2013 HIPAA Updates and Required Changes. Session Objectives HIPAA HISTORY 9/5/2013

Transcription

1 Recorded 2013 HIPAA Updates and Required Changes Presented to: American Academy of Audiology Tuesday, Page 0 Session Objectives At the end of this session, participant will be able to: Discuss the history of the Privacy and Security rules List the main changes under the Omnibus Rule Making Define the compliance timeline for implementation of changes Identify four action steps to take towards compliance in their practice Page 1 HIPAA HISTORY Page 2 1

2 Recorded The Privacy Rule (2003) Controls the use and disclosure of what is defined as protected health information(phi) Allows the patient to control the disclosure of their PHI to certain entities Page 3 The Security Rule (2005) Protects and safeguards information that is in an electronic format - ephi Addresses the transmission, storage and receipt of data The Risk Analysis is also a requirement in meaningful use attestation Page 4 Security Rule Safeguards Administrative Safeguards (Formal, documented processes) Physical Safeguards (Procedures to protect computers, buildings, etc. from hazards and intrusions) Technical Safeguards (Processes to control and monitor access to EPHI) Page 5 2

3 Recorded HIPAA Breach Notification Rule (2009) The Interim Final Rule has been enforceable since February 2010 Defined reporting responsibility based on size and extent of breach Reporting is visible with likelihood of reputational harm hipaa/enforcement/examples/ casebyentity.html#2privatepractice Page 6 Four Major Provisions of the Omnibus Final Rule Page 7 I. Final Modifications Mandated Under HITECH Business Associates are now fully liable for HIPAA compliance Strengthen the limitations on use and disclosure of PHI for marketing and fundraising 45 CFR Parts 160 and 164: Federal Register, 1/25/2013 Page 8 3

4 Recorded I. Final Modifications Mandated Under HITECH (cont d) Prohibit the sale of individual PHI without authorization Expand the individuals right to receive electronic copies of their health information Restrict disclosure of PHI to a health plan if an individual has paid out of pocket, in full for the service 45 CFR Parts 160 and 164: Federal Register 1/25/2013 Page 9 I. Final Modifications Mandated Under HITECH (cont d) Requires modification of and redistribution of the Notice of Privacy Practices Modifies individual authorizations to more easily facilitate research and the release of childhood immunization records to schools Adopt additional HITECH enhancements to the enforcement rule 45 CFR Parts 160 and 164: Federal Register 1/25/2013 Page 10 II. Adopting Changes to the Enforcement Rule Retains the tiered penalty structure OCR must now investigate any complaint if a preliminary review indicates a possible noncompliance due to willful neglect. Business Associates and subcontractors can be subject to penalties Page 11 4

5 Recorded New Civil Money Penalties Old HIPAA Tier I Violation not known or reasonably known None Tier II Violation due to reasonable cause, but not willful neglect $100 per violation, $25,000 max for identical violations in calendar year; no penalty if corrected in 30 days Tier III Violation due to willful neglect, if corrected within 30 days Same as Tier II Tier IV Violation due to willful neglect, if not corrected within 30 days Same as Tier II Omnibus Rule At least $100 per violation, $25,000 max for identical violations in calendar year; no penalty if corrected in 30 days At least $1,000 per violation, $100,000 max for identical violations in calendar year; no penalty if corrected in 30 days At least $10,000 per violation, $250,000 max for identical violations in calendar year At least $50,000 per violation, $1.5 million max for identical violations in calendar year Page 12 Enhanced Enforcement HHS must investigate any complaint which may involve willful neglect State Attorneys General may bring action to enjoin violations or obtain damages Penalties reinvested in enforcement activity Individual harmed by violation eligible for portion of any penalty Page 13 III. Changes in Breach Notification Replaced the breach rule of harm threshold with a more objective standard Covered entities are required to notify the Secretary of all breaches of unsecured PHI affecting fewer than 500, within 60 days of the end of the calendar year that the breach was discovered. (not occurred) Page 14 5

6 Recorded III. Changes in Breach Notification (cont d) Change in definition Old - the covered entity had latitude to determine whether the breach posed a significant risk of financial, reputational or other harm New Presumption of reportable breach, unless low probability the PHI has been compromised Page 15 III. Changes in Breach Notification (cont d) The nature and the extent of the PHI involved Who was the disclosure made to Was the PHI actually viewed/used? To what extent has the risk been mitigated? Page 16 Five Factors 1. Nature and extent of violation 2. Nature and extent of harm resulting from violation 3. History of prior compliance and violations 4. Financial condition of violator 5. Such other matters as justice may require Page 17 6

7 Recorded IV. HIPAA as it Relates to Genetic Information Genetic Information Nondiscrimination Act (GINA) prohibits health plans form using or disclosing genetic information for underwriting purposes 45 CFR Parts 160 and 164: Federal Register 1/25/2013 Page 18 Who Is Our Business Associate? Page 19 Business Associate A business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A business associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. Examples: Health Information Organizations, Patient Safety Organizations, Vendors for Portals SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Published January 25, 2013, HHS/GOV) Page 20 7

8 Recorded Business Associate (cont d) A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule. SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Published January 25, 2013, HHS/GOV Page 21 Important Dates Published in the Federal Register on January 25, 2013 Effective Date March 26, 2013 Compliance Date September 23, 2013 Compliance with existing (prior to 1/25/2013) BAAs September 22, 2014 Page 22 Requests For Access Old Rule: Review/obtain copy of PHI maintained in designated record set New Rule: Review/obtain copy of PHI CE maintains electronic PHI In electronic form/format requested by individual if such format is readily producible If not, CE must offer to produce the electronic PHI in at least one readable electronic format Page 23 8

9 Recorded Liability for BAs Old Rule: CE not liability for BA s actions if: Complied with BA rules Unaware of pattern or practice of violating BAA Took action in response to known violation New Rule: CE liable for BA who acts as agent Totality of circumstances CE s right or authority to control BA s conduct in course of performing services on CE s behalf BAA agency relationship unless vests CE with authority over BA Page 24 Research Authorizations Old Rule: No compound authorizations New Rule: May combine authorization for use/disclosure with consent to participate in research study Page 25 Decedent Information Old Rule: HIPAA rights the same, living or dead New Rule: Definition of PHI excludes information relating to individual who has been deceased more than 50 years Page 26 9

10 Recorded Sale of PHI Old Rule: CE cannot sell PHI; no prohibition on receiving remuneration for permissible disclosure New Rule: Even where disclosure is permitted, CE cannot disclose PHI in exchange for remuneration unless authorized If authorization obtained, must state that disclosure will result in remuneration Limited research exception remuneration must be limited to cost to prepare and transmit PHI Page 27 Request For Restrictions Old Rule: CE not required to accept restrictions on use/disclosure for which authorization not required New Rule: CE must accept restriction if: Disclosure for payment or health care operations Disclosure not otherwise required by law PHI pertains solely to item or service for which individual (or person other than the health plan on behalf of the individual) has paid CE in full Page 28 Action Items Page 29 10

11 Recorded Action Items Assess your current level of compliance Educate staff on updates Assess Business Associate list Page 30 Action Items (cont d) Update policies and procedures as needed Inventory where ephi is stored, transmitted, etc. Changes to your NPP Page 31 Questions To ask a question, please type your question into the chat box in the lower left corner of the screen and click on the Send button located right below the box. Page 32 11

12 Recorded Contact Information Barbara Stahura, MPA Senior Manager Pershing Yoakley & Associates, P.C. (800) Page 33 12