IACT Medical Trust. June 28, Jim Hamilton (317) HIPAA Privacy Training Bose McKinney & Evans LLP


IACT Medical Trust
HIPAA Privacy Training
June 28, 2012
Jim Hamilton, (317) 684-5419, jhamilton@boselaw.com
2009 Bose McKinney & Evans LLP

HIPAA Overview

The Privacy Rule

The HIPAA Privacy Rule generally covers protected health information ("PHI") transmitted or maintained in any form or medium (electronic or otherwise). These standards apply to four types of "Covered Entities":
- Health plans;
- Health care clearinghouses;
- Health care providers that conduct certain types of transactions in electronic form; and
- Enrolled sponsors of the Medicare prescription drug discount card.

Trustees of the IACT Medical Trust are entitled to access PHI in connection with plan operations.

Protected Health Information

Protected Health Information (PHI) is individually identifiable health information that is maintained or transmitted by a Covered Entity, subject to certain exceptions. Employers often have access to and receive individualized health information about employees in the course of employment. However, this information is not PHI unless it is maintained or transmitted by a Covered Entity. For example, workers' compensation, LTD/STD, FMLA, ADA, and OSHA information maintained by an employer is not covered by the HIPAA Privacy Rule.

Core Requirement #1: Use and Disclosure Rules

Covered Entities are prohibited from using or disclosing PHI except as permitted under the Privacy Rule. It is permissible to disclose PHI for treatment, payment and health care operations. Further disclosures generally require an authorization. Many disclosures are subject to a "minimum necessary" standard. Under this standard, a Covered Entity must reasonably ensure that any PHI used, disclosed or requested is limited to the minimum information necessary to accomplish the intended purpose of the use, disclosure or request.

Core Requirement #2: Individual Rights and Privacy Notice

Under the Privacy Rule, individuals are granted certain rights with respect to their health information, including the right to:
- Inspect and obtain a copy of their own PHI;
- Amend or correct PHI that is inaccurate or incomplete;
- Obtain an accounting of certain disclosures of their PHI that were made by Covered Entities;
- Receive the notice of privacy practices required by the Privacy Rule:
  - Provided at the time the individual enrolls in the medical plan;
  - Triennial notification to participants of the availability of the notice;
- Request additional restrictions on the use or disclosure of their own PHI.

Core Requirement #3: Administrative Requirements

The Privacy Rule also requires Covered Entities to take the following actions to protect PHI:
- Designate a Privacy Official;
- Train workforces on privacy policies and procedures;
- Establish appropriate safeguards to protect the privacy of PHI;
- Create a system for individuals to lodge complaints;
- Mitigate, to the extent practicable, any harmful effect that is known to the Covered Entity resulting from any use or disclosure of PHI;
- Refrain from intimidating or retaliating against individuals or others for exercising their rights under the Privacy Rule.

Enforcement

HIPAA Enforcement

The Office for Civil Rights of the Department of Health and Human Services (HHS) has received 68,410 complaints since enforcement began in April 2003. HHS imposed its first civil monetary penalty in January 2011, against Cignet Health Center. HHS has referred 499 cases to the United States Department of Justice for possible criminal prosecution. There have been at least 15 prosecutions under HIPAA, most of which involved actual or attempted identity theft or fraud.

HHS Resolution Agreements

HHS has entered into resolution agreements with four Covered Entities.
- In July 2008, HHS entered into a resolution agreement with Providence Health & Services to settle potential violations of the privacy and security requirements. Under the agreement, Providence agreed to pay $100,000 and implement a detailed corrective plan to appropriately safeguard electronic PHI.
- In January 2009, HHS entered into a resolution agreement with CVS Pharmacy. CVS had been disposing of non-electronic PHI (such as labels from prescription bottles) in dumpsters that were potentially accessible to the public. CVS paid $2.25 million to HHS in accordance with the agreement.
- The most recent resolution agreements were with Massachusetts General Hospital, the University of California and the Alaska Department of Health and Social Services.

Health Information Technology for Economic and Clinical Health (HITECH) Act

Overview

- The HIPAA Privacy Rule was initially effective April 14, 2003.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act was included in the federal stimulus passed in 2009.
- HITECH allocates approximately $20 billion towards health IT infrastructure, industry standards, and incentives for health care providers and facilities to adopt electronic health record technologies.
- HITECH also made substantive changes to the HIPAA Privacy Rule and Security Rule. Changes are generally effective one year from the date of ARRA enactment.

HIPAA: Increased Penalties under HITECH

- For violations of which the individual did not know, the minimum penalty is $100 per violation (up to a maximum of $25,000 for identical violations during a calendar year).
- For violations due to reasonable cause, the minimum penalty is $1,000 per violation, with a cap of $100,000 for identical violations during the same year; the maximum penalty is $50,000 per violation, up to $1.5 million for identical violations during the same year.
- For violations due to willful neglect that are corrected, the minimum penalty is $10,000 per violation, with a cap of $250,000 for identical violations during the same year; the maximum penalty is $50,000 per violation, up to $1.5 million for identical violations during the same year.

HIPAA: Expanded Enforcement under HITECH

- State Attorneys General now have the power to enforce HIPAA by bringing suit in federal court.
- The Secretary of the Department of Health and Human Services may bring both criminal and civil actions to enforce the HIPAA privacy and data security requirements.
- HITECH requires the Department of Health and Human Services to periodically audit Covered Entities and Business Associates to assess HIPAA compliance. Lengthy audit protocols were recently published.

Breach Notification Requirements

- Covered Entities with unsecured PHI are required to notify affected individuals in a timely manner in the event of a breach.
- Business Associates with unsecured PHI have an obligation to notify the Covered Entity of any breach.
- A breach is defined as an unauthorized acquisition, access, use or disclosure of PHI which compromises the use or disclosure of the PHI.
- HITECH includes specific content and timing requirements for notifications to individuals whose unsecured PHI was (or is reasonably believed to have been) accessed, acquired or disclosed as a result of a breach.
- Notice must be provided immediately to the Secretary of Health and Human Services if 500 or more individuals are affected by the same breach.

New Business Associate Rules under HITECH

- As a result of HITECH, business associates are subject to direct regulation and enforcement under the HIPAA Privacy and Security Rules.
- Business associates will have to review how they create, receive, maintain or transmit electronic PHI under these standards.
- Business associates will have to maintain and retain written documentation of the policies and procedures implemented to comply with the HIPAA Security Rule.
- If a business associate violates the HIPAA Privacy or Security Rules, that business associate will be subject to civil and criminal penalties.
- Plan sponsors and Covered Entities should undertake a thorough review of business associate agreements and of their relationships with existing business associates.