Compliance Officers Forum Live


1 Compliance Officers Forum Live
2017 PACE CONVENTION & EXPO | APRIL 2-5, 2017 | TAMPA, FL

2 Federal and State Updates

3 FCC Updates
- FCC Commissioners: Pai named Chairman; currently a 2-1 Republican majority (will be a 3-2 Republican majority); likely to have a more balanced TCPA agenda
- Appeal of 2015 Ruling: still pending in the D.C. Circuit

4 FCC Updates
- 10-year rule review (TCPA): should the rules be amended or eliminated? Comments due May 4th
- Cunningham and Moskowitz Petition: written consent for informational calls and texts; PACE filed opposing comments
- NPRM and Notice of Inquiry: relates to call blocking (by providers); proposes specific regulations and requests additional information from industry

5 TCPA Case Law
- ATDS opinions: human intervention still relevant; favorable opinions on SMS platforms; some guidance on the “potential capacity” issue
- Several courts issuing stays pending resolution of the appeal related to the 2015 Ruling

6 Pending Legislation – Federal Legislation
- FCC oversight and transparency bills
- Call center relocation bills
- Fairness in Class Action Litigation Act of 2017
- Robo COP Act – prohibits prerecorded political messages to numbers on the DNC Registry
- HANG-UP Act – repeals the TCPA exemption for government-backed debt collection calls

7 Pending Legislation – State Legislation
- Call center relocation bills (several)
- Expand DNC laws to cover B2B calls (MA)
- More onerous caller ID laws (CA, MA, others)
- Bills regulating political calls (several)
- Prohibition on unsolicited text advertisements (NY)

8 Overview of the Health Insurance Portability and Accountability Act (HIPAA)

9 HIPAA
- Protects patients’ medical records and health information that is maintained by “covered entities” and their “business associates”
- Protected health information (PHI) includes individually identifiable health information, including demographic data, relating to: an individual’s physical or mental health; the provision of health care to the patient; or payment for the provision of health care to the individual
- PHI also includes common identifiers, such as name, address, birthday, SSN, etc.
Notes:
- Protects patient privacy, allows access to medical records, and designates who can speak on a patient’s behalf
- Examples of protected information: information your doctors, nurses, and other health care providers put in your medical record; conversations your doctor has about your care or treatment with nurses and others; information about you in your health insurer’s computer system; billing information about you at your clinic; most other health information about you held by those who must follow these laws
- Health plan – health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and military and veterans health care programs
- Health care provider – doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, but ONLY if they transmit any information in electronic form in connection with a transaction for which HHS has adopted a standard
- Health care clearinghouse – entities that process nonstandard health information they receive from another entity into a standard format (or vice versa)

10 HIPAA
Covered entities include:
- Health plans
- Health care clearinghouses
- Health care providers

11 HIPAA
- A “business associate” is any person or entity that performs particular functions or activities that involve using or disclosing PHI on behalf of, or provides services to, a covered entity
- Functions include: claims processing/administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, repricing
- Services include: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, financial
Notes:
- See definition of “business associate” at 45 CFR

12 Three Pillars of HIPAA-HITECH Compliance
- HIPAA-HITECH covers the use of Personal Health Information (PHI)
- The regulations apply directly to healthcare-related data
- No certification or registration requirements; audits are mandatory
Notes:
- HHS (Dept. of Health & Human Services) is required to adopt national standards for electronic health care transactions
- Rights under the Privacy Rule – health insurers and providers who are covered entities have to comply with the right to: ask to see and get a copy of health records; have corrections added to health information; receive a notice telling you how health information may be used or shared; decide if you want to give permission before health information can be used or shared for certain purposes such as marketing; get a report on when and why health information was shared for certain purposes
- Information can be used and shared for treatment and care; to pay doctors and hospitals; with family, friends, relatives; etc.
- The above slide information is taken from the HHS website

13 HIPAA
- Civil Penalties: up to $50,000 per violation; annual maximum of $1.5 million
- Criminal Penalties: up to $250,000 per violation; up to 10 years imprisonment
* Civil and criminal penalties vary depending upon the type of violation and the level of intent/knowledge involved
** No private right of action (but HIPAA has been used as a standard of care for negligence claims against covered entities)

14 Implementing a HIPAA Compliance Program – A High-level Overview

15 HIPAA Project Overview
HIPAA Standards
- Complete scoping documents (what and who is in scope): identify systems, associates that have access, equipment used, physical documents, third parties
- Deploy operating and security controls, ensure evidence is documented, and close all known gaps
- Deploy HIPAA training to all associates that have access to view or process any form of PHI
- Deploy required security controls on all in-scope systems and equipment
- Ensure documented access to in-scope systems
- On-going management support of HIPAA requirements
- Retain records for 7 years to demonstrate compliance, e.g. access requests/deletions, background checks, versions of operating procedures & training material, evidence of training, system settings & reviews, policies, processes, etc.

16 HIPAA Project Overview
- Develop a privacy and security risk management & governance program
- Develop & implement comprehensive HIPAA privacy, security and breach notification policies & procedures
- Train all employees that are associated with the HIPAA program (e.g. managers, floor monitors and phone agents)
- Complete a HIPAA security risk analysis and risk management review
- Complete a HIPAA security non-technical evaluation (i.e. compliance assessment)
- Complete a privacy rule and breach notification rule compliance assessment
- Implement an ongoing, proactive vendor management program
- Assess your current insurance coverage (e.g. Cyber Liability, General Liability, D&O, E&O)
- Document and act upon a remediation plan

17 HIPAA Program Overview
HIPAA Solutions
- Physical Security: access controls of sites and data centers; site security; partitioned work areas (solid, high)
- Privacy: privacy policy; HIPAA training
- Operations: clear desk and screen process; data handling guidelines and procedures; information classification standards; secure desktop builds
- Technical: develop standardized solutions; leverage existing certified platforms; internal and external vulnerability scans; internal and external penetration testing; encryption solutions

18 HIPAA Risk Review Standards
HHS Office for Civil Rights Risk Analysis Guidance – regardless of the risk analysis methodology employed…
- Scope of the Analysis – all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § (a).)
- Data Collection – the data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ (a)(1)(ii)(A) and (b)(1).)
- Identify and Document Potential Threats and Vulnerabilities – organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ (a)(2), (a)(1)(ii)(A) and (b)(1)(ii).)
- Assess Current Security Measures – organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ (b)(1), (a)(1)(ii)(A), and (b)(1).)
- Determine the Likelihood of Threat Occurrence – the Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § (b)(2)(iv).)
- Determine the Potential Impact of Threat Occurrence – the Rule also requires consideration of the “criticality,” or impact, of potential risks to the confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § (b)(2)(iv).)
- Determine the Level of Risk – the level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and the resulting impact of threat occurrence. (See 45 C.F.R. §§ (a)(2), (a)(1)(ii)(A), and (b)(1).)
- Finalize Documentation – the Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § (b)(1).)
- Periodic Review and Updates to the Risk Assessment – the risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ (e) and (b)(2)(iii).)

19 TCPA and Other Compliance Considerations for Health Care Campaigns

20 TCPA Class Actions by Industry
Source: U.S. Chamber of Commerce

21 TCPA Restrictions on Calls to Cell Phones
- General Rule – must have consent to call cell phones using an ATDS or prerecorded message
- Non-telemarketing calls – must have “prior express consent”
- Telemarketing/advertising calls – must have “prior express written consent”

22 Relevant Exemptions for TCPA Cell Phone Rules
Limited Exemption for Health Care Messages
- Calls made by or on behalf of a covered entity or its business associate to deliver a health care message (as defined under HIPAA)
- Made for purposes such as preventive, diagnostic or therapeutic treatment; prescription notifications, etc.
- Exempt from the written consent requirement, but must have prior express consent

23 Relevant Exemptions for TCPA Cell Phone Rules
Full Exemption for Certain Health Care Messages – calls/texts/messages must meet the following criteria:
- Must be free to the end user
- May only be made to a number provided by the called party
- Must include the caller’s contact information
- Must be concise (one minute for calls; 160 characters for texts)
- Must include an opt-out mechanism (automated opt-out for calls and STOP reply for texts)
- May not send more than 1 call per day or 3 calls per week
- Must be made for very specific purposes (see next slide)
Entirely exempt from the TCPA’s consent requirements

24 Relevant Exemptions for TCPA Cell Phone Rules
Full Exemption for Certain Health Care Messages – permissible purposes of calls:
- Appointment confirmation or reminder
- Wellness check-ups
- Hospital pre-registration instructions
- Pre-operative instructions
- Lab results
- Post-discharge follow-up intended to prevent readmission
- Prescription notifications
- Home healthcare instructions
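The criteria on the two preceding slides (free to the end user, caller-provided number, contact information, 160-character limit, STOP opt-out, the 1-per-day and 3-per-week caps, and the permitted-purpose list) are the kind of thing a messaging platform should enforce before a health care text leaves the queue. The following is an added example written for this transcript, not code from PACE or the presenters; the HealthCareText data model, the free_to_end_user flag, the purpose identifiers and the constructed NOW and SAMPLE values are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Purposes the slide lists as permissible under the full exemption
# (identifier spellings are assumed, not from the slides).
PERMISSIBLE_PURPOSES = {
    "appointment_reminder", "wellness_checkup", "pre_registration",
    "pre_operative_instructions", "lab_results", "post_discharge_followup",
    "prescription_notification", "home_healthcare_instructions",
}
SMS_MAX_CHARS = 160            # "concise": 160 characters for texts
MAX_PER_DAY, MAX_PER_WEEK = 1, 3

@dataclass
class HealthCareText:          # assumed data model, not from the slides
    to_number: str             # destination cell number
    body: str
    purpose: str
    callback: str              # caller contact info that must appear in body
    free_to_end_user: bool     # assumed flag supplied by the messaging provider

def exemption_violations(msg, patient_numbers, sent_at, now):
    """Return the criteria msg fails (empty list means it fits the exemption).
    patient_numbers: numbers the called party provided to the covered entity.
    sent_at: timestamps of messages already sent to msg.to_number."""
    problems = []
    if not msg.free_to_end_user:
        problems.append("not free to end user")
    if msg.to_number not in patient_numbers:
        problems.append("number not provided by called party")
    if msg.callback not in msg.body:
        problems.append("missing caller contact information")
    if len(msg.body) > SMS_MAX_CHARS:
        problems.append(f"text longer than {SMS_MAX_CHARS} characters")
    if not re.search(r"\bSTOP\b", msg.body, re.IGNORECASE):
        problems.append("missing STOP opt-out instruction")
    if msg.purpose not in PERMISSIBLE_PURPOSES:
        problems.append(f"purpose {msg.purpose!r} not on permitted list")
    # Frequency caps count earlier sends in rolling 1-day and 7-day windows.
    if sum(now - t < timedelta(days=1) for t in sent_at) >= MAX_PER_DAY:
        problems.append("daily frequency cap reached")
    if sum(now - t < timedelta(days=7) for t in sent_at) >= MAX_PER_WEEK:
        problems.append("weekly frequency cap reached")
    return problems

# Constructed sample data for a stand-alone run.
NOW = datetime(2017, 4, 3, 9, 0)
SAMPLE = HealthCareText("+15550000001",
    "Clinic: your appt is Tue 9am. Call 555-0100. Reply STOP to opt out.",
    "appointment_reminder", "555-0100", True)
```

A message that fails any check should fall back to the consent rules on slides 21 and 22 rather than be sent under the exemption.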

25 TSR’s HIPAA Exemption
- General TSR Rule – must have written consent for prerecorded telemarketing messages (to landlines and cell phones)
- Exemption for Health Care Messages – calls made by or on behalf of a covered entity or its business associate to deliver a health care message
- The call must be made for one of the following purposes: to describe a health-related product or service included in the individual’s plan of benefits; for treatment of the individual; for case management or care coordination for the individual; or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual

26 TSR’s HIPAA Exemption
Exempt Calls – examples of exempt calls cited by the FTC include calls by or on behalf of a:
- pharmacy to provide prescription refill reminders;
- medical provider to provide medical appointment or other reminders (e.g. availability of flu shots);
- medical equipment supplier regarding supply reorders; and
- case manager to check on a patient’s condition.

27 Call Recording/Monitoring
- Rule – in several states, you must notify the other party that the call is being recorded
- Two-Party States – CA, CT, FL, IL, MD, MA, MI, MT, NV, NH, PA, WA
- Risk Exposure – up to $5,000 per call (California); several settlements over $10M
- Note: rules generally apply to ALL calls (B2B, B2C, marketing, informational)

28 TCPA Fax Rules
- Primary Rule – may not send marketing faxes without: (1) consent; or (2) an EBR (if the fax number was provided by the recipient or publicly listed)
- Opt-Out Disclosures – all advertising faxes must include an opt-out disclosure that meets specific requirements
- Opt-Out Requests – must honor all opt-out requests within a reasonable time (not to exceed 30 days)

29 Questions
