HIPAA Regulations Update: What Covered Entities And Business Associates Actually Have To Do And When They Have To Do It

1 HIPAA Regulations Update: What Covered Entities And Business Associates Actually Have To Do And When They Have To Do It
HIPAA COW Fall Conference, October 15, 2010
Sarah Coyne and Tom Shorter

2 Breach Notification
- We talked about this last year.
- Covered entities and business associates must notify patients and DHHS in the event of a breach.
- Ways to get off the reporting train.
- Interim final rule still in effect: published August 24, 2009 (final rule drafted, released, and withdrawn on July 28, 2010).

3 An Endpoint!
- PHI of patients deceased more than 50 years is no longer protected under HIPAA (under the proposed rules).

4 AHA Data Shows Poor Hospital Compliance With HITECH
- 2010 AHA survey of compliance officers
- 85% of hospitals not HITECH-compliant
- 41% of hospitals have 10 or more data breaches annually

5 Family and Friends
- Like Wisconsin, the proposed HIPAA rules clarify that certain disclosures to friends and family are permissible.
- Wisconsin: may release a "portion but not a copy" if any of the following apply:
  - patient agrees
  - emergency
  - family/close friend notification
  - family/close friend involved in care

6 Redisclosure
- Original HIPAA stands: no HIPAA protection for records once they are redisclosed by the recipient.
- Wisconsin: no redisclosure unless:
  - the patient authorizes it
  - a court orders it
  - it is consistent with the original purpose of the disclosure

7 Minimum Necessary: Current Law
- Uses, disclosures, and requests should be limited to a limited data set, when practicable.
- If a limited data set is not practicable, limit to the minimum necessary to achieve the purpose of the use/disclosure.
- The CE or BA making the disclosure gets to make the call on what is the minimum necessary.

8 Minimum Necessary: Proposed Rule
- The proposed rule did NOT add new requirements to the minimum necessary rule, so we are still stuck with the default of a limited data set for now.
- Solicited comments on what guidance would be helpful to CEs and BAs.

9 Minimum Necessary: What Do We Need To Do?
- Revise BAAs and Privacy Rule policies and procedures to limit uses, disclosures, and requests to a limited data set (where practicable).
- May need to revise again when new provisions come out; some CEs have chosen to wait for further guidance before revising BAAs.
- Make sure workforce members are aware of the changes to the minimum necessary rule.

10 Marketing: Current Law
- Three exceptions to the definition of "marketing":
  - Communications made to describe a health-related product or service provided by the CE
  - Communications made for treatment
  - Communications for case management or care coordination, or to direct or recommend alternative treatments, therapies, providers, or settings of care

11 Marketing: Current Law
- Communications that previously fell outside the definition of "marketing" may now constitute marketing if the CE receives payment from a third party for making the communication (and will then require patient authorization).

12 Marketing: Current Law
- Limited exceptions:
  - A communication describing only a drug or biologic the recipient is currently prescribed (payment must be reasonable)
  - A communication made by a BA on behalf of the CE (and the communication does not violate the BAA)
  - A communication pursuant to a valid patient authorization, if the communication is made by the CE (obviously)

13 Marketing: Proposed Rule
- Subsidized treatment communications do not require authorization BUT they are subject to notice and opt-out.
- The opt-out must be in the communication, and it must be relatively easy to opt out.
- NPPs must contain a statement about subsidized treatment communications.

14 Marketing: Proposed Rule
- Only specified HCO communications require authorization if the CE receives financial remuneration in exchange for making the communication.
- The rule attempts to clarify the differences between HCO and treatment communications.
- Defines "financial remuneration".

15 Marketing: Proposed Rule
- Subsidized refill reminders and other communications about currently prescribed drugs/biologics do not require authorization (payment must be reasonable).
- Face-to-face communications and promotional gifts of nominal value are still permitted.

16 Marketing: What Do We Need To Do?
- All arrangements where a CE receives remuneration from a third party to make patient communications must be reviewed to see whether an authorization is required.
- Evaluate whether an exception applies.
- If an exception does not apply, you will need a patient authorization.

17 Fundraising: Current Law
- Must provide a clear and conspicuous opportunity to opt out of any further fundraising communications.
- Strict compliance with the opt-out; "reasonable efforts" to comply are no longer enough.
- An individual's choice to opt out must be treated as a revocation of authorization.

18 Fundraising: Proposed Rule
- Minor clarifications:
  - Each fundraising communication to a patient must include a clear and conspicuous opt-out.
  - The CE may not condition treatment or payment on an individual's decision.
  - If an individual opts out, the CE may not send further fundraising communications.
  - Statement in the NPP still required.
- Request for comment on the PHI to be used in fundraising communications.

19 Fundraising: What Do We Need To Do?
- Implement a system for tracking opt-out decisions.
- Ensure all fundraising communications have a clear opt-out process.
- The opt-out process may include a phone or email option, but requiring individuals to write a letter may be an "undue burden".

20 Accounting From EHR For TPO: Current Law (sort of)
- The HITECH Act requirements are not yet effective.
  - If you had an EHR as of 1/1/2009, the effective date is 1/1/2014.
  - If you adopted an EHR after 1/1/2009, the effective date is the later of 1/1/2011 or the date the EHR is acquired.
- As of the applicable effective date, if you have an EHR, you must account for disclosures made through the EHR for treatment, payment, and health care operations.
- Must account for such disclosures for the past three years (as opposed to six years for other accounting requirements).

21 Accounting From EHR For TPO: Current Law (sort of)
- Covered entities have the option of either:
  - Including the EHR disclosures made by their BAs in the same accounting of disclosures report, or
  - Providing a list of their BAs (with contact information), who would then be required to provide an accounting to the patient.

22 Accounting From EHR For TPO: Current Law (sort of)
- The HITECH Act required creation of regulations addressing what information should be collected for accountings through an EHR.
- The regulations should only require information that takes into account:
  - The interests of individuals in learning the circumstances under which their PHI is being disclosed, and
  - The administrative burden of such accountings.

23 Accounting From EHR For TPO: Proposed Rule (not yet)
- The proposed rule was anticipated in June 2010... it didn't happen.
- Little guidance is available on what information will be required for these types of accountings.

24 Accounting From EHR: What Do We Need To Do?
- Cross your fingers that the government proposes a reasonable rule...
- If you are going to purchase and implement an EHR, make sure it has accounting capabilities.
- If you already have an EHR, start working with your vendor on how to meet the accounting requirements if it doesn't currently have this functionality.
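The "accounting capability" slides 20 through 24 ask for is, at bottom, a query over the EHR's disclosure audit log with two different lookback windows. The following is an added example written for this page, not code from the presentation or from any EHR product: it applies the HITECH rule as the slides summarize it (treatment, payment and operations disclosures count only when made through the EHR and only for the three years before the request; other accountable disclosures keep the existing six-year lookback) and implements both options slide 21 gives a covered entity, including BA disclosures or listing the BAs with contact details instead. The log layout, the covered entity name, the business associate directory and the sample log entries are all constructed for the example.

```python
"""
Added example, not from the presentation: an accounting-of-disclosures query
over a constructed EHR audit log, applying the HITECH lookback windows the
slides describe. Field names, OUR_NAME, BA_CONTACTS and the sample entries
are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date

TPO_PURPOSES = {"treatment", "payment", "operations"}
OUR_NAME = "Hospital"  # the covered entity that runs this EHR (assumed)

# Constructed BA directory: contact details handed to the patient when the
# CE chooses to list its BAs instead of including their disclosures.
BA_CONTACTS = {
    "ClaimsCo": "privacy@claimsco.example",
    "TranscribeInc": "compliance@transcribe.example",
}


@dataclass(frozen=True)
class Disclosure:
    when: date
    patient_id: str
    disclosed_by: str   # OUR_NAME or the name of a business associate
    recipient: str
    purpose: str        # treatment / payment / operations / public_health / ...
    via_ehr: bool       # True if the disclosure was made through the EHR
    description: str


def lookback_start(as_of: date, years: int) -> date:
    """First day of an N-year lookback window ending on as_of."""
    try:
        return as_of.replace(year=as_of.year - years)
    except ValueError:  # as_of is Feb 29 and the target year is not a leap year
        return as_of.replace(year=as_of.year - years, day=28)


def is_accountable(entry: Disclosure, as_of: date) -> bool:
    """HITECH window: 3 years for TPO made through the EHR, 6 years otherwise."""
    if entry.when > as_of:
        return False
    if entry.purpose in TPO_PURPOSES:
        return entry.via_ehr and entry.when >= lookback_start(as_of, 3)
    return entry.when >= lookback_start(as_of, 6)


def accounting(log, patient_id: str, as_of: date, include_ba_disclosures: bool = True):
    """Return (disclosures, ba_contacts) for one patient, oldest first.

    With include_ba_disclosures=False the BA-made disclosures are left out and
    the BAs that made them are listed with contact details, which is the
    second option the slides give a covered entity.
    """
    rows, bas = [], {}
    for entry in sorted(log, key=lambda e: e.when):
        if entry.patient_id != patient_id or not is_accountable(entry, as_of):
            continue
        if entry.disclosed_by != OUR_NAME and not include_ba_disclosures:
            bas[entry.disclosed_by] = BA_CONTACTS.get(entry.disclosed_by, "contact unknown")
            continue
        rows.append(entry)
    return rows, bas


AS_OF = date(2014, 6, 1)  # constructed request date

# Constructed audit-log sample; one entry exercises each branch of the rule.
LOG = [
    Disclosure(date(2013, 1, 10), "P1", OUR_NAME, "Smith Clinic", "treatment", True, "referral summary"),
    Disclosure(date(2010, 5, 1), "P1", OUR_NAME, "Acme Health Plan", "payment", True, "claim; older than 3 years"),
    Disclosure(date(2012, 3, 3), "P1", "ClaimsCo", "Acme Health Plan", "payment", True, "claim filed by BA"),
    Disclosure(date(2013, 7, 15), "P1", OUR_NAME, "Specialist", "treatment", False, "faxed, not via EHR"),
    Disclosure(date(2009, 9, 9), "P1", OUR_NAME, "State Health Dept", "public_health", False, "reportable disease"),
    Disclosure(date(2013, 2, 2), "P2", OUR_NAME, "Smith Clinic", "treatment", True, "other patient"),
]

if __name__ == "__main__":
    for include_ba in (True, False):
        rows, bas = accounting(LOG, "P1", AS_OF, include_ba_disclosures=include_ba)
        print(f"include BA disclosures={include_ba}")
        for r in rows:
            print(f"  {r.when} {r.disclosed_by:>10} -> {r.recipient}: {r.purpose} ({r.description})")
        for name, contact in bas.items():
            print(f"  BA to contact: {name} <{contact}>")
```

The point worth checking when evaluating a vendor's accounting feature is the same one the sample log exercises: a treatment disclosure faxed outside the EHR and a payment claim older than three years must both drop out of the report, while a public-health disclosure from five years ago must still appear.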

25 Security Rule Risk Analysis Guidance
- The guidance is based on NIST recommendations.
- Recognizes that risk analysis methods will vary based on the size, complexity, and capabilities of the organization.
- The result of the risk analysis determines how the CE should approach the implementation specifications, particularly the addressable ones.

26 Security Rule Risk Analysis Guidance
- Elements of a risk analysis:
  - Determine the scope of the risk analysis
  - Identify where e-PHI is stored, received, maintained, and transmitted
  - Identify threats and vulnerabilities
  - Assess current security measures
  - Determine the likelihood that a threat will occur
  - Determine the potential impact of potential threats
  - Assign a risk level to identified threats/vulnerabilities
  - Document the assessment

27 Security Rule Risk Analysis Guidance
- Must document the risk analysis process.
  - Document the assigned risk levels and a list of corrective actions to be performed to mitigate each risk.
  - Documentation helps justify decisions on addressable standards.
- Must periodically review and update the risk assessment; it is an ongoing process.
  - Frequency will vary among CEs.
  - Should be performed as technologies and business operations change.

28 Risk Analysis Guidance: What Do We Need To Do?
- Make sure you have documented your risk analysis.
- Make sure your addressable implementation specifications align with the results of the risk analysis.
- Make sure you periodically review and update your risk analysis (don't forget remote users and portable devices!).
- Update your security safeguards if necessary.

29 Security Safeguard Trends
- Encryption continues to become more and more important:
  - Encryption = exception to breach notification.
  - PHI is rendered unusable, unreadable, or indecipherable if the NIST encryption standards for data at rest (the HHS guidance points to NIST SP 800-111) and data in motion (NIST SP 800-52, 800-77, and 800-113) are followed.
  - The exception only holds if the decryption key was not also compromised, so a key stored on the same lost laptop as the encrypted PHI does not get you there.
  - Not all encryption technologies meet the NIST standards; check your technology.
  - Final Certification Rule = EHR certification requires encryption capabilities.

30 Security Safeguard Trends
- Destruction of PHI:
  - Exception to security breach notification if the PHI has been destroyed as follows:
    - Paper, film, and other hard-copy media are shredded or destroyed so that the PHI cannot be read or reconstructed (redaction is not sufficient).
    - Electronic media are cleared, purged, or destroyed consistent with the NIST standards on media sanitization (NIST SP 800-88).

31 Security Safeguard Trends
- HHS is to issue annual guidance on the most effective and appropriate technical safeguards; Risk Analysis was the first in the series.
- For helpful Security Rule guidance, see http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html:
  - Security Rule Educational Series
  - Relevant NIST Standards
  - Risk Analysis Guidance
  - Remote Use Guidance

32 Business Associates: Current Law
- Under HITECH, Business Associates are DIRECTLY liable for compliance with the Security Rule and with the use and disclosure requirements of the Privacy Rule.
- Requires affirmative compliance obligations; the details were clarified somewhat in the proposed rules of July 14, 2010 and will be further clarified in the final rules and other guidance.

33 Business Associates: NPRM
- Expansion of the definition of BA to include:
  - Health Information Organizations
  - E-Prescribing Gateways
  - Entities/individuals that provide data transmission services with respect to PHI AND require access to that PHI on a routine basis
- The definition will not include "conduits" that only access PHI on a random or infrequent basis.

34 Business Associates: NPRM
- The definition of BA will include SUBCONTRACTORS!
- Endless downstream flow of obligations.

35 Business Associates: NPRM
- References patient safety activities.
- Excepts certain entities from the BA Agreement requirement, including:
  - Some governmental agencies that perform enrollment and eligibility activities for another governmental agency's health plan

36 Business Associates: NPRM
- Clarified liability of BAs. BAs will be directly liable for:
  - Security Rule violations
  - Impermissible uses and/or disclosures under the Privacy Rule
  - Failure to disclose PHI to the Secretary or to provide electronic access to PHI

37 Business Associates: NPRM
- Changes to the liability of CEs:
  - CEs will be liable for the acts of BAs acting as the CEs' agents within the scope of the agency.

38 Business Associates: Timing
- Continue to enter into and comply with BA Agreements.
- Comply with the requirements in the HITECH Act now.
- The proposed rules contemplate a general compliance date of 180 days after the effective date of the final rules.
- The proposed rules contemplate a transition period for BAA revision ending on the earlier of:
  - The date the BA relationship is changed in any way after 240 days from publication of the final rule, or
  - One year and 240 days after publication of the final rule.

39 Business Associates: Practical Guidance
- Be prepared to act!
- BAs will be required to have BA Agreements with subcontractor BAs.
- This is the BA's obligation, not the CE's obligation (although, practically speaking, CEs should make sure it happens).

40 Disclosing PHI to Health Plans: Current Law
- 45 CFR 164.506: A covered entity may, without the individual's authorization, use or disclose protected health information for its own treatment, payment, and health care operations activities.
- Purpose: to avoid interfering with an individual's access to quality health care or the efficient payment for such health care.
- A health care provider may disclose protected health information about an individual as part of a claim for payment to a health plan.

41 Disclosing PHI to Health Plans: Current Law
- "Payment" is defined as the activities of health care providers to obtain payment or be reimbursed for their services, and of a health plan to obtain premiums, to fulfill its coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. Payment activities include:
  - Determining eligibility or coverage under a plan and adjudicating claims;
  - Risk adjustments;
  - Billing and collection activities;
  - Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
  - Utilization review activities; and
  - Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

42 Disclosing PHI to Health Plans: Current Law
- A CE must limit disclosures of PHI for payment to the minimum necessary.
- A CE must develop role-based access policies and procedures that limit which members of its workforce may have access to PHI for payment to those who need that access for their jobs.
- A CE may choose to obtain an individual's consent for it to use and disclose information for payment.
- Individuals have the right to request restrictions on how a CE uses and discloses PHI about them for payment. A CE is not required to agree to an individual's request for a restriction, but it is bound by any restriction to which it agrees.

43 Disclosing PHI to Health Plans: Proposed Regulations
- A CE must agree to an individual's request to restrict disclosure of PHI to a health plan if:
  - The PHI pertains solely to health care for which the individual (or a person on behalf of the individual other than the health plan) has paid the CE in full out of pocket, and
  - The disclosure is not otherwise required by law.

44 Disclosing PHI to Health Plans: Proposed Regulations
- A CE cannot require an individual to pay out of pocket for all services if that individual wishes to restrict disclosures regarding only certain services.
- If the individual's payment is not honored, and the payment issue cannot otherwise be resolved with the individual, the covered entity may submit the PHI to the health plan for payment.
- The NPRM requests public comment to resolve various operational issues.

45 Enforcement: Current Law
- Sections 13409, 13410, and 13411 of the HITECH Act:
  - Criminal penalties for individuals such as employees
  - Noncompliance due to "willful neglect"
  - Distribution of certain Civil Monetary Penalties
  - Tiered increases in Civil Monetary Penalties
  - Enforcement by State Attorneys General
  - Audits

46 Enforcement: Current Law
- Enforcement Interim Final Rule (IFR)
  - Published October 30, 2009; effective November 30, 2009
  - Implemented Section 13410(d) of the HITECH Act by:
    - Setting four categories of violations reflecting increasing culpability
    - Setting four corresponding tiers of penalty amounts, increasing the minimum penalty amounts
    - Establishing a maximum penalty amount of $1.5 million for all violations of an identical provision in a calendar year
    - Revising the affirmative defenses
    - Prohibiting the imposition of penalties for any violation corrected within 30 days, if the violation was not due to willful neglect

47 Enforcement Under the NPRM
- Incorporates "willful neglect" and gives it a definition.
- Mandates certain investigations.
- Increases the ability of HHS to see PHI for enforcement investigations.
- Defines the factors considered in an investigation.

48 Enforcement Under the NPRM
- OCR will investigate if a preliminary investigation indicates "willful neglect".
- OCR is not required to seek informal resolution before proceeding to formal enforcement.
- Revised definition of "reasonable cause".
- Guidance as to the categories of culpability is in the preamble.

49 Enforcement: Actions to Take Now
- Develop and implement HIPAA-compliant policies and procedures.
- Properly secure PHI to qualify for the Breach Notification safe harbor.
- Complete self-audits to confirm PHI is protected.
- If a violation is discovered, act quickly to discontinue and correct it.
- Strengthen the complaints process to resolve cases before a federal complaint is filed.
- Observe HIPAA's relevant remediation requirements.

50 De-Identification: Current Law
- De-identification under 45 CFR 164.514(b)
- Statistical approach: a qualified statistical or scientific expert concludes, through the use of accepted analytic techniques, that the risk that the information could be used alone, or in combination with other reasonably available information, to identify the subject is very small.

51 De-Identification: Current Law
- The "Safe Harbor" approach permits a covered entity to consider data de-identified if:
  - It removes 18 types of identifiers (e.g., names, dates, and geocodes for populations of fewer than 20,000 inhabitants), and
  - It has no actual knowledge that the remaining information could be used to identify an individual, either alone or in combination with other information.

52 De-Identification: Current Law - Safe Harbor
Must remove the following identifiers of the individual, relatives, employers, and household members:
- Names
- All elements of dates (except year) directly related to an individual, and all ages over 89 (such ages may be aggregated into a single "90 or older" category)
- Geographic subdivisions smaller than a state, except the initial 3 digits of the ZIP code if the area formed by all ZIP codes with those 3 digits contains more than 20,000 people
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including VINs and license plates
- Device identifiers and serial numbers
- URLs
- IP addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs and comparable images
- Any other unique identifying numbers, characteristics, or codes
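Slides 7 through 9 make a limited data set the default for minimum necessary, and slides 51 and 52 describe the safe-harbor method; the two differ only in how far the same record is stripped. The following is an added example written for this page, not code from the presentation: one transformer that produces a limited data set (the 16 direct identifiers of 45 CFR 164.514(e) removed, dates, ages and city/state/ZIP kept) and, on top of it, a safe-harbor record (dates reduced to the year, ages over 89 aggregated to "90+", geography reduced to state plus a 3-digit ZIP prefix with low-population prefixes set to 000). Because safe harbor also requires no actual knowledge that what is left could identify someone, the block finishes with a scan of the surviving free text for identifier-shaped strings. The field names, the sample record and the RESTRICTED_ZIP3 set are assumptions made for this example; the real restricted prefixes come from Census population data.

```python
"""
Added example, not from the presentation: limited data set and safe-harbor
transforms for a constructed patient record. Field names, SAMPLE_RECORD and
RESTRICTED_ZIP3 are assumptions made for this example.
"""
import re

# Direct identifiers that neither a limited data set nor safe-harbor data may
# contain (field names are this example's own convention).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vin",
    "device_id", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "date_of_death"}
GEO_BELOW_STATE = {"city", "county"}  # safe harbor keeps only state + ZIP3

# 3-digit ZIP prefixes whose area holds 20,000 people or fewer must become
# "000". The real set is derived from Census data; these are placeholders.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Identifier shapes that can survive inside free-text fields such as notes.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def limited_data_set(record):
    """Strip the direct identifiers; dates, ages and geography stay."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def _year_of(value):
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return m.group(1) if m else None


def _zip3(value):
    digits = re.sub(r"\D", "", str(value))
    if len(digits) < 5:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def safe_harbor(record):
    """Apply the safe-harbor generalisations on top of limited_data_set()."""
    out = limited_data_set(record)
    over_89 = isinstance(out.get("age"), int) and out["age"] > 89
    for field in list(out):
        value = out[field]
        if field in DATE_FIELDS:
            year = _year_of(value)
            # A birth year for someone over 89 still reveals the age, so it
            # goes too; every other date collapses to its year.
            if year is None or (over_89 and field == "dob"):
                del out[field]
            else:
                out[field] = year
        elif field == "age" and over_89:
            out[field] = "90+"
        elif field in GEO_BELOW_STATE:
            del out[field]
        elif field == "zip":
            z = _zip3(value)
            if z is None:
                del out[field]
            else:
                out[field] = z
    return out


def residual_identifiers(record):
    """Flag free-text values that still look like identifiers; the 'no actual
    knowledge' prong of safe harbor is only as good as a check like this."""
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            for kind, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    hits.append((field, kind))
    return hits


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "mrn": "MRN-00012345",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "dob": "1918-03-14",
    "admit_date": "2010-09-30",
    "discharge_date": "2010-10-02",
    "age": 92,
    "city": "Madison",
    "state": "WI",
    "zip": "53703",
    "diagnosis_code": "I10",
    "notes": "Pt called from 608-555-0100 about a refill; see chart.",
}

if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    deidentified = safe_harbor(SAMPLE_RECORD)
    print("safe harbor:", deidentified)
    print("still identifying:", residual_identifiers(deidentified))
```

The sample record is built so that the free-text note carries a phone number past both transforms; that is the case the "no actual knowledge" condition is about, and why slide 54's advice to require security measures even for de-identified data is not overcautious.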

53 De-Identification: 2010 Workshop
- OCR hosted a Workshop on the Privacy Rule's De-Identification Standard in March 2010.
- OCR will use the information gained through the workshop to develop the guidance required and supported by ARRA.
- OCR accepted comments after posting.
- OCR promised guidance on its web site.
- All materials developed for the workshop are posted on the OCR web site.

54 De-Identification: Practical Guidance
- Even if you fit within a safe harbor, are there other sources of liability for sharing de-identified data?
- If a CE or BA shares de-identified data, an agreement between the parties should prohibit the recipient from attempting to re-identify individuals.
- Require security measures even for de-identified information.
- Require use of limited access datasets.
- Require education and training of staff de-identifying data.

55 Questions?
Sarah Coyne, (608) 283-2435, sarah.coyne@quarles.com, Quarles & Brady LLP
Tom Shorter, (608) 284-2239, tshorter@gklaw.com, Godfrey & Kahn, S.C.
