HIPAA Privacy of Health Information Claudia Allen, Esq. General Counsel HealthBridge.

Presentation transcript:

HIPAA Privacy of Health Information Claudia Allen, Esq. General Counsel HealthBridge

Federal Privacy Legislation
a. State laws requiring privacy and confidentiality have existed for many years
b. Federal law (HIPAA) was enacted in 1996, but the regulations containing the Privacy and Security Rules were not in place until 2003
c. HIPAA creates a minimum threshold of confidentiality, but does not pre-empt state law if the state law requires a higher standard

Federal Privacy Legislation
d. “Covered Entities” are subject to the rules protecting the privacy/confidentiality of “Protected Health Information”
   i. Covered Entities:
      1. Providers of health care services (e.g., labs, physicians, dentists, chiropractors, psychologists)
      2. Health Plans
      3. Health Clearinghouses

Federal Privacy Legislation
   ii. PHI is health-related information that is
      1. Identifiable to an individual (contains name, address, phone, SSN, medical record number, date of birth, etc.)
      2. Transmitted or maintained by electronic or any other media

I. HIPAA Privacy Rule (1)
A. HIPAA sets standards for security, use and disclosure of PHI and permits disclosure or use of PHI without patient consent for the following purposes:
   i. Treatment
   ii. Payment
   iii. Health Care Operations
   iv. Research: limited data set or IRB
   v. Public health
   vi. As otherwise required by law

I. HIPAA Privacy Rule (2)
B. HIPAA rules for Business Associates of CEs (e.g., HealthBridge, the Collaborative, EMR vendors)
   i. Covered Entities may authorize disclosure of PHI to a BA for a specific permitted purpose
   ii. CE required to enter into a Business Associate Agreement with BAs to protect PHI security
   iii. Originally, a breach of the BAA would only subject the CE to liability to third parties
   iv. CE would recover cost from BA in a breach of contract lawsuit

II. 2009: ARRA and HITECH Extended Privacy & Security Rules to Business Associates (“BA”)
a. Business Associates became directly subject to privacy/confidentiality requirements and some security rules (can be held liable)
b. BA can be held liable for privacy non-compliance by a subcontractor who is acting as an “agent” of a BA
c. BA Agreements are now required with entities that provide data to a CE, such as Health Information Exchanges

III. 2013: Omnibus Final Regulations
A. Definition of “Business Associate” Expanded
   i. Entities that create, receive, maintain, or transmit PHI to perform functions or activities for a CE
   ii. Health Information Organizations, e-prescribing gateways, entities maintaining personal health records for a CE
   iii. Subcontractors receiving PHI on behalf of BAs
      Subcontractors are now subject to the same obligations as BAs with respect to the CE (need BAAs)
      Subs must have HIPAA-compliant security policies

III. Omnibus Final Regulations (2)
B. New Breach Standard: When it is discovered that there has been an unauthorized use or disclosure of Unsecured PHI, notice is presumed necessary EXCEPT where the CE or BA demonstrates that “there is a low probability that PHI has been compromised.”

III. Omnibus Final Regulations (3)
   i. The Final Rule does not define “compromised” but specifies what the risk assessment must consider:
      Nature and extent of PHI, types of identifiers (likelihood of re-identification)
      The unauthorized person to whom PHI was disclosed
      Whether the PHI was actually used/viewed
      Extent to which the risk has been mitigated

III. Omnibus Final Regulations (4)
C. Notification requirements upon determination of Breach:
   i. CEs must notify each individual whose UPHI is breached
   ii. BA must notify the CE (CE may delegate to BA by BAA)
   iii. Time period: without unreasonable delay but no later than 60 calendar days after discovery (first day known or should have been known)

III. Omnibus Final Regulations (5)
   1. Burden on discoverer to notify
   2. Written notice by mail unless urgent
   3. If more than 9 individuals involved, posting on web
   4. Notice to media if over 500 residents in a state or jurisdiction affected
   5. Immediate notice to Secretary if over 500 affected
   6. Breach log required to be sent to Secretary annually

III. Omnibus Final Regulations (6)
D. Notice must contain
   1. Description of what happened
   2. Description of types of data involved
   3. Steps individuals should take to protect themselves
   4. What the CE is doing to investigate, mitigate losses, and protect from further breaches
   5. Contact procedures
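The notification thresholds and required notice contents from slides (4) through (6), worked as a small incident-response planning helper. This is an added example, not material from the presentation; the Breach record, its field names, and the sample jurisdiction counts are constructed assumptions, and the thresholds are encoded exactly as the slides state them.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as stated on the slides (assumed to be the only rules in play here)
DEADLINE_DAYS = 60        # no later than 60 calendar days after discovery
WEB_POSTING_OVER = 9      # "more than 9 individuals": post notice on web
MEDIA_AND_HHS_OVER = 500  # "over 500": media notice per jurisdiction, immediate notice to Secretary
REQUIRED_NOTICE_ELEMENTS = ("what_happened", "data_types", "steps_for_individuals",
                            "ce_response", "contact")  # slide D, items 1-5

@dataclass
class Breach:                                  # constructed record shape (assumption)
    discovered: date                           # first day known or should have been known
    affected_by_jurisdiction: dict             # state/jurisdiction -> residents affected
    discovered_by_ba: bool = False             # a business associate, not the CE, found it
    low_probability_of_compromise: bool = False  # documented result of the 4-factor risk assessment

def notification_plan(b: Breach) -> dict:
    """Who must be notified, how, and the latest date, per the slides' thresholds."""
    if b.low_probability_of_compromise:        # the only exception to presumed notice
        return {"notify": False, "actions": [], "deadline": None}
    total = sum(b.affected_by_jurisdiction.values())
    actions = []
    if b.discovered_by_ba:
        actions.append("BA notifies the CE")
    actions.append("written notice by mail to each affected individual")
    if total > WEB_POSTING_OVER:
        actions.append("post notice on web")
    for place, n in sorted(b.affected_by_jurisdiction.items()):
        if n > MEDIA_AND_HHS_OVER:
            actions.append(f"notify media in {place}")
    if total > MEDIA_AND_HHS_OVER:
        actions.append("immediate notice to the Secretary")
    else:
        actions.append("record in annual breach log sent to the Secretary")
    return {"notify": True, "actions": actions,
            "deadline": b.discovered + timedelta(days=DEADLINE_DAYS)}

def missing_notice_elements(notice: dict) -> list:
    """Names of the five required notice contents that a draft notice leaves empty."""
    return [k for k in REQUIRED_NOTICE_ELEMENTS if not notice.get(k)]

# Constructed incident: 600 Ohio and 20 Kentucky residents, discovered by a BA on 1 March 2013
SAMPLE = Breach(date(2013, 3, 1), {"OH": 600, "KY": 20}, discovered_by_ba=True)

if __name__ == "__main__":
    plan = notification_plan(SAMPLE)
    print("latest notice date:", plan["deadline"], *plan["actions"], sep="\n  ")
    print("draft notice still missing:",
          missing_notice_elements({"what_happened": "lost laptop", "contact": "privacy office"}))
```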

IV. Patient Rights re Disclosures
a. Individuals may restrict disclosure to a health plan for payment or operations if the individual has paid out of pocket in full for services
b. Patient may request an accounting of all 3 years’ disclosures of his/her ePHI to any third party including TPO (i.e., to the billing company, to the insurance company, to another provider for a consult)

V. HHS Audit Initiative
Pilot audit of 115 CEs uncovered violations
   – All but 13 had some type of violation
   – 60 violations were security related; missing: risk assessments, documentation of decisions
Privacy violations include no notice of privacy practices
   – Notices must be revised to include new breach notification and disclosure rules
   – Policies and procedures (such as patient access to disclosure information, breach assessment and notification, restriction where paid) must be formulated and written
   – Employee training missing to inform employees of rules and procedures

VI. Practical Steps to Avoid Liability: Show How You Secure PHI
a. Appoint a Privacy Officer to establish policies, field questions and monitor compliance
b. Review company policies and procedures with your staff to ensure compliance with ARRA privacy and security requirements; update as needed
c. Make sure you have signed BAAs with those from whom you are receiving PHI (e.g., other physicians, clinics, hospitals, labs) and those to whom you are sending/disclosing PHI (e.g., billing company, insurance company, etc.)
d. Conduct a general risk assessment to determine if procedures are protecting PHI. Document the review.

VI. Practical Steps (2)
e. Take steps to see that:
   i. Doors are locked except for business entrances and exits during business hours
   ii. Employee access is restricted/logged during non-business hours
   iii. Visitors are not in a position to see or access data
   iv. Employees understand the importance of not disclosing patient information outside of work, and at work only as necessary
   v. All remote access to data is limited and inventoried
   vi. All portable electronics are encrypted

VI. Practical Steps (3)
   vii. Keys and pass codes are inventoried and changed frequently
   viii. Workstations are secured, screens not in view of the public
   ix. Procedures are implemented for ending data access by terminated employees
   x. Procedures are implemented for reporting suspicious activity
   xi. Hiring practices are implemented that help minimize risk (i.e., checking references and background)
   xii. Regular training on privacy and security requirements is conducted
   xiii. Decisive action is taken if a breach is suspected: procedures are followed and actions documented.

HIPAA Privacy QUESTIONS?