ACC Compliance and Ethics Committee Presentation February 19, 2013


Presented by Melinda G. Murray, Associate General Counsel, Holy Cross Hospital, and Jill M. Girardeau, Partner, Womble Carlyle Sandridge & Rice, LLP

HIPAA Background
- Originally, HIPAA applied only to Covered Entities.
- Covered Entities (sometimes called "CEs"):
  - Health care providers conducting certain transactions electronically
  - Health plans
  - Health care clearinghouses

HIPAA Background (continued)
- HIPAA has various parts. Today's topics:
  - Privacy Rule
  - Security Rule
  - Breach Notification Rule
- HITECH Act: the HITECH Act, part of the American Recovery and Reinvestment Act of 2009, expanded the scope of HIPAA and made other changes.
- Since HITECH, we have been waiting on additional HIPAA regulations.

Final HIPAA Regulations
- Final HIPAA regulations were published on January 25, 2013.
- As expected, these regulations expanded the scope of HIPAA and made other significant changes to the rules governing uses and disclosures of PHI.
- Business Associates:
  - HIPAA's Privacy Rule did not previously apply to BAs.
  - HITECH (Section 13404) creates direct liability on BAs for noncompliance with their agreements (civil and criminal penalties).
  - Privacy Rule limits on CEs automatically extend to BAs.

Business Associates: Definition
- An entity that creates, receives, maintains, or transmits PHI:
  - For claims, data analysis, utilization, quality assurance, billing, benefits, or practice management
  - For legal, actuarial, accounting, consulting, financial services, management, or data aggregation services
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a Business Associate
- Exception for "mere conduits": only for those that merely transmit PHI, not for those that store it (e.g., cloud vendors)

Business Associates: Direct Liability
- Direct liability for:
  - Impermissible uses and disclosures
  - Failure to provide breach notification to the Covered Entity
  - Failure to provide access to a copy of electronic PHI to the Covered Entity or the individual
  - Failure to disclose PHI in response to an HHS investigation
  - Failure to provide an accounting of disclosures
  - Failure to comply with the Security Rule

Business Associates: Business Associate Agreement
- A Business Associate may create or receive PHI on behalf of the Covered Entity
- Assurances that it will safeguard the information
- The same responsibility flows to a subcontractor of the Business Associate
- Implement security measures to protect the information, all the way down the chain of subcontractors

Business Associates: Business Associate Agreement (continued)
- Establish the scope of permitted disclosures
- The subcontractor's agreement must be as stringent as, or more stringent than, the agreement above it
- Establish what activities the Business Associate is required to perform (who handles what under HIPAA)
- Document the satisfactory assurances required
- Other provisions regarding compliance or indemnification

Business Associates: Business Associate Agreement Time Frame
- New agreements: 6 months, by September 23, 2013
- Existing agreements: one year, grandfathered until September 22, 2014, or until the agreement is renewed or modified, whichever comes first

Sale of PHI
- "Sale": a disclosure of PHI by a CE or BA
  - Where the CE or BA directly or indirectly receives remuneration
  - From or on behalf of the recipient of the PHI, in exchange for the PHI
- Requires an authorization that specifically states that disclosing the PHI will result in remuneration
- Language by the BA describing the type of remuneration

Sale of PHI: Remuneration
- Not just financial; in-kind benefits count (e.g., computers)
- A health information exchange (HIE) funded by fees assessed on participants is paid for services, not for data

Sale of PHI (continued)
- De-identified health information is not subject to the prohibition because it is not PHI
- Limited data sets are subject to the prohibition

Sale of PHI: Excluded
- Public health activity
- Research or grants, where the remuneration is limited to the cost of preparation and transmittal
- Treatment
- Sale, transfer, or merger due diligence
- BA services at the request of the CE
- Charging for providing an individual access to his or her PHI

Marketing
- Individual authorization is required for a disclosure of PHI in order to communicate about a product or service where the CE receives financial remuneration
- Includes a BA of a Covered Entity (e.g., health plan promotion)
- Face-to-face communications are okay (no authorization needed)

Marketing: Authorization Not Necessary
- Refill reminders
- Communication of other information about drugs, even if paid, provided the payment is reasonable
- Promoting health, a healthy diet
- Government programs

Fundraising
- Communication by a CE, BA, or institution-related foundation
- Permissible with an opt-out provision
- The CE can decide on the scope of the opt out: a single campaign or all fundraising

Fundraising: Information That May Be Used
- No authorization is necessary to disclose to a related foundation or BA for fundraising:
  - Demographic information (name, address, other contact information, age, gender, date of birth)
  - Dates of care provided
  - Department where service was provided
  - Treating physician
  - Outcome (including death or sub-optimal treatment)
  - Health insurance status

Fundraising: Requirements
- The Notice of Privacy Practices must include the intent to make fundraising communications and how the individual can opt out (once received)
- All communications (even by phone) must include a clear, conspicuous, easy opt out (e.g., prepaid postcard, email)

Fundraising: Other Conditions
- Minimum necessary
- Can't condition treatment on a fundraising decision
- Right to opt back in
- Challenge = tracking the opt-outs

Right to Request Restrictions: Prior Rule
- The Covered Entity didn't have to agree to restrictions

Right to Request Restrictions
- The Covered Entity must agree to a request for restrictions on disclosing PHI to a health plan if:
  - The disclosure is for purposes of payment or health care operations
  - It is not required by law
  - The PHI relates to health care services for which the individual has paid in full, out of pocket

Right to Request Restrictions: Covered Entity Issues
- Does not have to create a separate record
- Can determine on its own how to flag the restriction (but must build a reliable system so the PHI is not disclosed inadvertently)
- Counsel the patient if he or she requests restrictions on one service in a single encounter; give the patient the option to pay for all
- Does not have to inform downstream providers of restrictions
- Does not have to comply if payment is dishonored

Right to Request Restrictions: Additional Covered Entity Exceptions
- Follow-up care: if not restricted and the patient doesn't pay out of pocket, the provider can disclose if necessary for billing (medically necessary)
- HMO contractual provisions: the provider still has an obligation to adhere to the request
- Government health plan = required by law; the patient may choose not to authorize submission of the bill to Medicare

Notice of Privacy Practices
- Material changes to Notices of Privacy Practices (NPPs)
- Business Associates are not required to have NPPs

Notice of Privacy Practices: Must Revise to Include New Provisions
- Disclosures of psychotherapy notes and disclosures for marketing and sale of PHI require authorization
- Opt out of fundraising
- New right to request restrictions
- Individuals' right to be notified of a breach of unsecured PHI

Breach Notification Rule
- Breaches of unsecured PHI require notice from the Covered Entity to affected individuals, the government, and (in some cases) the media
- Business Associates must report breaches to Covered Entities
- But not all impermissible uses and disclosures of PHI are breaches

Breach Notification Rule: Definition of Breach
- A risk assessment must be conducted to determine if a breach occurred
- Significant changes to the definition of breach
- Previously, an impermissible use or disclosure of unsecured PHI (i.e., PHI not encrypted or destroyed in accordance with HHS guidance) that resulted in a significant risk of financial, reputational, or other harm was a breach
- Now, an impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA can demonstrate a low probability that the PHI has been compromised

Breach Notification Rule: Risk Assessment
- A risk assessment is required to demonstrate a low probability that the PHI has been compromised
- The risk assessment must consider:
  - The nature and extent of the PHI involved (types of identifiers and likelihood of re-identification)
  - Who used or received the PHI
  - Whether the PHI was actually acquired or viewed
  - The extent to which the risk has been mitigated

Breach Notification Rule: Reporting
- Business Associates report breaches to Covered Entities
- Covered Entities notify individuals, the government, and (in some cases) the media
- When drafting BAAs, consider:
  - The timeframe for BA reports of breaches
  - Payment/reimbursement for breaches caused by the BA or a subcontractor

Security Rule
- Applies to electronic PHI
- Requires administrative, physical, and technical safeguards to protect electronic PHI
- Now applies to Business Associates as well as Covered Entities
- Specific steps:
  - Appoint a security officer
  - Conduct a risk analysis
  - Develop policies and procedures
  - Implement safeguards
  - Train the workforce