HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.


Key Dates
- Publication date: January 25, 2013
- Effective date: March 26, 2013
- Compliance date: September 23, 2013
- Compliance date for grandfathered BA agreements: September 22, 2014
Chanderraj Law Offices HIPAA Compliance Presentation 2

Overview of Changes
- Business Associate (BA) revisions
- Notice of Privacy Practices
- Patient right to access / request for restrictions
- Breach notification / risk assessment
- Strengthening of the Enforcement Rule / civil monetary penalties (CMP)

Who Is a Business Associate?
- Entities that transmit and need routine access to PHI (e.g. HIO, e-prescribing gateway, others)
- PHR vendors who serve CEs
- A person or entity that creates, receives, maintains, or transmits PHI for a CE

Business Associate Potential Liabilities
BAs are subject to:
- HHS jurisdiction under HIPAA
- Civil and criminal penalties

Business Associate Agreements
Required provisions:
- Compliance with the HIPAA Security and Privacy Rules;
- Duty to quickly report a breach of unsecured PHI;
- Agreement with any subcontractor/agent that handles PHI;
- Make internal practices, books and records available to HHS;
- Material violations = termination;
- Return or destruction of all PHI upon termination.
Note: BA Agreements now in force are grandfathered until Sept. 22 of this year

Next Steps
- Evaluate your relationships to determine who might now be considered a BA
- Ensure that you have BA Agreements in place with additional contractors such as your EMR vendors, data storage companies and e-prescribing gateways
- Review your existing BA Agreements to ensure that they comply with the HIPAA megarule
- If the existing BA Agreement was entered into prior to 1/25/13, amend the BAA by the earlier of: (1) the date the BAA is renewed; or (2) September 22, 2014
- If the existing BA Agreement was entered into after 1/25/13, it should have been amended by September 23, 2013

Notice of Privacy Practices
Required changes to the Notice:
- Description of the types of uses and disclosures that require authorization
- Explanation of the patient's right to restrict disclosure
- Notification of breach of unsecured PHI
- Patient authorization / revocation / opt-out
- Patient's right to access PHI in electronic format

Distribution of Revised Notices
Revised Notices should be:
- Distributed to all new patients
- Provided to existing patients upon request
- Displayed in a prominent place in the physical location
- Posted on the website

Limits on Marketing of PHI
- Use of PHI for marketing without the patient's express authorization is generally prohibited
- Exceptions (if the CE receives financial remuneration):
  - Face-to-face encounter
  - Communications relating to drugs and biologics, if the financial remuneration is reasonably related to costs and the communication is about refill reminders or current prescriptions

Limitations on Sale of PHI
- Sale of PHI without express patient authorization is prohibited
- Exclusions:
  - Public health activities
  - Research (with limitations)
  - Treatment and payment purposes
  - Sale or merger of the CE

Next Steps
- Evaluate current relationships to determine whether they meet the marketing or sale definitions under the HIPAA megarule
- If you are on a speakers bureau for a pharmaceutical company, amend or terminate the relationship, or disclose the relationship in your privacy notice
- Ensure that patient marketing authorization forms have been updated to disclose financial remuneration received from a third party, and to state that the individual may revoke the authorization at any time
- A sale-of-PHI authorization must state that the disclosure will result in financial remuneration to the covered entity

Patient's Right of Access to PHI
Providers need to revise their policies and procedures for patient requests for PHI to address:
- Format
- Electronic copy of records to a third party
- Transmission
- Timely response
- Accounting of disclosures

Request for Restrictions: Paid-in-Full Restriction
Narrow restriction on disclosure to a health plan if:
- The disclosure is for payment or health care operations purposes;
- The disclosure is not otherwise required by law; and
- The restriction pertains solely to a health care item or service for which the individual (or someone on the individual's behalf, other than the health plan) has paid the provider in full

Breach Notification Rule
What constitutes a breach?
- Acquisition, access, use or disclosure of unsecured PHI;
- In a manner not permitted by HIPAA; and
- Which poses a significant risk of financial, reputational or other harm
What is not a breach?
- PHI is considered secured
- Reasonable safeguards were put in place

HITECH Act Breach Notification: Breach Exceptions
- Disclosure made in good faith in the course of workplace events
- An inadvertent disclosure of PHI from an authorized individual to another similarly situated individual (no exception when the individual was not authorized to access PHI)
- Disclosure to a person who could not reasonably have retained the information

Breach Notification Requirements
- Timing
- Method
- Breach > 500 people

Breach Notification Requirements: Notification Content
- A brief description;
- Types of unsecured PHI involved in the breach;
- Steps that individuals should take to protect themselves;
- CE action to mitigate harm; and
- Contact information

Notification to the Secretary
Determined by the number of individuals involved:

  Individuals involved    Notification by
  500 or more             Within 60 days
  Less than 500           Following the end of the calendar year

Changes to the Breach Notification Rule
- Presumption of breach unless the CE demonstrates a low probability of harm based on a risk assessment
- Factors to be considered:
  - Type and amount of PHI involved
  - Scope
  - Identity of the recipient
  - Intentional or unintentional
  - Steps taken to mitigate

The Enforcement Rule
Increased enforcement and reduced discretionary authority for willful neglect:
- OCR must investigate a complaint when a preliminary review of the facts indicates a possible violation due to willful neglect
- The Secretary must undertake a full HIPAA compliance review when a preliminary review of the facts indicates a possible violation due to willful neglect

Civil Monetary Penalties
Categories of violations and respective penalty amounts available:

  Violation category                       Each violation        Cap for all such violations of an identical standard in a calendar year
  Did Not Know                             $100 to $50,000       $1,500,000
  Reasonable Cause                         $1,000 to $50,000     $1,500,000
  Willful Neglect - Timely Corrected       $10,000 to $50,000    $1,500,000
  Willful Neglect - Not Timely Corrected   $50,000               $1,500,000

Factors Determining the Amount of the CMP
- Nature and extent of the violation / resulting harm
- Entity's history of non-compliance and financial condition
- Use of corrective action plans
Defenses:
- Not due to willful neglect
- Timely corrected

Criminal Penalties

  Tier                                      Potential jail sentence
  Unknowingly or with reasonable cause      Up to one year
  Under false pretenses                     Up to five years
  For personal gain or malicious reasons    Up to ten years

Recent Enforcement Trends (November - December 2013)
[Chart: complaints received (y-axis 0 to 100,000), broken down into Ineligible, Resolved, and No Violation]

Resolution Expense: The Cost to Settle
Recent Resolution Agreements and Civil Money Penalties (CMP):

  Date            Entity                                  Amount
  Dec. 26, 2013   Adult & Pediatric Dermatology, P.C.     $150,000
  Aug. 14, 2013   Affinity Health Plan, Inc.              $1,215,780
  July 11, 2013   WellPoint, Inc.                         $1,700,000
  June 13, 2013   Shasta Regional Medical Center          $275,000
  May 31, 2013    ISU                                     $400,000
  Apr. 17, 2012   Phoenix Cardiac Surgery, P.C.           $100,000

Note: No Resolution Agreements or CMPs involving Nevada entities

Avoiding Civil Money Penalties
Best defense = planning
- Conduct an overall assessment of current HIPAA compliance
- Generally revise operational procedures and forms affected by the HIPAA megarule
- Training and education
- Designate a compliance officer and committee
- Develop communication and reporting systems
- Conduct periodic audits
- Evaluate and enforce compliance efforts