UPDATE ON CHANGES TO THE HIPAA PRIVACY AND SECURITY RULES

Similar documents
New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs

Key HIPAA HITECH Changes. Gina Kastel, Partner, Health and Life Sciences

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

Department of Health and Human Services. No. 17 January 25, Part II

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist.

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Legislative & Regulatory Information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

Data Breach, Electronic Health Records and Healthcare Reform

HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates

Breaches, Business Associates and Texting, Oh My! A HIPAA HITECH Update. Overview

Business Associate Liability Under HIPAA/HITECH

Network Security and Data Privacy Insurance for Physician Groups

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Signed into law on February 17, 2009, the Stimulus Package known

COMPLIANCE ALERT 10-12

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

OCR UPDATE Breach Notification Rule & Business Associates (BA)

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

H. R Subtitle D Privacy

Finally! HHS Issues Proposed Rule Implementing Changes to the HIPAA Privacy, Security and Enforcement Rules under HITECH

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

SUMMARY OF CHANGES HIPAA AND OHIO PRIVACY LAWS

Business Associates, HITECH & the Omnibus HIPAA Final Rule

New HIPAA regulations require action. Are you in compliance?

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

Business Associates: HITECH Changes You Need to Know

HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act

New HIPAA Rules: A Guide for Radiology Providers

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

January 25, P a g e

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013

Am I a Business Associate?

Disclaimer: Template Business Associate Agreement (45 C.F.R )

Understanding HIPAA Regulations and How They Impact Your Organization!

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Business Associate Considerations for the HIE Under the Omnibus Final Rule

Community First Health Plans Breach Notification for Unsecured PHI

what your business needs to do about the new HIPAA rules

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg (Jan.

BUSINESS ASSOCIATE AGREEMENT

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH)

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

lsh!urology ASSOCIATES OF HOUSTON, P.A.

BUSINESS ASSOCIATE AGREEMENT ( BAA )

THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES

Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual.

HIPAA Compliance: Are you prepared for the new regulatory changes?

Appendix : Business Associate Agreement

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014

Surviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell. Topics Covered Part One. Topics Covered Part Two.

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

FirstCarolinaCare Insurance Company Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

HIPAA in an Omnibus World. Presented by

This form may not be modified without prior approval from the Department of Justice.

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

Is Your Organization Compliant With The HIPAA Final Omnibus Rule Of 2013?

HIPAA Compliance in 2013:

The MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives

PLLC NOTICE OF PRIVACY PRACTICES

OFFICE OF CONTRACT ADMINISTRATION PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT

Sample Business Associate Agreement Provisions

BUSINESS ASSOCIATE AGREEMENT

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

BUSINESS ASSOCIATE AGREEMENT

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

HIPAA BUSINESS ASSOCIATE AGREEMENT

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

Business Associates under HITECH: A Chain of Trust

HIPAA In The Workplace. What Every Employee Should Know and Remember

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES

Isaac Willett April 5, 2011

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits

Business Associate Agreement Involving the Access to Protected Health Information

HIPAA Summit. March 10, Phyllis A. Patrick, MBA, FACHE, CHC Phyllis A. Patrick & Associates LLC

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

BUSINESS ASSOCIATE AGREEMENT

Transcription:

UPDATE ON CHANGES TO THE HIPAA PRIVACY AND SECURITY RULES HCCA April 11, 2011 Iliana L. Peters, JD, LLM Objective 2 Understand recent changes to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules 1

GINA NPRM 3 NPRM issued 10/01/2009 Together with IFR for GINA protections from health plan discrimination issued by HHS/CMS, DOL, and Treasury (IRS) 25 comments received EEOC Final Rule for GINA protections from employer issued 11/9/2010 HITECH Mandate 4 The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, is designed to promote the widespread adoption and standardization of health information technology, and requires HHS to modify the HIPAA Privacy, Security, and Enforcement Rules to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules. 2

Breach Notification IFR 5 Guidance issued 4/17/2009 Guidance on Technologies/Methodologies for unusable, unreadable, indecipherable PHI IFR issued 8/24/2009 Effective for breaches after 9/23/09 120 comments received Enforcement IFR 6 IFR issued 10/30/2009 25 Comments Received For violations occurring prior to 2/18/2009 For violations occurring on or after 2/18/2009 PENALTY AMOUNT Up to $100 per violation From $100 to $50,000 per violation CALENDAR YEAR CAP FOR VIOLATIONS OF AN IDENTICAL PROVISION $25,000 $1,500,000 3

HITECH NPRM 7 NPRM issued 7/14/2010 304 Comments Received Business Associates: HITECH 8 HITECH Sections 13401 and 13404 make BAs accountable to consumers and to HHS for protecting the privacy and security of protected health information and directly liable for criminal and civil penalties for violations of certain provisions of the HIPAA Privacy and Security Rules. 4

Business Associates: NPRM 9 NPRM proposes: Requiring that BAs comply with the technical, administrative, and physical safeguard requirements under the Security Rule. Prohibiting a BA from making a use or disclosure in violation of the Privacy Rule. Including Health Information Organizations, E-prescribing Gateways, and PHR vendors that provide services to covered entities as BAs. Clarifying that BAs are liable whether or not they have an agreement in place with the CE. Defining subcontractors as BAs; clarifying that BA liability flows to all subcontractors. Sale of PHI: HITECH 10 HITECH Section 13405(d) explicitly bans the sale of protected health information without authorization. 5

Sale of PHI: NPRM 11 NPRM proposes: Prohibiting a CE or BA from selling PHI without authorization. Including Specific Exceptions to this General Prohibition Marketing: HITECH 12 HITECH Section 13406(a) tightens the HIPAA Privacy Rule s marketing provisions by now requiring authorizations for certain health-related communications to the individual that are paid for by a third party. 6

Marketing: NPRM 13 NPRM proposes: Requiring authorizations for health-related communications (except for treatment) about the CE s products or services, case management or care coordination, and treatment alternatives where the CE receives payment in exchange for making the communication from or on behalf of the third party whose product or service is being described. Limited exception for refill reminders. For subsidized treatment communications, requiring that health care providers notify patients of the fact of remuneration and provide an opportunity for patients to opt out of receiving such communications. CEs can still engage in face to face communications about products or services with an individual or provide promotional gifts of nominal value to an individual without an authorization. 14 Fundraising: HITECH HITECH Section 13406(b) ensures that individuals will have a clear and conspicuous opportunity to opt out of all fundraising communications sent by or on behalf of a covered entity. 7

Fundraising: NPRM 15 NPRM proposes: Requiring that each fundraising communication to an individual include a clear and conspicuous opt-out method that would not cause the individual to incur an undue burden or more than a nominal cost. Prohibiting a covered entity from sending further fundraising communications to an individual who has opted-out. Prohibiting a covered entity from conditioning treatment or payment on the individual s choice to opt-out. Access: HITECH 16 HITECH Section 13405(e) strengthens individuals right to access their protected health information by creating an absolute right to an electronic copy of their health information if the entity maintains the information electronically. 8

Access: NPRM 17 NPRM proposes: Strengthening the right to an electronic copy of PHI in any electronic designated record set, not just in an electronic health record. Permitting a covered entity to charge a reasonable, costbased fee to cover the labor for copying and electronic media. Giving an individual the right to direct the covered entity to transmit the copy of protected health information directly to another person designated by the individual. Right to Request Restrictions: HITECH 18 HITECH Section 13405(a) strengthens the HIPAA Privacy Rule s individual rights by requiring a health care provider to comply with an individual's requested restriction not to disclose health information about a particular health care service to a health plan for payment or health care operations, as long as the individual has paid the provider out of pocket in full and has requested such a restriction. 9

Right to Request Restrictions: NPRM 19 NPRM proposes that a covered entity must abide by the requested restriction regardless of whether it is the individual paying out of pocket for the health care service or item or whether a family member or other person is paying for the care on behalf of the individual. Minimum Necessary: HITECH 20 HITECH Section 13405(b) provides: CEs must first consider whether a limited data set is sufficient as minimum necessary to accomplish a particular purpose; and Requires the Department to issue guidance on what constitutes minimum necessary. The guidance sunsets the provision. 10

Minimum Necessary: NPRM 21 NPRM does not include proposed regulatory text to implement this HITECH Act provision but explains that HHS intends to issue the required guidance based on the public input received, which would negate the need for a change in the Privacy Rule. Enforcement 22 NPRM proposes to modify the HIPAA Enforcement Rule regarding: Willful neglect; The definition of reasonable cause; The factors used in determining a civil money penalty amount; and Affirmative defenses. 11

Other Modifications 23 Research Student Immunizations Decedents Information Proposed Compliance Dates 24 Covered entities and business associates will have 180 days from the effective date of the final rule to comply. Covered entities and business associates will have up to one year from the compliance date (one year and 240 days from the publication date) to make any necessary changes to existing business associate agreements. Sooner if agreement is renegotiated during this time period. Business associates must still comply with all other applicable requirements of the HIPAA Rules, even if not reflected in agreement. 12

Final HITECH Rule: Timeline 25 Final HITECH Modifications, Final Breach Rule, Final Enforcement Rule, and Final Genetic Information Nondiscrimination Act (GINA) Rule will be issued together Minimizes staggered compliance dates Minimizes changes to notices of privacy practices Final Rule coming soon (2011) Accounting of Disclosures 26 Disclosures for treatment, payment, health care operations Through an electronic health record Balance interests of individuals and administrative burden on covered entities NPRM coming soon (2011) 13

National Outreach Campaign 27 Digital toolkit of consumer materials Backgrounders with general information Fact sheets on specific topics Videos on specific topics Community discussions on EHRs Improved website navigation Audit Program/State AG Training 28 Audit Program HITECH grants OCR the authority to conduct periodic audits of covered entities and business associates. State Attorneys General Training Education on HIPAA Plan for coordination of investigations 14

29 Questions? For More Information 30 OCR Website: http://www.hhs.gov/ocr/privacy My contact information: Iliana.Peters@hhs.gov 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information