HIPAA Privacy and Security
New HITECH Act Requirements for 2010

Jan 13, 2010 | 1:00-2:15 pm Central

                             © 2009 Open Health IT Exchange. All rights reserved. | 011310 | Slide 1 of 29
Speakers


• Colleen Sauter, Moderator
  Administrator, OHITX



• Grant Peterson, J.D.
  DGPeterson, LLC
  HIPAA Privacy and Security Consulting




Grant Peterson, J.D.

•   Grant provides personal compliance consulting to healthcare organizations, with services
    including compliance strategies, HIPAA audits and Privacy Officer outsourcing to meet short and
    long-term needs.

•   In 2001, he developed a Web-based compliance program to deliver HIPAA training and tools in
    versions designed specifically for medical clinics, long-term care facilities and business associates.

•   Grant has more than 25 years of experience creating and managing several professional service
    firms specializing in the design, development and integration of regulatory and technology-based
    programs for insurance, banking and healthcare.

•   Grant holds a B.S. degree in Public Administration from Minnesota State University, and a Juris
    Doctor (J.D.) law degree from Hamline University School of Law.




Agenda

• Welcome

• Program Notes

• HITECH Act
  – New Privacy & Security Requirements

  – Comments on delayed FTC Red Flags Rule

• Resources

• Q&A



HIPAA Overview

HIPAA History and Timeline


HIPAA Privacy Rule     April 2003


HIPAA Security Rule    April 2005

HIPSA (Senate Bill)    July 2007

HITECH Act             February 2009




HITECH Act – H. R. 1-146

Part 1 - Improved Privacy and Security Provision

 13401   Application of Security Provisions and Penalties to Business
         Associates + HHS Annual Guidance

 13402   Notification in the Case of Breach

 13403   Education on Health Information Privacy

 13404   Application of Privacy Provisions to Business Associates of
         Covered Entities

 13405   Restrictions on Certain Disclosures and Sales of Health
         Information, Accounting of Certain PHI Disclosures, Access of
         Certain Information in Electronic Format


HITECH Act – H. R. 1-146 cont.

Part 1 cont. - Improved Privacy and Security Provision

 13406   Conditions on Certain Contacts as Part of Health Care
         Operations

 13407   Temporary Breach Notification for Vendors of PHR and other
         Non-HIPAA Covered Entities

 13408   Business Associate Contracts Required for Certain Entities

 13409   Clarification of Application of Wrongful Disclosures Criminal
         Penalties

 13410   Improved Enforcement

 13411   Audits


Business Associates – Section 13401

Application of Security Provisions and Penalties to
Business Associates + HHS Annual Guidance
•   §164.308 Administrative Safeguards (Security Rule)

•   §164.310 Physical Safeguards (Security Rule)

•   §164.312 Technical safeguards (Security Rule)

•   § 164.316 Policies and Procedures and Documentation Requirements (Security Rule)
    RESOURCE/ HIPAA Administrative Simplification

•   Application of Civil and Criminal Penalties, Sections 1176 and 1177 of the Social Security Act
    RESOURCE/ Application of Civil and Criminal Penalties

•   HHS Annual Guidance on Most Effective and Appropriate Technical Safeguards in Carrying Out
    the Above




Data Breach Notification – Section 13402

Definition of Breach
•   Is defined in the Act as ‘‘the unauthorized acquisition, access, use, or disclosure of
    protected health information (PHI) which compromises the security or privacy of such
    information, except where an unauthorized person to whom such information is
    disclosed would not reasonably have been able to retain such information.’’

•   Exceptions include cases where the unauthorized acquisition, access, or use of PHI is
    unintentional, or where it was made in good faith and the information is not further
    acquired, accessed, used, or disclosed.

•   The risk of harm standard requires that a Covered Entity undertake
    some form of risk assessment in the event of a breach, and based
    upon the assessment, determine in good faith whether it is necessary
    to notify the individual of the breach.
    RESOURCE/ HIPAA Breach Notification




Breach Notification – Section 13402 cont.

Breach of “Unsecured” Protected Health Information

•   Section 13402(h) of the Act defines ‘‘unsecured protected health information’’ to
    mean protected health information that is not secured through the use of a
    technology or methodology specified by the Secretary in guidance.

•   According to HHS, the specified technologies and methodologies “create the
    functional equivalent of a safe harbor.”

•   HHS explains what is secured through the use of a technology or methodology:
    “In consultation with information security experts at NIST, we have identified two
    methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized
    individuals:

        1.   encryption
        2.   destruction”



Breach Notification – Section 13402 cont.

Following the discovery of a breach of unsecured PHI

•   A covered entity must notify each individual whose unsecured PHI has been, or is
    reasonably believed to have been, inappropriately accessed, acquired, or disclosed in
    the breach [section 13402(a)]

•   Additionally, following the discovery of a breach by a business associate, the business
    associate must notify the covered entity of the breach and identify for the covered
    entity the individuals whose unsecured PHI has been, or is reasonably believed to have
    been, breached [section 13402(b)]

•   The Act requires the notifications to be made without unreasonable delay but in no
    case later than 60 calendar days after discovery of the breach




Breach Notification – Section 13402 cont.

Notice following the discovery of a breach
•   The notice shall be made in writing, except under circumstances where the Covered
    Entity does not have the correct contact information for the affected individual, or
    where there is particular urgency to the notification. The notice to affected
    individuals must contain the following 5 elements:

    1.   A brief description of what occurred with respect to the breach, including, to
         the extent known, the date of the breach and the date on which the breach was
         discovered;
    2.   A description of the types of unsecured PHI that were disclosed during the
         breach;
    3.   A description of the steps the affected individual should take in order to
         protect himself or herself from potential harm caused by the breach;
    4.   A description of what the Covered Entity is doing to investigate and mitigate
         the breach and to prevent future breaches; and
    5.   Instructions for the individual to contact the Covered Entity


Education – Section 13403

Education on Health Information Privacy

•   Regional Office Privacy Advisors and Education Initiative

•   Guidance and Education to covered entities, business associates and
    individuals on rights and responsibilities related to federal privacy and
    security requirements for protected health information




Business Associate – Section 13404

Application of Privacy Provisions to Business
Associates of Covered Entities
•   Section 13404 of the Act requires HIPAA business associates to comply with 45 CFR
    § 164.504(e), which sets forth the privacy terms required in HIPAA business associate
    agreements. While these contract obligations have always been enforceable by
    covered entities, they are now enforceable by the government through HIPAA.
    Business associates also are required to comply with the additional privacy
    requirements imposed by the Act described below.

•   A business associate must take reasonable steps to cure a breach of, or terminate, a
    Business Associate Agreement if it becomes aware of a pattern of activity or practice
    by a covered entity that violates the agreement. If the business associate
    fails to take reasonable steps to cure the breach, terminate the
    agreement, or report the problem to HHS, then the business associate
    may be liable for civil and/or criminal penalties under the Act.
    RESOURCE/ Sample Business Associate Agreement (BAA)


Restrictions, Accounting, Access – Section 13405

Restrictions on Certain Disclosures and Sales of Health
Information, Accounting of Certain PHI Disclosures,
Access of Certain Information in Electronic Format

•   13405(a) A covered entity must comply with the requested restriction if the disclosure
    would be to a health plan for purposes of carrying out payment or health care
    operations—but not for treatment; and the PHI pertains solely to a health care item or
    service for which the health care provider involved has been fully paid by the patient.

•   13405(b) Disclosures limited to the Limited Data Set or Minimum Necessary. The Act
    requires the Covered Entity to make the determination of Minimum Necessary, rather
    than relying on others.

•   Section 13405(c) of the Act provides that disclosures made through an EHR for
    treatment, payment and health care operations purposes must be included in the
    accounting, but information is limited to three years of disclosure information (rather
    than six).


Restrictions, Accounting, Access – Section 13405 cont.

Restrictions on Certain Disclosures and Sales of Health
Information, Accounting of Certain PHI Disclosures,
Access of Certain Information in Electronic Format
•   Section 13405(d) of the Act now prohibits indirect and direct remuneration for a
    disclosure of PHI without the individual’s authorization. The authorization document
    must also explain whether PHI can be further exchanged for remuneration by the
    downstream entity receiving the PHI. The statute contains several exceptions where a
    covered entity is still permitted to receive remuneration for disclosures, such as public
    health, research, treatment, sale or merger of a CE, to a business associate for work
    functions, to an individual who requests copies of their PHI etc.

•   Section 13405(e): where the CE uses or maintains an EHR, individuals have
    the right to obtain a copy of their PHI in electronic format.




Marketing – Section 13406

Conditions on Certain Contacts as Part of Health
Care Operations

•   Under Section 13406(a), communications that are deemed part of health care operations
    and excluded from the definition of marketing as contained in 164.501(1)(i), (ii) or (iii)
    are now limited to those communications for which the covered entity has not been
    paid directly or indirectly, unless the communication involves a drug or biologic
    currently being prescribed. Otherwise, an authorization from the individual is needed.

•   Section 13406(b): all fund-raising communications must provide the opportunity to
    opt out of receiving further communications.




Temporary Breach Notification – Section 13407

Temporary Breach Notification Requirement for Vendors of Personal
Health Records and Other Non-HIPAA Covered Entities

•   The HITECH Act includes two sets of new breach notification requirements. Section
    13402 (previously discussed) of the HITECH Act requires HIPAA covered entities to
    notify individuals if there has been a breach involving their “unsecured PHI.” Section
    13407 of the HITECH Act includes breach notification requirements for vendors of
    personal health records (PHR) and related entities that are not subject to the HIPAA
    requirements and therefore not covered by the Section 13402 requirements.

•   Federal Trade Commission, Health Breach Notification Rule, 16 CFR Part 318 was
    created pursuant to HITECH Act Section 13407(g). The rule requires vendors of
    personal health records and related entities to notify consumers when
    the security of their individually identifiable health information has
    been breached. The rule is effective September 24, 2009.
    Full compliance is required by February 22, 2010.
    RESOURCE/ HIPAA Breach Notification



Business Associate Contracts – Section 13408

Business Associate Contracts Required for Certain Entities

•   Section 13408 of the Act identifies additional entities that are to be considered
    business associates and with whom covered entities must have written agreements (or
    other arrangement). These are organizations that transmit protected health
    information to the covered entity (or its business associates), such as a Health
    Information Exchange Organization, a Regional Health Information Organization, or an
    E-prescribing Gateway. Likewise, each vendor that contracts with a Covered Entity to offer a
    Personal Health Record as part of its EHR is required to enter into a written contract
    and shall be treated as a business associate.




Wrongful Disclosures – Section 13409

Clarification of Application of Wrongful Disclosures
Criminal Penalties
•   Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the
    end the following new sentence: “For purposes of the previous sentence, a person (including
    an employee or other individual) shall be considered to have obtained or disclosed
    individually identifiable health information in violation of this part if the information is
    maintained by a covered entity (as defined in the HIPAA privacy regulation described in
    section 1180(b)(3)) and the individual obtained or disclosed such information without
    authorization.” This provision clarifies that an individual does not need to be a HIPAA covered
    entity to be subject to the criminal penalties in 42 U.S.C. § 1320d-6(a).

•   The base penalty is a $50,000 fine, imprisonment for not more than one year, or both. For
    offenses committed under false pretenses, the fine is not more than $100,000, imprisonment
    for not more than five years, or both. And if the offense is committed with the intent to sell,
    transfer, or use individually identifiable health information for commercial advantage,
    personal gain, or malicious harm, the fine is not more than $250,000, imprisonment for not
    more than 10 years, or both.



Improved Enforcement – Section 13410

Improved Enforcement
•   Section 13410 makes a variety of changes to the civil penalty provisions. First, the Act
    adds that noncompliance due to willful neglect requires HHS to formally investigate a
    complaint and to impose a civil penalty. HHS is required to implement regulations,
    and these statutory amendments will be effective in 24 months.

•   The section also requires civil penalties collected for privacy or security violations to
    go to the HHS Office for Civil Rights to fund enforcement. The Government
    Accountability Office is also directed to issue a report on sharing a percentage of
    these penalties with individuals who are harmed, and HHS is directed to issue
    regulations within three years.

•   State Attorneys General may bring a civil action to enjoin privacy or security
    violations or obtain damages on behalf of state residents for such violations.




Improved Enforcement – Section 13410 cont.

Enhanced Enforcement Options and Increased
Penalties for Non-Compliance
•   The Act also increases the amount of civil penalties from the present $100 per violation (up to $25,000 per
    identical violation), to the following tiered civil penalties:

      1.   If the person did not know (and by exercising reasonable diligence would not have known) that such
           person violated a provision, the civil penalty is between $100 - $50,000 for each violation, up to a total
           of $25,000 - $1,500,000 for all violations of an identical requirement;

      2.   If the violation was due to reasonable cause and not to willful neglect, the civil penalty is between
           $1,000 - $50,000 for each violation, up to a total of $100,000 - $1,500,000 for all violations of an
           identical requirement;

      3.   If the violation was due to willful neglect, the civil penalty is between $10,000 - $50,000 for each
           violation, up to a total of $250,000 - $1,500,000 for all violations of an identical requirement, if the
           violation was corrected during the 30-day period beginning on the first date the person liable for the
           penalty knew, or by exercising reasonable diligence would have known, that the failure to comply
           occurred;

      4.   If the violation is not corrected within 30 days, the penalties increase to $50,000 for each violation, up
           to a total of $1,500,000 for all violations of an identical requirement.



Audits – Section 13411 cont.


Audits

•   Section 13411 requires the Secretary of HHS to conduct periodic audits to
    ensure that covered entities and business associates are in compliance with
    HIPAA. Covered entities and business associates should prepare for audits to
    begin no later than February 17, 2010 for all HIPAA requirements.




FTC Red Flags Rule

Red Flag Rule
•    The Identity Theft Red Flags Rule was promulgated under the Fair and Accurate Credit Transactions
     Act, in which Congress directed the Commission and other agencies to develop regulations requiring
     “creditors” and “financial institutions” to address the risk of identity theft.

•    Health care providers who periodically allow patients to pay for medical services over time through a
     series of payments should have written policies that identify the “red flags” or indicators of possible
     identity theft they may come across in the course of business, establish procedures to detect those red
     flags and to respond appropriately to mitigate and prevent harm, and develop procedures for training
     staff and keeping applicable policies current. Health care providers should also have procedures in
     place to ensure that their vendors are in compliance with the Red Flag Rules, either by amending existing
     business associate agreements or by asking for copies of the vendors’ Red Flag policies.

•    The Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until
     June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.
     RESOURCE/ Red Flag Rule




HIPAA Privacy and Security Assessment

Framework for Managing Risk

  •   PHI, ePHI, Patient, Organization, Vendors
  •   Methodical, repeatable, risk-based approach to implementing effective risk
      management
  •   Life cycle that facilitates continuous monitoring and improvement
  •   Purpose and scope
  •   Applicability
  •   Audience
  •   How and why to use assessment
      RESOURCES/ CMS Security Audit




Next Steps
Tasks (mark each as completed):

•   Amend Business Associate Agreements:
    – New Obligations
    – Red Flags Rule

•   Create Policies & Procedures to Address Notification of Breach

•   Create Policies & Procedures to Address:
    – Disclosures and Sales of Health Information
    – Accounting of PHI
    – Disclosures and Access of Certain Information in Electronic Format

•   Amend Marketing Policies & Procedures, Review Communications, Need for
    Authorization and Fund Raising Opt-Out

•   Review Health Breach Notification, Create Policies & Procedures as Required

•   Create Policy & Procedures on Wrongful Disclosures

•   Develop Training & Awareness Campaign to Address HITECH Act

•   Consider Framework to Manage HIPAA Compliance

    RESOURCES/ Standards Checklist and 2010 New Guidelines



Q&A




Thank You!

For more information on OHITX or today’s session, please contact
Colleen Sauter csauter@ohitx.org.

To access the resource section, please click here:


Disclaimer

This Webinar IS NOT Legal Advice

•   These materials should not be considered as, or as a substitute for, legal advice and they
    are not intended to, nor do they create an attorney-client relationship. Because the
    materials included here are general, they may not apply to a particular individual legal
    or factual circumstance.

•   The reader should not take, or refrain from taking, any action based on the information
    contained herein without first obtaining professional counsel.

•   The views expressed herein do not necessarily reflect the views of OHITX.




HIPAA compliance report submitted to Congress by DHHS OCRDavid Sweigert
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...susmitaghosh93
 
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...Michigan Primary Care Association
 
Presentation hippa
Presentation hippaPresentation hippa
Presentation hippamaggie_Platt
 
Rightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloudRightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloudRightScale
 
HIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upHIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upDavid Sweigert
 
health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxamartya2087
 

Similar to 2010 Hipaa Rules 011310 (20)

What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About Privacy
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!
 
Protecting patient privacy
Protecting patient privacyProtecting patient privacy
Protecting patient privacy
 
HIPAA Part I the Law Test
HIPAA Part I  the Law TestHIPAA Part I  the Law Test
HIPAA Part I the Law Test
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy   Now!What You Need To Know About Privacy   Now!
What You Need To Know About Privacy Now!
 
What You Need To Know About Privacy Now!
What You Need To Know About Privacy   Now!What You Need To Know About Privacy   Now!
What You Need To Know About Privacy Now!
 
HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to know
 
Hipaa for business associates simple
Hipaa for business associates   simpleHipaa for business associates   simple
Hipaa for business associates simple
 
HNI U: HIPAA Essentials
HNI U: HIPAA EssentialsHNI U: HIPAA Essentials
HNI U: HIPAA Essentials
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & Security
 
HIPAA compliance report submitted to Congress by DHHS OCR
HIPAA compliance report submitted to Congress by DHHS OCRHIPAA compliance report submitted to Congress by DHHS OCR
HIPAA compliance report submitted to Congress by DHHS OCR
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
 
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
 
Presentation hippa
Presentation hippaPresentation hippa
Presentation hippa
 
Rightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloudRightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloud
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
HIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upHIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats up
 
health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptx
 
Chapter07
Chapter07Chapter07
Chapter07
 
Chapter07
Chapter07Chapter07
Chapter07
 

More from GuardEra Access Solutions, Inc.

Valiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & CostValiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & CostGuardEra Access Solutions, Inc.
 

More from GuardEra Access Solutions, Inc. (20)

HIPAA Regs
HIPAA RegsHIPAA Regs
HIPAA Regs
 
HITECH Modifications to HIPAA
HITECH Modifications to HIPAAHITECH Modifications to HIPAA
HITECH Modifications to HIPAA
 
Patrick Notley1
Patrick Notley1Patrick Notley1
Patrick Notley1
 
Awarenesstechnologies Intro Document
Awarenesstechnologies Intro DocumentAwarenesstechnologies Intro Document
Awarenesstechnologies Intro Document
 
Mx Pb En 100929
Mx Pb En 100929Mx Pb En 100929
Mx Pb En 100929
 
Rp 2010 data-breach-report-en_xg
Rp 2010 data-breach-report-en_xgRp 2010 data-breach-report-en_xg
Rp 2010 data-breach-report-en_xg
 
Deepwater Horizon
Deepwater HorizonDeepwater Horizon
Deepwater Horizon
 
Cloud Computing Payback
Cloud Computing PaybackCloud Computing Payback
Cloud Computing Payback
 
10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate Secrets10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate Secrets
 
Security Breach Laws
Security Breach LawsSecurity Breach Laws
Security Breach Laws
 
2010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V12010 New Guidelines Hipaa Checklist V1
2010 New Guidelines Hipaa Checklist V1
 
Og Disparate It Mgmt Tool Impact Report
Og Disparate It Mgmt Tool Impact ReportOg Disparate It Mgmt Tool Impact Report
Og Disparate It Mgmt Tool Impact Report
 
Accel Ops Brochure0609
Accel Ops Brochure0609Accel Ops Brochure0609
Accel Ops Brochure0609
 
Healthcare Data Security Update
Healthcare Data Security UpdateHealthcare Data Security Update
Healthcare Data Security Update
 
HITECH Act
HITECH ActHITECH Act
HITECH Act
 
EMR Yes- No
EMR Yes- NoEMR Yes- No
EMR Yes- No
 
SourceFire IPS Overview
SourceFire IPS OverviewSourceFire IPS Overview
SourceFire IPS Overview
 
Closing the Clinical IT Chasm
Closing the Clinical IT ChasmClosing the Clinical IT Chasm
Closing the Clinical IT Chasm
 
Valiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & CostValiente Balancing It SecurityCompliance, Complexity & Cost
Valiente Balancing It SecurityCompliance, Complexity & Cost
 
2009 Databreach Report
2009 Databreach Report2009 Databreach Report
2009 Databreach Report
 

2010 Hipaa Rules 011310

6. HITECH Act – H. R. 1-146

Part 1 - Improved Privacy and Security Provision

13401 Application of Security Provisions and Penalties to Business Associates + HHS Annual Guidance
13402 Notification in the Case of Breach
13403 Education on Health Information Privacy
13404 Application of Privacy Provisions to Business Associates of Covered Entities
13405 Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format

7. HITECH Act – H. R. 1-146 cont.

Part 1 cont. - Improved Privacy and Security Provision

13406 Conditions on Certain Contacts as Part of Health Care Operations
13407 Temporary Breach Notification for Vendors of PHR and other Non-HIPAA Covered Entities
13408 Business Associate Contracts Required for Certain Entities
13409 Clarification of Application of Wrongful Disclosures Criminal Penalties
13410 Improved Enforcement
13411 Audits

8. Business Associates – Section 13401

Application of Security Provisions and Penalties to Business Associates + HHS Annual Guidance

• §164.308 Administrative Safeguards (Security Rule)
• §164.310 Physical Safeguards (Security Rule)
• §164.312 Technical Safeguards (Security Rule)
• §164.316 Policies and Procedures and Documentation Requirements (Security Rule)
  RESOURCE/ HIPAA Administrative Simplification
• Application of Civil and Criminal Penalties, Sections 1176 and 1177 of the Social Security Act
  RESOURCE/ Application of Civil and Criminal Penalties
• HHS Annual Guidance on Most Effective and Appropriate Technical Safeguards in Carrying Out the Above

9. Data Breach Notification – Section 13402

Definition of Breach

• Is defined in the Act as "the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information."
• Exceptions include: the unauthorized acquisition, access, or use of PHI is unintentional, or such acquisition, access, or use was made in good faith and the information is not further acquired, accessed, used, or disclosed.
• The risk of harm standard requires that a Covered Entity undertake some form of risk assessment in the event of a breach and, based upon the assessment, determine in good faith whether it is necessary to notify the individual of the breach.
  RESOURCE/ HIPAA Breach Notification

10. Breach Notification – Section 13402 cont.

Breach of "Unsecured" Protected Health Information

• Section 13402(h) of the Act defines "unsecured protected health information" to mean protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance.
• According to HHS, the specified technologies and methodologies "create the functional equivalent of a safe harbor."
• HHS explains what is secured through the use of a technology or methodology: "In consultation with information security experts at NIST, we have identified two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals":
  1. encryption
  2. destruction

11. Breach Notification – Section 13402 cont.

Following the discovery of a breach of unsecured PHI

• A covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, inappropriately accessed, acquired, or disclosed in the breach [section 13402(a)].
• Additionally, following the discovery of a breach by a business associate, the business associate must notify the covered entity of the breach and identify for the covered entity the individuals whose unsecured PHI has been, or is reasonably believed to have been, breached [section 13402(b)].
• The Act requires the notifications to be made without unreasonable delay, but in no case later than 60 calendar days after discovery of the breach.

12. Breach Notification – Section 13402 cont.

Notice Following the discovery of a breach

• The notice shall be made in writing, except under circumstances where the Covered Entity does not have the correct contact information for the affected individual, or where there is particular urgency to the notification. The notice to affected individuals must contain the following 5 elements:
  1. A brief description of what occurred with respect to the breach, including, to the extent known, the date of the breach and the date on which the breach was discovered;
  2. A description of the types of unsecured PHI that were disclosed during the breach;
  3. A description of the steps the affected individual should take in order to protect himself or herself from potential harm caused by the breach;
  4. A description of what the Covered Entity is doing to investigate and mitigate the breach and to prevent future breaches; and
  5. Instructions for the individual to contact the Covered Entity.

13. Education – Section 13403

Education on Health Information Privacy

• Regional Office Privacy Advisors and Education Initiative
• Guidance and education to covered entities, business associates and individuals on rights and responsibilities related to federal privacy and security requirements for protected health information

14. Business Associate – Section 13404

Application of Privacy Provisions to Business Associates of Covered Entities

• Section 13404 of the Act requires HIPAA business associates to comply with 45 CFR § 164.504(e), which sets forth the privacy terms required in HIPAA business associate agreements. While these contract obligations have always been enforceable by covered entities, they are now enforceable by the government through HIPAA. Business associates also are required to comply with the additional privacy requirements imposed by the Act described below.
• A business associate must take reasonable steps to cure a breach of, or terminate, a Business Associate Agreement if it becomes aware of a pattern of activity or practice by a covered entity that violates the agreement. If a business associate fails to take reasonable steps to cure the breach, terminate the agreement, or report the problem to HHS, then the business associate may be liable for civil and/or criminal penalties under the Act.
  RESOURCE/ Sample Business Associate Agreement (BAA)

15. Restrictions, Accounting, Access – Section 13405

Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format

• 13405(a) A covered entity must comply with the requested restriction if the disclosure would be to a health plan for purposes of carrying out payment or health care operations—but not for treatment; and the PHI pertains solely to a health care item or service for which the health care provider involved has been fully paid by the patient.
• 13405(b) Disclosures are limited to the Limited Data Set or Minimum Necessary. The Act requires the Covered Entity to make the determination of Minimum Necessary, rather than relying on others.
• Section 13405(c) of the Act provides that disclosures made through an EHR for treatment, payment and health care operations purposes must be included in the accounting, but the information is limited to three years of disclosure information (rather than six).

16. Restrictions, Accounting, Access – Section 13405 cont.

Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format

• Section 13405(d) of the Act now prohibits indirect and direct remuneration for a disclosure of PHI without the individual's authorization. The authorization document must also explain whether PHI can be further exchanged for remuneration by the downstream entity receiving the PHI. The statute contains several exceptions where a covered entity is still permitted to receive remuneration for disclosures, such as public health, research, treatment, sale or merger of a CE, to a business associate for work functions, to an individual who requests copies of their PHI, etc.
• Section 13405(e) In the case that the CE uses or maintains an EHR, individuals have the right to obtain a copy in electronic format.

17. Marketing – Section 13406

Conditions on Certain Contacts as Part of Health Care Operations

• Under Section 13406(a), communications which are deemed part of health care operations and excluded from the definition of marketing as contained in 164.501(1)(i), (ii) or (iii) are now limited to those communications for which the covered entity has not been paid directly or indirectly, unless the communication involves a drug or biologic currently being prescribed. Otherwise, an authorization from the individual is needed.
• Section 13406(b) All fund-raising communications must provide for the opportunity to opt out of receiving further communications.

18. Temporary Breach Notification – Section 13407

Temporary Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities

• The HITECH Act includes two sets of new breach notification requirements. Section 13402 (previously discussed) of the HITECH Act requires HIPAA covered entities to notify individuals if there has been a breach involving their "unsecured PHI." Section 13407 of the HITECH Act includes breach notification requirements for vendors of personal health records (PHR) and related entities that are not subject to the HIPAA requirements and therefore not covered by the Section 13402 requirements.
• The Federal Trade Commission Health Breach Notification Rule, 16 CFR Part 318, was created pursuant to HITECH Act Section 13407(g). The rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.
  RESOURCE/ HIPAA Breach Notification

19. Business Associate Contracts – Section 13408

Business Associate Contracts Required for Certain Entities

• Section 13408 of the Act identifies additional entities that are to be considered business associates and with whom covered entities must have written agreements (or other arrangement). These are organizations that transmit protected health information to the covered entity (or its business associates), such as a Health Information Exchange Organization, a Regional Health Information Organization, an E-prescribing Gateway, or each vendor that contracts with a Covered Entity to offer a Personal Health Record as part of its EHR. Each such entity is required to enter into a written contract and shall be treated as a business associate.

20. Wrongful Disclosures – Section 13409

Clarification of Application of Wrongful Disclosures Criminal Penalties

• Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the end the following new sentence: "For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization." This provision clarifies that an individual does not need to be a HIPAA covered entity to be subject to the criminal penalties in 42 U.S.C. § 1320d-6(a).
• The base penalty is a $50,000 fine, imprisonment for not more than one year, or both. For offenses committed under false pretenses, the fine is not more than $100,000, imprisonment for not more than five years, or both. And if the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the fine is not more than $250,000, imprisonment for not more than 10 years, or both.

21. Improved Enforcement – Section 13410

Improved Enforcement

• Section 13410 makes a variety of changes to the civil penalty provisions. First, the Act adds that noncompliance due to willful neglect requires HHS to formally investigate a complaint and to impose a civil penalty. HHS is required to implement regulations, and these statutory amendments will be effective in 24 months.
• The section also requires civil penalties collected for privacy or security violations to go to the HHS Office for Civil Rights to fund enforcement. The Government Accountability Office is also directed to issue a report on sharing a percentage of these penalties with individuals who are harmed, and HHS is directed to issue regulations within three years.
• State Attorneys General may bring a civil action to enjoin privacy or security violations or obtain damages on behalf of state residents for such violations.

22. Improved Enforcement – Section 13410 cont.

Enhanced Enforcement Options and Increased Penalties for Non-Compliance

• The Act also increases the amount of civil penalties from the present $100 per violation (up to $25,000 per identical violation) to the following tiered civil penalties:
  1. If the person did not know (and by exercising reasonable diligence would not have known) that such person violated a provision, the civil penalty is between $100 - $50,000 for each violation, up to a total of $25,000-$1,500,000 for all violations of an identical requirement;
  2. If the violation was due to reasonable cause and not to willful neglect, the civil penalty is between $1,000 - $50,000 for each violation, up to a total of $100,000-$1,500,000 for all violations of an identical requirement;
  3. If the violation was due to willful neglect, the civil penalty is between $10,000 - $50,000 for each violation, up to a total of $250,000-$1,500,000 for all violations of an identical requirement, if the violation was corrected during the 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred;
  4. If the violation is not corrected within 30 days, the penalties increase to $50,000 for each violation, up to a total of $1,500,000 for all violations of an identical requirement.

23. Audits – Section 13411 cont.

Audits

• Section 13411 requires the Secretary of HHS to conduct periodic audits to ensure that covered entities and business associates are in compliance with HIPAA. Covered entities and business associates should prepare for audits to begin no later than February 17, 2010 for all HIPAA requirements.

24. FTC Red Flags Rule

Red Flag Rule

• The Identity Theft Red Flags Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft.
• Health care providers who periodically allow patients to pay for medical services over time through a series of payments should have written policies that identify the "red flags" or indicators of possible identity theft they may come across in the course of business, establish procedures to detect those red flags and to respond appropriately to mitigate and prevent harm, and develop procedures for training staff and keeping applicable policies current. Health care providers should also have procedures in place to ensure that their vendors are in compliance with the Red Flag Rules, amending existing business associate agreements or asking for copies of the vendors' Red Flag policies.
• The Federal Trade Commission is delaying enforcement of the "Red Flags" Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.
  RESOURCE/ Red Flag Rule

25. HIPAA Privacy and Security Assessment

Framework for Managing Risk

• PHI, ePHI, Patient, Organization, Vendors
• Methodical, repeatable, risk-based approach to implementing effective risk management
• Life cycle that facilitates continuous monitoring and improvement
• Purpose and scope
• Applicability
• Audience
• How and why to use assessment
  RESOURCES/ CMS Security Audit

26. Next Steps

Task (Completed)

• Amend Business Associate Agreements:
  – New Obligations
  – Red Flags Rule
• Create Policies & Procedures to Address Notification of Breach
• Create Policies & Procedures to Address:
  – Disclosures and Sales of Health Information
  – Accounting of PHI
  – Disclosures and Access of Certain Information in Electronic Format
• Amend Marketing Policies & Procedures, Review Communications, Need for Authorization and Fund Raising Opt-Out
• Review Health Breach Notification, Create Policies & Procedures as Required
• Create Policy & Procedures on Wrongful Disclosures
• Develop Training & Awareness Campaign to Address HITECH Act
• Consider Framework to Manage HIPAA Compliance
  RESOURCES/ Standards Checklist and 2010 New Guidelines

27. Q&A

28. Thank You!

For more information on OHITX or today's session, please contact Colleen Sauter csauter@ohitx.org. To access the resource section, please click here:

29. Disclaimer

This Webinar IS NOT Legal Advice

• These materials should not be considered as, or as a substitute for, legal advice, and they are not intended to, nor do they, create an attorney-client relationship. Because the materials included here are general, they may not apply to a particular individual legal or factual circumstance.
• The reader should not take, or refrain from taking, any action based on the information contained herein without first obtaining professional counsel.
• The views expressed herein do not necessarily reflect the views of OHITX.