Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Slides:

Advertisements

Similar presentations

H OGAN & H ARTSON, L.L.P.

Advertisements

Implementing the New HIPAA Rules

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

Dinsmore & Shohl, LLP Stacey Borowicz, Esq. Simi Botic, Esq. August 14, 2013.

Steps to Compliance: Managing Business Associates PRESENTED BY.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City This Employer.

W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.

HIPAA Regulations What do you need to know?.

Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

HIPAA Privacy of Health Information Claudia Allen, Esq. General Counsel HealthBridge.

What You Don’t Know Can Cost You HIPAA in a HITECH World Alaina N. Crislip, Esq. October 10, 2013.

Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.

March 19, 2009 Changes to HIPAA Privacy and Security Requirements Joel T. Kopperud Scott A. Sinder Rhonda M. Bolton.

Security Breach Notification © 2009 Fox Rothschild A Webinar for the Medical Society of New Jersey October 28, 2009 Presented by Helen Oscislawski, Esq.

Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011.

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

2015 User Conference HIPAA and Patient Safety: Why It Matters April 24, 2015 (GEN-AO1) Presented by: Susan J. Kressly, MD, FAAP Medical Director, Office.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

Notice of Privacy Practices Nebraska SNIP Privacy Subgroup July 18, 2002 Michael J. Brown, MHA, CPA Vice-President, Administrative & Regulatory Affairs,

Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA and HITECH The Latest Developments Presented By: Michele Madison Partner, Healthcare Practice Morris, Manning & Martin, LLP

Confidentiality, Consents and Disclosure Recent Legal Changes and Current Issues Presented by Pam Beach, Attorney at Law.

Office of the Secretary Office for Civil Rights (OCR) Indian Health Service HIPAA Training Hosted by the Aberdeen Area Office July 24, 2012.

Dealing with Business Associates Business Associates Business Associates are persons or organizations that on behalf of a covered entity: –Perform any.

Polsinelli Shughart PC In California, Polsinelli Shughart LLP Final HIPAA Omnibus Rule Highlights Presented to the Colorado Bar Association, Health Law.

LAW SEMINARS INTERNATIONAL CLOUD COMPUTING: LAW, RISKS AND OPPORTUNITIES Developing Effective Strategies for Compliance With the HITECH Act and HIPAA’s.

Privacy and Security Laws for Health Care Organizations Presented by Robert J. Scott Scott & Scott, LLP

Overview of the Omnibus Final HIPAA Rule Kohler HealthCare Consulting, Inc. Deanna Turner

HITECH Act and HIPAA: Important Compliance Update Susan E. Ziel Gerald “Jud” DeLoss.

HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.

Office of the Secretary Office for Civil Rights (OCR) The HITECH NPRM: Overview of Research Comments October 19, 2010 Christina Heide, JD HHS Office for.

HIPAA SURVIVAL SKILLS: An Update University of Miami1 Marisabel Davalos, M.S.Ed., CIP Associate Director of Educational Initiatives November, 2008.

Health Insurance Portability and Accountability Act (HIPAA) CCAC.

Advanced Issues in Privacy: Drafting and Negotiating Business Associate Contracts Thomas E. Jeffry, Jr. Partner Davis Wright Tremaine LLP Los Angeles,

Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Training for County Employees.

PricewaterhouseCoopers 1 Administrative Simplification: Privacy Audioconference April 14, 2003 William R. Braithwaite, MD, PhD “Doctor HIPAA” HIPAA Today.

HIPAA BASIC TRAINING Presented by Anderson Health Information Systems, Inc.

HIPAA PRACTICAL APPLICATION WORKSHOP Orientation Module 1B Anderson Health Information Systems, Inc.

HealthBridge is one of the nation’s largest and most successful health information exchange organizations. Tri-State REC: Privacy and Security Issues for.

Rhonda Anderson, RHIA, President  …is a PROCESS, not a PROJECT 2.

HITECH and HIPAA Presented by Rhonda Anderson, RHIA Anderson Health Information Systems, Inc

Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights.

Top 10 Series Changes to HIPAA Devon Bernard AOPA Reimbursement Services Coordinator.

Finally, the Final HIPAA/HITECH Regulations are Here! By LYNDA M. JOHNSON Friday, Eldredge & Clark.

HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule.

Final HIPAA-HITECH Rules, Cybersecurity, and Privacy Dino TsibourisMehmet Munur (614) (614)

AND CE-Prof, Inc. January 28, 2011 The Greater Chicago Dental Academy 1 Copyright CE-Prof, Inc

Final HIPAA Privacy Rule: The Research Provisions Julie Kaneshiro DHHS Office for Human Research Protections Phone: Fax:

HIPAA: So You Think You’re Compliant September 1, 2011 Carolyn Heyman-Layne, J.D.

HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.

PHI Breach PHI Breach Dealing Breach With HIPAA Guidelines Guidelines.

Select Questions to ask your HIPAA Privacy Officer

Enforcement, Business Associates and Breach Notification. Oh my!

HIPAA Administrative Simplification

HIPPA/HITECH Act Requirements Under the Business Associate Agreement Between CNI and Military Health Services.

Disability Services Agencies Briefing On HIPAA

Presentation transcript:

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges

New Rules Business Associates Breach Notification Individual Rights Enforcement

Business Associates A person or entity that creates, receives, transmits, or maintains PHI in the course of providing business or administrative functions for a covered entity – Includes HIOs, HIEs, PHR vendors who work on behalf of covered entity – May include researchers in some circumstances (not automatic – analyze the particular situation)

Business Associates Changes to BA responsibilities – Now directly responsible for HIPAA compliance and directly liable for violations – Must identify their own BAs (subcontractors) and enter BA agreements with them to assure “downstream” compliance

Business Associates Review your business relationships to identify BAs or BA-like relationships within your entity Review hybrid entity designation to ensure those acting in BA-like capacity are part of covered component Execute or update BA agreements You may need to dust off your HIPAA jargon dictionary.

Breach Notification Must notify individuals of security breaches. Unauthorized access or disclosure is presumed to be a breach unless: – A specific exception in the rule applies, or – A risk analysis shows a low probability that PHI was compromised, or – You’re in a “safe harbor” as defined by the rule.

Breach? Specific exceptions PHI could not reasonably be retained PHI access is unintentional and by a workforce member or business associate acting in good faith Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI Risk analysis factors Nature and extent of PHI, including types of identifiers & likelihood of re- identification Unauthorized person who received disclosure or used PHI Whether PHI was actually acquired and viewed Extent to which any risk to PHI has been mitigated

Safe Harbor Don’t have to notify if: – PHI was encrypted, or – PHI was disposed in keeping with HHS guidance on secure disposal

Affected individuals – within 60 days US DHHS – if > 500 individuals involved, contemporaneous notice; otherwise annual report Media, if > 500 involved – within 60 days. Recipients & timing of notice Description of incident, PHI involved, advice to individuals to minimize harm, actions you’ve taken to investigate and mitigate, contact information for more info. Content of notice Written letter (standard); if prior agreement to notification obtained; telephone if urgent (but also send written) Method of notice

Breach Notification Review and update breach notification procedures to reflect new risk analysis. Follow procedures developed under old rule until September 23, then you must follow new rule.

Individual Rights Restrictions on disclosures Access to electronic PHI Notice of Privacy Practices Other changes affecting decedents’ records, immunization records for schools, a couple of other things

Restrictions on disclosures Care paid out-of-pocket – Upon patient request, no disclosures of information to health plans (insurance) unless disclosure to health plan required by law Does not limit disclosures to public health Does not limit disclosures to other health care providers for treatment purposes

Access to electronic PHI Individuals have a right of access to their own PHI. If patient requests PHI in electronic form, must provide it if you already maintain the information electronically and the form requested is “readily producible.” If not readily producible, must reach agreement with individual on alternative form. Take a close look at the issue of providing PHI by .

Notice of Privacy Practices Must be revised to reflect rule changes, including: – Covered entity’s legal duty to give notice of breaches. – Right to request restriction of disclosure to health plans for care paid in full out-of-pocket. Revised Notice must be disseminated: – To new clients, in accordance with current policies – To existing clients on request – Via website, if you have one

Individual Rights Develop a policy about requests for restrictions on disclosure for care paid for in full out-of-pocket. Review and if necessary update policies about individual access to PHI to address electronic access and the use of to deliver PHI. Revise Notice of Privacy Practices and disseminate.

Enforcement New: HHS must investigate violations if a preliminary review of the facts suggests “willful neglect” by the covered entity or BA. Practice tip!! In an investigation, expect HHS to request copies of your policies. You will want them to be readily accessible and up-to-date.

Checklist Review business relationships and update hybrid entity designation and business associate agreements. Update breach notification policies and procedures. Update policies re individual access. Update notice of privacy practices and disseminate. Review other policies (training, workforce, etc.) and update if needed. Compliance date:  September 23, 2013 for most matters  September 22, 2014 for some existing BA agreements