FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS
James J. Eischen, Jr., Esq.
October 2013, Chicago, Illinois

JAMES J. EISCHEN, JR., ESQ.
Partner at Higgs, Fletcher & Mack, LLP
26+ years of experience as an attorney in California
Experience in the healthcare field: medical groups, EHR firms, health coaching enterprises and healthcare products
Graduated from the University of California at Davis School of Law
Professional Memberships: San Diego County Bar Association Law & Medicine Section, Attorney-Client Relations Committee; State Bar of California Section Member; AAPP Corporate Secretary

STEP ONE Understand The Purpose Of HIPAA

WHAT IS HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for the protection of certain health information. The Security Rule (Security Standards for the Protection of Electronic Protected Health Information) establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called covered entities must put in place to secure individuals' electronic protected health information (e-phi). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

KEY TERMS
Unsecured PHI: PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons by a means specified by HHS (encryption and destruction)
ephi: Electronic PHI
Breach: Acquisition, access, use or disclosure of PHI such that the security or privacy of the PHI is compromised

STEP TWO Look At Basic HIPAA Compliance (Privacy And Security Rules)

SECURITY RULE
Prior to HIPAA, there were no generally accepted federal security standards or general requirements for protecting health information.
New technologies evolving.
The health care industry moves away from paper processes to electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.
Providers use clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems.
Security Rule: Protects the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.
The Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity's particular size, organizational structure, and risks to consumers' ephi.

SECURITY RULE APPLIED
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ephi. Specifically, covered entities must:
Ensure the confidentiality, integrity, and availability of all ephi they create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of the information;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by their workforce.

PRIVACY RULE: CONFIDENTIALITY
The Privacy Rule defines confidentiality to mean that ephi is not available or disclosed to unauthorized persons. The Privacy Rule prohibits improper uses and disclosures of ephi.

SO, WHAT SECURITY MEASURES MUST BE IMPLEMENTED?
The Security Rule does not dictate measures, but requires the covered entity to consider:
Its size, complexity, and capabilities;
Its technical, hardware, and software infrastructure;
The costs of security measures; and
The likelihood and possible impact of potential risks to e-phi.
Covered entities must review and modify their security measures to continue protecting e-phi in a changing environment.

http://www.ama-assn.org/resources/doc/washington/hipaa-phi-encryption.pdf

STEP THREE Evaluate What Changed With The Omnibus/Final Rule

BEFORE AND AFTER OMNIBUS RULE
Before: BA regulated through BAAs
After: BAs and subcontractors regulated directly under HIPAA; BAs are CEs, and must comply with the Security Rule

EXPANDED DEFINITION OF CE
CE: On behalf of a covered entity (CE), creates, receives, maintains or transmits PHI
Subcontractor of a BA
Role + responsibilities of BA = CE
BA requirements/exposure not defined simply because it is a party to a BAA

NOT A BA
Those who simply provide transmission services
Digital couriers or mere conduits
But if you store personalized ephi, even if you do not view it, you are a BA/CE

SUBCONTRACTORS
Contract between the CE's BA and the BA's subcontractor must satisfy the BAA requirements
Subcontractor of a subcontractor of a subcontractor of a subcontractor
ALL BAs' HIPAA/HITECH obligations apply to subcontractors

OMNIBUS/FINAL RULE
All covered entities must review documentation, including business associate agreements, notice of privacy practices, and their policies and procedures, to ensure compliance with the Final Rule
BAA and NPP MUST BE UPDATED

PRESUMPTION OF BREACH
Interim Final Rule: Risk assessment to determine if unauthorized ephi access, use or disclosure caused harm; no presumption of a breach
Final Rule: Unauthorized access, use or disclosure presumed to be a breach unless the CE determines there is a low probability that ephi was compromised

POTENTIAL BREACH EVALUATION
CE must evaluate:
Nature and extent of ephi
Unauthorized person who used ephi
To whom disclosure was made
Whether ephi was actually viewed or acquired
How risk was mitigated
DOCUMENT, DOCUMENT, DOCUMENT AND THEN DOCUMENT SOME MORE

BREACH NOTIFICATION
BA must provide notice of breach to CE
Breach treated as discovered as of the 1st day when known or would have been known
When, by exercising reasonable diligence, would the breach have been known?
Subcontractor BA gives notice to BA

ELECTRONIC ACCESS
Reasonable safeguards
If the PHI owner wants PHI sent unencrypted, the CE needs to let the individual know of the risks. DOCUMENT ephi OWNER'S CONSENT
Secure mechanism
Electronic machine-readable copy: can be used on a computer (PDFs)
If a PHI owner asks for a specific format, the CE needs to accommodate when possible

FEES CHARGED FOR ELECTRONIC RECORDS?
Labor costs only
Retrieval costs or capital costs not allowed to be charged
Supplies can be charged upon request
Best practice is to list fees on the authorization/consent form itself

ACCESS TO THIRD PARTIES
Individual can request CE to send ephi to another individual
In writing; electronic OK but verification needed
Identify who is the receiver
PHI must still be protected when sent to a third party

RESTRICTIONS/ACCOUNTING RULE
Individual can restrict ephi to health plan when paying out of pocket in full for a service (Accounting Rule)
CEs need to develop how to track restrictions
CEs submit restricted ephi for required audits when required by law

STEP FOUR Identify Necessary HIPAA Compliance Steps

Update Your Documentation!

HIPAA COMPLIANCE: BASIC DOCUMENTATION
Notice of Privacy Practices (NPP)
Business Associate Agreement (BAA)
Internal risk analysis memo
Practice's written office procedures and processes must be examined thoroughly
Evaluate risks and decide how to address those risks

SO, WHAT DO I DO?
Update BAA
Update NPP
Update internal risk assessment memo
Ensure electronic records access is not subject to unlawful charges

STEP FIVE Electronic Communications, Scheduling & Records Management

HIPAA/PRIVACY COMPLIANCE WITH ELECTRONIC COMMUNICATIONS
Electronic data storage of any kind = HIPAA

SHOULD MY PHYSICIAN-PATIENT AGREEMENT DEAL WITH ELECTRONIC COMMUNICATIONS?
Not recommended!
Need a separate ephi agreement for risk management/HIPAA compliance
HIPAA Final Rule: Non-compound ephi consent

CHECK MARKETING/PRACTICE COMMUNICATION PLATFORMS FOR COMPLIANCE
Website
Calendar/Scheduling
FAQs
Patient letters
Staff training!!!
Is this all really necessary? (Hint: the correct answer is not "no")

So What Can Go Wrong Anyway?
Case Study: Arizona cardiologist fined $100,000 and ordered to take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

WHAT WENT WRONG?
Inadequate internal risk analysis
Lack of staff training
No BAA with outside IT vendor for web calendar
Bottom Line: an internal risk analysis memo and awareness of patient privacy rights can avoid fines/penalties
http://www.healthcareitnews.com/news/phoenix-practice-pay-100000-settle-hipaa-case

QUESTIONS?
James J. Eischen, Jr., Esq.
Office: (619) 819-9655
Email: eischenj@higgslaw.com
Skype: jeischenjr
http://www.assessmentandplan.com
http://www.higgslaw.com