
California :: Delaware :: Florida :: New Jersey :: New York :: Pennsylvania :: Virginia :: Washington, D.C. :: www.buchananingersoll.com

1 NEW OBLIGATIONS UNDER HIPAA
STEPHANIE WINER-SCHREIBER
May 19, 2011

2 OVERVIEW
I. RECENT DEVELOPMENTS – HITECH ACT
II. NEW OBLIGATIONS FOR COVERED ENTITIES
III. NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
IV. ENFORCEMENT CHANGES
V. July 14, 2010 Proposed Rule

3 WHAT’S NEW?
- HITECH ACT OF 2009: HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT
- Effective February 17, 2010
- Proposed Rule – July 14, 2010
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules
- NOT FINAL RULE
- Comment period through September 13, 2010
- Final Rule – Any time now!

4 KEY POINTS
- Extends the reach of privacy and security protections beyond covered entities
- Imposes additional obligations on Business Associates
- Authorizes greater access and rights to individuals
- Imposes State Attorney General oversight and additional tiered penalties
- Proposed Rule attempts to clarify obligations for both Covered Entities and Business Associates

5 NEW OBLIGATIONS FOR COVERED ENTITIES
- Notice Obligations in the event of a “breach”
- Even if not a “breach” it may still be a HIPAA violation
- Individuals may request additional restrictions:
  - May request that a covered entity not disclose PHI to a health plan if the disclosure is for payment or healthcare operations (not treatment) AND the PHI pertains solely to a healthcare item or service for which the provider has been paid in full
  - Issue for comment in Proposed Rule

6 NEW OBLIGATIONS FOR COVERED ENTITIES
- Further limitations on use of PHI – Minimum Necessary Requirements
- Safe Harbor Limited Data Set
- Retains current carve outs for treatment
- HHS guidance pending comments on Proposed Rule

7 NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings
- Accountings will be required for treatment, payment and healthcare operations for disclosures made through an electronic health record
- Accountings 3 years prior to request
- Compliance date dependent on date of electronic health record

8 NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings – Cont.
- Current electronic health record users (as of 1/1/09) – applies to disclosures on or after 1/1/14
- Others (acquire electronic health records after 1/1/09) later of 1/1/11 or date of acquisition
- Secretary can set later effective date, but no later than 2016 or 2013 respectively

9 NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings – Cont.
- Covered Entity may provide accountings for itself and all BAs or
- May provide list of all BAs and their contact information
- Possible modifications/expansions based on Proposed Rule

10 NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings – Cont.
- Individuals may request information in an electronic format if the covered entity uses or maintains an electronic health record
- Fee may not be greater than the covered entity’s labor costs in responding to the request
- May request to have it sent electronically to third party
- Effective February 17, 2010

11 NEW OBLIGATIONS FOR COVERED ENTITIES
- A covered entity and business associate may not directly or indirectly receive remuneration in exchange for protected health information of an individual unless the covered entity obtains from the individual a valid authorization
- Effective 6 months following issuance of HHS Rule
- There are proposed modifications in the Proposed Rule
- There are exceptions ---

12 NEW OBLIGATIONS FOR COVERED ENTITIES
Exceptions:
- public health activities
- research and the price charged reflects the costs of preparation and transmittal of the data for such purpose
- treatment (subject to future regulations by the Secretary)
- Healthcare operations (Proposed Rule clarifications)
- activities pursuant to a business associate agreement
- provision of information to an individual (in accordance with a valid request)
- other exchanges approved by the Secretary

13 NEW OBLIGATIONS FOR COVERED ENTITIES
New Marketing Requirements
- Definition of Marketing – “A communication about a product or service that encourages recipients of the communication to purchase or use the product or service”

14 NEW OBLIGATIONS FOR COVERED ENTITIES
Marketing Exceptions:
Communications that encourage recipients to purchase or use the product will not be considered to be healthcare operations unless the communication is made:
(i) to describe a health related product or service that is provided by or included in a plan of benefits of the covered entity making the communication, replacement of or enhancements to a health plan; and health related product or services available only to a health plan enrollee that add value to, but are not part of a plan of benefits;
(ii) for treatment; or
(iii) for case management or care coordination for the individual or to direct or recommend alternative treatments, therapies, healthcare providers or settings of care for the individual

15 NEW OBLIGATIONS FOR COVERED ENTITIES
Communications that fall within the marketing exception:
- Are not marketing
- Still need to be permissible under the Privacy Rule
- Typically characterized as healthcare operations or treatment
- Are the only types of communications to encourage the use or purchase of a product or service that can be considered healthcare operations

16 NEW OBLIGATIONS FOR COVERED ENTITIES
Marketing Exceptions Cont.
- These communications cannot be healthcare operations if the Covered Entity received direct or indirect payment, unless:
  - The communication describes only a current prescribed drug or biologic and any payment is reasonable in amount – or
  - Covered Entity receives an authorization – or
  - The communication is made by a BA on behalf of a Covered Entity within the scope of the Business Associate Agreement

17 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
HIPAA Security Rule
- Regulations under Sections 164.308, 164.310, 164.312, and 164.316 will become applicable to Business Associates
- These sections relate to administrative safeguards, physical safeguards, technical safeguards, and documentation requirements
- Potentially broader requirements under Proposed Rule

18 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Administrative Safeguards:
- Develop policies and procedures
- Appoint a security officer
- Establish sanctions for violations
- Provide security training
- Perform evaluations of effectiveness of policies and procedures

19 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Physical Safeguards:
- Implement policies and procedures to limit physical access to information systems
- Implement safeguards for workstation security
- Develop policies for disposition of PHI on workstations
- Develop policies and procedures for removal of hardware from facility

20 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Technical Safeguards:
- Assign unique names and/or numbers for tracking user identity
- Establish mechanisms for auditing activity
- Establish means of verifying users
- Establish means of restricting PHI transmissions over an electronic network

21 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Documentation Requirements:
- Policies must be in writing (or in electronic format)
- Reports of actions and activities must be maintained in writing or electronically
- Required documentation must be retained for at least 6 years from the later of date of creation or date last in effect
- Documentation must be periodically reviewed and modified as necessary

22 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
- Even if appropriate safeguards are in place, Business Associates should document compliance with each aspect of the Security Rule
- Will require a risk assessment and appropriate policies and procedures

23 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
- Non Compliance – Under HIPAA, if Covered Entity had knowledge that BA was not complying, then Covered Entity had obligation to cure, terminate contract or if not feasible, report to HHS
- HITECH makes this obligation reciprocal
- If BA is aware of non compliance by Covered Entity – BA has obligation to cure, terminate contract or if not feasible, report to HHS
- Proposed Rule potentially modifies this further

24 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
- Business Associates may become directly responsible for responding to requests for accountings
- Covered Entities may not want Business Associates to take on this responsibility
- Business Associates – Increased obligations for reporting breaches
- Business Associates – may want to encrypt PHI
- Will need to establish policies and protocols
- Proposed Rule includes additional obligations

25 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
- Business Associates will need to develop policies and procedures regarding minimum necessary obligations
- Business Associates and individuals (i.e. employees) may be held liable for violations
- No longer just a contractual breach
- Under Proposed Rule – greater overall obligation to comply with Privacy Rule and increased definition of workforce

26 ENFORCEMENT CHANGES
- State Attorneys General can bring civil HIPAA actions
- A percentage of civil monetary penalties will go to victims
- Civil monetary penalties are tiered and the cap raised from $25,000 to $1.5 million annually per type of violation
- Fines are mandatory if caused due to “willful neglect”
- Extensive proposals in Proposed Rules

27 ENFORCEMENT CHANGES
- HIPAA criminal penalties apply to individuals
- Business Associates can be held liable
- HHS may bring civil enforcement actions where the violation may be criminal but no criminal action is pursued

28 PROPOSED RULE
- Remember they are just PROPOSED RULES and may change significantly
- Highlights thought process of HHS
- Significant areas of potential change
  - Definition of Business Associate
  - Requirements for new Business Associate Agreements
  - Obligations for Business Associates
  - Timeframes for compliance (including new Business Associate Agreements)
  - Content for Privacy Notices
  - Changes with respect to marketing and fundraising

29 Questions?
Stephanie W. Schreiber, Esq.
Buchanan Ingersoll & Rooney PC
20th Floor, One Oxford Centre
Pittsburgh, PA 15219
Phone: 412-392-2148
FAX: 412-392-2128
email: stephanie.schreiber@bipc.com

