Presentation on theme: "Jill Moore April 2013 HIPAA Update: New Rules, New Challenges."— Presentation transcript:
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges
New Rules Business Associates Breach Notification Individual Rights Enforcement
Business Associates A person or entity that creates, receives, transmits, or maintains PHI in the course of providing business or administrative functions for a covered entity – Includes HIOs, HIEs, PHR vendors who work on behalf of covered entity – May include researchers in some circumstances (not automatic – analyze the particular situation)
Business Associates Changes to BA responsibilities – Now directly responsible for HIPAA compliance and directly liable for violations – Must identify their own BAs (subcontractors) and enter BA agreements with them to assure “downstream” compliance
Business Associates Review your business relationships to identify BAs or BA-like relationships within your entity Review hybrid entity designation to ensure those acting in BA-like capacity are part of covered component Execute or update BA agreements You may need to dust off your HIPAA jargon dictionary.
Breach Notification Must notify individuals of security breaches. Unauthorized access or disclosure is presumed to be a breach unless: – A specific exception in the rule applies, or – A risk analysis shows a low probability that PHI was compromised, or – You’re in a “safe harbor” as defined by the rule.
Breach? Specific exceptions PHI could not reasonably be retained PHI access is unintentional and by a workforce member or business associate acting in good faith Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI Risk analysis factors Nature and extent of PHI, including types of identifiers & likelihood of re- identification Unauthorized person who received disclosure or used PHI Whether PHI was actually acquired and viewed Extent to which any risk to PHI has been mitigated
Safe Harbor Don’t have to notify if: – PHI was encrypted, or – PHI was disposed in keeping with HHS guidance on secure disposal
Affected individuals – within 60 days US DHHS – if > 500 individuals involved, contemporaneous notice; otherwise annual report Media, if > 500 involved – within 60 days. Recipients & timing of notice Description of incident, PHI involved, advice to individuals to minimize harm, actions you’ve taken to investigate and mitigate, contact information for more info. Content of notice Written letter (standard); email if prior agreement to email notification obtained; telephone if urgent (but also send written) Method of notice
Breach Notification Review and update breach notification procedures to reflect new risk analysis. Follow procedures developed under old rule until September 23, then you must follow new rule.
Individual Rights Restrictions on disclosures Access to electronic PHI Notice of Privacy Practices Other changes affecting decedents’ records, immunization records for schools, a couple of other things
Restrictions on disclosures Care paid out-of-pocket – Upon patient request, no disclosures of information to health plans (insurance) unless disclosure to health plan required by law Does not limit disclosures to public health Does not limit disclosures to other health care providers for treatment purposes
Access to electronic PHI Individuals have a right of access to their own PHI. If patient requests PHI in electronic form, must provide it if you already maintain the information electronically and the form requested is “readily producible.” If not readily producible, must reach agreement with individual on alternative form. Take a close look at the issue of providing PHI by email.
Notice of Privacy Practices Must be revised to reflect rule changes, including: – Covered entity’s legal duty to give notice of breaches. – Right to request restriction of disclosure to health plans for care paid in full out-of-pocket. Revised Notice must be disseminated: – To new clients, in accordance with current policies – To existing clients on request – Via website, if you have one
Individual Rights Develop a policy about requests for restrictions on disclosure for care paid for in full out-of-pocket. Review and if necessary update policies about individual access to PHI to address electronic access and the use of email to deliver PHI. Revise Notice of Privacy Practices and disseminate.
Enforcement New: HHS must investigate violations if a preliminary review of the facts suggests “willful neglect” by the covered entity or BA. Practice tip!! In an investigation, expect HHS to request copies of your policies. You will want them to be readily accessible and up-to-date.
Checklist Review business relationships and update hybrid entity designation and business associate agreements. Update breach notification policies and procedures. Update policies re individual access. Update notice of privacy practices and disseminate. Review other policies (training, workforce, etc.) and update if needed. Compliance date: September 23, 2013 for most matters September 22, 2014 for some existing BA agreements