HIPAA Update - PowerPoint PPT Presentation

About This Presentation
Title: HIPAA Update
Slides: 39
Provided by: dickin

Transcript and Presenter's Notes

1
HIPAA Update Significant Omnibus Rule Changes
  • Rose Willis
  • Billee Lightvoet Ward
  • Dickinson Wright PLLC

2
HIPAA OMNIBUS RULE
  • Timeline
  • Published January 25, 2013
  • Effective Date March 26, 2013
  • Compliance Date September 23, 2013
  • Transition Period September 23, 2014
  • omnibus (adjective): containing or including many
    items
  • Privacy Rule
  • Security Rule
  • Breach Notification Rule
  • Enforcement Rule
  • "omnibus." Merriam-Webster.com. 2014.
    http://www.merriam-webster.com/dictionary/omnibus
    (9 September 2014)

3
HIPAA OMNIBUS RULE
  • ". . . the most sweeping changes to the HIPAA
    Privacy and Security Rules since they were first
    implemented."
  • Leon Rodriguez, Director, HHS Office for Civil
    Rights

4
HIPAA OMNIBUS RULE
  • "These changes not only greatly enhance a
    patient's privacy rights and protections, but
    also strengthen the ability of my office to
    vigorously enforce the HIPAA privacy and security
    protections, regardless of whether the
    information is being held by a health plan, a
    health care provider, or one of their business
    associates."
  • Leon Rodriguez, Director, HHS Office for Civil
    Rights

5
WHAT'S NEW
  • Decedents
  • PHI is no longer protected once the individual has
    been deceased for more than 50 years
  • Access
  • Covered Entities (CE) must provide access to
    e-PHI in the form and format requested if it is
    readily producible in that form
  • Must be provided within 30 days (one 30-day
    extension allowed)
  • Restrictions
  • CE must honor a request to restrict disclosures to
    a health plan concerning an item or service for
    which the individual paid out of pocket in full

6
WHAT'S NEW
  • Notice of Privacy Practices
  • Past Compliance Deadline for Revisions
  • Material Revisions
  • Distribution of Revised Version
  • HHS Model Notice of Privacy Practices
  • Business Associates (BA)
  • Expanded definition
  • New requirements for Business Associate
    Agreements
  • Direct liability
  • Breach Notification Rule
  • Presumption of breach
  • New risk assessment standards

7
Notice of Privacy Practices
  • The deadline for making required changes was
    September 23, 2013
  • What if you did not meet this deadline?
  • No backdating

8
Notice of Privacy Practices
  • What's new: The NPP must include a statement that
    any uses and disclosures of a patient's PHI for
    marketing purposes require the individual's
    written authorization.
  • Marketing Purposes: "marketing" means to make a
    communication about a product or service that
    encourages recipients of the communication to
    purchase or use the product or service, but
    generally excepts communications for treatment
    and health care operations.
  • Exceptions: a face-to-face communication made by
    the covered entity, or a promotional gift of
    nominal value provided by the covered entity.
  • If the marketing involves financial remuneration
    to the covered entity from a third party, the
    authorization must state that such remuneration
    is involved.
9
Notice of Privacy Practices
  • What's new: The NPP must include a statement that
    any uses and disclosures of a patient's PHI that
    are considered a sale of PHI require the
    individual's written authorization.
  • The authorization must state that the disclosure
    will result in remuneration to the CE!
10
Notice of Privacy Practices
  • What's new: If the CE records or maintains
    psychotherapy notes, the NPP must include a
    statement that uses and disclosures of
    psychotherapy notes require the individual's
    written authorization.
  • Psychotherapy Notes: notes recorded (in any
    medium) by a health care provider who is a mental
    health professional documenting or analyzing the
    contents of conversation during a private
    counseling session or a group, joint, or family
    counseling session and that are separated from
    the rest of the individual's medical record.
    Psychotherapy notes exclude medication
    prescription and monitoring, counseling session
    start and stop times, the modalities and
    frequencies of treatment furnished, results of
    clinical tests, and any summary of the following
    items: diagnosis, functional status, the
    treatment plan, symptoms, prognosis, and progress
    to date.

11
Notice of Privacy Practices
  • What's new: Other Uses and Disclosures - The NPP
    must also state that uses and disclosures of PHI
    not listed in the notice will be made only with
    the individual's written authorization.
  • Sample language: "Uses and disclosures of your PHI
    that are not listed in this notice will be made
    only with your written authorization."
  • Remember - the Notice of Privacy Practices is the
    roadmap!
12
Notice of Privacy Practices
  • Refresher: What is an Authorization?
  • Make sure that you have a HIPAA-compliant
    authorization!
  • It must meet specific requirements of the HIPAA
    Privacy Rule, such as
  • Specific identification of the information to be
    used or disclosed
  • Expiration date or expiration event
  • Signature of the patient and date
  • Certain required statements, such as the
    individual's right to revoke the authorization in
    writing.

13
Notice of Privacy Practices
  • What's new: A covered entity that intends to
    contact an individual for fundraising purposes
    must disclose in its NPP that it may contact the
    individual to raise funds and that the individual
    has the right to opt out of receiving such
    communications.
  • Fundraising: A communication to an individual
    that is made by a covered entity, an
    institutionally related foundation, or a business
    associate on behalf of the covered entity for the
    purpose of raising funds for the covered entity
    is a fundraising communication.
  • Opt out: the mechanism for opting out must go in
    the fundraising solicitation, not in the NPP.

14
Notice of Privacy Practices
  • What's new: The NPP must include the right to
    restrict disclosures of PHI to a health plan when
    the individual (or someone on their behalf) pays
    out of pocket in full for the health care item or
    service.
  • This is a new obligation of each CE where the
    disclosure is to carry out payment or health care
    operations and the PHI pertains solely to a
    service for which payment has been made to the
    covered entity in full.
  • Discuss with the patient any inability to unbundle
    a bundled service
  • Downstream providers: no obligation to notify (so
    far)

15
Notice of Privacy Practices
  • What's new: The NPP must include a statement
    informing individuals of their right to be
    notified following a breach of their unsecured
    PHI.
  • Sample language: "You have the right to be
    notified following a breach of your unsecured
    PHI."
  • A simple statement: no need to include the
    regulatory requirements of breach notification
    (discussed later in this session).

16
Notice of Privacy Practices
  • What's new: For health plans only, the NPP must
    state that the health plan is prohibited from
    using or disclosing genetic information for
    underwriting purposes.

17
Notice of Privacy Practices
  • Possible Additional Amendments (not required)
  • Statement regarding the individual's right to a
    copy of PHI maintained electronically by the CE
  • The individual's ability to have immunization
    records sent directly by the CE to a school
  • Applicable time frames for an individual's access
    to his or her PHI.

18
Notice of Privacy Practices Distribution of
Revised Version
  • Incorporate the new Revision Date (no backdating)
  • CE must distribute the revised NPP as follows:
  • Make the revised NPP available upon request on or
    after the effective date of the revised notice
  • Have the NPP available at the delivery site
  • Post the revised notice in a clear and prominent
    location
  • Provide to all new patients along with an
    acknowledgment of receipt
  • Post to website, if you have one

19
HHS Model Notices of Privacy Practices
  • http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
  • Recommendation: use the HHS form but tailor it.

20
BUSINESS ASSOCIATES
  • Who is a Business Associate?
  • Refresher:
  • A person (or entity) who performs certain
    functions or activities for or on behalf of a CE,
    or provides certain services to a CE
  • Billing, claims processing, data analysis
  • Utilization review, QA, practice management
  • Legal, accounting, financial services
  • Must involve the use or disclosure of PHI
  • Not a member of the CE's workforce

21
BUSINESS ASSOCIATES
  • Who is a Business Associate?
  • What's new:
  • Any person who creates, receives, maintains or
    transmits PHI for certain functions or
    activities on the CE's behalf
  • New category of functions: patient safety
    activities
  • Clarification: data storage companies that
    maintain PHI are BAs regardless of whether they
    view the PHI

22
BUSINESS ASSOCIATES
  • Who is a Business Associate?
  • What's new:
  • New service providers
  • Persons providing data transmission services
    (HIO, e-prescribing gateway, etc.) who require
    routine access to PHI
  • Persons offering personal health records on the
    CE's behalf
  • Subcontractors of the BA

23
BUSINESS ASSOCIATES
  • Business Associate Agreements
  • Refresher:
  • CE must enter into a Business Associate Agreement
    (BAA)
  • The BAA must:
  • Establish permitted and required uses and
    disclosures of PHI
  • Require the BA to implement administrative,
    physical and technical safeguards
  • Require the BA to comply with certain other
    obligations to assist the CE in meeting its HIPAA
    obligations
  • Require the BA to report any use or disclosure
    not provided for in the BAA
  • Authorize termination of the contract for the
    BA's material violation

24
BUSINESS ASSOCIATES
  • Business Associate Agreements
  • What's new:
  • The BAA must now require the BA to:
  • Comply with the HIPAA Security Rule for e-PHI
  • Report breaches of unsecured PHI
  • Comply with applicable Privacy Rule requirements
    when carrying out a CE's obligation under the
    Privacy Rule
  • Take steps to cure or end the violation (or
    terminate the relationship) if it knows of a
    Subcontractor's pattern of activity or practice
    that constitutes a material breach of the
    Subcontractor's obligations
  • What's new:
  • BA must have a BAA with its Subcontractors

25
BUSINESS ASSOCIATES
  • Liability
  • Refresher:
  • CE is liable for BA violations
  • BA had no direct HIPAA liability (breach of
    contract only)
  • What's new:
  • BAs (including Subcontractors) are now directly
    liable under HIPAA
  • CE/BA can be held vicariously liable for their
    agents' violations
  • Agency is determined by the facts and
    circumstances
  • Key indicator: authority to control performance
    of the services
  • "Independent Contractor" language alone is not
    enough

26
BREACH NOTIFICATION
  • Breach Notification Rule
  • CEs and BAs must notify affected patients, DHHS,
    and, in some instances, the media of certain
    breaches of unsecured PHI
  • Unsecured PHI: PHI that has not been rendered
    unusable, unreadable, or indecipherable to
    unauthorized persons (i.e., not encrypted or
    destroyed in accordance with HHS guidance)
  • Breach means an acquisition, access, use, or
    disclosure of PHI in a manner not permitted under
    the Privacy Rule which compromises the security
    or privacy of the PHI.

27
BREACH NOTIFICATION
  • What's new:
  • Presumption of Breach
  • An impermissible use or disclosure is presumed to
    be a breach
  • To rebut the presumption that there was a
    breach, the CE must:
  • conduct and document a comprehensive risk
    assessment, and
  • determine that there is a low probability that
    the PHI has been compromised

28
BREACH NOTIFICATION
  • Risk Assessment: at least the following four
    factors
  • (1) The nature and extent of the PHI involved
    (sensitive information included?)
  • (2) The unauthorized person who used the PHI or
    to whom it was disclosed (another CE?)
  • (3) Whether the PHI was actually acquired or
    viewed
  • (4) The extent to which the risk to the PHI has
    been mitigated (documents retrieved?)

29
BREACH NOTIFICATION
  • Notification to Individuals
  • Without unreasonable delay, and in no case later
    than 60 days after discovery
  • Discovery occurs on the first day the breach is
    known to the CE, or would have been known with
    reasonable diligence
  • Knowledge of an agent or workforce member (other
    than the person committing the breach) is imputed
    to the CE
  • When the BA is not an agent: when the CE receives
    notice from the BA
  • When the BA is an agent: when the BA discovered
    the breach
  • Content of Notice
  • What happened, the date of the breach, and the
    date of discovery
  • Description of the compromised PHI
  • Steps individuals should take to mitigate the
    effects
  • Steps the CE is taking
  • CE contact information

30
BREACH NOTIFICATION
  • Notification to Media
  • More than 500 residents of a State or
    jurisdiction affected
  • Without unreasonable delay, not more than 60 days
    after discovery
  • Prominent media outlets serving that State or
    jurisdiction (depends on the market)
  • A press release on the CE's website does not meet
    this requirement

31
BREACH NOTIFICATION
  • Notification to the Secretary
  • Immediately
  • 500 or more affected individuals (anywhere)
  • "immediate" means contemporaneously with the
    individual notices
  • Annually
  • Fewer than 500 affected individuals
  • maintain a log and report via the HHS website
    within 60 days of the end of the calendar year in
    which the breach was discovered
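The notification logic on slides 26 through 31 is easiest to check as code. The block below is an added example, not material from the presentation or from Dickinson Wright: it encodes the discovery-date rule (CE or imputed workforce/agent knowledge, or receipt of a non-agent BA's notice), the "unsecured PHI" gate, the presumption of breach rebutted only by a documented low-probability finding, and the three notification clocks. The thresholds follow the rule text in 45 CFR 164.406 and 164.408 rather than the slides' shorthand: media notice when more than 500 residents of one State or jurisdiction are affected, Secretary notice with the individual notices when 500 or more individuals are affected, and the annual log otherwise. All names, the `BreachFacts` fields and every date and count are constructed for illustration.

```python
"""Breach notification obligations under the HIPAA Breach Notification Rule.

Added example (not from the presentation). Field names, scenarios, dates and
counts are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTICE_WINDOW_DAYS = 60  # "without unreasonable delay, not more than 60 days"


def iso(s: str) -> date:
    """Convenience for building scenarios from ISO-8601 date strings."""
    return date.fromisoformat(s)


@dataclass
class BreachFacts:
    affected_individuals: int
    # Largest number of affected residents of any single State or jurisdiction
    max_residents_one_jurisdiction: int
    # PHI encrypted or destroyed per HHS guidance => not "unsecured PHI"
    secured_per_hhs_guidance: bool
    # Documented four-factor risk assessment found a low probability of compromise
    low_probability_of_compromise: bool = False
    # Dates on which the breach became known to each party (None = not applicable)
    ce_knew_or_should_have_known: Optional[date] = None
    workforce_member_knew: Optional[date] = None  # excludes the person who caused it
    ba_notice_received_by_ce: Optional[date] = None
    ba_discovered: Optional[date] = None
    ba_is_agent_of_ce: bool = False


@dataclass
class Obligations:
    discovered: date
    notify_individuals_by: Optional[date]  # None => no notification required
    notify_media: bool
    notify_secretary_by: Optional[date]
    secretary_via_annual_log: bool
    basis: str


def discovery_date(f: BreachFacts) -> date:
    """First day the breach counts as discovered by the CE.

    Knowledge of a workforce member or agent is imputed to the CE, so an agent
    BA's own discovery date counts; a non-agent BA's breach is discovered when
    the CE receives the BA's notice.
    """
    candidates = [f.ce_knew_or_should_have_known, f.workforce_member_knew,
                  f.ba_notice_received_by_ce]
    if f.ba_is_agent_of_ce:
        candidates.append(f.ba_discovered)
    known = [d for d in candidates if d is not None]
    if not known:
        raise ValueError("no discovery date supplied")
    return min(known)


def annual_log_deadline(discovered: date) -> date:
    """Small-breach log is due within 60 days after the end of the calendar
    year in which the breach was discovered."""
    return date(discovered.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)


def obligations(f: BreachFacts) -> Obligations:
    discovered = discovery_date(f)
    if f.secured_per_hhs_guidance:
        return Obligations(discovered, None, False, None, False,
                           "PHI was secured (encrypted/destroyed): not unsecured PHI")
    if f.low_probability_of_compromise:
        return Obligations(discovered, None, False, None, False,
                           "presumption of breach rebutted by documented risk assessment")
    individuals_by = discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    media = f.max_residents_one_jurisdiction > 500
    if f.affected_individuals >= 500:
        return Obligations(discovered, individuals_by, media, individuals_by, False,
                           "500 or more individuals: Secretary notified with individual notices")
    return Obligations(discovered, individuals_by, media,
                       annual_log_deadline(discovered), True,
                       "fewer than 500 individuals: log and report annually")


if __name__ == "__main__":
    # Constructed scenario: a non-agent BA reports a small breach to the CE.
    small = BreachFacts(affected_individuals=12, max_residents_one_jurisdiction=12,
                        secured_per_hhs_guidance=False,
                        ce_knew_or_should_have_known=iso("2014-02-10"),
                        ba_notice_received_by_ce=iso("2014-01-20"),
                        ba_discovered=iso("2014-01-05"))
    print(obligations(small))
```

Note that the media and Secretary thresholds are counted differently: a breach of 600 individuals spread thinly across many States triggers Secretary notice at the time of the individual notices but no media notice, while flipping `ba_is_agent_of_ce` moves the discovery date, and therefore every deadline, back to the BA's own discovery.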

32
Breach Notification Reports to Congress
  • Breaches affecting fewer than 500 individuals
  • 165,135 reports made to OCR in 2012
  • Most common (in order of frequency)
  • (1) unauthorized access or disclosure (21,639
    reports affecting 62,069 individuals)
  • (2) unknown/other (2,033 reports affecting
    13,091 individuals)
  • (3) theft (1,028 reports affecting 49,132
    individuals)
  • (4) loss (789 reports affecting 20,176
    individuals)
  • (5) improper disposal (155 reports affecting
    4,518 individuals) and
  • (6) hacking/IT incident (61 reports affecting
    2,619 individuals).

33
Breach Notification Reports to Congress
  • Secretary's Annual Report to Congress
  • Submitted May 20, 2014 for calendar years 2011
    and 2012
  • Breaches involving 500 or more individuals
  • Healthcare providers 68%; Business Associates
    25%
  • Theft 53%; Unauthorized Access/Disclosure 18%
  • Largest Breach: theft of an unencrypted laptop
    from an employee's vehicle (more than 116,000
    individuals affected)
  • Other Locations
  • Medical offices and pharmacies
  • Subway and other public transit
  • Storage facilities

34
Breach Notification Reports to Congress
  • Improper Disposal
  • Largest breach (189,489 individuals affected):
    x-rays lost by a Business Associate hired to
    digitize and destroy x-rays and accompanying
    paper jackets
  • Others: disposal in recycling or trash bins
  • Hacking/IT Incidents
  • Largest breach of 2012 overall (780,000
    individuals affected): unencrypted network server
    compromised by a cyber-attack
  • Others:
  • viruses and malware
  • unidentified, unauthorized persons accessing
    systems
  • PHI rendered corrupt and inaccessible (CE
    received a ransom note to restore access to the
    files)

35
(No Transcript)
36
OCR Audits of Breach Notification Rule
  • Pilot Audit Program
  • Detailed in Enforcement presentation
  • The pilot audits looked at covered entities
    compliance with specific aspects of the Breach
    Notification Rule
  • Notification to Individuals
  • Timeliness of Notification
  • Methods of Individual Notification
  • Burden of Proof

37
(No Transcript)
38
QUESTIONS?