk assessment must be documented and based on at least four factors:
The nature and extent of the PHI.
The unauthorized person involved.
Whether the PHI was actually acquired or viewed.
The extent to which any risk has been mitigated.

Reporting/Notification Clarifications. Notification is not warranted where the use or disclosure is so inconsequential that notice may cause the individual unnecessary anxiety, or even eventual apathy if notifications of these types of incidents are sent routinely. Substitute notice or media notice may at times occur after the 60-day period, depending on circumstances. Breaches affecting fewer than 500 individuals must be reported no later than 60 days after the end of the calendar year in which they were discovered, not the year in which they occurred. For breaches affecting more than 500 individuals, notification to the Secretary must occur contemporaneously with notice to individuals.

A Few Things Remain the Same. Timeliness and content of notification. A CE retains the ultimate obligation for proper notification; notification can be delegated to the BA. Media notification and notification to HHS have not changed. Law enforcement delays remain available. There are no changes to the circumstances under which HITECH preempts state law.

What Can You Do to Prepare?
Update your Incident Response Plan (IRP)
Update your Policies & Procedures
Breach Analysis Forms
Education & Awareness
Vendor Lists & Contracts
Risk Assessments & Risk Management Plans
Privacy Counsel
Cyber Insurance
Forensics

Additional Questions? Please contact:
Ted Kobus, 212.271.1504, tkobus@bakerlaw.com
Lynn Sessions, 713.646.1352, lsessions@bakerlaw.com
Toll Free 24-Hour Data Breach Hotline: 855.217.5204

Chicago Cincinnati Cleveland Columbus Costa Mesa Denver Houston Los Angeles New York Orlando Washington, DC www.bakerlaw.com 2013 Baker & Hostetler LLP