Colorado Medical Society. June 3, Presented by David A. Ginsberg President, PrivaPlan Associates, Inc.

Similar documents
The HIPAA Omnibus Rule

ICAHN Presentation. Final Omnibus Rule and Security Risk Analysis. July 26, David Ginsberg

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel

AFTER THE OMNIBUS RULE

The wait is over HHS releases final omnibus HIPAA privacy and security regulations

GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do

To: Our Clients and Friends January 25, 2013

Legal and Privacy Implications of the HIPAA Final Omnibus Rule

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors

Management Alert Final HIPAA Regulations Issued

HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by

Fifth National HIPAA Summit West

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013

Highlights of the Omnibus HIPAA/HITECH Final Rule

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!

HHS, Office for Civil Rights. IAPP October 11, 2012

Health Law Diagnosis

New HIPAA Rules and Implications for the Industry January 29, 2013

Compliance Steps for the Final HIPAA Rule

Omnibus HIPAA Rule: Impact on Covered Entities

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP

New HIPAA-HITECH Proposed Regulations Issued

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government

NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH

BREACH NOTIFICATION POLICY

OMNIBUS RULE ARRIVES

ACC Compliance and Ethics Committee Presentation February 19, 2013

Changes to HIPAA Under the Omnibus Final Rule

Changes to HIPAA Privacy and Security Rules

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners

H E A L T H C A R E L A W U P D A T E

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013

HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI)

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure

Getting a Grip on HIPAA

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules

8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013

HIPAA & The Medical Practice

HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules

Interim Date: July 21, 2015 Revised: July 1, 2015

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Compliance Steps for the Final HIPAA Rule

SATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE

HIPAA Omnibus Final Rule and Research

ARRA s Amendments to HIPAA Privacy & Security Rules

HIPAA PRIVACY COMPLIANCE MANUAL DISCLAIMER

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC

HIPAA Compliance Guide

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule

Interpreters Associates Inc. Division of Intérpretes Brasil

Determining Whether You Are a Business Associate

Preparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013

The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance. Patricia A. Markus, Esq.

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

New HIPAA Breach Rules NAHU presents the WHAT and WHYs. Agenda

HIPAA Basic Training for Health & Welfare Plan Administrators

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017

HIPAA OMNIBUS FINAL RULE

HIPAA Omnibus Rule Compliance

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS

True or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15)

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off

MEMORANDUM. Kirk J. Nahra, or

LEGAL ISSUES IN HEALTH IT SECURITY

Business Associate Agreement

O n Jan. 25, the Office for Civil Rights (OCR) of the. Privacy and Security Law Report

VOL. 0, NO. 0 JANUARY 23, 2013

An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4

HIPAA STUDENT ASSOCIATE AGREEMENT

HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities

45 CFR Part 164. Interim Final Rule Breach Notification for Unsecured Protected Health Information

ARE YOU HIP WITH HIPAA?

Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference

The Privacy Rule. Health insurance Portability & Accountability Act

ALERT. November 20, 2009

AROC 2015 HIPAA PRIVACY AND SECURITY RULES

HIPAA Compliance Under the Magnifying Glass

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS

Highlights of the Final Omnibus HIPAA Rule

HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule

"HIPAA RULES AND COMPLIANCE"

HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA Privacy Overview

NOTIFICATION OF PRIVACY AND SECURITY BREACHES

Transcription:

Colorado Medical Society The HIPAA OMNIBUS RULE June 3, 2013 Presented by David A. Ginsberg President, PrivaPlan Associates, Inc. Agenda The HIPAA Omnibus Rule - a high level overview Effective dates SpeciLic provisions and changes Special focus on Breach notilication 2008 1

Why this seminar? January 25, 2013 the Final Rule was published The full title is: 45 CFR Parts 160 and 164 ModiLications to the HIPAA Privacy, Security, Enforcement, and Breach NotiLication Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other ModiLications to the HIPAA Rules Why this seminar? These modilications pertain to four different areas of HIPAA : The Privacy Rule The Security Rule The Enforcement Rule The Breach NotiLication Rule 2008 2

Back to the Basics- context for today HIPAA covers these primary compliance areas: Privacy Security Administrative SimpliLication- Transactions and Code Sets With the 2009 ARRA/HITECH Acts- Breach NotiLication Enforcement regulations for the above ARRA and HIPAA The American Recovery and Reinvestment Act of 2009 ( ARRA ) privacy and security provisions are part of the Health Information Technology for Economic and Clinical Health Act ( HITECH Act ) within ARRA These pertain to the overall initiative to promote adoption and use of electronic health records and health information technology These recognize the vulnerabilities created by adoption of EHR and HIT and especially promotion of a personal health record and health information exchanges 2008 3

HITECH Privacy and Security- Key Provisions Breach NotiLication Rule Business Associates- Expansion of applicability New Enforcement Rules Accounting of Disclosures Access and restriction rights Limited Data Set- Minimum Necessary Marketing and fundraising restrictions PHRs Omnibus Rule The Omnibus Rule provided modilications to all of these areas except for Personal Health Records (PHR s are to some extent governed under HIPAA Privacy already, and vendors of PHR systems are governed under Federal Trade Commission law in the event of a breach of unsecured information) Accounting of Disclosures- a Linal rule will be issued later on this The Omnibus Rule also added or expanded on compliance areas 2008 4

Specific Rulemaking already released Privacy Rule- April 16, 2003 Security Rule- April 20, 2005 Transactions and Code Set Rule- October 2003 Breach NotiLication Rule- August 2009; effective September 23, 2009 with enforcement effective as of February 22, 2010 as the Interim Final Rule Enforcement Penalty Changes- IFR November 30, 2009 It took from 2010 until now for the OfLice of Civil Rights within HHS to release the Linal Breach NotiLication Rule which is one of the four major rule changes within the recently released Omnibus Rule Compliance Imelines Omnibus changes are in effect as of March 2013; however in most cases there is a 180 day implementation period During the 180 day period before compliance with this Linal rule is required (September 23, 2013), covered entities and business associates are still required to comply with the requirements of the interim Linal rule (Breach NotiLication)- and other existing requirements! 2008 5

Changes- Special Privacy ProtecIons Disclosures to health plans At the patient s request, physicians may not disclose information about care the patient has paid for out- of- pocket to health plans, unless for treatment purposes or in the rare event the disclosure is required by law. This change updates the previous HIPAA Privacy Rule individual rights to special privacy protections. Changes- Special Privacy ProtecIons Previously, physicians could refuse a request for restrictions on use and disclosure of PHI. The new law requires restrictions when the patient has paid out- of- pocket and requests the restriction This change is likely to have the greatest impact on your practice workllow both in terms of documentation and follow up to ensure the restriction is adhered to 2008 6

Changes- Special Privacy ProtecIons For example: How should you document the request? What happens if the payment made is rescinded? What about downstream releases to HIE s or other providers? And most importantly- what functionality is needed with your practice management or EHR systems to assure the restriction is followed? Changes- ImmunizaIon data Childhood immunizations Under the new rules, physicians may disclose immunizations to schools required to obtain proof of immunization prior to admitting the student so long as the physicians have and document the patient or patient s legal representative s informal agreement to the disclosure. The release cannot be to the school at their request only- aflirmative request from the parent/ guardian/patient is still necessary 2008 7

Changes- ImmunizaIon data The change is primarily to reduce the burden of documentation for such routine releases There is still a need to ensure that the release is per State or other law- otherwise revert to the use of a written authorization! And there is a stated requirement to document the agreement to release immunization information Changes- Access and Copies Decedents The new rules allow physicians to make disclosures to the deceased s family and friends under essentially the same circumstances such disclosures were permitted when the patient was alive, that is, when these individuals were involved in providing care or payment for care and the physician is unaware of any expressed preference to the contrary. The new rule also eliminates any HIPAA protection for PHI 50 years after a patient s death. 2008 8

Changes- Access and Copies Copies of ephi Under HIPAA Physicians will now have only 30 days to respond to a patient s written request for his or her PHI with one 30 day extension (compared to the current allowance under HIPAA of one 60 day extension), regardless of where the records are kept. They must provide access to EHR records in the electronic form and format requested by the individual if the records are readily reproducible in that format Changes- Access and Copies Otherwise you must provide the records in another mutually agreeable electronic format. Hard copies are permitted only when the individual rejects all readily reproducible eformats Physicians must also consider transmission security, and may send PHI in unencrypted emails only if the requesting individual is advised of the risk and still requests that form of transmission. 2008 9

Changes- Access and Copies The allowance to use email to transmit electronic copies has many associated workllow issues This pertains to PHI that is the subject of the request maintained electronically in one or more electronic designated record sets.. - NOT JUST EHR records! But it is relevant for CE s who use an EHR How will you document advisement of risk? Requests should always be handled in writing and signed by the patient/personal representative Copyright PrivaPlan Associates, Inc. 2013 Changes- Access and Copies We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email If individuals are notilied of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual Copyright PrivaPlan Associates, Inc. 2013 2008 10

Changes- Access and Copies Does this open the door for emailing PHI? DeLinitely NOT- just in this situation Other emailing should still be done in a secured fashion We believe the risk is too great to assume a blanket email of PHI program- without using secured email and better yet- patient portals (since you will have a Stage 2 MU benelit) Remember the risk is less about interception and more about sending to the wrong party! Copyright PrivaPlan Associates, Inc. 2013 Changes- Access and Copies Be sure to update your Designated Record Set delinition Some medical practices will have more than just EHR data in an electronic designated record set Imaging? Old practice management applications? Web applications Copyright PrivaPlan Associates, Inc. 2013 2008 11

Changes- Copies Charging for copies of ephi or PHI- The new rule modilies the costs that can modilied the section relative to the costs that may be charged to the individual for copy requests by limiting the cost to is labor costs and supply costs if the patient requests a paper copy, or if electronic the cost of any portable media (such as a USB memory stick or a CD) Labor can include the skilled time to create and copy the Lile- at a reasonable cost based rate Changes- Copies Is Colorado law more stringent regarding copy fees? 2008 12

Changes- Minimum necessary Minimum necessary is reiterated to include or apply to business associates However, we encourage all participants to review their Minimum necessary procedures and practices and ensure these are in place We also encourage all participants to update their designated record set delinitions, especially in light of current or anticipated use of EHRs Changes- Sale of PHI Sale of PHI The new rules clarify that the prohibition on the sale of PHI in the absence of the patient s written authorization extends to licenses or lease agreements, and to the receipt of Linancial or in- kind benelits It also includes disclosures in conjunction with research if the remuneration received includes any prolit margin 2008 13

Changes- Sale of PHI Prohibition on PHI sales does not extend to permitted disclosures for payment or treatment nor to permitted disclosures to patients or their designees in exchange for a reasonable cost- based fee Changes- MarkeIng Marketing communications The new rules further limit the circumstances when physicians may provide marketing communications to their patients in the absence of the patient s written authorization. Generally speaking, the only time a physician may tell a patient about a third- party s product or service without the patient s authorization is when 1) the physician receives no compensation for the communication 2008 14

Changes- MarkeIng 2) the communication involves a drug or biologic the patient is currently being prescribed and the payment is limited to reasonable reimbursement of the costs of the communication (no prolit); 3) the communication involves general health promotion, like routine diagnostic tests; or 4) the communication involves government or government- sponsored programs Changes- Fundraising This is applicable to those physicians in organizations that conduct fundraising such as not for prolit hospitals, Community Health Clinics and so forth New requirements for language in the Notice of Privacy Practices to disclose that fundraising activities take place and PHI may be used for these purposes 2008 15

Changes- Fundraising With each fundraising communication to a patient physicians must give clear and conspicuous information about how to opt out of future fundraising communications If an opt out is exercised it must be followed going forward Treatment may not be conditioned on the authorization to receive fundraising communications Changes- AuthorizaIons Research authorizations The new rules permit physicians to combine conditioned and unconditioned authorizations for research participation, provided individuals can opt- in to the unconditioned research activity. Moreover, these authorizations may encompass future research. 2008 16

Changes- NoIce of Privacy PracIces Physicians must amend their NPPs to rellect the changes set forth above including those related to breach notilication, disclosures to health plans, and marketing and sale of PHI As the rules presume these are all material changes, physicians will have to post the revised NPP, and make copies available at their oflice, to all new patients and to any one else on request. Changes- NoIce of Privacy PracIces Physicians who maintain a website, are cautioned to post the updated NPP on their website as required by the existing HIPAA Privacy rule The new rules also eliminate requirements to include information on communications concerning appointment reminders, treatment alternatives or health- related benelits or services in NPPs, but the rules do not require that that information be removed either 2008 17

Changes- NoIce of Privacy PracIces Physicians who maintain a website, are cautioned to post the updated NPP on their website as required by the existing HIPAA Privacy rule The new rules also eliminate requirements to include information on communications concerning appointment reminders, treatment alternatives or health- related benelits or services in NPPs, but the rules do not require that that information be removed either Changes- NoIce of Privacy PracIces Look for a new PrivaPlan NPP template in both English and Spanish Most of the changes are already incorporated in the most recent (2010) PrivaPlan NPP template 2008 18

Changes- Business Associates The new rules expand the universe of individuals and companies which must be treated as business associates to include Patient Safety Organizations and others involved in patient safety activities, health information organizations like eprescribing gateways or health information exchanges that transmit and maintain PHI and personal health record vendors physicians sponsor for their patients Changes- Business Associates Thus, physicians must review their relationships and determine if they must enter new BA agreements with these entities or others that create, receive, store, maintain or transmit PHI on their behalf A new delinition is created for business associates- subcontractors Physicians are not responsible for the actions of a BA subcontractor- the BA is! Physicians are still liable for the BA s conduct 2008 19

Changes- Business Associates The new emphasis on maintains in the delinition This gives rise to clarilication regarding conduits vs. storage companies The analysis is whether the access is transient (as in a conduit) or persistent (as in storage company) nature of access The preamble clearly states that a data storage company that has access to protected health information (whether digital or hard copy) qualilies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis Copyright PrivaPlan Associates, Inc. 2013 Changes- Business Associates What does this mean? Document storage companies are clearly business associates As are data storage companies or data hosts such as: A cloud based backup company A commercial data center used either as a offsite backup Lirm or actually hosting your EHR! Copyright PrivaPlan Associates, Inc. 2013 2008 20

Changes- Business Associates BA agreements will change! If you are using the PrivaPlan BAA template the impact is modest Physicians have until September 23, 2014 to bring all their BA agreements into conformance with the new rules. BA agreements that have not been renewed or modilied between March 26, 2013 and September 23, 2013 will be deemed compliant until the date the BA agreement is renewed or modilied or until September 22, 2014, whichever is earlier The Breach NoIficaIon Rule- IFR compliance When this was drafted by HHS the intent was to harmonize with the many State laws Key concepts- breach of unsecured data and notilication requirements The HITECH Act provides specilic guidance for handling notilication in case of a breach of Unsecured PHI that has been or is reasonably believed to have been: Accessed Acquired Disclosed 2008 21

Breach NoIficaIon coninued HITECH and the Breach Rule introduces the term unsecured PHI where most State law describes this as unencrypted computerized personal information ; HITECH maintains the integrity of the delinition of PHI The Rule supports the principle of unsecured as relating to unencrypted data It provides guidance on how to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. This also incorporates a reference to NIST guidelines Breach NoIficaIon coninued HITECH notes data is vulnerable in multiple states such as Data in motion Data at rest Data in use Data disposed Thus the Breach NotiLication Rule improves on the HIPAA Security rule by specifying these data states 2008 22

Breach NoIficaIon coninued The Rule states encryption and destruction are suflicient to secure PHI MOST IMPORTANTLY, the Rule APPLIES TO PAPER FORMS OF PHI!!!! That is, paper PHI can be breached if it is discarded and not properly destroyed The NIST guidelines reference use of cross cut shredding or similar ways to render a very small particle size (1X5 mm or 3/32 inch security screen) Breach NoIficaIon coninued Discovery begins on the Lirst day which the breach is known either by you or your business associate! You are now required to notify individuals of any security breaches promptly and without delay and within 60 calendar days of discovery You bear the burden of proof that notilication was completed This means detailed procedures for notilication and good documentation when notilication is done 2008 23

Breach NoIficaIon coninued Required methods of notilication include: Written notilication (Lirst- class mail) E- mail if preference by the individual If insuflicient contact information to provide written notilication and >10 individuals affected, then: notilication on your company website or another type of notilication on company website Some form of notice in major print should be posted Immediately notify the Secretary, Health and Human Services if more than 500 individuals are affected If fewer than 500 individuals are affected you can submit an annual log to the Secretary Breach NoIficaIon coninued DHHS will post breach information on their website; of course this could have a major effect on reputation Entities must provide a notice to prominent media outlets within a State or jurisdiction if the breach affects more than 500 residents of such State or jurisdiction This could mean multiple notices being posted! Again, the Breach notilication provision requires detailed procedures! 2008 24

Breach- prevenion is worth We believe it is safer to encrypt data in the Lirst place and thus prevent the costly notilication requirement When it comes to HIT and EHRs beware not all vendor systems sufliciently support encryption! Inventory your shredders and shredding procedures This is a good time to do another PHI inventory and use/disclosure Llow diagram so you can also identify areas of vulnerability and remediate those Handling a Breach- PracIcal Steps If you suspect a breach you must act quickly There are a number of investigative steps to take to determine if the incident is actually a breach There are some initial steps Determining if a breach of unsecured PHI occurred; this includes establishing a) a breach occurred and b) the data breached was unsecured PHI If a breach occurred, was it to an excepted party or circumstance. For example an unintentional acquisition by a member or your workforce. 2008 25

Breach NoIficaIon coninued If the breach was not to an excepted party, conducting a risk assessment to determine if the use or disclosure compromises the security or privacy of PHI, if a violation of the HIPAA Privacy rule occurred, and if the breach poses signilicant risk of Linancial, reputational, or other harm to the individual. If the breach was a Privacy violation and there is signilicant risk of harm, determine the type and amount of PHI and determine if the breach has been already mitigated. Essentially this means conducting an investigation and risk analysis! Breach NoIficaIon coninued Who made the impermissible use or to whom was the PHI impermissibly disclosed? Did the covered entity take immediate steps to mitigate an impermissible use or disclosure? Was the impermissibly disclosed PHI returned prior to access for an improper purpose? What type and how much PHI was involved? 2008 26

Omnibus changes FINAL RULE AMENDS THE DEFINITION OF BREACH AT 45 CF 164.402 KEY CONCEPT- HARM IS REPLACED BY THE CONCEPT OF THE RISK THAT PHI WAS COMPROMISED....we have removed the harm standard and modilied the risk assessment to focus more objectively on the risk that the protected health information has been compromised. Omnibus changes- Risk Assessment (1) The nature and extent of PHI involved; (2) The unauthorized person who used the PHI or to whom the disclosure was made; (3) Whether PHI was actually acquired or viewed; and (4) The extent to which the risk to PHI has been mitigated (e.g., assurances from trusted third- parties that the information was destroyed). 2008 27

Omnibus changes- Risk Assessment HHS includes not just unauthorized access to PHI, but also impermissible uses by knowledgeable insiders as a breach requiring an assessment. Breach is not limited to electronic personal information as some identity theft laws but pertains to any PHI Omnibus changes- Risk Assessment An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised Breach notilication is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised (or one of the other exceptions to the delinition of breach applies). 2008 28

Omnibus changes- Risk Assessment Thus, breach notilication is not required under the Linal rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrate that there is no signilicant risk of harm to the individual as was provided under the interim Linal rule. Omnibus changes- Risk Assessment The statute acknowledges, by including a specilic delinition of breach and identifying exceptions to this delinition, as well as by providing that an unauthorized acquisition, access, use, or disclosure of protected health information must compromise the security or privacy of such information to be a breach, that there are several situations in which unauthorized acquisition, access, use, or disclosure of protected health information is so inconsequential that it does not warrant notilication. 2008 29

Omnibus changes- Risk Assessment The preamble even gives a common example: For example, if a covered entity misdirects a fax containing protected health information to the wrong physician practice, and upon receipt, the receiving physician calls the covered entity to say he has received the fax in error and has destroyed it, the covered entity may be able to demonstrate after performing a risk assessment that there is a low risk that the protected health information has been compromised. Omnibus changes- Risk Assessment As a result, instead of assessing the risk of harm to the individual, covered entities and business associates must assess the probability that the protected health information has been compromised based on a risk assessment that considers at least the following factors: (1) the nature and extent of the protected health information involved, including the types of identiliers and the likelihood of re- identilication; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; 2008 30

Omnibus changes- Risk Assessment (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated. Omnibus changes- Risk Assessment Preamble states: As we have modilied and incorporated the factors that must be considered when performing a risk assessment into the regulatory text, covered entities and business associates should examine their policies to ensure that when evaluating the risk of an impermissible use or disclosure they consider all of the required factors. 2008 31

Omnibus changes- Risk Assessment If an evaluation of the factors discussed above fails to demonstrate that there is a low probability that the protected health information has been compromised, breach notilication is required. We do note, however, that a covered entity or business associate has the discretion to provide the required notilications following an impermissible use or disclosure of protected health information without performing a risk assessment. Omnibus changes- NoIficaIon In response to those commenters who urged that we allow breach notices to be provided orally or via telephone to individuals receiving highly conlidential treatment services where the individual has requested to receive communications in such a manner, we note that the HITECH Act specilically refers to written notice to be provided to individuals. 2008 32

Omnibus changes- NoIficaIon in the limited circumstances in which an individual has agreed only to receive communications from a covered health care provider orally or by telephone, the provider is permitted under the Rule to telephone the individual to request and have the individual pick up their written breach notice from the provider directly. Omnibus changes- NoIficaIon In cases in which the individual does not agree or wish to travel to the provider to pick up the written breach notice, the health care provider should provide all of the information in the breach notice over the phone to the individual, document that it has done so, and the Department will exercise enforcement discretion in such cases with respect to the written notice requirement. Document the aflirmative request of the patient! 2008 33

Enforcement The new rules clarify the three penalty tiers as follows: Lowest tier cases in which the physician did not and reasonably could not know of the breach Intermediate tier cases in which the physician knew, or by exercising reasonable diligence would have known of the violation, but the physician did not act with willful neglect Highest tier cases in which the physician acted with willful neglect Enforcement HHS must conduct a formal investigation and impose civil monetary penalties in cases involving willful neglect, and is now free to provide PHI to other government agencies for enforcement activities. The assessment of penalties must be based on Live principal factors: (1) the nature and extent of the violation, including the number of individuals affected (2) the nature and extent of the harm resulting from the violation, including reputational harm (3) the history and extent of prior compliance 2008 34

Enforcement (4) the Linancial condition of the covered entity or business associate (5) such other matters as justice may require. The number of violations may be based on the number of individuals affected or by the number of days of non- compliance. The rules further clarilies that the 30 day cure period begins when the physician knew or should have known of the violation. Summary- What are your next steps? Updated Privacy, Security and Breach NotiLication policies and procedures (and in some cases new workllows and forms in the medical practice); Notice of Privacy Practices; and Business Associate Agreement revisions- in some cases analyzing if there are entities (such as an eprescribing gateway or HIE) you need a BA with Workforce training 2008 35

Summary- Resources PrivaPlan HIPAA Privacy and Security Toolkit- in many cases our forms are already adequate! The ToolKit will be revised in the coming months You may be eligible for a CORHIO sponsored toolkit! Q & A Individual Questions? 2008 36

Contact informaion David Ginsberg dginsberg@privaplan.com 1-877- 218-7707 2008 37

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback