Presentation on theme: "2014 HIPAA Refresher Omnibus Rule & HIPAA Security."— Presentation transcript:
2014 HIPAA Refresher Omnibus Rule & HIPAA Security
What is the Omnibus Rule? 2 The Omnibus Rule modifies the HIPAA Privacy, Security, Breach Notification and Enforcement rules. The Omnibus Rule implements the HITECH Act (Health Information Technology for Economic and Clinical Health) that were not implemented in 2010 The Omnibus Rule implements the provisions of the Genetic Information Non-discrimination Act of 2008 (GINA).
Overview of Omnibus Rule Impact Breach Notification Civil and Monetary Penalties Business Associate Agreements Notice of Privacy Practices Fundraising and Marketing Research Self Pay Patients Release of Information New and revised policies New and revised forms 3
Breach Notification 4 Definition of breach amended to clarify the impermissible acquisition, access, use or disclosure of protected health information (PHI) is presumed to be a breach. Breach notification is necessary unless Covered Entity or Business Associate can demonstrate low probability that PHI has been compromised through documented risk assessment.
Reminder! 5 A breach is a violation of patient privacy that occurs when patient information is impermissibly acquired, accessed, used or disclosed. Report all breaches or suspected breaches as soon as possible to the Privacy Officer by calling , or using ComplyLine
Civil Monetary Penalties Maximum Penalty Amount: $100 to $50,000 per violation Calendar Year Cap: $1.5 million FYI – The Kentucky Attorney General may sue on behalf of the patient. 6
Business Associate Agreements 7 Much of the Privacy Rule and Security Rule now applies to business associates and their subcontractors. Covered entities and business associates may now be held liable for acts of their agents, including business associates and subcontractors of business associates. This includes the civil monetary penalties for violations of HIPAA
Business Associate Agreements Review all vendors and verify whether they work with UKHC protected health information (PHI). Contact the Privacy Officer at with your questions about vendors and business associate agreements. 8
Notice of Privacy Practices - Revised 9 Patient has right to request restriction when paying out- of-pocket, in-full, at time of visit. Patient has right to be informed about breach of unsecured health information. Operations – Add “safety” as in “We may use your PHI to assess your care in an effort to improve the quality and safety of our service to you.”
10 Notice of Privacy Practices - Revised Fundraising communications require giving option and contact information to opt out of fundraising effort and further fundraising communications. Marketing requires patient authorization. PHI (protected health information) may not be sold without patient authorization. Most disclosures regarding psychiatric notes require an authorization. Patient has right to receive copies of medical records in electronic form, if available.
Research Compound authorizations are permitted for multiple research purposes. Compound authorizations must be clear : –When provision of research–related treatment is conditioned upon authorization –When treatment is not conditioned upon authorization
12 Research Authorizations for future research must continue to describe future research purposes although they do not need to be study specific. Authorizations related to use of psychotherapy notes can only be compounded to authorizations also related to use of psychotherapy notes.
13 Self Pay Patients Patients may restrict visits from disclosure to health plans and Medicare if they self pay, in full, (or someone with the patient pays) at the time of the visit. Patient must complete and sign the Self-Pay Restriction form at the time of visit. Visits the patients restrict from disclosure to health plans may not be audited by the health plans. However, Medicare patient restricted visits may be audited by Medicare.
14. Release of Information Verbal authorization is allowed for sharing only immunization records with schools. Document in the medical record. HIPAA protection of records has changed for deceased patients from ‘forever’ to 50 years after the patient’s death. Patients may restrict release of genetic information.
Look for New and Revised Policies 15 New Policies Fundraising Self Pay Restriction Revised Policies A Release of Medical Records/Information A Privacy Investigations and Breach Notification
Look for New and Revised Forms 16 New form – Self Pay Visit Restriction Revised - Notice of Privacy Practices Revised - Authorization to Release Medical Records/Information Revised - Business Associate Agreement
17 Please read the following Confidentiality Expectations. Indicate your understanding by checking the ‘Yes’ box. Yes
Confidentiality Expectations I agree to keep patient information confidential by observing the following: 1.I will signoff/log off the system when I leave the workstation and not allow others to use my access. 2.I will only look up information on patients for whom I have direct responsibility. I will not look up my own medical information on the computer. 3.I will protect my password from use by others or theft. 18
Confidentiality Expectations 4. I will follow all UK HealthCare and department rules of conduct whenever I use 5.I will password protect any personal digital assistant device that contains patient or confidential information. 6.I will share patient information only with people who have a right to access the information in order to perform their job function. 19
Confidentiality Expectations 7. I will not disseminate confidential patient information from my home computer without appropriate authorization for release of information. 8.I will dispose of confidential information properly in accordance with all applicable policies. 9. I understand that audits will be performed on computer usage to ensure compliance with all computer-related policies and this confidentiality agreement. 20
Confidentiality Expectations 10. I will follow other specific confidentiality rules for special situations. When departments have standards more stringent than this statement, I will abide by their standards. 11.I understand that audits will be performed on computer usage to ensure compliance with all computer-related policies and this confidentiality agreement. 12. I will follow other specific confidentiality rules for special situations. When departments have standards more stringent than this statement, I will abide by their standards. 21
Confidentiality Expectations 13.will comply with UK Enterprise electronic signature policies and protect my electronic signature, when issued to me, from use or theft by others. 14. I understand that my employer has the right to take disciplinary action up to and including termination of my employment for breaches of confidentiality. 22
Lynn Crothers Privacy Officer Office of Corporate Compliance /23/