White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

CONTENTS
Introduction
Brief Overview of HIPAA Final Omnibus Rule
Changes to the Definition of Business Associate
Security Rule Applies Directly to Business Associates
Agreements with Business Associates
Administrative, Physical and Technical Safeguards
  Administrative Safeguards
  Physical Safeguards
  Technical Safeguards
Breach Notification Rule
Privacy Rule Applies Directly to Business Associates
Planning for Compliance
Conclusion
References

Introduction

This paper briefly outlines some of the key changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) introduced by the Omnibus Final Rule. The Final Rule imposes new obligations and direct liability on business associates to comply with HIPAA's Security and Privacy Rules. Covered entities and business associates have until September 23, 2013 to become fully compliant under the Final Rule.

MerusCase keeps your data private and secure. It is the policy of MerusCase to be in strict compliance with HIPAA, the Final Rule, and other applicable state law. Because the MerusCase team works around the clock to ensure complete privacy of all client information, regardless of its nature, you can rest assured that your data is safe, your clients are protected, and your firm maintains regulatory compliance.

Brief Overview of HIPAA Final Omnibus Rule

The long-awaited HIPAA Final Omnibus Rule (Final Rule), issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and in effect since January 25, 2013, greatly enhances patients' privacy protection, provides individuals new rights to their personal health information, redefines "breach" and strengthens the government's ability to enforce the law. When the Final Rule was passed in January, HHS Secretary Kathleen Sebelius stated, "Much has changed in health care since HIPAA was enacted over fifteen years ago." The Secretary also stated that "the new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital stage."

HIPAA has been around for more than 15 years and was updated with the Omnibus Rule in March of 2013. To help safeguard against the breach of personal medical information, HIPAA set standards for medical privacy that went into effect in 1996.

The American Recovery and Reinvestment Act (ARRA), signed by President Obama in February 2009, established privacy requirements that were hailed by many experts as the most sweeping change to the healthcare privacy and security environment since the original HIPAA Privacy Rule. The Health Information Technology for Economic and Clinical Health (HITECH) Act sought to streamline healthcare and reduce costs through the use of health information technology, and the healthcare industry had to comply with the HIPAA Privacy and Security Rules by establishing a risk management process and conducting annual risk assessments.

Changes to the Definition of Business Associate

security, as well as who is now subject to compliance under the Final so-called business associates and their subcontractors that do business with covered entities.
business associates and the imposition of direct liability on business associates of covered entities for noncompliance with certain of the HIPAA Privacy and Security Rules. Moreover, under the current Rule,
of contracting with a covered entity. Unlike the previously narrower
was expanded to cover any entity that creates, receives, maintains, or transmits protected health information (PHI) for a function or activity regulated by HIPAA, which includes claims processing or administration, data analytics, processing, as well as other categories. Health information organizations, e-prescribing gateways, and other persons that provide data transmission services with respect to PHI and require routine access to PHI are also covered.
a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate. According to the preamble of the Final Rule, this includes agents of companies that are not under contract, as well as persons who act on behalf of the subcontractors.

It is up to you to determine if you are a business associate. MerusCase can be your trusted partner in achieving compliance.

Security Rule Applies Directly to Business Associates

The Security standards were also modified to include business associates expressly, with direct liability for violations. Certain changes were also made to the section that addresses routine maintenance. The requirement for administrative safeguards was also updated to cover business associates.

Agreements with Business Associates

Under the Final Rule, a covered entity is not required to obtain satisfactory assurances from a business associate that is a subcontractor. Rather, business associates are required to obtain satisfactory assurances that the subcontractor will properly safeguard information if the subcontractor is to create, receive, maintain, or transmit electronic PHI on behalf of the business associate. This places the burden regarding subcontractors directly on the business associate, rather than on the covered entity.

A Business Associate Agreement is required of all your vendors.

Administrative, Physical and Technical Safeguards

Under the Final Rule, business associates are directly required to comply with administrative, physical and technical safeguards in order to address specific security issues, and the solutions implemented to address them, as they relate to transmitting and storing patient data. Safeguard procedures include the following:

HIPAA compliance requires adherence to strict guidelines and regular audits. It encompasses procedural, technical and personnel training issues.

Administrative Safeguards
Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Evaluation
Business Associate Contracts and Other Arrangements

Physical Safeguards
Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls

Technical Safeguards
Access Controls
Audit Controls
Integrity
Person or Entity Authentication
Transmission Security

The HIPAA security standards do not specify particular technology requirements, so each affected organization must assess its own risk and develop security measures accordingly. Organizations must then certify their security programs through an internal procedure or by a private accreditation company. Thus, to be in full compliance with the HIPAA Security Rule and ensure that Administrative, Physical, and Technical Safeguards are implemented in a way that leads to HIPAA compliance, a comprehensive and effective information security program is necessary.

Breach Notification Rule

Under the Final Rule, business associates must conduct an incident risk assessment of every data security incident involving PHI. However, instead of determining the risk of harm, the risk assessment determines the probability that PHI has been compromised. The factors that should be considered in making the risk assessment include:

The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
The unauthorized person who used the protected health information or to whom the disclosure was made;
Whether the protected health information was actually acquired or viewed; and
The extent to which the risk to the protected health information has been mitigated.

Disclosure is required in the event patient healthcare information is compromised.

Privacy Rule Applies Directly to Business Associates

The Final Rule also applies parts of the Privacy Rule directly to business associates. Most notably, business associates must not use or disclose PHI except as permitted under the Privacy Rule. Business associates may not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity. Business associates must disclose PHI to HHS to investigate or determine compliance, and must disclose PHI to the covered entity, individual or individual's designee as necessary to satisfy a covered entity's obligations to respond to an individual's request for an electronic copy of electronic PHI. Business associates must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose when using, disclosing or requesting PHI. Business associates must also directly enter into a business associate agreement with a subcontractor that creates, receives, maintains, or transmits PHI on the business associate's behalf. Finally, under the Final Rule, business associates are subject to the HIPAA Breach Notification Rule, which imposes a duty on business associates to notify the covered entity of a breach of unsecured PHI.

HIPAA affects everyone.

Planning for Compliance

The Final Rule puts renewed pressure on covered entities and new burdens on business associates to act now to achieve compliance with HIPAA and breach notification requirements. With the strengthened enforcement powers of the OCR, business associates and healthcare organizations need to demonstrate and document this compliance. There are five immediate steps that can be taken to provide a comprehensive foundation for compliance under the Final Rule:

Implement HIPAA-compliant policies and procedures by September 2013. Clearly define a policy-driven security management program that can be incorporated into your business processes. Identify and designate the people and the technology controls necessary to satisfy the company's security policies and procedures.

Conduct a complete risk assessment. First identify all PHI and determine the risks to PHI security that exist within the company, and spell out all the controls you have in place for safeguarding PHI.

Conduct a comprehensive HIPAA Security Assessment to validate security controls. Provide for the monitoring and reporting of controls on personnel actions, process controls, and information technology controls. Create a plan to mitigate major risks.

Carry out, monitor, and document annual privacy and security risk assessments, including risks and vulnerabilities to the
Clearly identify, manage, and document compliance of business associates and their downstream subcontractors.
assessments that determine if an incident is a reportable breach or not. Demonstrate that the proper steps were taken to correct

Ensure that all employees and management are trained on their roles and responsibilities with respect to the Security Rule and PHI. Maintain an ongoing program for monitoring, auditing, and reporting of the operational processes for HIPAA compliance.

Conclusion

should be of great concern to business associates and subcontractors.
HIPAA compliance plan.
in enforcing HIPAA and now has even greater enforcement power at
and procedures in place to ensure compliance.
MerusCase adheres to the policies and procedures within MerusCase's HIPAA Compliance Policy Manual, and will continue to achieve further compliance under the Final Rule to further enhance and increase safeguards to protect the privacy of all client information.

References

1. 78 Fed. Reg. 5566 (Jan. 25, 2013), http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf
2. The HIPAA Business Associate Agreement is available in the Forms & Template section within MerusCase. It will automatically include