HIPAA: The New Era
Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC
Clinical Practice Compliance Conference, Philadelphia, PA
October 15, 2013

Agenda
• Review of the Omnibus Rule
• Highlight Critical Elements
• Application - From Rule to Practice
• OCR Investigations and Penalty Calculations
• Mitigating Risk
• Summary/Q & A

HIPAA Omnibus Rule
• Implements HITECH provisions
• Compliance Date – September 23, 2013
• Next step in HIPAA Compliance

HIPAA Omnibus Rule - Changes
• Business Associates and subcontractors
• Breach notification
• Marketing
• Sale of PHI
• Fundraising
• Notice of Privacy Practices
• Individual access to ePHI
• Third party designation for receipt of PHI
• Research
• Decedent PHI
• Student Immunization Records
• Restriction on health plan disclosures

Review of Critical Elements
Business Associates and Subcontractors:
• “Maintains” is now included in the definition of Business Associate
• Anyone who stores PHI, even if it is not accessed, is a BA
• Privacy protection requirements are now extended to subcontractors of business associates
• All Business Associates must comply with the Security Rule requirements for safeguards:
  • Administrative
  • Physical
  • Technical
• BAs now have civil and criminal liability
• Covered Entities are responsible for breaches of BAs through “agency liability”

Application – Business Associate Agreements
The Impact of BA Changes on Covered Entities:
• The Covered Entity (CE) does not need a BAA with a subcontractor
  • The BA must have a BAA with the subcontractor
  • The subcontractor must agree to the same restrictions and conditions as the BA
• CEs should:
  • Revise their BAA to require subcontractor compliance
  • Obtain assurances (in the BAA) that the BA monitors compliance by the subcontractor
  • Consider an indemnification clause in the BAA
• CEs are responsible no matter what… try to protect yourself

Review of Critical Elements
Breach Notification Rules:
• Old Rule – A reportable breach occurs if 3 elements are present:
  1. Violation of the Privacy Regulations
  2. Unsecured PHI
  3. Substantial risk of financial, reputational, or other harm to the individual
• New Rule – A reportable breach is PRESUMED to have occurred if:
  1. There is a violation of the Privacy Regulations that includes
  2. Unsecured PHI
  … unless there is a “low probability” that the PHI has been compromised

Review of Critical Elements
Breach Notification (Continued):
• “Low Probability” is based on 4 factors:
  • What was the nature and extent of the protected health information (PHI) involved, including the types of identifiers in the information and the likelihood of re-identification?
  • To whom was the unauthorized information disclosed?
  • Was the PHI actually acquired or viewed?
  • To what extent has the risk to the PHI been mitigated?

Application – Breach Notification Requirements
The Impact of Breach Notification Changes:
• Change your risk assessment to evaluate the 4 factors
• As a practical matter…
  • The outcome of your assessment may not change
• Obtain assurances (in the BAA) that the BA monitors compliance by the subcontractor
• Consider an indemnification clause in the BAA
• CEs are responsible no matter what… try to protect yourself

Review of Critical Elements
Restrictions on Health Plan Disclosures:
• New Rule – Patients may restrict information provided to health plans if:
  1. The patient requests the restriction;
  2. The patient has paid in full for the service or healthcare item;
  3. The disclosure would have been for payment or healthcare operations and is not required by law.

Application – Restrictions on Health Plan Disclosures
The Impact of Restrictions on Disclosures to Health Plans:
• Determine the services for which patients might want to restrict disclosure
• Evaluate your record system for mechanisms to flag these disclosures
• Considerations:
  • What happens if subsequent treatment
  • As a practical matter…
    • The outcome of your assessment may not change
• Develop your risk assessment in advance

Review of Critical Elements
Notice of Privacy Practices (NPP):
• Covered Entities must amend their NPP
  • Patient authorization is required for:
    • Most uses and disclosures of psychotherapy notes
    • Uses and disclosures for marketing
    • Sale of PHI
    • All other uses and disclosures not described in the NPP
  • If PHI is used for fundraising, the individual has the right to opt out
  • Right to restrict disclosures to health plans
  • Right to be notified of a breach

Application – Notice of Privacy Practices
Impact of NPP Changes:
• Changes to the NPP are “material”
• Patient notification is required…
• Healthcare providers must:
  • Prominently post the revised NPP
    • A summary of the NPP may be posted IF the full NPP is available
  • Make the NPP available upon request
  • New patients must receive the NPP
    • Good faith acknowledgement of receipt
  • NPP may be e-mailed

Review of Critical Elements
Individual Access to ePHI:
• If PHI is maintained electronically
  • Even if PHI is in one or more designated record sets
• If requested by the individual…
  • A copy of ePHI must be provided in the form and format requested
• If not readily producible…
  • In a readable electronic form and format “as agreed to by the individual and the CE”

Application – Individual Access to ePHI
Impact of ePHI Access Changes:
• Goal is to move to electronic access
• CEs are not required to purchase new systems to satisfy the requirement
  • Rely on the “reasonableness” standard
• Include ALL PHI in the designated record set
  • Example: Photographs linked to the record
  • Paper PHI is not required to be scanned
• May send PHI via unencrypted e-mail if…
  • The individual has been advised of and accepts the security risks
  • CEs should amend their request “form” to include the advisory

OCR Investigations
• Top 5 OCR investigation issues with Corrective Action Required:
  • Snooping in a medical record
  • Unauthorized disclosure of health information
  • PHI placed in the regular trash
  • Lost or stolen laptop
  • Cell phone or personal camera pictures of a patient’s body parts or X-rays