HIPAA and HITECH: The Latest Developments
Presented by: Michele Madison, Partner, Healthcare Practice, Morris, Manning & Martin, LLP, 404-504-7621

Slide 1: HIPAA and HITECH: The Latest Developments
Presented by: Michele Madison, Partner, Healthcare Practice, Morris, Manning & Martin, LLP
404-504-7621, mmadison@mmmlaw.com, www.mmmlaw.com

Slide 2: Overview
- Enhanced HIPAA Patient Rights
- Business Associates
- Transaction and Code Sets
- HITECH Enforcement
- Audits
- Breach Log

Slide 3: Patient Rights

Slide 4: Rules and Regulations
- HIPAA Privacy and Security Rule
- HITECH, February 17, 2009
- Proposed Rule, July 14, 2010

Slide 5: Proposed Rule (July 14, 2010)
- Extends HIPAA applicability to Business Associates
- Establishes new limitations on the use and disclosure of PHI for marketing and fundraising purposes
- Prohibits the sale of PHI
- Expands Patient Rights
- Strengthens and expands HIPAA's enforcement provisions

Slide 6: Enhanced Restrictions on Disclosures
- PHI Disclosures (Section 13405(a))
- The HITECH Act requires CEs to comply with a patient's request not to use or disclose PHI if the disclosure:
  - would be to a health plan for carrying out payment or health care operations (not for treatment); and
  - the PHI "pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full."

Slide 7: Minimum Necessary
- Limited Data Set and Minimum Necessary
- The HITECH Act (Section 13405(b)) requires CEs to limit PHI disclosures "to the extent practicable" to the "limited data set" as defined under HIPAA, or, if more information is "needed," to the minimum necessary "to accomplish the intended purpose of such use, disclosure, or request, respectively".

Slide 8: Minimum Necessary
- Secretary guidance on what constitutes "minimum necessary" will be issued in the next 18 months
- All the current exceptions to the existing minimum necessary disclosure standard, including disclosures made for treatment purposes and disclosures required by law, are retained
- This is not applicable to de-identified PHI

Slide 9: Accounting to Patients
- Accounting for PHI Disclosures (Section 13405(c))
- Covered Entities are required by HITECH to account for disclosures of PHI to carry out treatment, payment and health care operations.
- Disclosures must be accounted for during the three years prior to the request if an EHR was used

Slide 10: Proposed Rule, May 31, 2011
- DHHS issued a proposed Rule to provide guidance on implementation of HITECH changes related to accounting
- Comments were received until August 1, 2011

Slide 11: Proposed Rule
- HHS expects to review comments and publish the Accounting of Disclosures Final Rule by the end of 2011, which means that compliance with the accounting of disclosures requirement would begin sometime during the summer of 2012
- As of today's date, the Rule has not been finalized

Slide 12: Accounting to Patients
- Effective Date
- The accounting requirement effective date depends on when the CE received the EHR
  - For an EHR received as of January 1, 2009, these accounting rules apply to PHI disclosures starting January 1, 2014
- The proposed rule has an effective date of January 1, 2013

Slide 13: Sale of PHI Prohibitions
- Receiving remuneration in exchange for any PHI of an individual is prohibited without obtaining a specific authorization from the individual (Section 13405(d))
- Additional regulations will be issued within 18 months after February 17, 2009
- Effective for exchanges of PHI occurring 6 months after the date of promulgation of the final regulations

Slide 14: Sale of PHI Prohibitions
Seven exceptions to the Sale of PHI Prohibitions. The sale prohibition does not apply to:
- Public Health activities as defined under HIPAA
- Research, up to the costs of preparation and transmittal of PHI
- Treatment of the individual
- Sale, transfer, merger or consolidation of all or part of the Covered Entity and related due diligence

Slide 15: Sale of PHI Prohibitions (continued)
- A Business Associate's duties to a Covered Entity under a business associate agreement
- Delivering a copy of the individual's PHI pursuant to HIPAA section 164.524; and
- Other PHI exchanges that the Secretary deems similarly "appropriate and necessary" as exceptions in the new regulations

Slide 16: Right of Access
- Right of Access to PHI in EHR (Section 13405(e))
- If a CE "maintains an electronic health record with respect to" the CE must:
  - produce a copy of that PHI in electronic format upon request of a patient
  - transmit the copy directly to an entity or person designated by the individual, but only if the patient's request is "clear, conspicuous, and specific" (45 CFR 164.524, Access of Individuals to PHI)
- Charges cannot exceed the labor costs in responding to the request

Slide 17: September 14, 2011
- Proposed Rule to permit individuals to directly receive lab results from the laboratory
- Comments received through November 14, 2011

Slide 18: Restrictions on Marketing Communications
- Restrictions on communications of CE and BA marketing to potential buyers or users (Section 13406)
- Any communication that encourages the recipient to purchase or use a product or service is not considered a health care operation unless it is made:

Slide 19: Restrictions on Marketing Communications (continued)
- to describe a product or service (or payment therefor) that is provided by, or included in a plan of benefits of, the Covered Entity making the communication, including communications about:
  - "the entities participating in a health care provider network or health plan network
  - health plan replacements or enhancements and
  - health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits"

Slide 20: Restrictions on Marketing Communications (continued)
Further exceptions:
- treatment of the individual; or
- case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual

Slide 21: Restrictions on Marketing Communications (continued)
- The exceptions above will not be considered health care operations if the CE receives "direct or indirect payment" in exchange for making such communications, unless:
  - the payment is for a communication regarding a drug currently prescribed for the recipient of the communication and such payment is "reasonable in amount"

Slide 22: Restrictions on Marketing Communications (continued)
  - the communication is made by the CE after obtaining a valid authorization in accordance with HIPAA section 164.508; or
  - the communication is made by a BA of a CE, on behalf of such CE, and such communication is consistent with the applicable Business Associate Agreement

Slide 23: Fundraising Restrictions
- A written communication for fundraising that is a health care operation under HIPAA section 164.501 must allow the recipient, "in a clear and conspicuous manner," to opt out of receiving any further communications
- Opting out is to be treated as a revocation of authorization under section 164.508
- Restrictions on marketing and fundraising communications will apply after February 17, 2010

Slide 24: Business Associate Contracts Required for Certain Entities
- More vendors to covered entities or business associates will now be deemed to be business associates:
  - each organization that provides data transmission of protected health information and that requires access on a routine basis to such protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization, or E-prescribing Gateway, or
  - each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record

Slide 25: Business Associates

Slide 26: Expanded Business Associates
Each organization "that provides data transmission of Protected Health Information to such entity or its Business Associate and that requires access on a routine basis to such Protected Health Information, such as a Health Information Exchange Organization, Regional Health Information Organization, E-prescribing, Gateway, or each vendor that contracts with a Covered Entity to allow that Covered Entity to offer a personal health record to patients as part of its electronic health record and it is required to enter into a Business Associate Agreement."

Slide 27: Business Associates
- Must comply with certain HIPAA security standards:
  - Administrative safeguards
  - Technical safeguards
  - Physical safeguards
- As a matter of law, must comply with privacy duties established by the BA contract, including new duties established by HITECH
- Covered entities will need to incorporate HITECH provisions into BA contracts
- HHS will issue annual guidance on these and other HIPAA security standards

Slide 28: Increased Application and Enforcement
- Business Associates are now directly subject to specific requirements
- Penalties directly apply to Business Associates
- Increased Penalties
- Enhanced Enforcement Activities

Slide 29: Application of Privacy Provisions and Penalties to BA
- Proposed that the Business Associate is responsible for subcontractors
- Proposed Rule expands the definition of Business Associate
- Direct Enforcement

Slide 30: Enforcement Activities

Slide 31: Criminal Penalties
- Covered Entities should be aware of the additional penalties and enforcement activities:
  - Enhanced Criminal Penalties
  - Willful neglect standard

Slide 32: Penalty Tiered Increase
Minimum levels of penalties based on intent:
- $100 - $25,000: person did not know and would not have known
- $1,000 - $100,000: reasonable cause and not willful neglect
- $10,000 - $250,000: willful neglect
- $50,000 - $1,500,000: willful neglect and not corrected

Slide 33: State Attorney General
- Permits civil actions on behalf of patients:
  - may enjoin the actions; and
  - obtain damages not to exceed $25,000 annually
- Attorneys' fees may be recovered by the State
- Each State Attorney General has been trained on HIPAA

Slide 34: Future Enforcement Tools
- Additional funding for enforcement activities
- In 3 years, the "individual harmed" may receive a % of the CMP collected from the offense

Slide 35: Audit Program
- The Federal Government granted two contracts related to auditing and enforcement:
  - Booz Allen
  - KPMG

Slide 36: Audit Program
- November - December 2011 Pilot Program
  - 150 audits
  - 20 initial audits
- Covered Entities initially
- Program will expand to Business Associates

Slide 37: OCR Enforcement Results
- HHS / OCR has investigated and resolved over 15,176 cases by requiring changes in privacy practices and other corrective actions by the covered entities
- In 7,894 cases, OCR found no violation had occurred

Slide 38: OCR Enforcement Activities
- 514 complaints alleging a violation of the Security Rule
- 323 complaints closed after investigation and appropriate corrective action
- As of December 31, 2011, OCR had 266 open complaints and compliance reviews

Slide 39: HITECH Penalties
- $4.3 Million Fine: Cignet
- $1.0 Million Fine: Mass General
- $865,500 Fine: UCLA

Slide 40: Notification

Slide 41: Security and Notice Requirements
- Security provisions of HIPAA now apply to a Business Associate of a Covered Entity in the same manner that such sections apply to the Covered Entity
- Business Associates are subject to the same penalties as Covered Entities
- Also applies to vendors of personal health records

Slide 42: Security and Notice Requirements
Applies to any Covered Entity or BA/vendor that:
- accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured protected health information
- Applies directly to vendors, regardless of whether a business associate agreement is executed

Slide 43: Security and Notice Requirements
- Unsecured Protected Health Information means (Section 13402(h)) protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under this section

Slide 44: Security and Notice Requirements
- The obligation to notify is triggered upon discovery of a breach
  - Discovery is determined to be the first day on which such breach is known, or should reasonably have been known, to such entity or associate to have occurred
  - Knowledge by any person that is an employee, officer or other agent of the entity or associate

Slide 45: Security and Notice Requirements
- Notice to the Individual must include:
  - Identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach
  - A brief description of what happened, including the date of the breach and the date of discovery of the breach
  - A description of the types of unsecured protected health information that were involved

Slide 46: Security and Notice Requirements (continued)
  - Steps the individual should take to protect themselves from potential harm resulting from the breach
  - A description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches
  - Contact procedures for individuals to ask questions or learn additional information

Slide 47: Security and Notice Requirements
- Notice to the Secretary by Covered Entities:
  - For breaches impacting 500 or more individuals, notify the Secretary immediately
  - For breaches impacting fewer than 500 individuals, maintain a log and notify the Secretary annually by submitting such log

Slide 48: Security and Notice Requirements: Notice Process
- Notice Timing:
  - Notice must be made without unreasonable delay and in no case later than 60 calendar days after discovery of a breach
  - Delay is allowed if a law enforcement official determines that a notification, notice or posting would impede a criminal investigation or cause damage to national security
- Methods of Notice:
  - Written notification by first class mail to the individual
  - Substitute notice process for insufficient or out-of-date contact information
  - Media notice for breaches of 500 individuals or more

Slide 49: "Safe Harbor"
- The Safe Harbor from the Notification Requirement is to ensure the data is maintained in a "secure" manner
- June 2009: requested comments on the proposed form of "secure" data:
  - Encryption
  - De-identification

Slide 50: Georgia Breaches
- The Neurological Institute of Savannah & Center of Spine, July 2, 2011, 63,425 records, Theft
- University Hospital, May 7, 2010, 14,000 records, Loss

Slide 51: HIPAA Transactions
- HIPAA 5010
  - Update from HIPAA 4010
  - January 1, 2012
  - Enforcement delayed by 3 months

Slide 52: HIPAA Transaction Code Sets
- HIPAA EFT Transaction
- Remittance Advice Transaction
- Proposed Rule, January 12, 2012

Slide 53: Thank you
Michele Madison, Partner, Healthcare Practice, Morris, Manning & Martin, LLP
404.504.7621, mmadison@mmmlaw.com, www.mmmlaw.com

This presentation is provided as a general informational service to clients and friends of Morris, Manning & Martin LLP. It should not be construed as, and does not constitute, legal advice on any specific matter, nor does this message create an attorney-client relationship. These materials may be considered Attorney Advertising in some states. Please note, prior results discussed in the material do not guarantee similar outcomes.
