Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enforcement, Business Associates and Breach Notification. Oh my!

Published byCody Porter Modified over 6 years ago

Similar presentations

Presentation on theme: "Enforcement, Business Associates and Breach Notification. Oh my!"— Presentation transcript:

1 Enforcement, Business Associates and Breach Notification. Oh my!

2 Enforcement Key Points
OCR Director Jocelyn Samuels indicated that OCR will continue to focus on breaches that demonstrate systemic deficiencies to send a message to organizations that fail to conduct risk analysis, ignore known threats or have insufficient workforce training. That’s a warning that the practice of imposing large fines and resolution agreements on organizations OCR believes have disregarded HIPAA rules will continue. Health Data Management magazine (Feb. 2015)

3 Annual Cap on penalty for all identical violations
Violation Category Penalty Per violation Annual Cap on penalty for all identical violations Can penalty be waived by OCR? Did Not Know $100-50,000 $1.5 million  Yes Reasonable Cause $1,000-50,000 Willful Neglect, Promptly Corrected $10,000-50,000  No Willful Neglect, Not Corrected $50,000

4 Violations Due to Willful Neglect
Violations resulting from willful neglect, defined to mean the conscious, intentional failure or reckless indifference to the obligation to comply with the regulations, will trigger the highest levels of penalties. Penalties arising from willful neglect cannot be waived.

5 Enforcement Key Points
Generally speaking, where multiple individuals are affected by an impermissible use or disclosure, such as in the case of a breach of unsecured protected health information, the number of identical violations of the Privacy Rule standard regarding permissible uses and disclosures would be counted by the number of individuals affected.

6 Enforcement Key Points
The Secretary must formally investigate complaints indicating violations due to willful neglect, and impose civil penalties upon finding said violations. The investigation is triggered if the initial facts show the “possibility” of willful neglect (i.e. no finding of probability is required).

7 Enforcement Key Points
The definition under allows the Secretary to move directly to a civil penalty without exhausting informal resolution efforts, particularly in cases involving willful neglect.

8 Enforcement Key Points
HHS, on a case-by-case basis, may expand any preliminary review and conduct additional inquiries for purposes of identifying a possible violation due to willful neglect. The HHS Secretary can coordinate with other law enforcement agencies on actions (e.g. State Attorney Generals and the FTC).

9 Enforcement Key Points
An organization's history of HIPAA compliance is relevant to the determination of the civil money penalty.

10 Business Associates (BA)
This term has broad applicability and includes, other than a health care provider’s employees, “partners” that may provide legal, actuarial, accounting, consulting, data aggregation, management, administration or financial services wherein the services require the disclosure of individually identifiable health information.

11 Business Associate Key Points
Business associates (“BAs”) are directly liable under HITECH 13404(a) for uses and disclosure that violate the Privacy Rule (“PR”) or are in breach of the BA contract.

12 Business Associate Key Points
BAs are not permitted to use or disclose protected health information (“PHI”) if it would be a PR violation for a covered entity (“CE”) to do so, except that a BA may use PHI for its own management and administration.

13 Business Associate Key Points
A person/entity (“Person”) becomes a BA by definition, and NOT because there happens to be a BA contract in place; therefore liability attaches immediately when a Person “creates, receives, maintains, or transmits PHI on behalf of a CE.”

14 Business Associate Key Points
BAs are now directly liable under the HIPAA rules: (1) for impermissible uses and disclosures (2) for failure to provide breach notification to the CE (3) for failure to provide access of ePHI either to the individual or the CE (4) for failure to disclose PHI to the Secretary (5) for failure to provide an accounting of disclosures (6) for failure to comply with the requirements of the Security Rule

15 Business Associate Key Points
BAs must comply with the “Minimum Necessary” principle. BAs are required to have Business Associate Agreements with their sub-contractors who use PHI on their behalf. BAs must monitor their Business Associate Agreements with their sub-contractors. Requirements in Business Associate Agreements “cascade down” to sub-contractors and sub-contractors of sub-contractors (i.e. to ALL downstream sub-contractors).

16 Breach Notification Key Points
Refer to CFR , Subpart D of final regulation

17 Notification Requirements for Breaches of Unsecured Protected Health Information
Identifying when a breach occurs. Securing protected health information. Notice to individuals, including timing, content, and providing substitute notice. Notice to HHS, including annual and immediate notices to HHS, timing, and content. The HHS electronic reporting process may be accessed through the OCR’s HIPAA website,

18 Notification Requirements for Breaches of Unsecured Protected Health Information
Notice to the media, including form, timing and content. Notice by business associates, including timing and required information. Delay in notice at request of law enforcement.

19 On behalf of the WCA Regional Training Center Thank You!
Mark Norby, Certified HIPAA Professional Instructor/HIPAA Consultant Office:  ext. 31 Cell:  Poll question number 2, at the end, poll question number 3

Download ppt "Enforcement, Business Associates and Breach Notification. Oh my!"

Similar presentations

H OGAN & H ARTSON, L.L.P.

H OGAN & H ARTSON, L.L.P.
An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.

An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.
“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
HIPAA Basics November 1, 2014.

HIPAA Basics November 1, 2014.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.

1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City www.spencerfane.com www.UBAbenefits.com This Employer.

Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City This Employer.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
H IPAA PRIVACY WORK GROUP FOR EYE BANKS EBAA HIPAA PRIVACY WORK GROUP Christina W. Strong, Esq., Facilitator.

H IPAA PRIVACY WORK GROUP FOR EYE BANKS EBAA HIPAA PRIVACY WORK GROUP Christina W. Strong, Esq., Facilitator.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA THE PRIVACY RULE Reviewed December 2012 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
OCR HITECH Enforcement Tips: Prevent, Detect and Quickly Correct HIPAA COW 2010 Spring Conference Privacy/Security Session 1 HIPAA Privacy Best Practices:

OCR HITECH Enforcement Tips: Prevent, Detect and Quickly Correct HIPAA COW 2010 Spring Conference Privacy/Security Session 1 HIPAA Privacy Best Practices:
March 19, 2009 Changes to HIPAA Privacy and Security Requirements Joel T. Kopperud Scott A. Sinder Rhonda M. Bolton.

March 19, 2009 Changes to HIPAA Privacy and Security Requirements Joel T. Kopperud Scott A. Sinder Rhonda M. Bolton.

Similar presentations

Ads by Google