California :: Delaware :: Florida :: New Jersey :: New York :: Pennsylvania :: Virginia :: Washington, D.C. :: www.buchananingersoll.com 1 NEW OBLIGATIONS.

Presentation transcript:

1 NEW OBLIGATIONS UNDER HIPAA
STEPHANIE WINER-SCHREIBER
May 19, 2011

2 OVERVIEW
I. RECENT DEVELOPMENTS – HITECH ACT
II. NEW OBLIGATIONS FOR COVERED ENTITIES
III. NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
IV. ENFORCEMENT CHANGES
V. July 14, 2010 Proposed Rule

3 WHAT’S NEW?
HITECH ACT OF 2009: HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT
Effective February 17, 2010
Proposed Rule – July 14, 2010
Modifications to the HIPAA Privacy, Security, and Enforcement Rules
NOT FINAL RULE
Comment period through September 13, 2010
Final Rule – Any time now!

4 KEY POINTS
Extends the reach of privacy and security protections beyond covered entities
Imposes additional obligations on Business Associates
Authorizes greater access and rights to individuals
Imposes State Attorney General oversight and additional tiered penalties
Proposed Rule attempts to clarify obligations for both Covered Entities and Business Associates

5 NEW OBLIGATIONS FOR COVERED ENTITIES
Notice Obligations in the event of a “breach”
Even if not a “breach” it may still be a HIPAA violation
Individuals may request additional restrictions:
  May request that a covered entity not disclose PHI to a health plan if the disclosure is for payment or healthcare operations (not treatment) AND the PHI pertains solely to a healthcare item or service for which the provider has been paid in full
Issue for comment in Proposed Rule

6 NEW OBLIGATIONS FOR COVERED ENTITIES
Further limitations on use of PHI – Minimum Necessary Requirements
Safe Harbor Limited Data Set
Retains current carve outs for treatment
HHS guidance pending comments on Proposed Rule

7 NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings
Accountings will be required for treatment, payment and healthcare operations for disclosures made through an electronic health record
Accountings 3 years prior to request
Compliance date dependent on date of electronic health record

8 NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings – Cont.
Current electronic health record users (as of 1/1/09) – applies to disclosures on or after 1/1/14
Others (acquire electronic health records after 1/1/09) later of 1/1/11 or date of acquisition
Secretary can set later effective date, but no later than 2016 or 2013 respectively

9 NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings – Cont.
Covered Entity may provide accountings for itself and all BAs or
May provide list of all BAs and their contact information
Possible modifications/expansions based on Proposed Rule

10 NEW OBLIGATIONS FOR COVERED ENTITIES
Electronic Health Records and Accountings – Cont.
Individuals may request information in an electronic format if the covered entity uses or maintains an electronic health record
Fee may not be greater than the covered entity’s labor costs in responding to the request
May request to have it sent electronically to third party
Effective February 17, 2010

11 NEW OBLIGATIONS FOR COVERED ENTITIES
A covered entity and business associate may not directly or indirectly receive remuneration in exchange for protected health information of an individual unless the covered entity obtains from the individual a valid authorization
Effective 6 months following issuance of HHS Rule
There are proposed modifications in the Proposed Rule
There are exceptions ---

12 NEW OBLIGATIONS FOR COVERED ENTITIES
Exceptions:
  public health activities
  research and the price charged reflects the costs of preparation and transmittal of the data for such purpose
  treatment (subject to future regulations by the Secretary)
  Healthcare operations (Proposed Rule clarifications)
  activities pursuant to a business associate agreement
  provision of information to an individual (in accordance with a valid request)
  other exchanges approved by the Secretary

13 NEW OBLIGATIONS FOR COVERED ENTITIES
New Marketing Requirements
Definition of Marketing – “A communication about a product or service that encourages recipients of the communication to purchase or use the product or service”

14 NEW OBLIGATIONS FOR COVERED ENTITIES
Marketing Exceptions:
Communications that encourage recipients to purchase or use the product will not be considered to be healthcare operations unless the communication is made:
  (i) to describe a health related product or service that is provided by or included in a plan of benefits of the covered entity making the communication, replacement of or enhancements to a health plan; and health related product or services available only to a health plan enrollee that add value to, but are not part of a plan of benefits;
  (ii) for treatment; or
  (iii) for case management or care coordination for the individual or to direct or recommend alternative treatments, therapies, healthcare providers or settings of care for the individual

15 NEW OBLIGATIONS FOR COVERED ENTITIES
Communications that fall within the marketing exception:
  Are not marketing
  Still need to be permissible under the Privacy Rule
  Typically characterized as healthcare operations or treatment
  Are the only types of communications to encourage the use or purchase of a product or service that can be considered healthcare operations

16 NEW OBLIGATIONS FOR COVERED ENTITIES
Marketing Exceptions Cont.
These communications cannot be healthcare operations if the Covered Entity received direct or indirect payment, unless:
  The communication describes only a current prescribed drug or biologic and any payment is reasonable in amount – or
  Covered Entity receives an authorization – or
  The communication is made by a BA on behalf of a Covered Entity within the scope of the Business Associate Agreement

17 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
HIPAA Security Rule
Regulations under Sections , , , and will become applicable to Business Associates
These sections relate to administrative safeguards, physical safeguards, technical safeguards, and documentation requirements
Potentially broader requirements under Proposed Rule

18 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Administrative Safeguards:
  Develop policies and procedures
  Appoint a security officer
  Establish sanctions for violations
  Provide security training
  Perform evaluations of effectiveness of policies and procedures

19 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Physical Safeguards:
  Implement policies and procedures to limit physical access to information systems
  Implement safeguards for workstation security
  Develop policies for disposition of PHI on workstations
  Develop policies and procedures for removal of hardware from facility

20 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Technical Safeguards:
  Assign unique names and/or numbers for tracking user identity
  Establish mechanisms for auditing activity
  Establish means of verifying users
  Establish means of restricting PHI transmissions over an electronic network

21 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Security Rule Examples: Documentation Requirements:
  Policies must be in writing (or in electronic format)
  Reports of actions and activities must be maintained in writing or electronically
  Required documentation must be retained for at least 6 years from the later of date of creation or date last in effect
  Documentation must be periodically reviewed and modified as necessary

22 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Even if appropriate safeguards are in place, Business Associates should document compliance with each aspect of the Security Rule
Will require a risk assessment and appropriate policies and procedures

23 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Non Compliance – Under HIPAA, if Covered Entity had knowledge that BA was not complying, then Covered Entity had obligation to cure, terminate contract or if not feasible, report to HHS
HITECH makes this obligation reciprocal
If BA is aware of non compliance by Covered Entity – BA has obligation to cure, terminate contract or if not feasible, report to HHS
Proposed Rule potentially modifies this further

24 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Business Associates may become directly responsible for responding to requests for accountings
Covered Entities may not want Business Associates to take on this responsibility
Business Associates – Increased obligations for reporting breaches
Business Associates – may want to encrypt PHI
Will need to establish policies and protocols
Proposed Rule includes additional obligations

25 NEW OBLIGATIONS FOR BUSINESS ASSOCIATES
Business Associates will need to develop policies and procedures regarding minimum necessary obligations
Business Associates and individuals (i.e. employees) may be held liable for violations
No longer just a contractual breach
Under Proposed Rule – greater overall obligation to comply with Privacy Rule and increased definition of workforce

26 ENFORCEMENT CHANGES
State Attorneys General can bring civil HIPAA actions
A percentage of civil monetary penalties will go to victims
Civil monetary penalties are tiered and the cap raised from $25,000 to $1.5 million annually per type of violation
Fines are mandatory if caused due to “willful neglect”
Extensive proposals in Proposed Rules

27 ENFORCEMENT CHANGES
HIPAA criminal penalties apply to individuals
Business Associates can be held liable
HHS may bring civil enforcement actions where the violation may be criminal but no criminal action is pursued

28 PROPOSED RULE
Remember they are just PROPOSED RULES and may change significantly
Highlights thought process of HHS
Significant areas of potential change
  Definition of Business Associate
  Requirements for new Business Associate Agreements
  Obligations for Business Associates
  Timeframes for compliance (including new Business Associate Agreements)
  Content for Privacy Notices
  Changes with respect to marketing and fundraising

29 Questions?
Stephanie W. Schreiber, Esq.
Buchanan Ingersoll & Rooney PC
20th Floor, One Oxford Centre
Pittsburgh, PA
Phone: FAX: