Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Privacy of Health Information Claudia Allen, Esq. General Counsel HealthBridge.

Published byAutumn Watson Modified over 9 years ago

Similar presentations

Presentation on theme: "HIPAA Privacy of Health Information Claudia Allen, Esq. General Counsel HealthBridge."— Presentation transcript:

1 HIPAA Privacy of Health Information Claudia Allen, Esq. General Counsel HealthBridge

2 Federal Privacy Legislation a.State laws requiring privacy and confidentiality have existed for many years b.Federal law – HIPAA – was enacted in 1996, but the regulations containing the Privacy and Security Rules were not in place until 2003 c.HIPAA creates a minimum threshold of confidentiality – but does not pre-empt state law if the state law requires a higher standard

3 Federal Privacy Legislation d. “Covered Entities” are subject to the rules protecting the privacy/confidentiality of “Protected Health Information” i. Covered Entities: 1. Providers of health care services (e.g., labs, physicians, dentists, chiropractors, psychologists) 2. Health Plans 3. Health Clearinghouses

4 Federal Privacy Legislation ii. PHI is health related information that is 1. Identifiable to an individual (contains name, address, phone, SSN, medical record number, date of birth, etc.) 2. Transmitted or maintained by electronic or any other media

5 A. HIPAA sets standards for security, use and disclosure of PHI and permits disclosure or use of PHI without patient consent for the following purposes: i. Treatment ii. Payment iii. Health Care Operations iv. Research: Limited data set or IRB v. Public health vi. As otherwise required by law I. HIPAA Privacy Rule (1)

6 B. HIPAA rules for Business Associates of CEs (e.g., HealthBridge, the Collaborative, EMR vendors) i. Covered Entities may authorize disclosure of PHI to BA for a specific permitted purpose ii. CE required to enter into a Business Associate Agreement with BAs to protect PHI security iii. Originally, a breach of the BAA would only subject the CE to liability to third parties iv. CE would recover cost from BA in a breach of contract lawsuit I. HIPAA Privacy Rule (2)

7 II. 2009: ARRA and HITECH Extended Privacy & Security Rules to Business Associates (“BA”) a.Business Associates became directly subject to privacy/confidentiality requirements and some security rules (can be held liable) b.BA can be held liable for privacy non- compliance by a subcontractor who is acting as an “agent” of a BA c.BA Agreements are now required with entities that provide data to a CE such as Health Information Exchanges

8 III: 2013: Omnibus Final Regulations A. Definition of “Business Associate” Expanded i.Entities that create, receive, maintain, transmit PHI to perform functions or activities for a CE ii.Health Information Organizations, e-prescribing gateways, entities maintaining personal health records for a CE iii. Subcontractors receiving PHI on behalf of BAs Subcontractors are now subject to the same obligations as BAs with respect to the CE – need BAAs Subs must have HIPAA compliant security policies

9 III. Omnibus Final Regulations (2) B. New Breach Standard: When it is discovered that there has been an unauthorized use or disclosure of Unsecured PHI, notice is presumed necessary EXCEPT where CE or BA demonstrates that “there is a low probability that PHI has been compromised.”

10 III. Omnibus Final Regulations (3) i. Final Rule does not define “Compromised” but specifies what the risk assessment must consider: Nature and extent of PHI, types of identifiers (likelihood of re-identification) The unauthorized person to whom PHI was disclosed Was the PHI actually used/viewed? Extent to which the risk has been mitigated

11 C. Notification requirements upon determination of Breach: i. CEs must notify each individual whose UPHI is breached ii. BA must notify the CE (CE may delegate to BA by BAA) iii. Time period: without unreasonable delay but no later than 60 calendar days after discovery (first day known or should have been known) III. Omnibus Final Regulations (4)

12 III. Omnibus Final Regulations (5) 1. Burden on discoverer to notify 2. Written notice by mail unless urgent 3. If more than 9 individuals involved, posting on web 4. Notice to media if over 500 residents in state or jurisdiction affected 5. Immediate notice to Secretary if over 500 affected 6. Breach log required to be sent to Secretary annually

13 D. Notice must contain 1. Description of what happened 2. Description of types of data involved 3. Steps individuals should take to protect themselves 4. What CE is doing to investigate, mitigate losses, and protect from further breaches 5. Contact procedures III. Omnibus Final Regulations (6)

14 IV. Patient Rights re Disclosures a.Individuals may restrict disclosure to a health plan for payment or operations if individual has paid out of pocket in full for services b.Patient may request an accounting of all 3 years’ disclosures of his/her ePHI to any third party including TPO – i.e., to the billing company, to the insurance company, to another provider for a consult.

15 V. HHS Audit Initiative Pilot Audit of 115 CEs uncovered violations – All but 13 had some type of violation – 60 violations were security related Missing: risk assessments, documentation of decisions Privacy violations include no notice of privacy practices – Notices must be revised to include new breach notification and disclosure rules – Policies and procedures (such as patient access to disclosure information, breach assessment and notification, restriction where paid) must be formulated and written – Employee training missing to inform them of rules and procedures

16 VI. Practical Steps to Avoid Liability: Show How You Secure PHI a.Appoint a Privacy Officer to establish policies, field questions and monitor compliance b.Review company policies and procedures with your staff to ensure compliance with ARRA privacy and security requirements – update as needed c.Make sure you have signed BAAs with those from whom you are receiving PHI (as from other physicians, clinics, hospitals, labs) and those you are sending/disclosing PHI to (e.g., billing company, insurance company, etc.) d.Conduct a general risk assessment to determine if procedures are protecting PHI. Document review.

17 VI. Practical Steps (2) e.Take steps to see that: i.Doors are locked except for business entrances and exits during business hours ii.Employee access is restricted/logged during non- business hours iii.Visitors are not in a position to see or access data iv.Employees understand the importance of not disclosing patient information outside of work- and at work, only as necessary v.All remote access to data is limited, inventoried vi.All portable electronics are encrypted

18 VI. Practical Steps (3) vii. Keys, pass codes are inventoried/changed frequently viii. Workstations are secured, screens not in view of public ix. Procedures are implemented for ending data access by terminated employees x. Procedures are implemented for reporting suspicious activity xi. Hiring practices are implemented that help minimize risk –(i.e., checking references and background) xii. Regular training on privacy and security requirements is conducted xiii. Decisive action is taken if a breach is suspected: procedures are followed and actions documented.

19 HIPAA Privacy QUESTIONS?

Download ppt "HIPAA Privacy of Health Information Claudia Allen, Esq. General Counsel HealthBridge."

Similar presentations

H OGAN & H ARTSON, L.L.P.

H OGAN & H ARTSON, L.L.P.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.

An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.
“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Steps to Compliance: Managing Business Associates PRESENTED BY.

Steps to Compliance: Managing Business Associates PRESENTED BY.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.

1 Navigating the Privacy and Security Issues: HITECH Overview Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine.
1 TECO ENERGY, INC. HIPAA PRIVACY AND SECURITY REQUIREMENTS April 29, 2014 Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)

1 TECO ENERGY, INC. HIPAA PRIVACY AND SECURITY REQUIREMENTS April 29, 2014 Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.

HIPAA CHANGES: HITECH ACT AND BREACH NOTIFICATION RULES February 3, 2010 Kristen L. Gentry, Esq. Catherine M. Stowers, Esq.
W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.

W W W. L E C L A I R R Y A N. C O M Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third.
Before reviewing the following presentation click on the links below and print off the documents: NAM-43 The Bair Foundation HIPAA Policy NAM- 89 HIPAA.

Before reviewing the following presentation click on the links below and print off the documents: NAM-43 The Bair Foundation HIPAA Policy NAM- 89 HIPAA.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.

Importance of the Information Risk Assessment. Compliance Programs are intended to proactively audit and assess an organization’s operations to detect.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA THE PRIVACY RULE Reviewed December 2012 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

Similar presentations

Ads by Google