HIPAA in a Post-HITECH World

Presentation transcript:

HIPAA in a Post-HITECH World
Stephen L. Page, RegionalCare Hospital Partners, stephen.page@regionalcare.net, (615) 844-9849
Elizabeth Warren, Bass Berry Sims PLC, ewarren@bassberry.com, (615) 742-7719

2014 HIPAA TOPICS
- Overview of HIPAA Basics
- Liability Risks with Business Associates
- OCR Enforcement 2014
- OCR 2014 Guidance
- HIPAA Audits
- Data Breaches
- New Frontiers (and some old ones)

HIPAA 101
- HIPAA refers to the Health Insurance Portability and Accountability Act of 1996
- HIPAA prohibits the unauthorized use or disclosure of protected health information unless an exception applies
- HIPAA impacts covered entities and business associates of covered entities
- HITECH Act of 2009 revised certain parts of HIPAA

HIPAA 101 - What is PHI?
- Individually identifiable information
- Relating to condition, treatment, or payment
- Created or received by a provider, plan, employer, or clearinghouse
- Transmitted or stored electronically or in any other form

HIPAA 101 - Who is covered by HIPAA?
- Covered Entities (CEs)
  - Health Plans (including group health plans)
  - Clearinghouses
  - Providers
- Business Associates of Covered Entities (BAs)
  - Including law firms that handle PHI for clients who are CEs or BAs

HIPAA 101 – Uses and Disclosures
- The Privacy Rule defines and limits how an individual’s PHI may be used or disclosed by CEs
- The CE may not use or disclose PHI except:
  - as the Privacy Rule permits or requires (without an authorization), OR
  - as authorized in writing by the individual who is the subject of the information

HIPAA 101 – HIPAA Authorizations
- A HIPAA authorization is a specific type of written permission
- Must contain a number of mandatory elements (who, what, why, etc.)
- A “2 sentence” type permission is not compliant
- May not be combined with other types of permission (with very narrow exceptions such as for research)

HIPAA 101 – HIPAA Patient Rights
- Access
- Amendment
- Accounting of certain disclosures
- Privacy notice
- Restrictions and confidential communications
- Complaints

HIPAA 101 – Additional Requirements
- Minimum necessary
- Safeguards (all PHI)
- Business associate agreements
- Privacy officer
- Policies and procedures
- Training

Liability Risks with Business Associates
- HITECH: increased risk of being held liable for BA acts
- Actions of business associate vendors can create breach notification obligations for covered entities
- Client view may be: “we didn’t cause this, so not our problem.” Wrong response
- OCR view: “no get out of jail free card for covered entity.”

Liability Risks with Business Associates
- How to prevent/mitigate issues with BA compliance?
- Consider indemnification clauses
- Consider reviewing key BA security safeguards, but watch out for risks
- Confirm policies address the process for providing access to BAs

Liability Risks with Business Associates
- Risks for BA oversight:
  - If you know about issues and don’t address them . . .
  - Be careful what you ask for and how wide of a net you cast
  - Will your oversight trigger the BA being viewed as an agent?

Enforcement
- Since April 2003, HHS has received over 99,957 HIPAA complaints
- OCR has resolved 96% of complaints received (over 96,741 cases)
- OCR found violations of HIPAA in over 22,927 cases
- OCR found no violation in 10,390 cases
- OCR found 63,424 cases that were not eligible for enforcement

Enforcement
- Jail time for HIPAA criminal violations: still happening
  - 10/2013: nursing assistant in Florida sentenced to 3 years for stealing and selling patient records
- First penalty for failure to have breach notification policies: $150,000 penalty imposed on a dermatology practice (involved a stolen unencrypted thumb drive)

Enforcement
- Don’t leave PHI on the curb: $800,000 settlement for 2009 conduct (Parkview; June 2014)
- Don’t post PHI on the internet: $4.8 million record settlement (NY Presby/Columbia; May 2014)
- Do encrypt laptops
  - $1,725,220 (Concentra; April 2014)
  - $250,000 (QCA; April 2014)

Enforcement: Lawsuits
- West Virginia case allowed to proceed based on state law
- Many class actions based on breaches still dismissed
- FCRA claims?

Enforcement: Lessons Learned or Not
- Hard to predict the amount of penalties or when conduct gets penalized
- Enforcement actions may take years
- Increasing pressure to allow private causes of action
- Criminal penalties may help with internal training
- Sources of complaints/investigations broadening
  - unions
  - covered entity in response to BA breach notice
  - payers

New OCR Guidance
- Guidance on lawfully married same sex spouses
- Sharing information related to mental health
- Security Risk Assessment tool released

On the Horizon: New Audits
- Audits of some 350 healthcare providers and another 50 of their business associates will likely start in early 2015; they were originally set to begin in October 2014
- Per OCR, will ask audited CEs for a list of BAs and draw from that pool for the 50 audited BAs
- Per OCR, will be tied to enforcement

Breach Notification Standard
- Presumption of breach applies to any non-permissible use or disclosure
- Risk assessment using at least 4 factors:
  - Nature and extent of PHI
  - Who received?
  - Accessed or not?
  - Mitigated?
- Little guidance on how to apply these 4 factors

Data Breach

Data Breaches
- OCR investigated since September 2009:
  - Breaches involving greater than 500 individuals: 1,176 incidents
  - Breaches involving fewer than 500 individuals: 122,000 incidents
- 60% of data breaches could have been prevented if Covered Entities or Business Associates had encrypted data

Recent Notable Data Breaches and Issues
- CHS: new concern: hacking
- Concentra (laptops)
- Identity theft a real risk (not just dealing with mistakes but with deliberate acts)
- HR issues often result in breaches
- The “social media defense” breach risk

State Law Privacy Risks
- California: 5 day standard; AG has brought lawsuits (Alere case)
- Florida: new, stricter breach notification law (30 day timing requirement)
- Massachusetts: not limited to enforcing within its borders (RI case)

New Frontiers
- False Claims Liability
- Medicare Number certifications relating to Business Associate Agreements
- Meaningful Use Certifications
- FDA Issues Cybersecurity Guidelines for Medical Devices
- FTC enforcement

New Frontiers
- HIPAA as a barrier to technology innovation
- The remote use documentation on HHS’s website pre-dates Apple’s iPhone rollout (last updated in December 2006)
- It does not include information on any new Apple iOS or Android phones or tablets, making it challenging for developers who want to ensure their apps meet HIPAA regulations

Old Frontiers
- BAA templates still lacking for many Covered Entities
- Still battles of the forms
- Still working to get BAAs in place where needed
- Some CEs still lack comprehensive HIPAA policies or awareness
- BAs often are still behind the curve

Questions?