OCR UPDATE Breach Notification Rule & Business Associates (BA)




Alicia Galan, Supervisory Equal Opportunity Specialist
March 7, 2014

HITECH OMNIBUS
A Reminder of What's Included:
- Final Modifications of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules pursuant to the Health Information Technology for Economic and Clinical Health Act (the HITECH Act)
- Final Modifications of the Privacy Rule pursuant to the Genetic Information Nondiscrimination Act (GINA)
- Other Modifications to Improve Workability of the Privacy Rule

BUSINESS ASSOCIATES
Contract between CE and BA still required; however, now:
- BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule; directly liable for violations
- BAs must comply with the use or disclosure limitations expressed in their contract and those in the Privacy Rule; directly liable for violations
- Clarification that BAs are liable whether or not they have an agreement in place with the CE
- If the CE delegates a Privacy Rule obligation to the BA (e.g., providing the Notice of Privacy Practices (NPP) to individuals), the contract must require the BA to perform in compliance with the Rule
- Makes the CE liable for violations of a BA agent acting within the scope of agency (Federal Common Law of Agency)

BUSINESS ASSOCIATE LIABILITY
Direct liability:
- Impermissible uses and disclosures (including more than the minimum necessary)
- Failure to comply with the Security Rule
- Failure to provide breach notification
- Failure to provide e-access as provided in the BA contract
- Failure to disclose PHI to HHS for compliance and enforcement
- Failure to provide HITECH accounting (later; no final rule yet)
Contractual liability for the requirements of the BA contract

SUBCONTRACTORS
Business Associates: New Rule
- Subcontractors now defined as BAs
- BA liability flows down the chain
- Does not change the parties to the contracts: the CE must have a BA contract with its BA, the BA must have a BA contract with its subcontractor, and so forth

DEFINITION OF BA: NEW RULE
Now expressly in the definition:
- Health Information Organizations, E-Prescribing Gateways, and others that provide data transmission services with respect to PHI and require access on a routine basis to such PHI
- PHR vendors that provide services to individuals on behalf of covered entities
- Clarification that the conduit exception does not apply to BAs that store PHI

BREACH NOTIFICATION RULE
Revised Definition of Breach: Breach Presumed UNLESS (LoProCo) the CE or BA can demonstrate that there is a low probability that the PHI has been compromised, based on:
- Nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification);
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Focus on risk to the data, instead of risk of harm to the individual. The Risk Assessment must be documented.

BREACH NOTIFICATION
Breach Notification to the Secretary: Makes permanent the notification and other provisions of the August 2009 interim final rule, with only minor changes/clarifications, e.g., clarifies that notification to the Secretary of smaller breaches is to occur within 60 days of the end of the calendar year in which the breaches were discovered (versus occurred).

500+ BREACHES BY TYPE OF BREACH (data as of February 2014)
Improper Disposal                 5%
Other                            10%
Unknown                           1%
Hacking/IT Incident               7%
Theft                            48%
Unauthorized Access/Disclosure   18%
Loss                             11%

500+ BREACHES BY LOCATION OF BREACH (data as of January 2014)
E-mail                            4%
Network Server                   11%
EMR                               4%
Paper Records                    22%
Portable Electronic Device       12%
Desktop Computer                 14%
Other                            10%
Laptop                           23%

BREACH HIGHLIGHTS (September 2009 through January 2014)
- 800 reports involving a breach of PHI affecting 500 or more individuals
- Theft and Loss are 59% of large breaches
- Laptops and other portable storage devices account for 35% of large breaches
- Paper records are 22% of large breaches
- 92,000 reports of breaches of PHI affecting fewer than 500 individuals

LESSONS LEARNED: APPROPRIATE SAFEGUARDS PREVENT BREACHES
- Evaluate the risk to e-PHI when at rest on removable media, mobile devices and computer hard drives
- Take reasonable and appropriate measures to safeguard e-PHI
- Store all e-PHI on a network
- Encrypt data stored on portable/movable devices and media
- Employ a remote device wipe to remove data when a device is lost or stolen
- Train workforce members on how to effectively safeguard data and timely report security incidents

LESSONS LEARNED (MOBILE DEVICES)
- Use a password or other user authentication.
- Install and enable encryption.
- Install and activate wiping and/or remote disabling.
- Disable and do not install file-sharing applications.
- Install and enable a firewall.
- Install and enable security software.
- Keep security software up to date.
- Research mobile apps before downloading.
- Maintain physical control of your mobile device.
- Use adequate security to send or receive PHI over public Wi-Fi networks.
- Delete all stored health information before discarding or reusing the mobile device.

OCR website: www.hhs.gov/ocr