HIPAA Omnibus presentation webinar

Description of the changes to HIPAA and HITECH made by the new Omnibus Rules as they affect Business Associates.

Published in: Health & Medicine

  1. Humongous Insurance
     HIPAA New Final Omnibus Rule: “Key Business Associate Implications for Your Organization”
  2. Your Presenter
     A.J. (Andy) Weitzberg
     President of HIPAA Continuity Planners
     President of the Association of Contingency Planners, Long Island Chapter
     © HIPAA Continuity Planners 2013
  3. History
     • Health Insurance Portability and Accountability Act (HIPAA) of 1996
     • The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009
     • Omnibus Rule of 2013
  4. Omnibus Rule conforms HIPAA regulations to HITECH Act changes:
     – Before HITECH, BAs were regulated through business associate contracts or agreements ("BAAs")
     – After HITECH, BAs and subcontractors are now regulated directly under HIPAA, therefore they:
       • Must comply with the Security Rule
       • Must comply with some of the Privacy Rule and the provisions of the BAA
  5. By the Numbers from August 2009 through December 2012*
     • 538 breaches of protected health information (PHI)
     • 21,408,505 patient health records affected
     • 21.5% increase in # of large breaches in 2012 over 2011
     • but… a 77% decrease in # of patient records impacted
     • 67% of all breaches have been the result of theft or loss
     • 57% of all patient records breached involved a business associate
     • 5X: historically, breaches at business associates have impacted 5 times as many patient records as those at a covered entity
     • 38% of incidents were the result of an unencrypted laptop or other portable electronic device
     • 63.9% of total records breached in 2012 resulted from the 5 largest incidents
     • 780,000: number of records breached in the single largest incident of 2012
     *These numbers include breaches that affected >500 individuals and were reported to HHS from August 2009 to January 17, 2013.
  6. Expanded definition of “Business Associates”
     • "Business associate" means one who, on behalf of a covered entity, creates, receives, maintains or transmits PHI*
     • Now also means a "subcontractor of a business associate" who creates, receives, maintains or transmits PHI* on behalf of a business associate
     • Status as a BA is based upon role and responsibilities, not upon who the parties to the contract are
     • The contract between the covered entity's BA and that BA's subcontractor must satisfy the BA agreement requirements
     *Personal Health Information
  7. Business Associate - Consequences
     • Secretary (HHS) authorized to receive and investigate complaints against BAs (including subcontractors), and to take action regarding complaints and noncompliance
     • BAs (incl. subs) required to maintain records and submit compliance reports to the Secretary, cooperate in complaint investigations and compliance reviews, and give the Secretary access to information
     • BAs (incl. subs) forbidden to intimidate, discriminate against, etc. those who make complaints, cooperate with regulators or oppose unlawful actions
     • BAs (incl. subcontractors) subject to civil money penalties for HIPAA violations
     • BAs/Subs remain liable under contract to the Covered Entity and BA
  8. How do these updates affect your Business?
     As a “Business Associate” you have HIPAA/HITECH Compliance Requirements:
     1. A Written Risk Analysis
     2. A Written Continuity Plan
     3. Documented Security Practices and Procedures
     4. An Incident Response Plan (Breach Response)
     5. Termination Procedures
     6. A Record Disposal Procedure for Electronic Media and Paper Records
     7. Employee Training Program
     8. Documentation and Logs
  9. Penalties for Your non-Compliance
     CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE
     Violation Category (Section 1176(a)(1))  | Each Violation       | All such violations of an identical provision in a calendar year
     (A) Did Not Know                          | $100 to $50,000      | Max $1,500,000
     (B) Reasonable Cause                      | $1,000 to $50,000    | Max $1,500,000
     (C)(i) Willful Neglect - Corrected        | $10,000 to $50,000   | Max $1,500,000
     (C)(ii) Willful Neglect - Not Corrected   | $50,000              | $1,500,000
  10. Are you a “Business Associate”?
      Illustration of the types of firms that are now considered “Business Associates”
      • IT Support and Software Vendors
      • IT Equipment Vendors
      • Leasing firms
      • Telephone CPE Vendors
      • Shredding Vendors
      • Data Centers
      • Cloud Computing Providers
      • Answering Services for Medical Offices
      • Medical Billing Services
      • Medical Transcription Services
      • Medical Collection Agencies
      • Temporary Employment Agencies
  11. Questions
      A.J. (Andy) Weitzberg, President, HIPAA Continuity Planners
      Email: AJ@HIPAACP.COM
      1.800.654.2041 Toll Free
      1.631.654.4001 Office
      1.516.641.4001 Mobile