HIPAA Omnibus Rule: First Look
Kim C. Stanger, Holland & Hart LLP
Preliminaries
Written materials:
– Copy of .ppt slides.
– Copy of HIPAA Omnibus Rule is scheduled to be published in Federal Register on January 25, 2013.
– Available at www.hollandhart.com.
Presentation will be recorded and available for download at www.hhhealthlawblog.com.
If you have questions, please submit them using chat line or e-mail me at [email protected].
If you experience technical problems during the program, please contact Luke Kelly at [email protected].
Copyright ©2013, Holland & Hart LLP Kim C. Stanger 208-383-3913 [email protected] www.hollandhart.com www.hhhealthlawblog.com
Preliminaries
Lots to cover in short time. This presentation summarizes significant changes in
HIPAA; it does not cover all of HIPAA. Read the rules and commentary when applying the new
rules. We are still synthesizing the new rules. More stringent state or federal laws may apply.
This program does not establish an attorney-client relationship.
This program does not constitute the giving of legal advice.
Background
– 2003: HIPAA Privacy and Security Rules
– 2008: Genetic Information Nondiscrimination Act (GINA)
– 2009: Proposed GINA Rules
– 2009: HITECH Act
– 2009: Interim Breach Notification Rule
– 2009: Interim Enforcement Rule
– 2010: Proposed HITECH Act Rules
– January 17, 2013: HIPAA Omnibus Rule
  • Modified and finalized interim and proposed rules.
  • Implemented additional rules required by HITECH and GINA.
Omnibus Rule: Significant Changes
– Breach notification standards
– Business associate requirements
– Limits on disclosures to health insurers
– Marketing limits
– Fundraising limits
– Sale of PHI restrictions
– Disclosures regarding deceased persons
– Disclosures for school immunizations
– Patient rights to electronic health info
– Notice of privacy practices requirements
– Limits on using genetic info in underwriting
– Compound authorizations for research
Deadlines
New rules are effective March 26, 2013.
Covered entities and business associates must comply with new rules by September 23, 2013.
– Extended compliance deadline by 180 days.
– In the meantime, existing interim rules still apply.
Covered entities generally are not required to modify existing, compliant business associate agreements until September 23, 2014.
Enforcement (45 CFR 164.300-.400)
Enforcement
Omnibus Rule generally finalized the existing interim rule that has been in place since 2009.
Penalties apply to covered entities and business associates.
OCR will investigate every case if preliminary review indicates possible HIPAA violation due to willful neglect.
OCR may investigate cases in which violation appears to be caused by other factors.
(160.300-.400)
Civil Penalties
Conduct / Penalty
Did not know and should not have known of violation:
• $100 to $50,000 per violation
• Up to $1.5 million per type per year
• No penalty if correct w/in 30 days
• OCR may waive or reduce penalty
Violation due to reasonable cause:
• $1,000 to $50,000 per violation
• Up to $1.5 million per type per year
• No penalty if correct w/in 30 days
• OCR may waive or reduce penalty
Willful neglect, but correct w/in 30 days:
• $10,000 to $50,000 per violation
• Up to $1.5 million per type per year
• Penalty is mandatory
Willful neglect, but do not correct w/in 30 days:
• At least $50,000 per violation
• Up to $1.5 million per type per year
• Penalty is mandatory
(160.404)
Civil Penalties
For violations that do not involve willful neglect, may avoid penalties if correct within 30 days.
30-day deadline runs from the date the entity knew, or by exercise of reasonable diligence, would have known of the violation.
– May be liable for knowledge of agents acting within scope of their authority.
– External notification of noncompliance is not required; internal indications of potential noncompliance may provide sufficient knowledge.
(160.410)
Civil Penalties
Number of violations depends on circumstances.
– A breach affecting a number of individuals: each affected individual would constitute a separate violation.
– Failure to implement safeguard: each day of noncompliance would be separate violation.
– Single incident may result in multiple violations, e.g., improper disclosure may result from failure to implement required policies or safeguards.
Violations and penalties may add up quickly.
Civil Penalties
Amount of penalties depends on factors.
– Nature of violation.
– Number of individuals affected.
– Time period during which the violation occurred.
– Nature and extent of harm, e.g., physical harm, reputational harm, impaired ability to get health care.
– History of prior compliance and corrective action.
– Financial condition of entity.
– Size of the entity.
– Other matters as justice requires.
(160.408)
Criminal Penalties
Applies if employees or other individuals obtain or disclose protected health info from covered entity without authorization.
Conduct / Penalty
Knowingly obtain info in violation of the law:
• $50,000 fine
• 1 year in prison
Committed under false pretenses:
• $100,000 fine
• 5 years in prison
Intent to sell, transfer, or use for commercial gain, personal gain, or malicious harm:
• $250,000 fine
• 10 years in prison
(42 USC 1320d-6(a))
Breach Notification (45 CFR 164.400 et seq.)
Breach Notification
If there is a breach of unsecured PHI, covered entity must notify:
– Individual or personal representative.
– HHS.
– Local media if breach involves more than 500 persons.
Business associate must notify covered entity.
Breach notification rules are subject to certain exceptions.
(164.400 et seq.)
Breach Notification
Old Rule: Only requires covered entities and business associates to report a breach if there is a significant risk of financial, reputational or other harm to the individual.
– “No harm, no foul” standard.
(164.402, definition of “breach”)
Members of Congress and privacy advocates objected to the harm standard.
Breach Notification
New Rule: Acquisition, access, use or disclosure of PHI in violation of privacy rules is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of the following factors:
– nature and extent of PHI involved;
– unauthorized person who used or received the PHI;
– whether PHI was actually acquired or viewed; and
– extent to which the risk to the PHI has been mitigated.
(164.402, definition of “breach”)
Breach Notification
“Breach notification is necessary in all situations except
– “those in which the covered entity or business associate … demonstrates that there is a low probability that the [PHI] has been compromised, or
– one of the other exceptions to the definition of breach applies”, i.e.,
  • unintentional internal access to PHI.
  • inadvertent disclosure of PHI to a person authorized to access PHI.
  • recipient not reasonably able to retain PHI.
(164.402)
Breach Notification
When is PHI “compromised”? The PHI is acquired, accessed, used or disclosed?
– HHS noted “there are situations in which unauthorized acquisition, access, use or disclosure of [PHI] is so inconsequential that it does not warrant notification.”
– Whether the PHI was actually acquired or viewed is only one factor in the risk assessment.
– HHS recognized that requiring notice in all situations where PHI was accessed, acquired, used or disclosed would be too burdensome and would unduly trouble patients.
Breach Notification
When is PHI “compromised”? The acquisition, access, use or disclosure would result in potential harm?
– HHS repeatedly affirmed that it was removing the harm standard.
– HHS noted, “Considering the type of [PHI] involved in the impermissible use or disclosure will help entities determine the probability that the [PHI] could be used by an unauthorized recipient in a manner adverse to the individual or otherwise used to further the unauthorized recipient’s own interests.”
Breach Notification
When is PHI “compromised”?
“Compromise: (a) to expose to suspicion, discredit, or mischief; (b) to reveal or expose to an unauthorized person….” (Merriam-Webster Dictionary)
“Compromise: … To lay open to suspicion, disrepute, etc.” (Webster’s New Dictionary (2003))
“Compromise: To expose or make liable to danger, suspicion, or disrepute.” (The Free Dictionary)
Probably involves both the potential for (1) unauthorized access, acquisition, use or disclosure, and (2) misuse.
Focus seems to be on actual or potential for misuse of PHI, not harm to individual.
Breach Notification
Risk assessment factors
1. Nature and extent of PHI involved, including types of identifiers and the likelihood of re-identification.
2. Unauthorized person who used PHI or to whom disclosure was made.
3. Whether PHI was actually acquired or viewed.
4. Extent to which the risk to the PHI has been mitigated.
5. Other factors as appropriate under the circumstances.
(164.402)
Risk assessment is unnecessary if make report.
Breach Notification
Based on commentary, following situations likely involve lower probability that PHI would be compromised.
– Fax sent to wrong physician, but physician reports fax and confirms he has destroyed it.
– Disclosure to or use by persons who are required by HIPAA to maintain confidentiality.
– Disclosure of info without identifiers or to entity that lacks ability to re-identify the PHI.
– Stolen laptop recovered and analysis shows that PHI was not accessed.
But must evaluate all factors.
Breach Notification
Based on commentary, following situations likely involve higher probability that PHI is compromised.
– Disclosure involves financial data (e.g., credit card numbers, SSN, etc.), sensitive info (e.g., STDs, mental health, or other info), or detailed info (e.g., treatment plan, diagnosis, medication, medical history, test results).
– Disclosure involves list of patient names, addresses, hospital IDs.
– Info mailed to wrong individual who opened and read it; person is not a covered entity or business associate.
But must evaluate all factors. HHS will issue future guidance regarding common scenarios.
Breach Notification
Old Rule: no breach if disclosed info in limited data set minus birthdates and zip codes.
New Rule: “minimum data set” exclusion is eliminated.
– General rule applies to “minimum data set” PHI.
– Must perform risk assessment to determine whether breach is reportable.
Violations of minimum necessary standard may constitute a breach.
– Subject to risk assessment, including fact that recipients of PHI may be obligated to maintain confidentiality.
Breach Notification
No breach notification required if:
– Low probability that PHI would be compromised.
– No privacy rule violation. “Incidental disclosures” do not violate the privacy rule.
– PHI is “secured”, i.e., encrypted per HHS standards.
– Exception applies, i.e.,
  • Unintentional acquisition of PHI by workforce member acting in good faith and no further use or redisclosure.
  • Inadvertent disclosure by authorized person to another person authorized to access the PHI.
  • Unauthorized recipient of PHI is unable to retain PHI.
Covered entity has burden of proof.
Breach Notification
Unless we receive further clarification, safer to err on the side of reporting all but clearly “inconsequential” breaches.
– Covered entity has burden of proving “low probability that PHI has been compromised.”
– Failure to report may be viewed as willful neglect resulting in mandatory penalties.
– Timely report is unlikely to result in penalties for the incident that triggered notification, but…
  • Reporting still creates risk that OCR will find additional violations during its investigation, e.g., absence of required policies or safeguards.
  • Blue Cross/Blue Shield of Tennessee: paid $1.5 million after self-disclosure.
Breach Notification
Covered entity must report breach to individual and, if breach involves > 500 persons, to HHS by no later than 60 days after breach is discovered or, through exercise of reasonable diligence, should have been discovered.
– Liable for knowledge of agents acting within their scope of duties.
– Must investigate and report without unreasonable delay; cannot wait until end of 60 days if circumstances would require otherwise.
– Train workforce and business associates to report promptly.
(164.402(a)(2))
Breach Notification
Old Rule: If breach involved less than 500 individuals, must report to HHS no later than 60 days after the calendar year in which the breach occurred.
New Rule: If breach involved less than 500 individuals, must report to HHS no later than 60 days after the calendar year in which the breach was discovered.
(164.406(c))
Business Associates
Business Associates
Business associate = entity that creates, receives, maintains or transmits PHI in performing certain functions on behalf of a covered entity.
– Not workforce members.
– Not healthcare providers for purposes of treatment.
– Not covered entities when participating in an organized health care arrangement.
(160.103, definition of “business associate”)
Business Associates
New Rule: “business associate” includes
– Subcontractors of business associates.
– Entities that provide data transmission services and require routine access to the PHI, e.g., health info organizations or e-prescribing gateway.
  • Not entities that merely act as conduits, e.g., U.S. Postal Service or United Parcel Service.
– Vendors hired by covered entity to provide personal health records.
– Data storage companies.
– Patient safety organizations (“PSOs”).
(160.103)
Business Associates
Old Rule: HIPAA does not apply directly to business associates.
– Business associate agreement was required to ensure business associate compliance.
– Business associates were not subject to regulatory penalties.
Business Associates
New Rule: HIPAA applies directly to business associates and their subcontractors.
– Must comply with many privacy and security rules.
  • Limit use or disclosure of PHI.
  • Security risk assessment.
  • Administrative, physical and technical safeguards required by security rule.
  • Execute agreements with subcontractor.
  • Notify covered entities of breaches.
– Subject to HIPAA penalties if fail to comply.
– Still subject to business associate agreements.
(164.300 et seq., .400 et seq., .502(e), .504(e))
Business Associates
Business associate agreements.
– For new or renewed contracts: modify agreement to address new requirements.
– For compliant contracts in existence as of 1/17/13 that do not renew before 9/23/13: must comply by 9/23/14.
(164.532(d)-(e))
Business Associates
Covered entity is liable for acts of business associate if business associate is acting as the covered entity’s agent.
– Apply federal common law of agency.
– Primary factor is whether covered entity had the right to control the business associate’s conduct.
  • Covered entity authority to give interim directions.
  • Relative size or complexity of parties.
  • Ability of covered entity to perform the services.
  • Business associate acting within scope of contract.
(160.402)
Deceased Persons
Deceased Persons
Old Rule: HIPAA applies to PHI of deceased persons perpetually.
– Use or disclosure generally requires authorization from decedent’s personal representative.
– Personal representative = executor, administrator, or other person with authority under state law to act on behalf of decedent or decedent’s estate.
(164.502(f)-(g)(4))
Deceased Persons
New Rule: HIPAA only applies for 50 years after the decedent’s death.
– Not required to maintain records for 50 years.
– Does not affect separate research exception that allows earlier disclosure in some circumstances.
(164.502(f))
Deceased Persons
New Rule: May disclose info about deceased patient to family members and others involved in patient’s healthcare or payment for care if:
– Disclosure is not inconsistent with prior expressed wishes of patient, and
– PHI is relevant to person’s involvement in patient’s healthcare or payment for care.
(164.510(b)(5))
May still disclose to deceased person’s personal representative.
School Immunizations
School Immunizations
New Rule: Covered entity may disclose proof of immunization to a school where state or other law requires the school to have such info prior to admitting the student if covered entity obtains oral agreement from:
– Emancipated patient, or
– If patient is not emancipated, from the parent, guardian or other person acting in loco parentis.
Covered entity must document agreement.
(164.512(b)(1))
Restrictions on Disclosure of PHI to Health Insurers
Restrictions on Disclosure of PHI to Health Insurers
Old Rule: Patients generally have right to request restrictions on use or disclosure of PHI for purposes of treatment, payment or healthcare operations, but covered entity is not required to agree to such restrictions.
(164.522(a))
Restrictions on Disclosure of PHI to Health Insurers
New Rule: Covered entity must agree to the request of a patient to restrict disclosure of PHI about the patient to a health plan if:
– PHI pertains to health care item or service for which the patient, or another person on the patient’s behalf, paid the covered entity in full; and
– Disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law.
(164.522(a)(1)(vi))
Restrictions on Disclosure of PHI to Health Insurers
HHS acknowledged the operational problems with new rule, but concluded providers should already have methods to flag records under minimum necessary standard.
– Rule does not apply if disclosure is otherwise required by law, e.g., Medicare audits.
– If cannot unbundle bill, notify patient they must pay entire bill to trigger rule.
– Patient is responsible for notifying downstream providers.
– Provider may require payment in full before patient may invoke the requirement.
– Only applies to disclosures to health insurers, not others.
Sale of PHI
Sale of PHI
New Rule: Cannot sell PHI unless obtain patient’s prior written authorization and the authorization discloses whether covered entity will receive remuneration in exchange for PHI.
“Sale of PHI” = disclosure of PHI by covered entity or business associate if they receive (directly or indirectly) any remuneration (financial or otherwise) from or on behalf of the recipient of the PHI in exchange for the PHI.
(164.502(a)(5) and .508(a)(4))
Sale of PHI
Does not apply to disclosures:
– for treatment or payment purposes.
– as part of sale of covered entity.
– to business associate and payment is for business associate’s duties.
– for purposes allowed by HIPAA and payment is reasonable cost-based fee to transmit PHI.
– Recovery of fees allowed by law.
Per commentary, does not apply to:
– payments to provide services or grants.
– payments to participate in health information exchange.
(164.502(a)(5) and .508(a)(4))
Marketing
Marketing
Use or disclosure for purposes of marketing generally requires patient’s authorization.
Old Rule: “marketing” does not include communications about covered entity’s own products or services or certain communications for purposes of treatment or healthcare operations.
(164.508(a))
Marketing
New Rule: If covered entity receives financial remuneration from third party in exchange for making communication about the third party’s items or services, then the following are “marketing” and covered entity must obtain patient’s authorization to use or disclose PHI to market:
– provide refill reminders or communicate about drug currently being prescribed unless remuneration is related to cost of making the communication.
– for treatment purposes, including case management, care coordination, or recommendations for treatment alternatives, providers, etc.
Authorization must disclose that covered entity is receiving remuneration.
(164.508(a))
Marketing
New Rule: Even though covered entity receives financial remuneration, authorization is not required if:
– communication for treatment, healthcare operations or other marketing occurs in face-to-face communication with patient, or
– consists of promotional gift of nominal value provided by the covered entity.
Authorization would be required for such communications via telephone or e-mail since they are not “face-to-face”.
(164.508(a))
Fundraising
Fundraising
Old Rule: Covered entity may disclose demographic PHI to an institutionally related foundation for fundraising purposes without patient’s authorization if:
– Notify patients in the covered entity’s notice of privacy practices, and
– Give recipients an opportunity to opt out.
(164.514(f))
Fundraising
New Rule: Covered entity may disclose following demographic PHI:
– Name, address, contact info, age, gender and birthdate.
– Dates of healthcare provided by covered entity.
– Department of service.
– Treating physicians.
– Outcome information.
– Health insurance status.
(164.512(f)(1))
Fundraising
New Rule: To use PHI for fundraising, covered entity must:
– Include statement notifying patient of fundraising in covered entity’s notice of privacy practices.
– With each fundraising communication, provide clear and conspicuous opportunity to opt out of fundraising.
– Method for opting out cannot cause undue burden or more than nominal cost (e.g., toll-free number, e-mail).
– Cannot condition treatment on participation in fundraising.
– Cannot make fundraising communications to individuals who opt out.
– May notify individuals of method to opt back in.
(164.512(f)(1))
Patient Access to PHI
Patient Access to PHI
Old Rule: Covered entities had up to 60 days to respond to request to access records if records maintained offsite.
New Rule: Extension for off-site records is deleted.
– Covered entities must generally respond to request for access within 30 days.
– May obtain one 30-day extension.
(164.524(b)(2)(ii))
Patient Access to PHI
New Rule: If PHI is maintained in electronic form and patient requests electronic version of the PHI:
– Covered entity must provide the PHI in form and format requested by patient if it is readily producible.
– If PHI is not readily producible in requested form, covered entity must provide it in a form as agreed by the covered entity and patient.
– If covered entity requests that PHI be sent to another person, covered entity must comply so long as request is in writing, signed by patient, and identifies recipient.
– May charge reasonable cost-based fee, including labor.
(164.524(c))
Notice of Privacy Practices
Notice of Privacy Practices
New Rule: In addition to items currently required, must add items to notice of privacy practices.
– Authorizations are required for most uses and disclosures of psychotherapy notes (if applicable), marketing purposes, and sale of PHI.
– Uses and disclosures not described in notice require authorizations.
– Patient may opt out of fundraising.
– Patient may restrict disclosures to health insurers if patient pays for the treatment.
– Covered entity must notify the patient of breach of unsecured PHI.
(164.520)
Notice of Privacy Practices
Changes will require distribution of new notice of privacy practices.
– Post new notice in prominent location at facility. May post summary if full notice is otherwise available to patient without patient having to request notice.
– Post new notice on website.
– Provide copy of notice to new patients.
– Provide copy of notice to other patients upon request.
– Comply with discrimination laws, e.g., may need to provide copy in another language, Braille, etc.
(164.520(c))
Additional Items
Additional issues in Omnibus Rule
Research
– Allows compound authorizations for conditioned and unconditioned research authorizations.
– Expands the ability to obtain authorizations for future research.
GINA
– Places limits on health plans’ use of genetic information in underwriting.
Issues Not Included in the Omnibus Rule
HITECH Act requirement that individuals receive portion of any fines or settlement.
– Subject to proposed rulemaking.
HITECH Act requirement that patients may obtain record of disclosures if provider maintains electronic health records.
– Proposed rule would allow patients to obtain report of everyone who accessed or disclosed information. (See 76 FR 31426, 5/31/11)
– Subject to future rulemaking.
Estimated Cost of Omnibus Rule Implementation
$114,000,000 to $225,400,000 during first year; $14,500,000 per year thereafter.
But is this based on realistic assumptions?
– 20 minutes to update notices of privacy practices.
– 90 minutes to draft new business associate agreements.
– 4 hours to investigate most breaches and 30 minutes to write notice to patient.
– 16 hours to implement administrative safeguards for security rule compliance.
Action Items
Action Items
If you are business associate,
– Make sure you comply with rules, e.g.,
  • Protect PHI consistent with HIPAA rules and business associate agreement.
  • Conduct security risk assessment.
  • Implement safeguards required by the Security Rule.
  • Notify covered entity of breaches.
– Enter business associate agreements with subcontractors.
Action Items
If you are a covered entity, make sure your business associate agreements comply.
– Obtain agreements for new business associates, including covered data transmission services.
– Review existing agreements to ensure they comply with operative rules.
– As new agreements are written or renewed, ensure they comply with new rules.
– Ensure all agreements comply by 9/23/14.
– Ensure business associates are not your agents.
Action Items
Update notice of privacy practices.
– Update notice to include new requirements by 9/23/13.
– Post updated notice and make available to patients.
Update policies to comply with new rules.
– Disclosures regarding deceased persons.
– Disclosures for school immunizations.
– Restrictions on disclosures to health insurers.
– Marketing, fundraising, and sale of PHI.
– Patient access to electronic PHI.
– Breach notification requirements.
Train employees.
Action Items
Ensure your EHR has required functionality.
– Restrictions on disclosures to health insurers.
– Consider encryption to avoid breaches.
– Provide electronic records to patients.
– Watch for final rule regarding required reports to patients regarding access or disclosure of PHI.
Action Items
If you discover breach that occurs after 3/26/13:
– Apply new standard.
– Perform risk assessment.
– If necessary, report breach in timely fashion.
Given new rules and breach notification standard, it is a good time to review your entire HIPAA compliance, including:
– Security risk assessment.
– Security rule compliance.
– Privacy and security safeguards.
– Document training.
Additional Resources
HIPAA Resources
HHS HIPAA Omnibus Rule and commentary.
– Available in Federal Register on January 25, 2013.
OCR website: www.hhs.gov/ocr/hipaa.
– FAQs, Guidance, etc.
– Past rules and commentary.
OCR listserve.
Lots of stuff on the internet.
– Be careful of the source.
HIPAA Resources
We anticipate providing additional guidance.
– Client alerts regarding aspects of the Omnibus Rule.
– Webinars regarding complying with the new rules.
– To receive or participate, send me an e-mail at [email protected] or visit www.hollandhart.com.
I anticipate preparing updated HIPAA privacy policies and forms by 3/26/13.
– Available for purchase by clients.
– Contact me at [email protected].
Additional Holland & Hart Resources
Future webinars
– Health Law Basics monthly webinar series
  • 2/12 Stark
  • 2/21 Anti-Kickback Statute
  • 2/28 Civil Monetary Penalties Law
  • 3/14 Physician Contracts
  • 4/11 HIPAA Overview
Healthcare Update and Health Law Blog
– Under “Publications” at www.hollandhart.com.
– E-mail me at [email protected].
Questions?
Kim C. Stanger, Holland & Hart LLP
[email protected]
(208) 383-3913