Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Published byLuis Mich Modified over 9 years ago

Similar presentations

Presentation on theme: "Jill Moore April 2013 HIPAA Update: New Rules, New Challenges."— Presentation transcript:

1 Jill Moore April 2013 HIPAA Update: New Rules, New Challenges

2 New Rules Business Associates Breach Notification Individual Rights Enforcement

3 Business Associates A person or entity that creates, receives, transmits, or maintains PHI in the course of providing business or administrative functions for a covered entity – Includes HIOs, HIEs, PHR vendors who work on behalf of covered entity – May include researchers in some circumstances (not automatic – analyze the particular situation)

4 Business Associates Changes to BA responsibilities – Now directly responsible for HIPAA compliance and directly liable for violations – Must identify their own BAs (subcontractors) and enter BA agreements with them to assure “downstream” compliance

5 Business Associates Review your business relationships to identify BAs or BA-like relationships within your entity Review hybrid entity designation to ensure those acting in BA-like capacity are part of covered component Execute or update BA agreements You may need to dust off your HIPAA jargon dictionary.

6 Breach Notification Must notify individuals of security breaches. Unauthorized access or disclosure is presumed to be a breach unless: – A specific exception in the rule applies, or – A risk analysis shows a low probability that PHI was compromised, or – You’re in a “safe harbor” as defined by the rule.

7 Breach? Specific exceptions PHI could not reasonably be retained PHI access is unintentional and by a workforce member or business associate acting in good faith Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI Risk analysis factors Nature and extent of PHI, including types of identifiers & likelihood of re- identification Unauthorized person who received disclosure or used PHI Whether PHI was actually acquired and viewed Extent to which any risk to PHI has been mitigated

8 Safe Harbor Don’t have to notify if: – PHI was encrypted, or – PHI was disposed in keeping with HHS guidance on secure disposal

9 Affected individuals – within 60 days US DHHS – if > 500 individuals involved, contemporaneous notice; otherwise annual report Media, if > 500 involved – within 60 days. Recipients & timing of notice Description of incident, PHI involved, advice to individuals to minimize harm, actions you’ve taken to investigate and mitigate, contact information for more info. Content of notice Written letter (standard); email if prior agreement to email notification obtained; telephone if urgent (but also send written) Method of notice

10 Breach Notification Review and update breach notification procedures to reflect new risk analysis. Follow procedures developed under old rule until September 23, then you must follow new rule.

11 Individual Rights Restrictions on disclosures Access to electronic PHI Notice of Privacy Practices Other changes affecting decedents’ records, immunization records for schools, a couple of other things

12 Restrictions on disclosures Care paid out-of-pocket – Upon patient request, no disclosures of information to health plans (insurance) unless disclosure to health plan required by law Does not limit disclosures to public health Does not limit disclosures to other health care providers for treatment purposes

13 Access to electronic PHI Individuals have a right of access to their own PHI. If patient requests PHI in electronic form, must provide it if you already maintain the information electronically and the form requested is “readily producible.” If not readily producible, must reach agreement with individual on alternative form. Take a close look at the issue of providing PHI by email.

14 Notice of Privacy Practices Must be revised to reflect rule changes, including: – Covered entity’s legal duty to give notice of breaches. – Right to request restriction of disclosure to health plans for care paid in full out-of-pocket. Revised Notice must be disseminated: – To new clients, in accordance with current policies – To existing clients on request – Via website, if you have one

15 Individual Rights Develop a policy about requests for restrictions on disclosure for care paid for in full out-of-pocket. Review and if necessary update policies about individual access to PHI to address electronic access and the use of email to deliver PHI. Revise Notice of Privacy Practices and disseminate.

16 Enforcement New: HHS must investigate violations if a preliminary review of the facts suggests “willful neglect” by the covered entity or BA. Practice tip!! In an investigation, expect HHS to request copies of your policies. You will want them to be readily accessible and up-to-date.

17 Checklist Review business relationships and update hybrid entity designation and business associate agreements. Update breach notification policies and procedures. Update policies re individual access. Update notice of privacy practices and disseminate. Review other policies (training, workforce, etc.) and update if needed. Compliance date:  September 23, 2013 for most matters  September 22, 2014 for some existing BA agreements

Download ppt "Jill Moore April 2013 HIPAA Update: New Rules, New Challenges."

Similar presentations

H OGAN & H ARTSON, L.L.P.

H OGAN & H ARTSON, L.L.P.
Implementing the New HIPAA Rules

Implementing the New HIPAA Rules
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.

An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.
“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Dinsmore & Shohl, LLP Stacey Borowicz, Esq. Simi Botic, Esq. August 14, 2013.

Dinsmore & Shohl, LLP Stacey Borowicz, Esq. Simi Botic, Esq. August 14, 2013.
Steps to Compliance: Managing Business Associates PRESENTED BY.

Steps to Compliance: Managing Business Associates PRESENTED BY.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.

1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City www.spencerfane.com www.UBAbenefits.com This Employer.

Thank You For Your Participation Kansas City   Omaha  Overland Park St. Louis  Jefferson City This Employer.
W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.

W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.

Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
HIPAA Privacy of Health Information Claudia Allen, Esq. General Counsel HealthBridge.

HIPAA Privacy of Health Information Claudia Allen, Esq. General Counsel HealthBridge.
What You Don’t Know Can Cost You HIPAA in a HITECH World Alaina N. Crislip, Esq. October 10, 2013.

What You Don’t Know Can Cost You HIPAA in a HITECH World Alaina N. Crislip, Esq. October 10, 2013.
Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014.

Hot Topics Legal Update Jill D. Moore, JD, MPH University of North Carolina School of Government September 2014.

Similar presentations

Ads by Google