Dissecting New HIPAA Rules and What Compliance Means For You A White Paper by Cindy Phillips of CMIT Solutions and Kelly McClendon of CompliancePro Solutions
TABLE OF CONTENTS
Introduction
What Are the New HIPAA Rules?
Protected Health Information (PHI) and the Privacy and Security Rules
Breach Notification Rule Changes and Penalties
The Need for New Business Associate Agreements (BAAs)
The Need for Updated Risk Assessments
Implementing New Policies and Procedures
Training Employees on the Ongoing Needs of HIPAA Compliancy
Conclusion
Introduction
HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 to protect health insurance coverage for workers and their families and to establish national standards for electronic health care transactions involving providers, employers, employees, and health plans. HIPAA comprises several rules, including the Privacy Rule, Security Rule, Enforcement Rule, Transactions and Code Sets Rule, and Unique Identifiers Rule. With health care technology changing rapidly, however, several amendments, enhancements, and changes have been made to HIPAA, the most important of which, the new Omnibus Rule, must be complied with by September 23, 2013. This white paper aims to answer questions about how these new regulations apply, to whom, and how small to medium-sized businesses can chart the best course for compliance by utilizing CMIT Solutions' HIPAA Compliant Managed Services.
What Are the New HIPAA Rules?
The Omnibus Rule, published on January 25, 2013 with a compliance date of September 23, 2013, finalizes the changes mandated by the 2009 HITECH (Health Information Technology for Economic and Clinical Health) Act. As part of the American Recovery and Reinvestment Act, more commonly known as the stimulus, HITECH allocated $19 billion to hospitals and physicians who demonstrated meaningful use of Electronic Medical Records (EMR) and Electronic Health Records (EHR). Any health care provider receiving meaningful use funds should be prepared for a potential audit by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which makes compliance with the revised HIPAA standards essential.
Protected Health Information (PHI) and the Privacy and Security Rules
The most significant change contained within the Omnibus Rule concerns who must now comply with the Privacy and Security Rules that govern Protected Health Information (PHI).
The Privacy Rule establishes national standards to protect individuals' medical records and other personal health information held by health plans, health care clearinghouses, and health care providers that conduct certain transactions electronically. The Rule requires appropriate safeguards to protect the privacy of PHI, sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization, and gives patients rights to access and request corrections of their health records. [1]
The Security Rule establishes national standards to protect individuals' electronic PHI that is created, received, used, or maintained by a Covered Entity (CE). The Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. [2]
[1] HIPAA Administrative Simplification Statute and Rules, http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
[2] HIPAA Administrative Simplification Statute and Rules, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
In the past, only Covered Entities (health plans, health care clearinghouses, and providers that bill insurance companies, Medicare, or Medicaid electronically) were required by law to follow the rules pertaining to PHI. Now, Business Associates (BAs) of those CEs (IT service providers, lawyers, accountants, data processors, and others who may be privy to PHI) are also held to the same standard. Additionally, subcontractors of those BAs that handle PHI are now defined as BAs as well. These regulations even apply to organizations that simply maintain PHI data and may never access it.
Breach Notification Rule Changes and Penalties
The Omnibus Rule also implements revised policies and procedures pertaining to data breaches. Gone is the old harm standard that defined how breaches of PHI were handled. In its place, any impermissible use or disclosure of PHI is presumed to be a breach requiring notification unless the CE or BA can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. There are three exceptions to this rule:
1) If the PHI is unintentionally acquired, accessed, or used in good faith by a workforce member acting within the scope of his or her authority at a Covered Entity or Business Associate, and is not further used or disclosed.
2) If PHI is inadvertently disclosed by one person authorized to access it at a CE or BA to another person authorized to access it at the same CE or BA, and is not further used or disclosed.
3) If the CE or BA has a good faith belief that the unauthorized person to whom the impermissible disclosure was made could not reasonably have retained the information.
Otherwise, breaches must be reported as follows. A Business Associate that discovers a breach must notify the Covered Entity, and the Covered Entity must notify the affected individuals without unreasonable delay and in no case later than 60 days after discovery of the breach. Breaches affecting fewer than 500 people can be reported to the Secretary of HHS on an annual basis, no later than 60 days after the end of the calendar year in which the breaches were discovered. Breaches affecting 500 or more people must be reported to the Secretary of HHS at the same time the individuals are notified, and must also be reported to prominent media outlets serving the state or jurisdiction where the affected individuals reside. In every case the 60-day clock runs from discovery, and a breach is treated as discovered on the first day it is known, or reasonably should have been known, to any workforce member or agent of the entity.
Penalties for PHI breaches have been significantly enhanced as well. The American Recovery and Reinvestment Act of 2009 established a tiered civil penalty structure that remains subject to the discretion of the Secretary of HHS. Civil penalties range from $100 per violation up to an annual maximum of $1.5 million for identical violations, with the tier determined by the level of culpability, from a violation the entity did not know about up to willful neglect that is not corrected. In addition, criminal penalties apply to Covered Entities and specified individuals who knowingly obtain or disclose Protected Health Information. Prison terms can reach ten years for the most egregious cases, such as using individually identifiable health information for commercial advantage, personal gain, or malicious harm. [3]
Remember that not all incidents involving PHI are breaches. But every breach begins as a seemingly innocuous incident, making diligence in HIPAA compliance a must.
[3] HIPAA Administrative Simplification Statute and Rules, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
The Need for New Business Associate Agreements (BAAs)
Of course, most health care providers have no intention of improperly handling or distributing their patients' PHI. But the full impact of the new Omnibus Rule is felt most severely at the Business Associate level, where all previous Business Associate Agreements (BAAs) must be replaced. In their place, both parties must agree to new BAAs that specifically protect the privacy and security of health information. If a supplier, vendor, or subcontractor could potentially access PHI, even in a worst-case scenario, a new BAA is needed.
Understand that when you sign a BAA, you are attesting to and agreeing that your company, along with the other party to the agreement, follows HIPAA regulations. DO NOT SIGN BAAs WITH COVERED ENTITIES IF YOU ARE NOT SURE THEY ARE IN COMPLIANCE OR IF YOUR COMPANY IS NOT IN COMPLIANCE EITHER.
Business Associates are now directly liable for HIPAA violations and must comply with all limitations and requirements included in the Privacy and Security Rules. The Omnibus Rule defines IT service providers as Business Associates if any data potentially containing PHI is maintained in the performance of their role as a service provider. This applies even if the BAA with the CE does not anticipate any access to the PHI, or anticipates access only on a random or incidental basis. Also, BAs such as IT providers, lawyers, and accountants are required to maintain BAAs with their own subcontractors or downstream entities and assume responsibility for those parties' compliance.
Although HHS has extended the transition period for some grandfathered BAAs until September 22, 2014, instituting a comprehensive HIPAA compliance package now will save your business from the impact of potential problems ahead. The transition provision only applies if the BAA was in existence and HIPAA compliant prior to publication of the Omnibus Rule on January 25, 2013, and if it is not renewed or modified during the grandfather period.
The Need for Updated Risk Assessments
Even after new Business Associate Agreements are signed, the work of ensuring that your company and your BAs are HIPAA compliant does not stop. All companies involved in any way with the health care marketplace should undergo an updated Privacy and Security Rule Risk Assessment, one of the cornerstones of CMIT's HIPAA Compliant Managed Services. Conducting such an analysis is the first step in identifying and implementing policies and procedures that comply with and carry out the standards set out by the Omnibus Rule. A HIPAA risk assessment will also determine whether your company could pass an independent audit of the hundreds of HIPAA citations and components open to examination.
Implementing New Policies and Procedures
Here at CMIT Solutions, we've focused on establishing four basic operating procedures that offer the highest level of HIPAA compliance:
1) Maintaining the integrity of login credentials and access to any systems that create, read, update, or delete Protected Health Information (PHI), Electronic Medical Records (EMR), or Electronic Health Records (EHR).
2) Encrypting any and all data accessed on behalf of a Covered Entity (CE) with current industry-standard encryption.
3) Refusing to hold encryption keys that could access a CE's client data.
4) Requiring clients to physically and programmatically secure any systems that access PHI, and any medical equipment where PHI is created, read, updated, or deleted.
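Pillars 2 and 3 together describe a specific design: the Covered Entity encrypts its records and keeps the key, while the service provider stores only ciphertext it cannot read. The Go program below is an added illustration of that split written for this white paper; it is not CMIT's own code, and the type names (ProviderStore, Sealed), the choice of AES-256-GCM, the in-memory map standing in for the provider's storage, and the sample record are all assumptions made for the example. It goes one step beyond the text by binding each record's identifier into the authenticated encryption, so a blob moved onto another patient's record, or altered in storage, fails to open instead of yielding plausible-looking data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sealed is everything the service provider stores: a nonce and the AES-GCM
// output (ciphertext followed by its 16-byte authentication tag). No key.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// ProviderStore (hypothetical) models the IT provider's side: opaque blobs
// keyed by record ID and nothing that could decrypt them.
type ProviderStore struct{ blobs map[string]Sealed }

func NewProviderStore() *ProviderStore { return &ProviderStore{blobs: map[string]Sealed{}} }

func (p *ProviderStore) Put(recordID string, s Sealed) { p.blobs[recordID] = s }

func (p *ProviderStore) Get(recordID string) (Sealed, bool) {
	s, ok := p.blobs[recordID]
	return s, ok
}

// NewKey runs on the Covered Entity's side. The 32-byte AES-256 key never
// leaves the CE; in practice it would live in the CE's key manager or HSM.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one PHI record with AES-256-GCM and a fresh random nonce.
// The record ID is bound as associated data, so the blob only opens for that ID.
func Seal(key []byte, recordID string, phi []byte) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, phi, []byte(recordID))}, nil
}

// Open decrypts and verifies. A wrong key, a flipped byte, or a mismatched
// record ID returns an error rather than silently yielding garbage.
func Open(key []byte, recordID string, s Sealed) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(s.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(recordID))
}

// RoundTrip is the whole workflow: the CE seals, the provider stores the
// blob, and only the CE (the key holder) can open it again.
func RoundTrip(store *ProviderStore, key []byte, recordID string, phi []byte) ([]byte, error) {
	sealed, err := Seal(key, recordID, phi)
	if err != nil {
		return nil, err
	}
	store.Put(recordID, sealed)
	blob, ok := store.Get(recordID)
	if !ok {
		return nil, errors.New("record not found")
	}
	return Open(key, recordID, blob)
}

func main() {
	key, _ := NewKey()
	store := NewProviderStore()
	// Constructed sample record for the example; not real patient data.
	phi := []byte("MRN 000123; Dx: hypertension; Rx: lisinopril 10 mg")
	out, err := RoundTrip(store, key, "patient-000123", phi)
	fmt.Printf("CE opens its record: %q (err=%v)\n", out, err)
	// The provider holds no key; guessing one (all zeros here) fails the tag check.
	blob, _ := store.Get("patient-000123")
	_, err = Open(make([]byte, 32), "patient-000123", blob)
	fmt.Println("provider without the CE key:", err)
}
```

The point a practitioner should take from this is the trust boundary, not the cipher: the provider's store, backups, and administrators can be fully compromised and the attacker still obtains nothing but ciphertext, which is also what lets such a loss be assessed as a low probability of compromise under the breach risk assessment. The same separation is what pillar 3 commits CMIT to, and what you should ask any IT provider to demonstrate.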
These four pillars may or may not work for your company. But, at the very least, you should ensure that your IT service provider follows these procedures. If they don't, we urge you to look into a program like CMIT's HIPAA Compliant Managed Services.
Training Employees on the Ongoing Needs of HIPAA Compliancy
Many Covered Entities and Business Associates might assume that HIPAA compliance is something that can be achieved by performing one clearly defined set of actions. Even after completing all of the steps listed above, however, action is still required. To ensure that your company maintains HIPAA compliance now and into the future, consider naming someone on your leadership team as a HIPAA Privacy and Security Officer and/or HIPAA Compliance Officer. These roles should be assigned and trained BEFORE you execute any new Business Associate Agreements.
The HIPAA Privacy and Security Officer and/or HIPAA Compliance Officer should be certified in HIPAA compliance and familiar with all rules and auditing processes. That person or persons can then deliver HIPAA compliance training for your entire staff. Each individual should receive training that is pertinent to his or her role, and all training should be tracked and maintained in a training log. Training should occur at least once a year, with quarterly updates undertaken as needed. Once training is complete, a HIPAA Privacy and Security Management Plan should be implemented in your office, ensuring that all new policies and procedures meet the six-year documentation retention requirement contained within the HIPAA regulations. All staff members should be made aware of the HIPAA Privacy and Security Rules, understand the definition of PHI, and be able to recognize and report both data breaches and any potentially prohibited behaviors.
Conclusion
On its own, IT security is a complicated field. Add new layers of government regulation and the prospect of the Omnibus Rule taking effect on September 23rd, and it becomes downright daunting. HIPAA compliance can seem painful and expensive, but that's why CMIT Solutions offers specifically tailored HIPAA Compliant Managed Services right-sized for your company.
About The Authors
Cindy Phillips, Director of Product Management, CMIT Solutions
Cindy serves as the Director of Product Development for CMIT Solutions. She is responsible for the product and services roadmap and performs market research to assure that CMIT Solutions' offerings meet the dynamic and changing demands of the small to medium-sized business community. Cindy holds a Bachelor's Degree in Chemical Engineering from the University of Missouri at Columbia, an MBA from Maryville University, and is a graduate of the Institute for Managerial Leadership at the University of Texas at Austin and Leadership Austin.
Kelly McClendon, RHIA, CHPS, Managing Partner/Chief Marketing Officer, CompliancePro Solutions
Kelly is a well-known consultant and industry expert in patient privacy and security, with specific subject matter expertise in privacy incident detection and automation. He is also an industry expert in legal health records, HIM operations, electronic document management, and EHR project planning. Kelly is a frequent industry speaker and received the FHIMA Distinguished Member Award in 2008 and the AHIMA Visionary Award in 2003. Kelly has held senior management positions at Eclipsys and MedPlus and founded the consulting firm Health Information Xperts.