HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.

Presenter: Jeffery P. Drummond
Jackson Walker L.L.P.
901 Main Street, Suite 6000, Dallas, Texas 75202
(214) 953-5781
jdrummond@jw.com
www.hipaablog.blogspot.com

Agenda
- HIPAA Background and History
- Are you a Covered Entity?
- Are you a Business Associate?
- Group Health Plan issues
- Special Law Firm issues

HIPAA Background and History

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), based on the Kennedy-Kassebaum bill, was created to:
- Assure health insurance portability
- Reduce health care fraud and abuse
- Increase electronic data interchange in the healthcare industry through standardization
- Guarantee security and privacy of health information

Collateral issues:
- Electronic records require greater protection
- Employer access to ERISA health plan information
- National floor for health data protection
- Minimize disruption to legitimate healthcare business

HIPAA is more than insurance portability and accountability. Its five titles:
- Title I: Health Insurance Access; Insurance Portability; Insurance Renewal
- Title II: Fraud and Abuse Control Programs; Administrative Simplification; Medical Liability Reform
- Title III: Medical Savings Accounts; Health Insurance Tax Deductions
- Title IV: Enforcement of Group Health Plan Provisions
- Title V: Revenue Offset Provisions

Administrative Simplification (in Title II) has three parts: Transactions and Code Sets, Privacy, and Security.

A brief history of HIPAA:
- 1996: HIPAA statute passes
- 2000/2001: Privacy Rule published
- 2003: Privacy Rule enforceable; Security Rule published
- 2005: Security Rule enforceable
- 2009: HITECH Act passes; initial regulations issued
- 2013: HITECH Omnibus Rule

The Privacy Rule: Who (is covered)?
- Direct applicability to Covered Entities (CEs):
  - Physicians, hospitals and other healthcare providers
  - Health insurance plans
  - Healthcare clearinghouses
- Prior to HITECH/Omnibus: only indirect applicability to Business Associates (BAs) of CEs, through the BA contract
- After HITECH/Omnibus: direct and indirect applicability to BAs

The Privacy Rule: Business Associates
- A BA is an entity that provides a service to a CE that involves PHI. Exceptions: courier and similar conduit services, workforce members.
- HITECH change: the test is whether the entity creates, receives, maintains or transmits PHI on behalf of the CE. "Maintains" means a vendor that merely stores PHI (a hosting or backup provider, for example) is a BA even if it never looks at the data.
- Despite HITECH making BAs directly subject to HIPAA, BAAs are still required.

The Privacy Rule: What (is PHI)?
Any health information relating to:
- past, present or future physical or mental health or conditions,
- provision of health care, or
- past, present or future payment for health care,
that is created or received by a provider, plan, employer or clearinghouse, and that is individually identifiable or presents a reasonable basis to believe the information can be used to identify the individual. It is PHI in any medium: written, verbal or electronic. This is termed Protected Health Information (PHI).

The Privacy Rule: What is NOT PHI?
- Education records (mostly covered by FERPA)
- Employment records held by a Covered Entity in its role as employer
- Records relating to someone who has been dead for more than 50 years (an Omnibus Rule change)
- Records entirely unrelated to a Covered Entity

Privacy regulations in general cover:
- Rules for the use and disclosure of PHI
- Individual rights regarding protected health information
- Administrative safeguards (responsibilities of CEs and BAs)

The Privacy Rule: The Rule
An absolute prohibition with exceptions ("Thou shalt not"): a covered entity may not use or disclose protected health information, except
- for treatment, payment, or healthcare operations;
- with the individual's authorization, or to the individual;
- as otherwise required by law or otherwise permitted or required under the privacy regulations.

The Privacy Rule: the Rights
Right to a Notice of Privacy Practices (NoPP), which:
- describes the individual's rights to access, inspection and accounting;
- states the duties of the covered entity;
- explains complaints and contacts;
- describes how the covered entity will use and disclose their health information.
Information cannot be used or disclosed for any purpose not included in the Notice. The individual must be notified if information is used in a new fashion not covered by the old Notice.

Privacy Standards: Individual Rights
- Right to access own information
- Right to request amendment
  - Accepting amendments
  - Denying amendments
  - Grounds for denial
- Right to request restrictions
  - The CE can refuse, with one HITECH exception: a request to restrict disclosure to a health plan must be honored when the individual has paid for the item or service in full out of pocket
  - If the CE agrees to a restriction, it is bound to it
- Right to request communications in an alternative fashion
  - Correspondence sent to an alternate address
  - Must accommodate reasonable requests
- Right to receive an accounting of disclosures
  - Date and purpose
  - Recipient name
  - Description of information disclosed
  - Exceptions for treatment, payment and health care operations
  - Exception for disclosures pursuant to an authorization

The Privacy Rule: the Responsibilities
- Enter Business Associate Agreements
- Appropriate documentation (NoPP, authorizations)
- Policies and procedures
- Training
- Privacy Officer and Security Officer
- Document complaints
- Comply with the Security Rule

The Security Rule
Covered entities must establish policies and procedures and put in place safeguards to secure the PHI they maintain and transmit. A risk analysis is the first step in the process: determine what risks exist and how they can be mitigated. Then the safeguards must be put in place.
- Administrative: security officer, training, access controls, contingency planning, BAA management
- Physical: facility access controls, workstation use rules and security, device/media controls
- Technical: log-ons and passwords, audit controls, encryption

HITECH Act Provisions
- New data breach rules: "unsecured PHI" is the key. PHI that has been rendered unusable, unreadable or indecipherable to unauthorized persons by a method specified in HHS guidance (encryption consistent with the NIST publications the guidance references, or destruction) is secured, and its loss is not a reportable breach. Anything else, including PHI protected only by access controls or redaction, is unsecured.
- Business associates are now treated like covered entities
- "Hide rule": an individual who pays for an item or service in full out of pocket can require the provider not to disclose it to the health plan
- Marketing/fundraising restrictions
- Accounting for disclosures if you use an EMR
- Increased enforcement, penalties
- State AGs can prosecute

Omnibus Rule Provisions
- New data breach rules: "harm" is out, "low probability of compromise" is in. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the CE or BA documents a risk assessment (nature and extent of the PHI, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated) showing a low probability that the PHI was compromised.
- Business associates and subcontracting business associates
- Enforcement: "reasonable cause" and "willful neglect" penalty tiers
- Marketing/fundraising/sale of PHI
- Dead people (the 50-year rule)
- Increased enforcement, penalties
- State AGs can prosecute

Omnibus Rule Timetable
- Regulations published January 25, 2013
- Primary compliance date: September 23, 2013
- Secondary date: September 22, 2014, mainly relating to Business Associate Agreements. BAAs that were fully compliant on January 25, 2013 and were not amended prior to September 23, 2013 were grandfathered until September 22, 2014 (or any sooner date on which they were revised or amended).

Are You a Covered Entity?

Covered Entities
- Healthcare plans, providers, and clearinghouses
- Privacy Rule compliance: obey the rule, respect the rights, fulfill the responsibilities
- Security Rule compliance: do the risk analysis, adopt administrative, physical and technical safeguards

Hybrid entities (e.g., an in-house health clinic at a manufacturing site):
- Can you segregate the healthcare component from the rest of the entity?
- Treat the healthcare component as its own separate entity for HIPAA purposes
- Privacy Rule compliance and Security Rule compliance then apply to that component

OHCAs and Affiliated Covered Entities
- Organized Health Care Arrangements: separate entities that operate in a combined format for HIPAA compliance
- Affiliated Covered Entities: related organizations that operate in a combined fashion
- Organizations with some CE entities and some non-CE entities (and maybe some BAs thrown in as well)

Are You a Business Associate?

Are you a BA?
- Do you provide a service to one or more covered entities?
- Do you create, receive, maintain or transmit PHI in connection with the service?
- Does no other exception apply (workforce member; providing services to the patient/beneficiary rather than to the other party; etc.)?
If the answer to all three is yes, you are a BA.

HITECH Act Expansion
- Under original HIPAA, only plans, providers and clearinghouses are CEs
- HITECH (legislatively) expands HIPAA to include BAs
- BAs are now directly liable for some Privacy Rule provisions
- BAs are now directly liable for virtually all Security Rule provisions

Privacy Rule Compliance (for BAs)
- Abide by the BAA
- Enter subcontractor BAAs with any subcontractors
- Abide by HITECH privacy requirements: minimum necessary; data breach rules
- Restrict uses and disclosures of PHI
- Control access to PHI

Security Rule Compliance (for BAs)
- Policies and procedures (45 CFR 164.316) implementing the Administrative (164.308), Physical (164.310) and Technical (164.312) safeguards
- Must do a risk analysis to determine what policies and procedures to adopt: Encryption? Special record-keeping? Minimum necessary? Audit/restrict access?

Administrative Safeguards (45 CFR 164.308)
- Security Management Process: Risk Analysis; Risk Management; Sanction Policy; Information System Activity Review
- Assigned Security Responsibility
- Workforce Security: Authorization and/or Supervision; Workforce Clearance Procedure; Termination Procedures
- Information Access Management: Isolating Health Care Clearinghouse Functions; Access Authorization; Access Establishment and Modification
- Security Awareness and Training: Security Reminders; Protection from Malicious Software; Log-in Monitoring; Password Management
- Security Incident Procedures: Response and Reporting
- Contingency Plan: Data Backup Plan; Disaster Recovery Plan; Emergency Mode Operation Plan; Testing and Revision Procedures; Applications and Data Criticality Analysis
- Evaluation
- Business Associate Contracts and Other Arrangements

Physical Safeguards (45 CFR 164.310)
- Facility Access Controls: Contingency Operations; Facility Security Plan; Access Control and Validation Procedures; Maintenance Records
- Workstation Use
- Workstation Security
- Device and Media Controls: Disposal; Media Re-use; Accountability; Data Backup and Storage

Technical Safeguards (45 CFR 164.312)
- Access Control: Unique User Identification; Emergency Access Procedure; Automatic Logoff; Encryption and Decryption
- Audit Controls
- Integrity: Mechanism to Authenticate E-PHI
- Person or Entity Authentication
- Transmission Security: Integrity Controls; Encryption
"Addressable" specifications such as automatic logoff and encryption are not optional: the entity must implement them where reasonable and appropriate, or document why not and what equivalent alternative it implemented instead.
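The technical safeguards are usually read as a checklist, so here is an added example, not code from the presentation or from Jackson Walker, of what four of them look like as running code: unique user identification and automatic logoff (a session with an idle timer), an integrity mechanism for E-PHI (an HMAC tag over each record that fails if the record is altered), access control with minimum necessary (each role receives only its permitted fields), and audit controls (a hash-chained log in which editing any earlier entry is detectable). Every user ID, role, key and the patient record are constructed for the demonstration; encryption at rest and in transit is left to a validated crypto library and TLS and is not shown.

```python
"""Added example (not from the presentation): a minimal model of the 45 CFR 164.312
technical safeguards for ePHI. Users, roles, keys and the patient record are constructed."""
import hashlib
import hmac
import json

INTEGRITY_KEY = b"demo-only-key; load from a KMS/HSM in production"  # constructed
LOGOFF_SECONDS = 15 * 60  # Automatic Logoff: an idle session ends after 15 minutes
ROLE_FIELDS = {  # minimum necessary: each (assumed) role sees only the fields its job needs
    "clinician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id"},
}


def canonical(obj):
    """Stable byte encoding so hashes and HMACs do not depend on dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal(record):
    """Integrity (164.312(c)): HMAC-SHA256 tag that detects alteration of an ePHI record."""
    return hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()


class AuditLog:
    """Audit Controls (164.312(b)): append-only log, hash-chained so later edits are detectable."""
    def __init__(self):
        self.entries, self._prev = [], "0" * 64

    def record(self, user_id, action, record_id, outcome, now):
        body = {"ts": now, "user": user_id, "action": action,
                "record": record_id, "outcome": outcome, "prev": self._prev}
        self._prev = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append({**body, "hash": self._prev})

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class Session:
    """Unique User Identification (164.312(a)(2)(i)) with an idle timer for Automatic Logoff."""
    def __init__(self, user_id, role, started):
        self.user_id, self.role, self.last_activity = user_id, role, started

    def active(self, now):
        return now - self.last_activity < LOGOFF_SECONDS


def read_phi(session, store, record_id, audit, now):
    """Access Control (164.312(a)): enforce logoff, integrity and minimum necessary; log every attempt."""
    if not session.active(now):
        audit.record(session.user_id, "read", record_id, "denied:session-expired", now)
        raise PermissionError("session expired; re-authenticate")
    session.last_activity = now
    record, tag = store[record_id]
    if not hmac.compare_digest(seal(record), tag):
        audit.record(session.user_id, "read", record_id, "denied:integrity-failure", now)
        raise ValueError("record failed integrity check")
    view = {k: v for k, v in record.items() if k in ROLE_FIELDS.get(session.role, set())}
    audit.record(session.user_id, "read", record_id, "ok:" + ",".join(sorted(view)), now)
    return view


def demo():
    """Exercise each safeguard on one constructed patient record and return the outcomes."""
    audit, out = AuditLog(), {}
    record = {"name": "A. Patient", "dob": "1970-01-01", "diagnosis": "J45.909",
              "medications": ["albuterol"], "insurance_id": "X123"}
    store = {"P001": (record, seal(record))}
    t0 = 1_700_000_000
    clinician, billing = Session("u-0412", "clinician", t0), Session("u-0777", "billing", t0)
    out["clinician"] = read_phi(clinician, store, "P001", audit, t0 + 60)
    out["billing"] = read_phi(billing, store, "P001", audit, t0 + 120)
    try:  # billing user has been idle for the full timeout
        read_phi(billing, store, "P001", audit, t0 + 120 + LOGOFF_SECONDS)
        out["expired"] = "allowed"
    except PermissionError:
        out["expired"] = "denied"
    store["P001"] = (dict(record, diagnosis="Z00.00"), store["P001"][1])  # edit ePHI, keep old tag
    try:
        read_phi(clinician, store, "P001", audit, t0 + 200)
        out["tampered"] = "allowed"
    except ValueError:
        out["tampered"] = "denied"
    out["audit_intact"] = audit.verify()
    audit.entries[0]["outcome"] = "ok:"  # someone rewrites history in the log ...
    out["audit_after_edit"] = audit.verify()  # ... and the hash chain exposes it
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the outcomes: the clinician sees clinical fields, billing sees only identifiers and the insurance ID, the idle session is refused, the altered record is refused, and the audit chain verifies until an entry is edited. For a BA or CE reviewing a vendor, the questions this maps to are the ones an OCR auditor asks: can you tie every access to one named user, does an idle workstation time out, would you notice if a record or the log itself were changed, and does each role see only what it needs.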

Business Associate Issues
- Obligated under HIPAA for some Privacy Rule and all Security Rule obligations
- Obligated under the BAA for much of the same
- Obligated to pass the BAA obligations downstream to subcontractors
- Indemnification obligations under the BAA? Even simple damages can be very high

Do you have a Group Health Plan?

Group Health Plan Issues
- Group health plans are covered entities, even if the employer/sponsor is not.
- The group health plan must meet all of the Privacy Rule and Security Rule obligations of any other covered entity.
- The group health plan must also ensure separation between the plan and the employer.

Special Issues relating to Law Firms

Lawyers as BAs
Attorneys are BAs if they:
- represent a covered entity, and
- create, receive, maintain or transmit PHI for, from or to the CE in connection with their services.
As BAs they must sign a BAA and must comply with the Security Rule.

Special issues with lawyers and BAAs
- Attorneys are not like other vendors who are business associates
- Be careful when negotiating the contract with the client (you are adverse to them)
- Unlike other vendors, your communications with clients are privileged
- The BAA must require the BA to allow HHS to audit its books and records
- Watch out for indemnification provisions

PS: Don't forget Texas law
Texas HB 300 compliance (actually Business & Commerce Code Ch. 521 and Health & Safety Code Ch. 181):
- An entity is covered if it engages for profit in assembling, using, storing or transmitting protected health information; pretty much all CEs and BAs are subject to it
- Must reasonably protect data and report data breaches
- Must train staff within 90 days of employment and within 1 year of changes in the law
- Required sign-in sheets
- Sales of PHI prohibited

