Presentation is loading. Please wait.

Presentation is loading. Please wait.

Office of the Secretary Office for Civil Rights (OCR) HIPAA Privacy and Security Rules Updates HIPAA COW 2010 Spring Conference April 16, 2010.

Published byKelly Wade Modified over 8 years ago

Similar presentations

Presentation on theme: "Office of the Secretary Office for Civil Rights (OCR) HIPAA Privacy and Security Rules Updates HIPAA COW 2010 Spring Conference April 16, 2010."— Presentation transcript:

1 Office of the Secretary Office for Civil Rights (OCR) HIPAA Privacy and Security Rules Updates HIPAA COW 2010 Spring Conference April 16, 2010

2 OCR HIPAA Security Rule Delegation of Authority – July 27, 2009 Streamline, unify, simplify investigation and resolution of cases Address growing overlap of security/privacy in HT environment Support and cooperation of CMS to effectuate transfer of cases, system support, technical experts OCR investigative staff in Regional Offices allows expansion of compliance review and on-site investigatory methods

3 OCR American Recovery and Reinvestment Act of 2009 Title 13: Health Information Technology for Economic and Clinical Health Act (HITECH Act) Subtitle A: Promotion of HIT through the Office of the National Coordinator for HIT (ONC) Subtitle B: Testing of HIT through the National Institute of Standards and Technology (NIST) Subtitle C: Grants and Loan Funding for Incentives for the Use of HIT Subtitle D: Privacy (Privacy Rule and Security Rule) 3

4 OCR Substantive Modifications to the HIPAA Rules

5 OCR HIPAA Privacy Rule Updates Regulatory Actions 2009 –Breach Notification Guidance 4/2009 –Breach Notification IFR 8/2009 –Enforcement IFR 10/2009 –GINA NPRM 10/2009 Regulatory Actions Scheduled for 2010 –HITECH Privacy & Security Rule, including more Enforcement Rule changes, NPRM/Final –Breach Notification Final –Breach Guidance Annual Update –Accounting for Disclosures from EHRs NPRM –GINA Final 5

6 OCR 6 Breach Notification 45 CFR 164 Subpart D HHS Issues RFI – April 2009 –Guidance on Technologies/Methodologies for unusable, unreadable, indecipherable PHI

7 OCR 7 Breach Notification IFR Covered entities must notify each affected individual of breach of “unsecured protected health information.” HHS Breach Notification Guidance: PHI is “unsecured” if it is NOT –Encrypted –Destroyed “Breach” defined as: –Impermissible use/disclosure –“Compromises privacy/security” – Poses a significant risk of harm to the individual –Exceptions for inadvertent, harmless mistakes

8 OCR Section 13402: Breach Notification. Covered entities must notify each affected individual of breach of “ unsecured protected health information. ” Business associate must notify covered entity of breach and identify individuals affected. Notice to media if more than 500 people affected. Notifications to be provided without unreasonable delay (but no later than within 60 days) of discovery of breach. Notice to Secretary of breach and posting on HHS Website. Effective for breaches occurring after 9/23/2009

9 OCR Breach Reports Notifications to the Secretary required by web portal As of March 31, 2010, 62 reports of breaches affecting 500+ individuals reported, resulting in approx. 750,000 notices –Mostly ePHI that is contained in lost or stolen unencrypted media or portable device Also received over 5000 reports of smaller breaches –Mostly paper records sent to wrong fax number, wrong address, wrong individual 9

10 OCR 10 FTC Breach Notification for PHRs FTC to regulate similar notice requirements for PHR vendors not subject to HIPAA –FTC Notice of Proposed Rulemaking Published April 2009; Request for Public Comment due June 1, 2009 –FTC Final Rule published August 2009 HHS and FTC to study and recommend to Congress privacy and security requirements for non-HIPAA PHR vendors and best oversight

11 OCR 11 Improved Enforcement HITECH Act, Sections 13410 and 13411: Noncompliance Due to Willful Neglect Distribution of Certain Civil Monetary Penalties –Transfer to OCR for Enforcement –Percentages to Harmed Individuals Tiered Increases in Civil Monetary Penalties Enforcement by State Attorneys General Periodic Audits Criminal Penalties for Individuals (Employees) Other: Secretary’s Delegation of Security Rule Enforcement to OCR – July 27, 2009

12 OCR Enforcement Framework in Complaint Investigation The Enforcement Rule –71 FR 32, P.8390 (Feb. 16, 2006) –Revised 74 FR, P.56123 (October 30, 2009) Enforcement Rule modified to implement changes mandated by HITECH Act The Enforcement Rule applies to both the Privacy & Security Rules Civil Monetary Penalties can be imposed by OCR

13 OCR Enforcement Rule IFR Section 13410(d) of the HITECH Act –Effective February 18, 2009 –Strengthened HIPAA’s CMP Scheme by: Creating tiers of increasing penalty amounts that are associated with categories of culpability 13

14 OCR CMPs Increased 45 CFR 160.404 - Amount of a Civil Money Penalty For violations occurring prior to 2/18/2009 For violations occurring on or after 2/18/2009 Penalty Amount Up to $100 per violation $100 to $50,000 or more per violation Calendar Year Cap$25,000$1,500,000 OCR may reduce a penalty if the failure to comply was due to reasonable cause and not willful neglect, and the penalty would be excessive relative to the noncompliance. 14

15 OCR Modifications to the Enforcement Rule Tiered Increase in Amount of CMPs: –Four categories of violations that reflect increasing levels of culpability; –Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and –A maximum penalty amount of $1.5 million for all violations of an identical provision.

16 OCR 16 CMP Categories If “person did not know” or “by exercising reasonable diligence would not have known.” If the violation was “due to reasonable cause and not to willful neglect.” If the violation is due to willful neglect, and is corrected during 30-day time period. If the violation is due to willful neglect, and is not corrected during 30-day time period. Effective Date: Violations occurring after 2/18/2009

17 OCR Amount of a Civil Money Penalty 45 C.F.R. § 160.404(b) Violation CategoryEach Violation All Identical Violations per Calendar Year Did Not Know$100 - $50,000 $1,500,000 Reasonable Cause$1,000 - $50,000 $1,500,000 Willful Neglect- Corrected $10,000 - $50,000 $1,500,000 Willful Neglect-Not Corrected $50,000$1,500,000

18 OCR More Information Enforcement Interim Final Rule (74 FR 56123) http://www.hhs.gov/ocr/privacy/hipaa/admin istrative/enforcementrule/hitechenforcementi fr.html

19 OCR HITECT Act Section 13410(e): State Attorneys General Jurisdiction State Attorney General (AG) may bring an action in federal court on behalf of state residents to: –enjoin defendant from further violation; or –obtain damages (of $100 per violation). State must serve prior written notice upon HHS. HHS may intervene in the state action. If HHS has already instituted an action against defendant, State AG may not bring action while HHS action ongoing.

20 OCR State Attorney General First complaint filed by CT SAG under HITECH authority Injunctive relief, statutory penalties sought Combination of HIPAA and state law –Security Rule violations alleged in loss/theft of portable media –Privacy Rule violations alleged in access –State law breach notification claims 20

21 OCR 21 HIT HIPAA Privacy Changes Business Associates: Liable for compliance with Security Rule and uses and disclosures under Privacy Rule; HIEs, certain PHR and others transmitting data are business associates Effective 2/2010 Right to Electronic Access: If covered entity uses an EHR, individual has a right to a copy of his PHI in electronic format. Effective 2/2010 Accounting for TPO Disclosures: If covered entity maintains an electronic health record (EHR), covered entity must include in an accounting disclosures through the EHR for treatment, payment, and health care operations for the three years prior to the request. Effective Date: Depends on CE’s adoption of EHR

22 OCR 22 Other HIPAA Privacy Changes Right to Restriction: Covered entity must comply with individual’s request for restriction if disclosure: (1) is to health plan for payment or health care operations and (2) pertains to item/service for which provider was paid in full “out-of-pocket.” Effective 2/2010 Marketing: Places additional restrictions on covered entity making certain communications about products or services, where entity receives payment in exchange for communication. Effective 2/2010 Fundraising: Covered entity’s fundraising communications must provide clear opportunity for individual to opt out of future communications. Effective 2/2010

23 OCR 23 Other HIPAA Privacy Changes Minimum Necessary: Covered entity must limit PHI, to extent practicable, to limited data set, or, if necessary, to minimum necessary. HHS to issue guidance on what constitutes minimum necessary. Sale of PHI: No direct or indirect remuneration in exchange for PHI, unless the individual signed an authorization; exceptions for public health, research, treatment, sale of business, business associate activities, individual access, and others as determined by Secretary. Effective Date: Regulations required within 18 months after enactment; provisions apply 6 months later.

24 OCR Section 13411: Audits Secretary must provide for periodic audits of covered entities and business associates to ensure that they are in compliance with the Privacy Rule and the Security Rule requirements.

25 OCR Education on Health Information Privacy Regional Office Privacy Advisors for education and guidance to covered entities, their business associates and individuals on privacy and security of PHI Multi-faceted National Education Initiative on health information privacy to enhance public transparency regarding uses of PHI, including programs to educate individuals about potential uses of their PHI, the effects of such uses, and their privacy rights with respect to such uses 25

26 OCR Genetic Information Genetic Information Non-Discrimination Act –Signed into law May 21, 2008 –To protect individuals from discrimination in health insurance and employment on the basis of genetic information –Mandates modification of the Privacy Rule to incorporate provisions specific to genetic information Genetic information is protected health information; Prohibit the use or disclosure of genetic information for underwriting 26

27 OCR GINA NPRM NPRM issued 10/01/2009 –Together with IFR for GINA protections from health plan discrimination issued by HHS/CMS, DOL, and Treasury (IRS) –EEOC Final Rule for GINA protections from employer discrimination in clearance 27

28 OCR Status of All Complaints

29 OCR Total Investigated Resolutions

30 OCR 30 Want More Information? The OCR website: http://www.hhs.gov/ocr/privacy/ http://www.hhs.gov/ocr/privacy/

Download ppt "Office of the Secretary Office for Civil Rights (OCR) HIPAA Privacy and Security Rules Updates HIPAA COW 2010 Spring Conference April 16, 2010."

Similar presentations

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Basics November 1, 2014.

HIPAA Basics November 1, 2014.
Navigating HIPAA & Recent Healthcare Reform: What You Need to Know.

Navigating HIPAA & Recent Healthcare Reform: What You Need to Know.
HIPAA What’s New? 2010. What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.

HIPAA What’s New? What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.
HIPAA In The Workplace What Every Employee Should Know and Remember.

HIPAA In The Workplace What Every Employee Should Know and Remember.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.

1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.
1 TECO ENERGY, INC. HIPAA PRIVACY AND SECURITY REQUIREMENTS April 29, 2014 Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)

1 TECO ENERGY, INC. HIPAA PRIVACY AND SECURITY REQUIREMENTS April 29, 2014 Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
 July 10, 2013 Richard D. Sanders T HE S ANDERS L AW F IRM, P.C. 7 Piedmont Center, Suite 300 3525 Piedmont Road Atlanta, Georgia 30305 (404) 364-1819.

 July 10, 2013 Richard D. Sanders T HE S ANDERS L AW F IRM, P.C. 7 Piedmont Center, Suite Piedmont Road Atlanta, Georgia (404)
Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City www.spencerfane.com www.UBAbenefits.com This Employer.

Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City This Employer.
HIPAA Update: So what’s new with HIPAA?? And, what does it have to do with you? Ellen Cannon, WV DHHR HIPAA Privacy Officer WV Attorney General’s Office.

HIPAA Update: So what’s new with HIPAA?? And, what does it have to do with you? Ellen Cannon, WV DHHR HIPAA Privacy Officer WV Attorney General’s Office.
W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.

W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

Similar presentations

Ads by Google