
Presented by: Thomas J. Weber, Esq. Goldberg Katzman, P.C. HIPAA 2013 Update Hosted by: Sponsored By:


1 Presented by: Thomas J. Weber, Esq. Goldberg Katzman, P.C. HIPAA 2013 Update Hosted by: Sponsored By:

2 HIPAA IN PARTS
HIPAA comprises four main rules:
 Privacy Rule
 Security Rule
 Breach Notification Rule
 Enforcement Rule

3 THE PRIVACY RULE
The first portion to be implemented. Deals with maintaining the confidentiality of a patient's personal and medical information, i.e. Protected Health Information (PHI).
 Privacy Notices
 Minimum Necessary standard
 Introduced Business Associates

4 THE SECURITY RULE
Whereas the Privacy Rule governs how you may use and disclose PHI, the Security Rule deals with how electronic PHI is stored and transmitted:
 Protection from theft (third parties/hackers)
 Protection from employees (insider misuse)
 Protection from inadvertent disclosure

5 HITECH ACT
The 2009 American Recovery and Reinvestment Act (ARRA) included the Health Information Technology for Economic and Clinical Health Act (HITECH Act), another set of acronyms meant to save money and improve health care. It provides financial incentives for the implementation of electronic health records (EHR), creates a national health care infrastructure, and implemented sweeping changes impacting HIPAA.

6 THE PLAYERS
Covered Entities (CE): you, the healthcare providers (plus health plans and clearinghouses).
Business Associates (BA): entities you deal with that, through those dealings, gain access to your patients' PHI.
Initially under HIPAA you needed to have an Agreement with your BAs informing them of their obligation to maintain the confidentiality of the PHI.

7 HIPAA OMNIBUS RULE
Became effective March 26, 2013. CEs and BAs have 180 days in which to become compliant (compliance date September 23, 2013). Finalizes and refines the changes and recommendations raised by HITECH and the interim rules.

8 HHS HIPAA OMNIBUS RULE
 Final modifications to the HIPAA Privacy, Security and Enforcement Rules
 Final rule adopting increased and tiered civil money penalties
 Final Rule on Breach Notification for Unsecured Protected Health Information (moves from the subjective "harm" standard to an objective one)
 Modifies the Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA)

9 OVERVIEW OF OMNIBUS RULE
The Omnibus Rule is over 500 pages. Many of the changes and refinements will have little or no impact on your practices; this presentation highlights those changes perceived as most germane to dental practices.

10 MODIFICATIONS TO KEY DEFINITIONS
Business Associates
 Business Associates can be held directly accountable for HIPAA violations
 A subcontractor who creates, receives, maintains or transmits PHI on behalf of a BA is itself a HIPAA BA
 CEs must obtain "satisfactory assurances" from their BAs, and BAs from their subcontractors, that the PHI will be protected in accordance with HIPAA

11 BUSINESS ASSOCIATES cont.
 The "conduit exception" still applies but is limited to an organization that merely transmits PHI (e.g. an ISP), as opposed to one that maintains and stores it (e.g. a record storage company)
 Care must be given when deciding how a CE will store data, e.g. in the cloud: a vendor that holds your PHI is a BA, not a conduit, and needs a BA Agreement

12 PROTECTED HEALTH INFORMATION
The definition of PHI was changed to make clear that the Privacy and Security Rules do not apply to the individually identifiable health information of persons who have been deceased for more than 50 years.

13 WORKFORCE MEMBER
The definition was changed to make clear that it includes the employees, volunteers, trainees and other persons whose conduct, in the performance of work for a BA, is under the direct control of the BA.

14 HIPAA PRIVACY RULE
General
 A BA is directly liable for uses and disclosures of PHI that violate its BA Agreement or the Privacy Rule
 A BA remains liable for all Privacy Rule obligations that are included in its BA contract or other arrangements
 BA Agreements can address indemnification

15 HIPAA PRIVACY RULE cont.
Business Associates
 BA status is determined by conduct: an entity is a BA if it creates, receives, maintains or transmits PHI on behalf of a CE, regardless of whether a BA Agreement has been signed
 A BA must have BA Agreements with the subcontractors that use PHI on its behalf
 A BA must monitor compliance with those Agreements
 A BA must comply with the "Minimum Necessary" principle

16 HIPAA PRIVACY RULE cont.
Business Associates cont.
 A BA can be directly liable for:
 Impermissible uses and disclosures
 Failure to provide breach notification to the CE
 Failure to provide access to PHI to the individual or the CE
 Failure to disclose PHI to the Secretary of HHS
 Failure to provide an accounting of disclosures
 Failure to comply with the HIPAA Security Rule

17 HIPAA PRIVACY RULE cont.
Business Associates cont.
 CEs and BAs can operate under existing BA Agreements for one year after the compliance date, as long as the existing Agreements were compliant with the rules in effect before the Omnibus Rule
 Sample BA Agreement can be found at:

18 HIPAA PRIVACY RULE cont.
Notice of Privacy Practices
 The Notice must contain a statement that an Authorization is required for:
 Most uses and disclosures of psychotherapy notes (unless you do not record or maintain such notes)
 Uses and disclosures of PHI for marketing purposes
 Disclosures that constitute a sale of PHI
 Other uses and disclosures not described in the Notice, which will be made only with an Authorization

19 NOTICE OF PRIVACY PRACTICES: AUTHORIZATION IS NOT REQUIRED FOR
An exchange of PHI for remuneration is not a "sale of PHI" requiring Authorization where the exchange is for:
 Public health activities
 Research purposes (remuneration limited to a reasonable, cost-based fee for preparing and transmitting the PHI)
 Treatment of the individual, or payment
 Sale, transfer, merger or consolidation of all or part of a CE, and related due diligence
 Services rendered by a BA pursuant to its Agreement
 Providing an individual with access to their PHI

20 NOTICE MUST ALSO CONTAIN:
 If you intend to contact individuals for fundraising, the Notice must inform them that they can opt out
 A statement of an individual's new right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the service
 A statement of the right of an affected individual to be notified following a breach of unsecured PHI
 These are material changes to the Notice; the revised Notice must be posted, given to new patients, and made available to existing patients on request

21 HIPAA PRIVACY RULE cont.
Access of Individuals to PHI
 If the CE uses or maintains an EHR for PHI, the individual has a right to obtain a copy in electronic format and may direct delivery to a designee, as long as the direction is clear, conspicuous and specific
 This applies to any electronic storage, even if not part of an EHR, e.g. MS Word, Excel, plain text or PDF files
 The fee charged cannot exceed the CE's reasonable, cost-based labor costs in responding (plus any supplies and postage)

22 HIPAA PRIVACY RULE cont.
Access of Individuals to PHI cont.
 The CE is not required to purchase new software or systems
 The CE can still require that the request be made in writing
 The CE must provide ALL PHI maintained in the electronic designated record set
 Whether records are electronic or paper, the CE must implement reasonable policies and procedures to verify the individual's identity

23 HIPAA PRIVACY RULE cont.
Access of Individuals to PHI cont.
 The CE must provide the information within 30 days of receipt of the request, even if it is stored off site (previously 60 days for off-site records); one 30-day extension may be taken
 The CE can refuse to use outside electronic media (e.g. a patient-supplied USB drive, which can carry malware) if a written risk analysis has determined that using such media poses an unreasonable risk, and the CE keeps a supply of new media on hand and provides it free or as part of a reasonable fee

24 HIPAA PRIVACY RULE cont.
Access of Individuals to PHI cont.
 The CE can honor an individual's request that their PHI be sent via unencrypted email if:
 The CE has advised the individual of the risk, and
 The individual still prefers to receive the information via unencrypted email
 The CE must implement reasonable safeguards, including reasonable procedures to ensure the email address is accurate (e.g. confirm it against the address on file before sending)
 The CE is not responsible for the email while in transit or after it has been delivered

25 HIPAA PRIVACY RULE cont.
Marketing
 Marketing is a communication that encourages the recipient to purchase or use a product or service
 A signed Authorization is generally required if the CE receives "financial remuneration" from a third party for making a communication about that third party's product or service
 The Authorization form must disclose that the CE receives financial remuneration for making the communication

26 HIPAA PRIVACY RULE cont.
Marketing, cont.
 Exceptions to the Authorization requirement:
 Face-to-face communications
 Promotional gifts of nominal value (e.g. toothbrushes)
 Communications promoting general health issues
 When no financial remuneration is received
 Refill reminders, as long as the drug is currently prescribed to the patient and any payment received by the CE is reasonably related to the cost of making the communication

27 HIPAA PRIVACY RULE cont.
Miscellaneous
 Decedents: HIPAA does not apply to the PHI of an individual deceased for more than 50 years
 Students: proof of immunization can be provided without written authorization to a school where the school is required by law to have it; you still need (and must document) agreement from the parent or guardian, or from the student if an adult or emancipated minor
 Fundraising: must provide a convenient opt-out

28 HIPAA BREACH NOTIFICATION RULE
HITECH created a requirement that a CE provide notification to affected individuals and to the Secretary of HHS following discovery of a breach of unsecured PHI. If the breach was by a BA, the BA was required to notify the CE. The Final Omnibus Rule finalizes the interim rule of 2009.

29 HIPAA BREACH NOTIFICATION RULE, cont.
HHS is the enforcement agent. An impermissible use or disclosure is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised. The prior "risk of harm" analysis is replaced with a "Risk Assessment" (RA).

30 HIPAA BREACH NOTIFICATION RULE, cont.
Risk Assessment
The RA must consider at least the following four factors:
 The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
 The unauthorized person who used the PHI or to whom it was disclosed
 Whether the PHI was actually acquired or viewed
 The extent to which the risk to the PHI has been mitigated

31 HIPAA BREACH NOTIFICATION RULE, cont.
 A Risk Assessment is required only if the CE or BA is contemplating not providing notification of the breach
 The prior exception to notification where a limited data set did not include dates of birth and zip codes has been removed
 The CE and BA bear the burden of proving that all necessary notifications were provided, or that an impermissible use or disclosure did not constitute a breach, so the RA must be documented

32 HIPAA BREACH NOTIFICATION RULE, cont.
 Uses or disclosures that violate the "Minimum Necessary" standard may qualify as a breach
 An RA is required if notification is not going to be provided
 A CE that conducts a credible Risk Assessment in good faith and documents it would likely have no exposure to penalties

33 HIPAA BREACH NOTIFICATION RULE, cont.
Notification and Presumptive Disclosures
 If, after assessing the four aforementioned factors, it can be demonstrated that there is a low probability that the PHI was compromised, breach notification can be avoided
 Avoiding breach notification will be the exception (absent the Safe Harbor)

34 HIPAA BREACH NOTIFICATION RULE, cont.
Encryption Safe Harbor
 If the PHI was encrypted (or destroyed) in accordance with the HHS guidance, it is not "unsecured PHI" and the breach notification process does not apply
 "Encrypted" here means encrypted with a process consistent with the NIST guidance that the HHS guidance references (NIST SP 800-111 for data at rest; SP 800-52, 800-77 or 800-113 for data in transit), with the decryption key kept separate from the data and not itself compromised. A merely password-protected document, or a lost laptop whose key is in the same bag, does not qualify
 Encryption therefore removes the need for a Risk Assessment altogether, which is better than a favorable one
 Encrypt your PHI, and keep the keys somewhere else
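As an added illustration of what "secured" PHI looks like at the storage level (this is example code written for this page, not material from the presentation or from any HHS or NIST publication), the following Go program encrypts a constructed sample dental record with AES-256-GCM from the Go standard library. The choice of AES-GCM is an assumption on my part; neither the HHS guidance nor NIST SP 800-111 mandates a specific cipher, only a validated, properly keyed one. The points the slide makes are visible in the code: the stored blob reveals nothing without the key, the key is generated and held apart from the data, and a blob that has been tampered with or decrypted with the wrong key is rejected rather than yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey returns a fresh 256-bit AES key. For the safe harbor to hold, the
// key must live apart from the encrypted PHI (a key manager, an HSM, or at
// least a different system than the disk or backup it protects).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptPHI seals a PHI record with AES-256-GCM (authenticated encryption).
// A fresh random 96-bit nonce is prepended to the ciphertext; the GCM tag
// means any modification of the stored blob is detected on decryption.
func encryptPHI(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, so one blob holds
	// everything needed to decrypt except the key.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptPHI reverses encryptPHI. It fails closed on a wrong key, a
// truncated blob, or a single flipped bit anywhere in nonce, ciphertext or tag.
func decryptPHI(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample record for the demo, not real patient data.
	record := []byte("patient=Jane Doe;dob=1980-01-01;procedure=D2740 crown")

	key, err := newKey()
	if err != nil {
		panic(err)
	}
	blob, err := encryptPHI(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, unreadable without the key\n", len(blob))

	// A stolen backup without the key yields nothing; a tampered one is rejected.
	wrongKey, _ := newKey()
	if _, err := decryptPHI(wrongKey, blob); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := decryptPHI(key, tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	plain, err := decryptPHI(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with the right key: %s\n", plain)
}
```

The design point for a practice evaluating "encrypt your PHI": the protection comes from the key being unavailable to whoever obtains the blob. Full-disk encryption on a laptop whose key is cached by an auto-logon, or a file share encrypted with a key stored on the same share, does not meet the separation the HHS guidance requires and would still be reportable.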

35 HIPAA BREACH NOTIFICATION RULE, cont.
Notification Process
 Without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach, the CE (or the BA, to the CE) must notify each individual whose unsecured PHI was breached
 Notification is sent by first-class mail to the individual, or to the next of kin/personal representative (unless the individual has agreed to electronic notice by email)
 If there is possible imminent misuse of the PHI, the CE may also notify by telephone, in addition to the written notice

36 HIPAA BREACH NOTIFICATION RULE, cont.
Notification Process, cont.
 If contact information is out of date or insufficient for 10 or more individuals, substitute notice is required: either a conspicuous posting on the home page of your website for 90 days or a notice in major print or broadcast media where the affected individuals likely reside, in each case with a toll-free number active for at least 90 days
 If the breach involves more than 500 residents of a state or jurisdiction, notification must also be made to prominent media outlets serving that state or jurisdiction
 If 500 or more individuals are involved, the Secretary of HHS must be notified contemporaneously with the individual notices (within 60 days) via the HHS breach reporting website
 For breaches affecting fewer than 500 individuals, report via the same website within 60 days of the end of the calendar year in which the breach was discovered

37 HIPAA BREACH NOTIFICATION RULE, cont.
Notification Content
 A brief description of the breach, including the date of the breach and the date of discovery
 The types of unsecured PHI involved (e.g. name, Social Security number, date of birth, diagnosis), but not the information itself
 Steps individuals should take to protect themselves from potential harm
 What the CE is doing to investigate the breach, mitigate harm and protect against further breaches
 Contact information: a toll-free number, email address, website or postal address

38 HIPAA SECURITY RULE
CEs and BAs must regularly review and modify their security measures as needed to ensure "reasonable and appropriate" protection of electronic PHI, for example:
 Change passwords (and retire shared or default ones)
 Keep anti-malware (antivirus/anti-spyware) software and its signatures up to date
 Terminate the accounts of departed users promptly

39 HIPAA SECURITY RULE, cont.
The BA, not the CE, must obtain "satisfactory assurances" from the BA's subcontractors. A subcontractor of a BA must report security incidents, including breaches, to its respective BA, which in turn reports to the CE.

40 HIPAA ENFORCEMENT RULE
 HIPAA continues to preempt state law unless the state law is more stringent
 The Secretary can coordinate with State Attorneys General; State AGs may bring civil actions on behalf of their residents for HIPAA violations
 CEs and BAs are liable for the actions of their agents (under the federal common law of agency)
 The Secretary can waive penalties
 The number of individuals affected can be used to determine the number of identical violations
 An organization's history of compliance is a relevant factor in setting penalties
 The 30-day cure period for a violation begins when the entity has actual or constructive knowledge of the violation

41 HIPAA ENFORCEMENT RULE cont.
Tiered penalties (per violation, with an annual cap for identical violations):
 "Did not know/would not have known": at least $100 per violation, up to $25,000 per calendar year for identical violations
 Had "reasonable cause" to know of the violation: at least $1,000 per violation, up to $100,000 per year
 "Willful neglect", corrected within 30 days: at least $10,000 per violation, up to $250,000 per year
 "Willful neglect", not corrected: at least $50,000 per violation, up to $1,500,000 per year
The caps apply per calendar year to violations of an identical provision, not per person, and in the 2013 Omnibus Rule HHS applied the $1,500,000 annual cap to all four tiers.

42 PA BREACH OF PERSONAL INFORMATION NOTIFICATION ACT
An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system, following discovery of the breach, to any resident of this Commonwealth whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person. 73 P.S. § 2303
Like the HIPAA safe harbor, the state statute excuses notification only for data that was encrypted or redacted.

43 RESOURCES
Office for Civil Rights, Health Information Privacy
Combined Regulation Text of All Rules

44 INSTRUCTIONS FOR OBTAINING CONTINUING EDUCATION CREDIT FOR THIS ONLINE COURSE
Thank you for viewing the "HIPAA 2013 Update." You are eligible to receive one continuing education (CE) credit if you pass a short quiz based on the content of the presentation. If you are not able to pass the quiz, you will not receive CE credit for the course. To access the quiz, please use the link located at Please enter your preferred email address in the fields provided within the quiz. Upon successful completion of the quiz, a CE verification of participation form will be emailed to you within 12 business days.
