HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel

Agenda
- HIPAA basics
- HITECH highlights
- Questions and discussion

HIPAA Basics

Legal Basics
- Health Insurance Portability and Accountability Act, P.L. 104-191 (HIPAA, not HIPPA!!!)
- HIPAA Regulations (Administrative Simplification), 45 C.F.R. Parts 160-164
- Penalty laws, 42 U.S.C. 1320d-5 and 1320d-6
- American Recovery and Reinvestment Act, P.L. 111-15

Who must comply?
- Only covered entities and, to a limited extent, business associates
- Who are covered entities?
  - Health plans (insurers, etc.)
  - Health care clearinghouses (claims processing entities)
  - Health care providers that conduct certain electronic standard transactions
    - Electronic submission of the various types of documents used in billing, processing, and paying for health care services
    - Includes authorization, eligibility, claims
- Medical device manufacturers are often not covered entities

HIPAA Privacy
- HIPAA protects the privacy of protected health information (PHI), which is:
  - Individually identifiable information that relates to the past, present, or future health, health care treatment, or payment for health care of an individual
  - Medical records, name, contact information, social security numbers, billing records

HIPAA Privacy - Uses and Disclosures of PHI
- A covered entity may not use or disclose protected health information without individual authorization, except as permitted or required by HIPAA
- Common exceptions: treatment, payment, health care operations, disclosures required by law
  - Treatment: provision, coordination, or management of health care and related services by one or more health care providers
  - Payment: activities of a health plan to get premiums or determine or fulfill coverage responsibilities; making and receiving payment for services, processing claims
  - HCO (health care operations): quality assessment, peer review, underwriting, legal, auditing, business planning, management and administration, customer service, sale of business, grievance resolution

HIPAA Privacy - Opt Outs
- CEs may use or disclose PHI for certain purposes if the individual is informed in advance and has the opportunity to opt out
- May orally inform the individual and get a verbal opt out
- Facility directories
- Persons involved in the individual's care

HIPAA Privacy - Exceptions
- Non-TPO uses and disclosures that DO NOT require authorization
- Basically, two big categories:
  - Running a business (incidental disclosures)
  - Running a society (mandated and permitted disclosures)
- Mandated and permitted: required by law, public health, abuse reporting, health oversight, judicial and administrative proceedings, law enforcement, coroners, organ donation, research, averting a threat to health or safety, specialized government functions (military/veterans, national security/intelligence, Secret Service, correctional services), workers' compensation
- Note: special rules apply to all of these. LOOK THEM UP!

[Diagram: nested view of all possible uses and disclosures. Outer set: all possible uses and disclosures. Inner sets: non-TPO uses and disclosures legally permitted or required; TPO. Labels: Minimum Necessary; Notice of Privacy Practices; "I object!"; Get authorization]

HIPAA Privacy - Patient Rights
- Authorization for use and/or disclosure of PHI
- Access to PHI
- Amendment of PHI
- Accounting of disclosures
- Request restrictions
- Request confidential communications
- Notice of Privacy Practices

HIPAA Privacy - Business Associates
- BA: a person who, on behalf of a CE, performs or assists in the performance of an administrative function or activity involving the use of individually identifiable health information, or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the covered entity
- CE may disclose PHI to a BA only if there is a business associate agreement (BAA) in place

HIPAA Security Rule
- Applies only to electronic PHI (ePHI)
- Security means that CEs must maintain the confidentiality, availability, and integrity of ePHI
- Must protect against reasonably anticipated threats and reasonably anticipated uses or disclosures not permitted by the Security Rule
- Ensure compliance of the workforce
- Implement physical, technical, and administrative safeguards to protect ePHI

Preemption
- A provision of the Privacy Rule that is contrary to a provision of state law does not preempt state law if the state law is more stringent
- "Contrary to HIPAA" means:
  - CE would find it impossible to comply with both state and federal requirements, or
  - State law stands as an obstacle to the accomplishment of HIPAA
- "More stringent than HIPAA" means:
  - State law prohibits or restricts a use or disclosure in circumstances where it is permitted under HIPAA
  - State law is more protective of an individual's privacy than the contrary HIPAA provision
- ALWAYS THINK THROUGH STATE LAW!

HITECH Changes

Final Rule Overview
- Omnibus final rule under the HITECH Act
- Published: January 25, 2013
- Effective date: March 26, 2013
- Compliance date: September 23, 2013, except:
  - Up to one extra year to update business associate agreements and data use agreements if:
    - Covered entity and business associate had a then-compliant BAA in place on January 25, 2013
    - Agreement is not renewed or modified from March 26, 2013 until September 23, 2013
  - If the agreement is modified after September 23, 2013, the new BAA must comply with the Final Rule

Business Associate Definition Expanded
- Specific organizations treated as BAs: health information organizations (such as health information exchanges), patient safety organizations, e-prescribing gateways, vendors that offer personal health records on behalf of a covered entity
- Entities that maintain PHI are BAs (in addition to those that create, receive or transmit PHI)
  - Not ISPs
  - Data storage companies (digital or paper) are BAs (narrows the conduit exception)
- Subcontractors of BAs are also BAs
  - No limit on the number of links in the subcontractor chain

Business Associate Compliance Obligations
- Business associates are subject to limited provisions of the Privacy Rule
  - BA is not a covered entity
  - Liable for implementing and following the BAA, including with subcontractors; providing access to individuals; disclosing information to HHS; complying with the minimum necessary standard
- Business associates are subject to most of the Security Rule
  - Implement physical, technical, and administrative safeguards for ePHI
  - Appoint a security official
- OCR can investigate and impose penalties against business associates

Business Associate Agreements
- Failure to have an agreement with the CE or subcontractor is a Privacy Rule violation (the subcontractor agreement is between the BA and the subcontractor)
- Can use and disclose PHI only as described in the BAA
  - Be sure all functions are described: de-identification, data aggregation, BA's own management and administration
- New content requirements:
  - Notification of breaches of unsecured PHI
  - Comply with the Security Rule
  - BA will enter into a BAA with subcontractors
  - Describe any Privacy Rule obligations the BA performs for the CE
  - Minimum necessary

Individual Rights
- Individual can restrict disclosures to a health plan of PHI related to an item or service for which the individual paid out of pocket in full
  - Providers must have a way to identify (flag) affected records, but do not have to segregate them
  - Provider can disclose PHI as required by law (e.g., to Medicare for audits)
- Individuals can request access to PHI in electronic form
  - Must provide the format requested by the individual if readily producible in that format, or another format agreed by the individual and the CE
  - Individual can have the information sent directly to a third party
  - Can charge costs for labor and supplies

Individual Rights - Notice of Privacy Practices
- Updates to the NPP are required to address issues in the Final Rule:
  - Security breach
  - Restrictions of disclosures for self-pay items and services
  - Fundraising
  - Marketing
  - Sales of PHI
- New NPP must be ready by the compliance date (September 23, 2013)
- Considered a material change, so must be made available
  - Plans can mail it in the next annual mailing

Special Uses and Disclosures
- Sales of PHI
  - Requires authorization if the CE or BA directly or indirectly receives remuneration (cash or in kind) from or on behalf of the recipient of the PHI
  - Authorization must state that the CE will be paid for the PHI
  - Various exceptions: treatment, payment, public health, research (direct costs only), sale of the CE, individual access, required by law
  - Government grants and access fees for a health information exchange are not a sale
- Marketing
  - Requires authorization to make communications to induce purchase or use of a good or service if the CE receives payment (cash) for the communication
  - Exception for refill reminders for pharmaceuticals if the payment is reasonable

Special Uses and Disclosures
- Research
  - Can now use a compound authorization for more than one study
  - Must identify conditioned (required to participate in this study) and unconditioned (optional use/disclosure for other studies/tissue banking/registries) uses and disclosures
  - Can include future studies if adequately described
- Fundraising
  - Allows use and disclosure to the related foundation of the treating physician and department (new)
  - Individual must receive clear and conspicuous notice of the right to opt out of future fundraising communications

Security Breach Notification
- HIPAA originally did not require covered entities that improperly used or disclosed PHI to give notice to the affected individuals
- Since 2010, CEs have been required to give notice of breaches of unsecured PHI under HITECH

Key Terms
- Unsecured PHI: PHI not rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified by the Secretary of HHS (includes paper)
  - Recognized methods are still limited to encryption and destruction
- Breach: acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. Excludes:
  - Unintentional, good faith access within a CE or BA
  - Inadvertent disclosure within a CE, BA or OHCA
  - Disclosures where the person could not reasonably have retained the PHI

Change to Risk Assessment
- The interim final rule required a risk assessment to determine if the inappropriate access, use or disclosure caused a significant risk of financial, reputational, or other harm to the individual
  - No presumption that a breach occurred
- Under the final rule, unauthorized access, use or disclosure is presumed to be a breach unless the CE determines that there is a low probability the PHI has been compromised

New Assessment Criteria
- CE must evaluate whether the privacy and security of the PHI was compromised by considering:
  - Nature and extent of the PHI, including types of identifiers and likelihood of re-identification
  - Unauthorized person who used the PHI or to whom the disclosure was made
  - Whether the PHI was actually acquired or viewed
  - Extent to which the risk to the PHI has been mitigated
- Described by HHS as more objective
- Document the basis for conclusions if no breach occurred

Breach Notification Requirements
- CE must always notify the individual of a breach
  - Use first class mail to the individual, or electronic notice if the individual has consented
  - Substitute notice required if contact information is insufficient:
    - Telephone or alternate written notice if under 10 individuals
    - Conspicuous posting for 90 days on the web, or notice to the media, if 10 or more individuals
- Notify OCR immediately if 500 or more individuals, or at year end for fewer
- Notify the media if 500 or more individuals in a single state or jurisdiction

Timing
- Breach is treated as discovered as of the first day on which the breach is known to the CE, or, by exercising reasonable diligence, would have been known
- CE is deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent (using federal common law of agency) of the covered entity
- CE must give notice to the individuals without unreasonable delay and within 60 days

Notice Content
- The notice must be written in plain language and include:
  - A description of what happened, including the date of the breach and the date of discovery, if known
  - A description of the types of PHI involved (such as name, home address)
  - Any steps the individual should take to protect herself from potential harm resulting from the breach
  - A brief description of the entity's action to investigate the breach, mitigate harm to individuals, and prevent further breaches
  - Contact procedures for individuals to ask questions, including a toll free telephone number, email address, web site, or postal address

Breach Notification by Business Associates
- BA must provide notice of a breach of unsecured PHI
  - Notice is made to the CE, not the individual
- Breach is treated as discovered as of the first day on which the breach is known to the BA, or, by exercising reasonable diligence, would have been known
- BA is deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or agent (using federal common law of agency) of the BA
- Subcontractor BA gives notice to the BA

Other Security Breach Considerations
- In addition to breaches, the BA is required to give notice to the CE of security incidents and unauthorized uses and disclosures of PHI
- Remember to consider state security breach notification laws

Enforcement
- Civil penalties are enhanced, with maximum penalties for willful neglect rising to $1.5 million in a single year
- State attorney general now has authority to enforce HIPAA with reason to believe the interest of one or more persons is threatened or adversely affected by a HIPAA violation
  - May sue to enjoin a violation or for damages
  - May be awarded attorney fees
- HHS has new authority to perform periodic audits
- Individuals may be criminally responsible

CMPs under the New Rule

Violation Category              CMP for Each Violation   Maximum CMPs for Identical Violations in a CY
Did Not Know                    $100 - $50,000           $1,500,000
Reasonable Cause                $1,000 - $50,000         $1,500,000
Willful Neglect, Corrected      $10,000 - $50,000        $1,500,000
Willful Neglect, Not Corrected  $50,000                  $1,500,000

Questions and Discussion