HIPAA Omnibus Rule of 2013 POSA August 29, 2013 Renee H. Martin, JD, RN, MSN Tsoules, Sweeney, Martin & Orr, LLC 29 Dowlin Forge Road Exton, PA 19341 Tel.:

History of HIPAA
- 1996: HIPAA enacted
- 1999-2000: initial Privacy & Security Regulations issued
- 2002: final Privacy Rules issued
- 2005: final Security Rules issued
- 2009: HITECH Act; Interim Final Rule on Breach Notification
- 2010: Enforcement Rules published
- 2013: HIPAA Final Omnibus Rule
Copyright © 2013 Tsoules, Sweeney, Martin & Orr, LLC

Who is covered under HIPAA?

Who Is Subject to HIPAA?
Covered entities (directly):
- Health plans: insurance companies, HMOs
- Health care clearinghouses (process nonstandard data elements into standard data elements)
- Health care providers who transmit any health information in electronic form in connection with a covered transaction
Business associates:
- Receive PHI from a covered entity
- Perform a function on its behalf

What Is a Business Associate?
A person who, on behalf of a covered entity:
- Performs or assists with a function or activity involving individually identifiable health information
- Performs certain identified services

Business Associates of a Covered Entity (examples)
- Auditors, lawyers, actuaries
- Billing firms
- Clearinghouses
- Management firms
- Consultants, vendors
- Other covered entities
- TPAs
- Accreditation organizations

Third Parties and Business Associates (cont.)
- Covered entities may disclose PHI to a business associate as necessary to permit the business associate to perform functions and activities on behalf of the covered entity
- A business associate cannot use PHI for its own purposes

Individually Identifiable Health Information (IIHI)
Health information, including demographics, that:
- Is created or received by a health care provider, health plan, or health care clearinghouse; and
- Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and
- Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information (PHI)
Individually identifiable health information that is:
- Transmitted by electronic media
- Maintained in any electronic media
- Transmitted or maintained in any other form (including oral or written PHI)

PHI and the Medical Record
The HIPAA Privacy Rule defines a designated record set as follows:
"(1) A group of records maintained by or for a covered entity that is:
- the medical records and billing records about individuals maintained by or for a covered health care provider; or
- used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) The term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity."

Privacy Rule Summary
A covered entity may not use or disclose PHI except:
- After it gives written notice of its health information practices to the individual
- In accordance with an individual's written authorization
- When requested by the Department of Health and Human Services Office for Civil Rights

General Rule: Required Disclosure
- To the individual upon the individual's request (some exceptions apply)
- To HHS in connection with its enforcement and compliance review actions

General Rule: Permitted Disclosures
- Notice of Privacy Practices: treatment, payment, health care operations
- Authorization
- Statutory/regulatory disclosures

Scope of the Omnibus Rule
- Revised breach notification standard
- Patient access to information contained in an electronic health record
- Regulation of business associates ("BAs") and subcontractors
- Prohibition on "sale" of PHI without authorization

Scope of the Omnibus Rule (cont.)
- Patients' right to restrict data sharing with payers
- Requirements to modify and redistribute the NPP
- Clarifies and strengthens OCR's role in enforcement, the imposition of civil monetary penalties (CMPs), and CMP liability for acts of business associates and subcontractors

Duty to Notify in Case of Breach
HITECH Act: required notification of a breach of "unsecured PHI".
What is a "breach"?
- "The unauthorized acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule and which compromises the security or privacy of the PHI"
- If the definition is met, notification is required
- Applies to both electronic and hard-copy information

Duty to Notify in Case of Breach (cont.)
What is NOT a "breach"? Determined by:
1. The definition of "breach"
2. The exceptions to the definition of a breach

Not a Breach by Definition
Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a covered entity (CE) or business associate (BA), if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted.

Not a Breach by Definition (cont.)
The notification duty applies only to "unsecured PHI":
- If CEs and BAs apply the technologies and methodologies specified in the April 17, 2009 guidance for PHI, the PHI is "secured" and no notice is required.
- Per the guidance, "secured PHI" is PHI that is rendered unusable, unreadable or indecipherable to unauthorized individuals (i.e., encrypted or destroyed as detailed in the exhaustive list of technologies and methodologies).

IFR Breach Notification Standard
- Interim Final Rule (IFR): CEs/BAs must notify of breaches of unsecured PHI that cause a significant risk of harm to the data subjects
- Harm includes financial and "other" harm; the standard was controversial
- Data correctly encrypted per National Institute of Standards and Technology guidance is not "unsecured PHI"

Omnibus Rule Breach Notification Standard
- The definition of "breach" has changed; the "harm" analysis is gone
- An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability that the PHI has been "compromised"
- Determining whether there is a low probability the data has been "compromised" requires analysis of what happened (or may have happened) to the data
- The focus has now switched to: what happened to the PHI?

Breach Notification – Risk Assessment
The CE/BA should perform a risk assessment after discovery of a breach and must consider at least the following:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- Who the recipient of the PHI was
- Whether the PHI was actually acquired or viewed
- The extent to which the risk of misuse of the PHI has been mitigated

Breach Notification – Burden of Proof
- If no risk assessment is performed, the default is notification
- The burden of demonstrating a low probability that the PHI is compromised is on the CE/BA
- A decision not to notify must be documented in case of review

Breach Notification – Obligations to Notify
- CEs must notify individuals (although they can delegate this to BAs)
- BAs must notify CEs
- Subcontractors must be contractually obligated to notify their contracting partner so the information can go back up the chain

Breach Notification – Examples of Risk Analysis Criteria
Likelihood of identification or re-identification:
- A list of patient names on practice letterhead: high probability
- Patient data on your letterhead with the patients not specified: can the patients be re-identified? Could be low probability (depends on the circumstances)
Who the unauthorized recipient is:
- A HIPAA covered entity: low probability, as long as you have evidence the risk has been mitigated
- An employer, who may be able to use personnel records to re-identify: not low probability
Whether the PHI was actually acquired or viewed:
- Laptop recovered untampered with: low probability
- Information mailed to the wrong person: not low probability
Whether the improper use has been mitigated:
- Satisfactory assurances of destruction from a known person: low probability
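As an added illustration (not part of the presentation), the following Python script models the decision sequence the breach-notification slides describe: the "secured PHI" gate, the good-faith workforce exception, the four-factor risk assessment, the default to notification when no assessment is performed, and a written record of the decision for later review. The names `Incident`, `assess`, `decision_record` and `SCENARIOS` are this example's own; the scenarios are constructed, and the low / not-low rating of each factor is the judgement the CE/BA itself must make and document. The script takes the strict reading that a non-low rating on any factor means low probability has not been demonstrated; a CE/BA weighing the factors together may reach a different, documented conclusion.

```python
"""
Breach-notification decision helper (added example, not the presenter's
material). Encodes the Omnibus Rule sequence from the slides:
secured PHI -> workforce exception -> four-factor assessment -> default
to notify when unassessed -> documented decision.
"""
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Likelihood(Enum):
    LOW = "low probability"
    NOT_LOW = "not low probability"


@dataclass(frozen=True)
class Incident:
    description: str
    # PHI encrypted or destroyed per the April 17, 2009 guidance
    phi_secured: bool = False
    # Unintentional, good-faith, in-scope access by a workforce member
    # with no further impermissible use or disclosure
    good_faith_workforce_exception: bool = False
    # The four factors; None means the factor was not assessed
    reidentification: Optional[Likelihood] = None
    recipient: Optional[Likelihood] = None
    acquired_or_viewed: Optional[Likelihood] = None
    mitigation: Optional[Likelihood] = None


@dataclass(frozen=True)
class Decision:
    notify: bool
    basis: str


FACTORS = ("reidentification", "recipient", "acquired_or_viewed", "mitigation")


def assess(incident: Incident) -> Decision:
    """Apply the slides' decision sequence in order."""
    # 1. The notification duty attaches only to unsecured PHI.
    if incident.phi_secured:
        return Decision(False, "PHI secured per guidance; not unsecured PHI")
    # 2. Statutory exception: not a breach by definition.
    if incident.good_faith_workforce_exception:
        return Decision(False, "good-faith workforce exception; not a breach by definition")
    ratings = {f: getattr(incident, f) for f in FACTORS}
    # 3. No (complete) risk assessment: the default is notification.
    missing = [f for f, r in ratings.items() if r is None]
    if missing:
        return Decision(True, "risk assessment incomplete (%s); default is notification"
                        % ", ".join(missing))
    # 4. Presumed breach unless low probability of compromise is shown
    #    (strict reading: every factor must support low probability).
    not_low = [f for f, r in ratings.items() if r is Likelihood.NOT_LOW]
    if not_low:
        return Decision(True, "low probability not demonstrated for: " + ", ".join(not_low))
    return Decision(False, "low probability of compromise on all four factors")


def decision_record(incident: Incident) -> str:
    """JSON record of the assessment; a decision not to notify must be
    documented because the burden of proof is on the CE/BA."""
    d = assess(incident)
    factors = {f: (getattr(incident, f).value if getattr(incident, f) else "not assessed")
               for f in FACTORS}
    return json.dumps({"incident": incident.description, "factors": factors,
                       "notify": d.notify, "basis": d.basis}, indent=2)


# Constructed scenarios mirroring the slide's examples
SCENARIOS = {
    "misdirected_mail": Incident(
        "Statement mailed to the wrong patient",
        reidentification=Likelihood.NOT_LOW,    # full name on practice letterhead
        recipient=Likelihood.NOT_LOW,           # unrelated member of the public
        acquired_or_viewed=Likelihood.NOT_LOW,  # envelope opened by recipient
        mitigation=Likelihood.LOW,              # letter returned unread further
    ),
    "encrypted_laptop": Incident("Encrypted laptop stolen from a car", phi_secured=True),
    "misdirected_fax_to_ce": Incident(
        "Schedule with initials only faxed to another covered entity, shredded on request",
        reidentification=Likelihood.LOW, recipient=Likelihood.LOW,
        acquired_or_viewed=Likelihood.LOW, mitigation=Likelihood.LOW,
    ),
    "unassessed": Incident("Unencrypted USB drive lost; no assessment performed"),
}


if __name__ == "__main__":
    for name, incident in SCENARIOS.items():
        print(name)
        print(decision_record(incident))
```

Running the script prints one JSON record per scenario; the misdirected mail and the unassessed USB drive come out as "notify", the encrypted laptop and the fax to another covered entity do not, and each record carries the basis so a reviewer can see why.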

Right to Request Restrictions to Payors
The general rule is that a CE is not required to accept restrictions on the use and disclosure of PHI. The Final Rule created an exception and requires a CE to agree to a restriction if:
- the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
- the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the CE in full.

OCR Guidance on Disclosure Restrictions
- CEs are not required to create separate medical records or otherwise segregate PHI subject to a restriction.
- CEs will need to flag restricted PHI or make a notation in the record that the PHI has been restricted.
- CEs are not required to abide by a restriction if an individual's payment fails, is denied or bounces, but they must make a reasonable effort to contact the individual and obtain payment prior to billing a health plan.
- Providers within an HMO who cannot by law accept payment from the individual may counsel the individual to use an out-of-network provider.
- If a restriction is sought for one item in a bundle of services, counsel the patient about the ability to unbundle and its effect, and permit the patient to pay for the entire bundle.
- CEs need not inform downstream providers of restrictions, but should counsel patients to seek restrictions and pay out of pocket there, too.

Individual Right to Access PHI
HIPAA currently requires, with limited exceptions, that individuals have a right to review or obtain copies of their PHI to the extent such information is maintained in a designated record set. The Final Rule made significant changes to the individual's right to access their PHI.

Patient Access to Electronic Health Information
- If PHI is held electronically, the individual is entitled to an electronic copy if it is in a "designated record set" (not just the information in an "EHR")
- Must be in the format requested if "readily producible"; if not, in a readable electronic form and format agreed upon by the entity and the individual
- Not required to buy new software to do this, but must have the capability to provide some electronic copy
- If the individual declines to accept the electronic formats the entity makes available, the entity can default to hard copy
- Not required to accept the patient's device, but cannot require individuals to purchase a device from you if they do not want to

Patient Access – Reasonable Safeguards
- Must have reasonable safeguards in place to protect transmission of ePHI, but:
- If an individual wants information by unencrypted e-mail, the entity can send it if it advises the individual that such transmission is risky
- Cannot force individuals to accept unsecured e-mail
- The entity is not then responsible for a breach; document the individual's acknowledgement of the risk
- Omnibus allows 30 days to produce the copy, with one 30-day extension, for a total of 60 days; OCR urges entities to make information available sooner when possible
- If over 30 days, must notify the patient in writing and explain why the extension is needed

Patient Access – Third Parties, Charges
- Individuals can have the copy directed to another person or entity, but the choice must be in writing and clearly identify the person or entity
- The information must be protected, and the entity must implement reasonable policies and procedures to send it to the right place (e.g., type the address correctly)
- "In writing" can be electronic
- Fees charged are restricted to the labor cost of copying; they cannot include the cost of retrieval or a portion of capital costs
- The charge can include supplies provided to the individual upon request

Business Associates/Subcontractors
The Omnibus Rule conforms the HIPAA regulations to the HITECH Act changes:
- Before HITECH, BAs were regulated through business associate contracts or agreements ("BAAs")
- After HITECH, BAs and subcontractors are regulated directly under HIPAA
- Must comply with the Security Rule (the rule is flexible to accommodate small BAs)
- Must comply with some of the Privacy Rule and the provisions of the BAA
- A BAA is still needed

Notice of Privacy Practices (NPP)
NPPs must include:
- Statements regarding certain uses and disclosures requiring authorization, e.g., psychotherapy notes (where appropriate), marketing, sales of PHI, the right to restrict disclosures to health plans (providers only), and the right to be notified of a breach; and
- A general statement that all uses and disclosures not described in the NPP also require authorization
- New patients get the revised NPP by 9/23/13; other patients as they come in to be seen

What the OCR Says About Enforcement
"This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates." (Leon Rodriguez, Director, OCR)

Enforcement Rule – BAs, Investigations, Reviews
- Civil monetary penalties (CMPs) can be assessed directly against business associates
- Complaint investigations and compliance reviews:
  - Required whenever there is evidence of a possible HIPAA violation due to willful neglect
  - Discretionary in the absence of possible willful neglect
  - Every complaint will be investigated preliminarily
  - The Secretary has discretion to move directly to imposition of CMPs without informal resolution

Enforcement – Coordination
- The Secretary may disclose PHI to another agency on request
- Coordination with the Department of Justice and the FTC
- Coordination with State Attorneys General to assist with their direct enforcement

Enforcement – Civil Monetary Penalty Tiers

| Violation (state of mind) | Penalty range per violation | Maximum for all such violations of an identical provision in a calendar year |
|---|---|---|
| Did Not Know | up to $50,000 | $1,500,000 |
| Reasonable Cause | $1,000 – $50,000 | $1,500,000 |
| Willful Neglect – Corrected | $10,000 – $50,000 | $1,500,000 |
| Willful Neglect – Not Corrected | $50,000 | $1,500,000 |

Enforcement – CMPs
- New definition of "reasonable cause" to address state of mind: knew it was a violation but without willful neglect
- The definition of "willful neglect" is retained: "conscious, intentional failure or reckless indifference"

Enforcement – CMPs – Liability for Agents
- Note: workforce members are liable for a breach under HITECH
- CEs, BAs and subcontractors are liable for HIPAA violations of their agents
- Fact-specific determination: did the principal control, or have the right to control or direct, the agent's conduct in performing a contracted service?
- The manner and method by which the principal actually controls the service provided is determinative

Enforcement Rule – Considerations for CMPs
OCR will consider the following:
- Nature and extent of the violation
- Nature and extent of any physical, financial or reputational harm
- The covered entity's or business associate's history of prior noncompliance with the statute
- The financial condition of the covered entity or business associate
- Other factors as required for justice
- Extent of reputational or other harm
- Time period during which the violations occurred
- Number of individuals affected

Next Steps
- Review and update policies, procedures and forms
- Train staff on the new provisions
- Inventory BAs and update BAAs
- Update the breach response plan; in particular, update the risk assessment and address encryption
- Don't delay