Hipaa privacy and security 03192014
Published in: Health & Medicine

1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. HIPAA Privacy and Security
    Presented by: Michele Madison, Partner, Healthcare & Healthcare IT Practices, Morris, Manning & Martin, LLP
    Direct: 404-504-7621
  • 2. Privacy and Security
  • 3. HIPAA Omnibus Rule Purpose
    The Final Rule addresses four proposed rules published in 2009 and 2010.
    1. Strengthen the HIPAA Privacy and Security Requirements mandated by HITECH (Proposed Rule, July 2010)
      • Strengthen restrictions on marketing and fundraising activities
      • Enhanced patient rights on access and on restricting disclosures to health plans
      • Modify the Notice of Privacy Practices
      • Modify the authorization process
      • Expands direct enforcement of HIPAA requirements and penalties to Business Associates
  • 4. HIPAA Omnibus Rule Purposes
    2. Adopt changes to the Enforcement Rule (Proposed October 2009)
      • New tiered civil monetary penalty standards
      • Increased monetary penalties
    3. Modifies the Breach Notification for Unsecured Protected Health Information by replacing the breach notification rule's "harm" threshold with a more objective standard (Proposed Rule August 2009, supplanted)
    4. Modifies HIPAA to conform with the Genetic Information Nondiscrimination Act
  • 5. Important Dates and Laws
    1. HIPAA
      • Privacy Rule effective on April 14, 2003
      • Security Rule effective on April 20, 2005
    2. HITECH signed February 17, 2009
      • Interim Final Rule on Breach of Unsecured PHI: August 24, 2009, effective on September 23, 2009
      • Interim Final Rule on Civil Monetary Penalty: October 30, 2009, effective on November 30, 2009
      • Proposed Rule on July 14, 2010
    3. GINA 2008: Proposed Rule to address HIPAA on October 7, 2009
  • 6. Effective Dates
    Final Rule Provisions:
      • Final Rule effective on March 26, 2013
      • Compliance deadline September 23, 2013 (for Privacy and Security)
      • Business Associates: flexible compliance date standards
      • Transition provisions permit time to address documents and practices to establish compliance
  • 7. Security Risk Assessment
      • Ensure the full Risk Assessment has been completed, covering Administrative, Physical and Technical Safeguards
      • This is part of the Meaningful Use requirements
  • 8. Security Breach Notification
      • Old standard: notification was required where there was a "significant risk of financial, reputational, or other harm to the individual". The burden was on the CE or BA to show there was no significant risk.
      • New standard: subject to certain existing exceptions, any access, use or disclosure of unsecured PHI in violation of the Privacy Rule is presumed a breach unless the CE or BA demonstrates a low probability that the PHI has been compromised, based on a risk assessment involving at least the following factors:
        – Nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification
        – The unauthorized person who used the PHI or to whom disclosure was made
        – Whether the PHI was actually acquired or viewed
        – Extent to which the risk to the PHI has been mitigated
      • The Rule also eliminates the exception for limited data sets that do not contain dates of birth or zip codes.
  • 9. Common Violations
      Of the 90,000 complaints investigated, the most common issues, compiled cumulatively and in order of frequency, are:
        – Impermissible uses and disclosures of protected health information;
        – Lack of safeguards of protected health information;
        – Lack of patient access to their protected health information;
        – Uses or disclosures of more than the minimum necessary protected health information; and
        – Lack of administrative safeguards of electronic protected health information.
  • 10. Most Common Violators
      The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
        – Private practices;
        – General hospitals;
        – Outpatient facilities;
        – Health plans (group health plans and health insurance issuers); and
        – Pharmacies.
  • 11. Enforcement Activities
      • Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts (APDerm): $150,000.00
      • Affinity Health Plan, Inc. will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780.
      • WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
  • 12. Major Steps to Take Now
      • Evaluate BA and subcontractor status
      • Evaluate BA and subcontractor agreements for compliance and amend as appropriate
      • Evaluate whether BAs and subcontractors are federal common law agents
      • Review Security Rule compliance
      • Implement BA policies and procedures as appropriate, for example minimum necessary
      • Amend security breach policies and procedures appropriately
      • Ensure the Security Risk Assessment and policies are completed and in effect
  • 13. Questions
      Michele Madison, Partner, Morris, Manning & Martin, LLP
      Healthcare & Healthcare IT Practices
      Direct: 404-504-7621