Welcome to today s Webinar

Similar documents
Preparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off

Management Alert Final HIPAA Regulations Issued

The wait is over HHS releases final omnibus HIPAA privacy and security regulations

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

AFTER THE OMNIBUS RULE

Legal and Privacy Implications of the HIPAA Final Omnibus Rule

GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do

To: Our Clients and Friends January 25, 2013

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school

HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules

HIPAA Omnibus Rule Compliance

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel

Getting a Grip on HIPAA

ACC Compliance and Ethics Committee Presentation February 19, 2013

Health Law Diagnosis

Highlights of the Omnibus HIPAA/HITECH Final Rule

New HIPAA Rules and Implications for the Industry January 29, 2013

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013

Fifth National HIPAA Summit West

OMNIBUS RULE ARRIVES

Compliance Steps for the Final HIPAA Rule

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules

Compliance. TODAY May Meet Scott Killingsworth. Partner in the Atlanta offices of Bryan Cave LLP. See page 16

HHS, Office for Civil Rights. IAPP October 11, 2012

"HIPAA RULES AND COMPLIANCE"

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule

LEGAL ISSUES IN HEALTH IT SECURITY

HIPAA & The Medical Practice

Health Care Compliance Association

Omnibus Rule: HIPAA 2.0 for Law Firms

HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule

New HIPAA-HITECH Proposed Regulations Issued

HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

Compliance Steps for the Final HIPAA Rule

NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH

MEMORANDUM. Kirk J. Nahra, or

Changes to HIPAA Under the Omnibus Final Rule

VOL. 0, NO. 0 JANUARY 23, 2013

North Shore LIJ Health System, Inc. Facility Name. CATEGORY: Effective Date: 8/15/13

O n Jan. 25, the Office for Civil Rights (OCR) of the. Privacy and Security Law Report

Preparing for a HIPAA Audit & Hot Topics in Health Care Reform

The Audits are coming!

HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.

Omnibus HIPAA Rule: Impact on Covered Entities

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights

Effective Date: 08/2013

HIPAA Compliance Guide

HIPAA OMNIBUS FINAL RULE

ICAHN Presentation. Final Omnibus Rule and Security Risk Analysis. July 26, David Ginsberg

HIPAA FUNDAMENTALS For Substance abuse Treatment Industry

Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation

HIPAA Compliance Under the Magnifying Glass

HIPAA Omnibus Final Rule and Research

Auditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees

The HIPAA Omnibus Rule

8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

Business Associate Agreement For Protected Healthcare Information

SATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

4/5/2013 I. BACKGROUND HIPAA OMNIBUS FINAL RULE. Background. Webinar Series Part II Research and Marketing April 9, 2013

HIPAA: Impact on Corporate Compliance

HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES

Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference

Ensuring HIPAA Compliance When Transmitting PHI Via Patient Portals, and Texting

HITECH and Stimulus Payment Update

Privacy Rule Primer. 45 CFR Part 160 and Subparts A and E of Part CFR , 45 CFR CFR

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule

Determining Whether You Are a Business Associate

HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities

OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS

Required CMS Contract Clauses Revised 8/28/14 CMS MCM Guidance Chapter 21

Negotiating Business Associate Agreements

Industry leading Education. Certified Partner Program. Please ask questions Todays slides are available group.

The HIPAA Omnibus Rule and the Enhanced Civil Fine and Criminal Penalty Regime

Highlights of the Final Omnibus HIPAA Rule

CBI Pharmaceutical Compliance Congress Washington, D.C.

IACT Medical Trust. June 28, Jim Hamilton (317) HIPAA Privacy Training Bose McKinney & Evans LLP

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule

HITECH/HIPAA (privacy) 2013 Omnibus Final Rule Rita Bowen Senior Vice President of HIM and Privacy Officer HealthPort

HIPAA Special Considerations: Individual Right to Request Restriction of Uses and Disclosures of PHI Voluntary and Mandatory

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

CROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF

Nancy Davis, Ministry Health Care Peg Schmidt, Aurora Health Care Teresa Smithrud, Mercy Health System

ANCILLARY services: How to Stay Out of Trouble. The neurosurgical minefield Informed consent

Legal Issues in the EHR Acquisition RFP Process

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996.

HEALTH LAW ALERT January 21, 2013

IBM Watson Care Manager Cloud Service

HTKT.book Page 1 Monday, July 13, :59 PM HIPAA Tool Kit 2017

Transcription:

Welcome to today s Webinar Managing Risk Exposure in Meaningful Use Stage 2 June 28 28, 2013 A A project project of of L.A. L.A. Care Care Health Health Plan Plan 1

Ralph Oyaga, Esq., J.D., MBA is the associate counsel for HITEC LA and a member of the legal team with L.A. Care Health Plan. Mr. Oyaga teaches a masters level lhealth lhlaw course at the USC Sol Price School of Public Policy. He has over 25 years experience in health care, in both non profit andfor profit organizations. Ralph held various positions; such as, Compliance Officer, Director of Contracts, and managed hospital and medical groupbusiness servicesoperationsand and inpatient admissions for hospital systems A project of L.A. Care Health Plan 2

Andrew Kan is Managing Partner of Fusion Systems North America, and head of its health care division All Medical Solutions, a HITEC LA Service Partner. A project of L.A. Care Health Plan 3

Leeann Habte, Esq. is an associate with Foley & Lardner LLP and a member of the Health Care Industry Team and Privacy, Security & Information Management Practice. She is also a Certified Information Privacy Professional. Ms. Habte has advised a variety of health care clients, including hospitals, pharmacies, healthplans plans, medical device companies and health information technology companies on federal and state privacy legal issues. Shehashadpracticalexperience has had experience in developing and implementing health care data privacy and security policies and procedures, managing git resources and human subjects protection compliance. A project of L.A. Care Health Plan 4

Agenda Meaningful Use Privacy and Security Requirements 2012 HIPAA Audit Highlights Omnibus Rule Q&A Ralph Andrew Leeann All A project of L.A. Care Health Plan 5

MU Objective: Protect Electronic Health Information Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1), including addressing the encryption/security of data at rest and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. A project of L.A. Care Health Plan 6

MU Objective: Protect Electronic Health Information Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1), including addressing the encryption/security of data at rest and implement security updatesasnecessary as andcorrect identified security deficiencies as part of its risk management process. A project of L.A. Care Health Plan 7

MU Objective: Protect Electronic Health Information Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1), including addressing the encryption/security of data at rest and implement security updates as necessary andcorrect identifiedsecuritydeficiencies deficiencies aspartof its risk management process. A project of L.A. Care Health Plan 8

MU Objective: Protect Electronic Health Information Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1), including addressing the encryption/security of data at rest and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. A project of L.A. Care Health Plan 9

2012 HIPAA Audit Highlights, User Activity Monitoring By Andre Kahn A A project project of of L.A. L.A. Care Care Health Health Plan Plan 10

Congress Requires Audits Section 13411 of the HITECH Act US Government Accountability Office GAO-12-481 HIPAA Omnibus HHS Contracts KPMG Pilot Audits 2012 A project of L.A. Care Health Plan 11

Audited Entities A project of L.A. Care Health Plan 12

Privacy Vs. Security Results A project of L.A. Care Health Plan 13

*Reused with permission from Adam H. Greene, JD, MPH from PPN Final Omnibus Presentation A project of L.A. Care Health Plan 14

Pilot Audit > > Official HHS Audit Privacy Audit Procedures 68 > > 81 Security Audit Procedures 77 > 78 SPHER fulfills #69 & 70 SPHER assists #2, 3, 4, 18, 23, 24 & 36 Breach Notification Audit Procedures 10 Link: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html A project of L.A. Care Health Plan 15

HIPAA Security Rule Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. HIPAA Security Rule 164.308(a)(1)(ii)(D) Implement procedures for monitoring log in attempts and reporting discrepancies. HIPAA Security Rule 164.308(a)(5)(ii)(C) Implement hardware, software, and/or procedural mechanisms that record andexamine activity in information systems that contain oruse electronic protected health information. HIPAA Security Rule 164.312(B) Retain required documentation of policies,,p procedures, actions, activities or assessments required by the HIPAA Security Rule for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA Security Rule 164.316(B)(1)(ii) A project of L.A. Care Health Plan 16

Core Features AMS SPHER is a service that allows practices to review their EHR audit logs quickly and easily to meet HIPAA Security Requirements: Automated audit log review User & BA / Vendor activity Identifies and analyzes workflow Incident detection EHR specific intelligence analysis A project of L.A. Care Health Plan 17

PHI Systems Centric A project of L.A. Care Health Plan 18

Practice/Clinic/Organization Benefits Compliance Audit Log Requirement SPHER is impartial versus manual log review Activity Recording 6yrs documentation & retention requirement A project of L.A. Care Health Plan 19

Insurance Exclusions For arising out of or resulting from any act, error, omission, incident, failure of Computer Security. Based upon, arising from, or in consequence of any claim or proceeding brought by or on behalf of any federal, state, or local government agency or authority; or licensing or regulatory organization. Beazley, Chubb, Doctors Company, Lloyds A project of L.A. Care Health Plan 20

Costs for SPHER $2,300 / provider over 3 years Direct Funding: Meaningful Use Program ~4% Year 1 Mdi Medicare ~3% Year 1 Medicaid HRSA HIE Grants ACO Funds Other Grants Self Funded A project of L.A. Care Health Plan 21

Omnibus Rule By Leeann Habte A A project project of of L.A. L.A. Care Care Health Health Plan Plan

HHS Omnibus Final Rule Implementingregulations for Health Information Technology for Economic and Clinical Health (HITECH Act) & Genetic Information Nondiscrimination Act (GINA) Makesother changes to the HIPAA regulations» Effective: March 26, 2013» Compliance date: September 23, 2013» Compliance dt date for existing iti Business Associate Agreements: September 22, 2014 A project of L.A. Care Health Plan 23

Business Associate Re Defined Privacy Rule generally defines the term Business Associate to include: Entities engaged in certain administrative activities or services for or on behalf of Covered Entities which require access to PHI (i.e., claims processing, billing, benefitmanagement, utilization review, management, consulting, etc.). Under the Final Rule, Patient safety activities are also a Business Associate activity. Covered Entity can be Business Associate of another Covered Entity. A project of L.A. Care Health Plan 24

Broader Definition Adds... Health data transmission organizations, including Health Information Organizations, E Prescribing Gt Gateways, and Others that t require access on a routine basis to PHI. Except if mere conduit (i.e. ISP) Personal Health Record vendors who manage the health records for Covered Entities. Subcontractors (and their downstream subcontractors) who perform Business Associate functions or services. Subcontractor would be defined as Business Associate, even if the Business Associate has failed to enter into a Business Associate contract with the Subcontractor. A project of L.A. Care Health Plan 25

But Explicitly Excludes Health care providers, if disclosures are for treatment purposes. Government agencies that determine eligibility or enrollment in a government health plan that provides public benefits and is administered by another agency. Covered Entities participating in an Organized Health Care Arrangement that provide a Business Associate function or service for the Organized Health hcare Arrangement. A project of L.A. Care Health Plan 26

Enforcement Changes Currently, a Covered Entity is not liable for the acts of its Business Associates who meet the fd federal common law definition of an agent If HIPAA compliant Business Associate agreement is in place Covered dentity did not know of a pattern or practice of violations and fail to act. The Final Rule eliminates this exception, essentially making a Covered Entity orbusiness Associate strictly/vicariouslyliable liable for violations by its agent. The most important criterion is the right to exercise control over the Business Associate. In drafting a BAA, consider the tradeoff between the need to control the Business Associate and the liability associated with such control. A project of L.A. Care Health Plan 27

Business Associate Agreements Covered Entities must amend Business Associate Agreements to address new obligations: Compliance with HIPAA Security Rule. Contracts with downstream Subcontractors must include agreement to comply with HIPAA regulations with respect to PHI. Breach reporting to Covered Entity. Compliance with Privacy Rule for certain activities. Agreement should contemplate: Costs and liabilities associate with Subcontractors security breaches orother other violations of contract terms related to information security. Breach reporting procedures. A project of L.A. Care Health Plan 28

Transition Provisions for BAAs Allow Covered Entities and Business Associates to continue to operate under certain existing i contracts until September 22, 2014. Transition Period Applies if: Prior to January 25, 2013, the Covered Entity or Business Associate had an existing contract or other written arrangement with a Business Associate or Subcontractor that: Complied with the prior provisions of the HIPAA Rules, and Such contract or arrangement was not renewed or modified between March 26, 2013 and September 23, 2013. New agreements executed on or after January 25, 2013must be updated by September 23, 2013. A project of L.A. Care Health Plan 29

Changes to Breach Reporting Rule Existing rule: Report required for Breach of Unsecured PHI which creates a substantial risk of financial, reputational or other harm to an individual (the so called harm standard ). New rule: Report required unless Covered Entity or Business Associate can demonstrate t a low probability bilit that the information was compromised. Burden of proof is on the Covered Entity and Business Associate. A project of L.A. Care Health Plan 30

New Presumption of Breach Presumption that impermissible acquisition, access, use, or disclosures is a breach unless... Can demonstrate there is a low probability that the privacy or security of the PHI has been compromised based on a four factor risk assessment. Risk Assessment must be Thorough Completed in good faith Have reasonable conclusions. A project of L.A. Care Health Plan 31

New Four Factor Risk Analysis Mandatory evaluation of four factors: The nature and extent of the PHI involved The individual who impermissibly used the PHI or to whom the impermissible i ibl disclosure was made Whether the PHI was actually acquired, or viewed, or if only the opportunity existed for the information to be acquired or viewed, and The extent to which the risk to the PHI has been mitigated. Other factors may be considered in evaluation of overall probability. A project of L.A. Care Health Plan 32

Implications for Compliance More objective standard? HHS views the risk assessment as more objective, but there remains considerable uncertainty about how to weight factors in analysis. Likely to lead to increased number of breach reports. More documentation of breach investigation and analysis necessary. Revision of breach notification policies required. A project of L.A. Care Health Plan 33

Marketing TheFinal Omnibus Rule restricts previously permissible subsidized communications about the products or services of a third party without patient authorization. A project of L.A. Care Health Plan 34

Marketing Defined Privacy Rule requires a Covered Entity to obtain an individual authorization in order to use or disclose PHI for marketing purposes. Marketing is defined df d as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, subject to certain exceptions: Face to face communications (verbally or by handing out written materials, such as pamphlets). Gifts of nominal value. A project of L.A. Care Health Plan 35

Exceptions to Marketing Dfiiti Definition Marketing does not include thefollowing treatment and health care operations communications: Treatment of an individual by a health care provider. To describe a health related product or service provided by, or included in a plan of benefits of, the Covered Entity making the communication. For case management or care coordination, or to direct or recommend alternative therapies, treatments, providers, settings or care. A project of L.A. Care Health Plan 36

Significant Change under Final Rule Under the Omnibus Final Rule, treatment and health care operations communications are treatedas as marketing communications for which an authorization is required if a Covered Entity receives financial remuneration in exchange for making the communication from a third party whose products or services are being marketed. A project of L.A. Care Health Plan 37

Revised Framework for Marketing Definition of financial remuneration : Direct or indirect payment from or on behalf of third party whose product or service is being described. Does not include payment for treatment. Does not include in kind benefits. Authorization must state that financial remuneration is involved. Scope of authorization ti is not limited it to a single product or service. A project of L.A. Care Health Plan 38

Revised Marketing Exceptions Exception for communications to provide refill reminders or otherwise communicate about a drug or biologic being prescribed for an individual provided that any financial remuneration received is reasonably related to costs of making the communication (labor, supplies, & postage). Exception includes Communications about generic equivalent of a drug being prescribed to anindividual. Adherence communications. Prescriptions for self administered drugs or biologics. A project of L.A. Care Health Plan 39

Sale of PHI Final Omnibus Rule prohibits a Covered Entity or Business Associate from receiving direct or indirect remuneration for the disclosure of PHI without an individual authorization. Includes in kind benefits. Exceptions listed in Omnibus Rule. Authorization must state that the disclosure will lt i ti t th C de tit result in remuneration to the Covered Entity. A project of L.A. Care Health Plan 40

Compliance Physicians should: Review their contracts and other arrangements with third parties to ensure compliance with new requirements. Revise authorizations for marketing purposes. A project of L.A. Care Health Plan 41

Ralph Oyaga HITEC LA / L.A. Care Health Plan (888) 528 2256 Hitec la@lacare.org Leeann Habte Foley & Lardner LLP Los Angeles, California (213) 972 4679 lhabte@foley.com Andrew Kan Fusion Systems/All Medical Solutions AndrewKan@AllMedicalSolutions.com (310) 602 5140 A project of L.A. Care Health Plan 42

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback