HIPAA: Impact on Corporate Compliance


AAPC HEALTHCON, April 2014
Stacy Harper, JD, MHSA, CPC

Disclaimer: The information provided is for educational purposes only and is not intended to be considered legal advice or create an attorney-client relationship. Opinions expressed are those of the speaker and do not represent the opinions or position of the AAPC.

Overview
- Current State of HIPAA
  - Recent Regulations
  - Recent Enforcement
  - Litigation Trends
- Interaction of HIPAA Safeguards with Billing/Coding Compliance
- Strategies for Improvement

Statutory Background
- Health Insurance Portability and Accountability Act of 1996 (Administrative Simplification Provisions), August 21, 1996
- Health Information Technology for Economic and Clinical Health Act of 2009, February 17, 2009

Regulatory Background
- HIPAA Electronic Transaction Standards, August 17, 2000
- HIPAA Privacy Standards, December 28, 2000 and August 14, 2002
- HIPAA Unique Employer Identifier Standard, May 31, 2002
- HIPAA Security Standards, February 20, 2003
- HIPAA/HITECH Breach Notification Standards, August 24, 2009
- Omnibus HIPAA Regulatory Modifications, January 25, 2013

Basic Structure of HIPAA
- HIPAA Privacy
  - Applies to all protected health information (PHI)
  - Determines when PHI can be used/disclosed
  - Minimal safeguard requirements
  - Provides patients rights to their information
- HIPAA Security
  - Applies to electronic protected health information (ePHI)
  - Additional layers of safeguards for ePHI
- HIPAA Breach Notification
  - Spans Privacy and Security
  - Adds transparency to the process
- If state law differs from HIPAA, the more restrictive law applies

Who is a Covered Entity?
- A health plan
- A health care clearinghouse
- A health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA

Transaction means the transmission of information between two parties to carry out financial or administrative activities related to healthcare, including claims or encounter information, healthcare payment or remittance advice, coordination of benefits, health care claims status, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premium payments, referral certification and authorization, first report of injury, health claim attachments, and other transactions prescribed by regulation.

Who is a Business Associate?
A person/entity who, with respect to a covered entity:
- On behalf of such covered entity or an organized health care arrangement, but other than as a member of the workforce of the covered entity, creates, receives, maintains or transmits PHI for an activity regulated by HIPAA, including claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; patient safety activities; benefit management; practice management and repricing; or
- Provides, other than as a member of the workforce, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the covered entity or organized health care arrangement, where the performance of the service involves the disclosure of PHI.

A BA includes a health information organization, e-prescribing gateway, or other person that provides data transmission services that require access on a routine basis to such PHI; a person that offers a personal health record on behalf of a covered entity; and a subcontractor that receives, creates, maintains or transmits PHI on behalf of a BA. Certain exceptions apply.

What is Protected Health Information?
Individually identifiable health information that is transmitted in electronic media, maintained in electronic media, or transmitted or maintained in any other form, but not including education records covered by FERPA, certain higher education records, employment records held by a covered entity in its role as employer, and information regarding a person who has been deceased more than 50 years.

Health information means any information, including genetic information, that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care, or the past, present or future payment for the provision of health care.

Individually identifiable means information that identifies an individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

What Did the Omnibus Regulations Change?
- Application of HIPAA to Business Associates
- HIPAA Privacy Standards
  - Notice of Privacy Practices
  - Use of PHI for Marketing
  - Sale of PHI
  - Use of PHI for Fundraising
  - Disclosure of PHI to Decedent's Family Members
- HIPAA/HITECH Breach Notification Standards
  - Definition of Breach
- HIPAA Enforcement

Business Associates

Business Associates
- Definition revised to add:
  - Patient safety organizations
  - Health information exchange, e-prescribing and other data transmission companies
  - Personal health records offered by covered entities
  - Subcontractors of Business Associates
- Business Associates required to implement HIPAA Security policies
- Application of Minimum Necessary to Business Associates
- Agreements with Subcontractors

Revisions to Business Associate Agreements
- Model Business Associate Agreement from the Office for Civil Rights
- New terms:
  - Written agreement with subcontractor
  - Comply with HIPAA Security as if a Covered Entity
  - Notification of breaches
  - If carrying out a Covered Entity obligation under HIPAA, comply with the terms of HIPAA
- If the Business Associate is considered an agent, knowledge of a breach may be imputed to the Covered Entity

Enforcement: Liability for Business Associates
- A Covered Entity is liable for violations of a Business Associate IF the Business Associate is considered an agent of the Covered Entity
- Factors to determine the scope of agency:
  - Time, place, and purpose of the Business Associate's conduct
  - Whether the Business Associate engaged in a course of conduct subject to the Covered Entity's control
  - Whether the Business Associate-agent's conduct is commonly done by a Business Associate to accomplish the service performed on behalf of the Covered Entity
  - Whether or not the Covered Entity reasonably expected that a Business Associate-agent would engage in the conduct in question
- A Business Associate can be an agent:
  - Despite the fact that the Covered Entity does not retain the right or authority to control every aspect of the Business Associate's activities
  - Even if the Covered Entity does not exercise the right of control, but evidence exists that it holds the authority to exercise that right

HIPAA Privacy Standards

Notice of Privacy Practices
- Revised Notice of Privacy Practices must be available to patients and provided to new patients
- New notice must be posted in the location where care is provided
- Revisions include:
  - Specific statement of the need for authorization for use/disclosure of psychotherapy notes
  - Specific statement of the need for authorization to use/disclose PHI for marketing or for sale of PHI
  - Specific statement regarding use/disclosure of PHI for fundraising
  - Specific statement regarding use/disclosure of PHI to a Plan Sponsor
  - Specific statement that a Health Plan may not use genetic information in connection with its underwriting activities (consistent with GINA)
  - Specific statement regarding the requirement that a Covered Entity notify an individual in the event of a breach with respect to his/her PHI

Other Changes
- Use of PHI for Marketing
- Sale of PHI
- Use of PHI for Fundraising
- Disclosure of PHI to Decedent's Family Members

HIPAA/HITECH Breach Notification Standards

Definition of Breach
Breach means the acquisition, access, or use of PHI in a manner not permitted by the HIPAA Privacy Standard which compromises the security or privacy of the protected health information.

Exclusions to Breach
- Workforce Use: Unintentional acquisition, access or use of PHI by a workforce member, if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
- Workforce Disclosure: Unintentional disclosure of PHI by a workforce member, if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
- No Way to Retain Info: Unauthorized disclosure as to which the CE or BA has a good faith belief that the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain the information

Substantial Harm Element Replaced
- Unauthorized access/disclosure is presumed to be a breach
- The Covered Entity has the option of performing a breach risk assessment
- The risk assessment must include analysis of:
  - Nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification
  - The unauthorized person who used/received the PHI
  - Whether the PHI was actually acquired or viewed
  - Extent to which the risk to the PHI has been mitigated
- If the risk assessment determines a low probability that the PHI was compromised, then no notification is required

Enforcement

Enforcement Penalty Tiers

Tier 1: Violation not known or reasonably known
  Old HIPAA: None
  New HIPAA: At least $100 per violation; $25,000 max for identical violations in a calendar year

Tier 2: Violation due to reasonable cause, but not willful neglect
  Old HIPAA: $100 per violation; $25,000 max for identical violations in a calendar year
  New HIPAA: At least $1,000 per violation; $100,000 max for identical violations in a calendar year

Tier 3: Violation due to willful neglect, if corrected
  Old HIPAA: $100 per violation; $25,000 max for identical violations in a calendar year
  New HIPAA: At least $10,000 per violation; $250,000 max for identical violations in a calendar year

Tier 4: Violation due to willful neglect, if not corrected
  Old HIPAA: $100 per violation; $25,000 max for identical violations in a calendar year
  New HIPAA: At least $50,000 per violation; $1.5 million max for identical violations in a calendar year

Results of OCR Audit Demonstration Program
- 60% of deficiencies identified were related to HIPAA Security
- 58 of 59 providers audited had at least one HIPAA Security deficiency
- 47 out of 59 providers, 20 out of 35 health plans, and 2 of 7 clearinghouses had not conducted a complete and accurate risk assessment
- Top three deficiencies were related to contingency planning and back-ups; audit controls and monitoring; and access management
- Most common cause of deficiency: the entity was unaware of the requirement
- The next round of audits is expected to affect business associates and be scheduled following the September 23, 2013 effective date

Enforcement Activities
- Settlements may originate with a complaint or a breach report
- Primary breaches include:
  - Stolen or lost laptops or media
  - Unsecured firewall
  - Employee's access of information
  - Disclosure of information
- Business Associates were responsible for more breaches than Covered Entities
- Most frequent deficiencies mentioned include:
  - Failure to perform a risk assessment
  - Inadequate training
  - Insufficient policies and procedures
  - Incomplete security measures
  - Failure to safeguard media
- Most involve a corrective action plan with ongoing monitoring in addition to penalties

Litigation Trends
- No private cause of action under HIPAA
- New development of state law claims
  - HIPAA is the standard of care
  - Results vary by state: proof of actual disclosure/damage, automatic damages, punitive damages, vicarious liability

Interaction with Corporate Compliance

Access and Authorities
- HIPAA: Workforce Security; Information Access Management; Minimum Necessary
- Compliance: Performance of a Service; Ordering/Prescribing a Service or Supply; Entry of Documentation; Amendment of Documentation

Verification of Identity
- HIPAA: Access Control (Unique User Identification); Log-in Monitoring; Password Management
- Compliance: Signature Requirements; Electronic Signature Policy; Malpractice Impact

Integrity of Data
- HIPAA: Integrity at Rest; Integrity in Transmission; Security Awareness and Training
- Compliance: Authenticity of Documentation; Amendments, Corrections, and Delayed Entries

Availability of Records
- HIPAA: Back-Up Plan; Disaster Recovery Plan; Emergency Mode Operations
- Compliance: Record Retention Requirements (Medicare/Medicaid/Payors; Malpractice; State licensure); Availability Upon Request (Audits; Litigation)

Strategy for Improvement

Development of a Robust Compliance Program
- Learn the rules
- Identification and control of PHI within the organization
- Performance of a risk assessment
- Develop a schedule to implement security measures to resolve identified risks
- Customize Privacy and Security policies to guide workforce compliance
- Implement a training program
- Create an ongoing monitoring program
- Create a process for identification, investigation, and resolution of incidents
- Continually re-evaluate and improve

Questions?
Stacy Harper
Lathrop & Gage LLP
sharper@lathropgage.com
913-451-5125