HITECH/HIPAA (privacy) 2013 Omnibus Final Rule Rita Bowen Senior Vice President of HIM and Privacy Officer HealthPort

Transcription:

Slide 1 HITECH/HIPAA (privacy) 2013 Omnibus Final Rule Rita Bowen Senior Vice President of HIM and Privacy Officer HealthPort

Slide 2 Electronic Copy of PHI Form and Format requested, if readily producible electronically (patients can receive their information in a more convenient and accessible format) If not readily producible and maintained in paper, then readable hard copy

Slide 3 ACTION/Discussion: Educate staff and train for appropriate response to the individual's request. In HITECH, Congress made it clear that when a patient's information is stored electronically, patients have the right to obtain an electronic copy and to have that copy sent at their request to another person, entity, or personal health record or mobile health application.

Slide 4 Patient may make request for their health information in a specific form or format, but only if: Provider or plan is capable of producing in requested format, for example: MS Word Excel Text HTML PDF

Slide 5 Questions/Discussion: The provider or plan and patient are expected to come to an agreement on an acceptable, machine-readable format? Can a patient demand a specific machine-readable format?

Slide 6 Copy of PHI to Third Parties Individual may designate third party to receive copy Must be in writing Clearly identify the designated person Clearly identify where to send the copy Request VS Authorization: Who is making the request?

Slide 7 ACTION/Discussion: Note that a request letter is a separate document from an authorization Assure that the patient requests clearly indicate that the records are to be sent to someone else Update or Introduce new patient request form Be sure to obtain the mailing address of the third party for shipping

Slide 8 Question/Discussion: Providers or plans are required to take steps to verify the identity of the patient or implement safeguards to protect the information in transit? A patient does have the right to ask a provider or plan to send information to them unencrypted?

Slide 9 If the patient opts out of secure transmission/e-mail The covered entity or plan must notify the patient that there is some level of risk that the information in the e-mail could be read by a third party Suggest that you maintain notification with the patient's indication to opt out New form may need to be introduced and location for documentation to be maintained

Slide 10 Fees for all Costs, or State law's per page rate, WHICHEVER IS LESS

Slide 11 Question/Discussion: How do you determine cost-based fee for copies of information, covering the cost of both the labor and supplies?

Slide 12 Question/discussion: Can a patient be charged for digital copies of their health data?

Slide 13 Response Time Expectations The final rule shortens the turnaround time for producing records (i) to a patient or (ii) by patient request to be sent to someone else to 60 days. Previously the law allowed a total of 90 days to produce records when a patient requested them: 30 days if the records were on-site at the facility, plus 60 days if the record was stored off-site. The new law still allows (no change) 30 days if the records are on-site, but shortens the time for producing records that are off-site to 30 additional days, for a total of 60 days.

Slide 14 ACTION/Discussion: As always with HIPAA, state law governs if it produces a better result for the patient, so be sure you know your state's requirement for producing records. If the state law does not specify such a time period, the default becomes HIPAA rule 30 + 30 standard.

Slide 15 Question/Discussion: Facilities should prioritize all patient requests so that response is not forthcoming before the required 30 day response time? With the Meaningful Use Stage 2 requirements for patient access, does the Omnibus rule become non-relevant on the timeline topic?

Slide 16 Restriction for Out-of-Pocket Payments Covered entity must agree to individual's request to restrict disclosure to health plan For payment or health care operations Unless disclosure is required by law If individual (or third party) pays for item or service out of pocket in full

Slide 17 ACTION/Discussion: How will your facility manage such information, both in its paper form and electronically? Perhaps this provides an opportune time to move to centralized/enterprise focused release of information services.

Slide 18 Health Information of Deceased Individuals Standard 164.502 (f) A covered entity must comply with the requirements of the HIPAA privacy rule with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual

Slide 19 No longer PHI 50 years after death - EXCEPTIONS The Rule does not override or interfere with State or other laws that provide greater protection of such information or the professional responsibilities of mental health or other providers. This is not a record retention requirement; covered entities may choose to destroy decedent information, although other applicable law may prescribe or limit such destruction.

Slide 20 Exception Disclosures permitted under other provisions of the Privacy Rule For example: Research, 45 CFR 164.512 (i) (l) (iii) Uses and disclosures for which an authorization or opportunity to agree or object is not required, without regard to how long the individual has been deceased.

Slide 21 The challenges in interpretation Determining the date of death of an individual One cannot merely assume based on age of the patient's health record Accounting of disclosures remains as long as the records are maintained

Slide 22 Decedent Information to family member or other involved in care Covered entity may disclose PHI to persons involved in decedent's care or payment unless prior expressed preference of the individual is known to the covered entity 164.501 (b) (5) and provided the information released is relevant to such person's involvement

Slide 23 Questions/Discussion: A covered entity may disclose to a close personal friend who was identified by the individual, the protected health information relevant to said person's involvement with the individual's health care or payment related to the individual's health care? A covered entity may not use or disclose protected health information to locate a family member regarding an individual's location?

Slide 24 Questions/Discussion: A covered entity or health care provider could describe the circumstances that led to an individual's passing with the decedent's sister who is asking about her sibling's death? A distant relative calls to inquire about billing information to determine if assistance should be offered to the family?

Slide 25 Questions/Discussion: A decedent's brother is asking about medical history of his brother? May a facility elect not to provide information to a family member even if they present legitimate need for relevant information?

Slide 26 Student Covered entity may release student immunization records to school without authorization If state law requires school to have immunization record (state where school is located) Written or oral agreement (must be documented)

Slide 27 Questions/Discussion: Does the regulation require that verbal consent be documented within the medical record of the child? If a parent emails the practice to release immunization information to the school, will this serve as sufficient documentation? May a parent call the practice to request immunization information be released to a school? Any provision to the above types of requests?

Slide 28 Questions/Discussion: May you release information directly to the school, if the school contacts the covered entity requesting immunization records of a child? May a covered entity continue to disclose protected health information to State immunization registries? If the immunization information is contained on the same form with medical history, may this be released as well?

Slide 29 Disclosure and Sale of PHI New restriction on disclosures that describe item or service when covered entity receives financial remuneration from third party whose item or service is described.

Slide 30 Sale of PHI Covered entities may not receive remuneration in exchange for PHI (45 CFR 164.502 (1)(): (ii) 78 Fed. Reg. 5696-5697) EXCEPTIONS Treatment Payment Public Health Sale of Covered Entity and related due diligence Required by Law

Slide 31 Questions/Discussion: Would research purposes be considered an exception? Would PHI to or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in case of a subcontractor be considered remuneration? What about providing an accounting of disclosures to an individual?

Slide 32 Questions/Discussion: Communication about a product or service and encourage use or purchase? Payment for refill reminders about drug that is currently prescribed with remuneration reasonably related to cost of communication? A covered entity is offered computers for data collection purposes/research, but they are allowed to keep the computers after the research is completed. Is this acceptable?

Slide 33 Types of Cost: May include both direct and indirect costs including: Labor and supplies to ensure the PHI is disclosed in a permissible manner Related capital and overhead costs Excluded are: Fees charged to incur a profit from the disclosure of PHI (profit margin is not allowed via HITECH Act section 13405)

Slide 34 Genetic Information Nondiscrimination Act (GINA) Signed into law in 2008 Employers and Health Insurers can no longer discriminate against individuals based upon their genetic information. Encouraged patients to seek out medical care that is specifically tailored to their genetic makeup

Slide 35 GINA Sets a minimum standard of protection that must be met across the country. It does not weaken the protections by any state law that may be more stringent. The law did not cover life insurance, disability insurance or long-term care insurance.

Slide 36 Genetic Information Clarification that genetic information is health information Health plan (other than long-term care plan) may not use or disclose genetic information for underwriting purposes

Slide 37 Omnibus rule impact to GINA Prohibits use and disclosures of genetic information for underwriting purposes 78 Federal Register 6596-45 CFR 164.502 (a) (5) A health plan, excluding an issuer of a long-term care policy falling within paragraph (1) (viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes.

Slide 38 Omnibus/GINA exceptions As provided in paragraph (a) (5) (i) (B) of section 164.502 Rules for, or determination of, eligibility for, or determination of, benefits under the plan, coverage, or policy (including deductibles, other cost sharing, risk assessments or participating in a wellness program); The computation of premium or contribution amounts under the plan, coverage, or policy

Slide 39 This prohibition does not limit Ability of a health plan to adjust premiums or contribution amounts Ability of establishing rules for eligibility of an individual to enroll in coverage Ability to adjust premium or contribution amounts for an individual based on the manifestation of a disease or disorder

Slide 40 Example/Question: If a health insurance issuer, with respect to an employer-sponsored group health plan, uses an individual's family medical history or the results of genetic tests maintained in the group health plan's claims experience information to adjust the plan's blended, aggregate premium rate for the upcoming year, is this a violation?

Slide 41 Answer/response YES The issuer would be using protected health information that is genetic information for underwriting purposes in violation of 45 CFR 164.502(1)(5)(i)

Slide 42 Example/Question: A group health plan uses family medical history provided by an individual incidental to the collection of other information on a health risk assessment to grant a premium reduction to the individual. Is this a violation?

Slide 43 Answer/Response Yes The group health plan would be using genetic information for underwriting purposes in violation of 164.502 (1)(5) (i)

Slide 44 Example/Question: A health care provider uses or discloses genetic information as it sees fit for treatment of an individual. Is this a violation?

Slide 45 Answer/Response: NO The prohibition is limited to health plans. A health care provider may use or disclose genetic information.

Slide 46 Example/Question: A Health Maintenance Organization (HMO) acts as both a health plan and health care provider. Is it a violation if they use genetic information?

Slide 47 Answer/Response: NO and YES NO If used for purposes of treatment, to determine the medical appropriateness of a benefit, and as otherwise permitted by the Privacy Rule YES If using the genetic information for underwriting purposes

Slide 48 Operationally Covered Entities (HMOs) that may also serve as a health plan, and other organizations of this nature, should ensure that appropriate staff members are trained on the permissible and impermissible uses of genetic information Refer to: 78 Federal Register 5666-5667

Slide 49 Questions