2010 Hipaa Rules 011310
GuardEra Access Solutions, Inc.
2010 updates to HIPAA Security
1. HIPAA Privacy and Security
New HITECH Act Requirements for 2010
Jan 13, 2010 | 1:00-2:15 pm Central
© 2009 Open Health IT Exchange. All rights reserved. | 011310 | Slide 1 of 29
2. Speakers
• Colleen Sauter, Moderator; Administrator, OHITX
• Grant Peterson, J.D.; DGPeterson, LLC, HIPAA Privacy and Security Consulting
3. Grant Peterson, J.D.
• Grant provides personal compliance consulting to healthcare organizations, with services including compliance strategies, HIPAA audits and Privacy Officer outsourcing to meet short and long-term needs.
• In 2001, he developed a Web-based compliance program to deliver HIPAA training and tools in versions designed specifically for medical clinics, long-term care facilities and business associates.
• Grant has more than 25 years of experience creating and managing several professional service firms specializing in the design, development and integration of regulatory and technology-based programs for insurance, banking and healthcare.
• Grant holds a B.S. degree in Public Administration from Minnesota State University, and a Juris Doctor (J.D.) law degree from Hamline University School of Law.
4. Agenda
• Welcome
• Program Notes
• HITECH Act
  – New Privacy & Security Requirements
  – Comments on delayed FTC Red Flags Rule
• Resources
• Q&A
5. HIPAA Overview: HIPAA History and Timeline
• HIPAA Privacy Rule – April 2003
• HIPAA Security Rule – April 2005
• HIPSA (Senate Bill) – July 2007
• HITECH Act – February 2009
6. HITECH Act – H. R. 1-146
Part 1 - Improved Privacy and Security Provision
• 13401 Application of Security Provisions and Penalties to Business Associates + HHS Annual Guidance
• 13402 Notification in the Case of Breach
• 13403 Education on Health Information Privacy
• 13404 Application of Privacy Provisions to Business Associates of Covered Entities
• 13405 Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format
7. HITECH Act – H. R. 1-146 cont.
Part 1 cont. - Improved Privacy and Security Provision
• 13406 Conditions on Certain Contacts as Part of Health Care Operations
• 13407 Temporary Breach Notification for Vendors of PHR and other Non-HIPAA Covered Entities
• 13408 Business Associate Contracts Required for Certain Entities
• 13409 Clarification of Application of Wrongful Disclosures Criminal Penalties
• 13410 Improved Enforcement
• 13411 Audits
8. Business Associates – Section 13401
Application of Security Provisions and Penalties to Business Associates + HHS Annual Guidance
• §164.308 Administrative Safeguards (Security Rule)
• §164.310 Physical Safeguards (Security Rule)
• §164.312 Technical Safeguards (Security Rule)
• §164.316 Policies and Procedures and Documentation Requirements (Security Rule)
RESOURCE: HIPAA Administrative Simplification
• Application of Civil and Criminal Penalties, Sections 1176 and 1177 of the Social Security Act
RESOURCE: Application of Civil and Criminal Penalties
• HHS Annual Guidance on Most Effective and Appropriate Technical Safeguards in Carrying Out the Above
9. Data Breach Notification – Section 13402
Definition of Breach
• Breach is defined in the Act as “the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
• Exceptions include cases where the unauthorized acquisition, access, or use of PHI is unintentional, or where it was made in good faith and the information is not further acquired, accessed, used, or disclosed.
• The risk of harm standard requires that a Covered Entity undertake some form of risk assessment in the event of a breach and, based upon the assessment, determine in good faith whether it is necessary to notify the individual of the breach.
RESOURCE: HIPAA Breach Notification
10. Breach Notification – Section 13402 cont.
Breach of “Unsecured” Protected Health Information
• Section 13402(h) of the Act defines “unsecured protected health information” to mean protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance.
• According to HHS, the specified technologies and methodologies “create the functional equivalent of a safe harbor.”
• HHS explains what is secured through the use of a technology or methodology: “In consultation with information security experts at NIST, we have identified two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals:”
  1. encryption
  2. destruction
11. Breach Notification – Section 13402 cont.
Following the discovery of a breach of unsecured PHI
• A covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, inappropriately accessed, acquired, or disclosed in the breach [section 13402(a)].
• Additionally, following the discovery of a breach by a business associate, the business associate must notify the covered entity of the breach and identify for the covered entity the individuals whose unsecured PHI has been, or is reasonably believed to have been, breached [section 13402(b)].
• The Act requires the notifications to be made without unreasonable delay but in no case later than 60 calendar days after discovery of the breach.
12. Breach Notification – Section 13402 cont.
Notice Following the discovery of a breach
• The notice shall be made in writing, except under circumstances where the Covered Entity does not have the correct contact information for the affected individual, or where there is particular urgency to the notification.
• The notice to affected individuals must contain the following 5 elements:
  1. A brief description of what occurred with respect to the breach, including, to the extent known, the date of the breach and the date on which the breach was discovered;
  2. A description of the types of unsecured PHI that were disclosed during the breach;
  3. A description of the steps the affected individual should take in order to protect himself or herself from potential harm caused by the breach;
  4. A description of what the Covered Entity is doing to investigate and mitigate the breach and to prevent future breaches; and
  5. Instructions for the individual to contact the Covered Entity.
13. Education – Section 13403
Education on Health Information Privacy
• Regional Office Privacy Advisors and Education Initiative
• Guidance and Education to covered entities, business associates and individuals on rights and responsibilities related to federal privacy and security requirements for protected health information
14. Business Associate – Section 13404
Application of Privacy Provisions to Business Associates of Covered Entities
• Section 13404 of the Act requires HIPAA business associates to comply with 45 CFR § 164.504(e), which sets forth the privacy terms required in HIPAA business associate agreements. While these contract obligations have always been enforceable by covered entities, they are now enforceable by the government through HIPAA. Business associates also are required to comply with the additional privacy requirements imposed by the Act described below.
• Business associates must take reasonable steps to cure a breach of, or terminate, a Business Associate Agreement if they become aware of a pattern of activity or practice by a covered entity that violates the agreement. If a business associate fails to take reasonable steps to cure the breach, terminate the agreement, or report the problem to HHS, then the business associate may be liable for civil and/or criminal penalties under the Act.
RESOURCE: Sample Business Associate Agreement (BAA)
15. Restrictions, Accounting, Access – Section 13405
Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format
• 13405(a) A covered entity must comply with the requested restriction if the disclosure would be to a health plan for purposes of carrying out payment or health care operations—but not for treatment; and the PHI pertains solely to a health care item or service for which the health care provider involved has been fully paid by the patient.
• 13405(b) Disclosures limited to the Limited Data Set or Minimum Necessary. The Act requires the Covered Entity to make the determination of Minimum Necessary, rather than relying on others.
• Section 13405(c) of the Act provides that disclosures made through an EHR for treatment, payment and health care operations purposes must be included in the accounting, but information is limited to three years of disclosure information (rather than six).
16. Restrictions, Accounting, Access – Section 13405 cont.
Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format
• Section 13405(d) of the Act now prohibits indirect and direct remuneration for a disclosure of PHI without the individual’s authorization. The authorization document must also explain whether PHI can be further exchanged for remuneration by the downstream entity receiving the PHI. The statute contains several exceptions where a covered entity is still permitted to receive remuneration for disclosures, such as public health, research, treatment, sale or merger of a CE, to a business associate for work functions, to an individual who requests copies of their PHI, etc.
• Section 13405(e) In the case that the CE uses or maintains an EHR, individuals have the right to obtain a copy in electronic format.
17. Marketing – Section 13406
Conditions on Certain Contacts as Part of Health Care Operations
• Under Section 13406(a), communications which are deemed part of health care operations and excluded from the definition of marketing as contained in 164.501(1)(i), (ii) or (iii) are now limited to those communications for which the covered entity has not been paid directly or indirectly, unless the communication involves a drug or biologic currently being prescribed. Otherwise, an authorization from the individual is needed.
• Section 13406(b) All fund-raising communications must provide for the opportunity to opt out of receiving further communications.
18. Temporary Breach Notification – Section 13407
Temporary Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities
• The HITECH Act includes two sets of new breach notification requirements. Section 13402 (previously discussed) of the HITECH Act requires HIPAA covered entities to notify individuals if there has been a breach involving their “unsecured PHI.” Section 13407 of the HITECH Act includes breach notification requirements for vendors of personal health records (PHR) and related entities that are not subject to the HIPAA requirements and therefore not covered by the Section 13402 requirements.
• Federal Trade Commission, Health Breach Notification Rule, 16 CFR Part 318 was created pursuant to HITECH Act Section 13407(g). The rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.
RESOURCE: HIPAA Breach Notification
19. Business Associate Contracts – Section 13408
Business Associate Contracts Required for Certain Entities
• Section 13408 of the Act identifies additional entities that are to be considered business associates and with whom covered entities must have written agreements (or other arrangement). These are organizations that transmit protected health information to the covered entity (or its business associates), such as a Health Information Exchange Organization, a Regional Health Information Organization, an E-prescribing Gateway, or each vendor that contracts with a Covered Entity to offer a Personal Health Record as part of its EHR. Each such organization is required to enter into a written contract and shall be treated as a business associate.
20. Wrongful Disclosures – Section 13409
Clarification of Application of Wrongful Disclosures Criminal Penalties
• Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the end the following new sentence: “For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.” This provision clarifies that an individual does not need to be a HIPAA covered entity to be subject to the criminal penalties in 42 U.S.C. § 1320d-6(a).
• The base penalty is a $50,000 fine, imprisonment for not more than one year, or both. For offenses committed under false pretenses, the fine is not more than $100,000, imprisonment for not more than five years, or both. And if the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the fine is not more than $250,000, imprisonment for not more than 10 years, or both.
21. Improved Enforcement – Section 13410
Improved Enforcement
• Section 13410 makes a variety of changes to the civil penalty provisions. First, the Act adds that noncompliance for willful neglect requires HHS to formally investigate a complaint and to impose a civil penalty. HHS is required to implement regulations, and these statutory amendments will be effective in 24 months.
• The section also requires civil penalties collected for privacy or security violations to go to the HHS Office for Civil Rights to fund enforcement. The Government Accountability Office is also directed to issue a report on sharing a percentage of these penalties with individuals who are harmed, and HHS is directed to issue regulations within three years.
• State Attorneys General may bring a civil action to enjoin privacy or security violations or obtain damages on behalf of state residents for such violations.
22. Improved Enforcement – Section 13410 cont.
Enhanced Enforcement Options and Increased Penalties for Non-Compliance
• The Act also increases the amount of civil penalties from the present $100 per violation (up to $25,000 per identical violation) to the following tiered civil penalties:
  1. If the person did not know (and by exercising reasonable diligence would not have known) that such person violated a provision, the civil penalty is between $100 - $50,000 for each violation, up to a total of $25,000-$1,500,000 for all violations of an identical requirement;
  2. If the violation was due to reasonable cause and not to willful neglect, the civil penalty is between $1,000 - $50,000 for each violation, up to a total of $100,000-$1,500,000 for all violations of an identical requirement;
  3. If the violation was due to willful neglect, the civil penalty is between $10,000 - $50,000 for each violation, up to a total of $250,000-$1,500,000 for all violations of an identical requirement, if the violation was corrected during the 30 day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred;
  4. If the violation is not corrected within 30 days, the penalties increase to $50,000 for each violation, up to a total of $1,500,000 for all violations of an identical requirement.
23. Audits – Section 13411
• Section 13411 requires the Secretary of HHS to conduct periodic audits to ensure that covered entities and business associates are in compliance with HIPAA.
• Covered entities and business associates should prepare for audits, covering all HIPAA requirements, to begin no later than February 17, 2010.
24. FTC Red Flags Rule
• The Identity Theft Red Flags Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft.
• Health care providers who periodically allow patients to pay for medical services over time through a series of payments should have written policies that identify the "red flags" (indicators of possible identity theft) they may come across in the course of business, establish procedures to detect those red flags and to respond appropriately to mitigate and prevent harm, and develop procedures for training staff and keeping applicable policies current. Health care providers should also have procedures in place to ensure that their vendors are in compliance with the Red Flags Rule, and should amend existing business associate agreements or ask for copies of the vendors' Red Flags policies.
• The Federal Trade Commission is delaying enforcement of the Red Flags Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.
Resource: Red Flag Rule
25. HIPAA Privacy and Security Assessment
Framework for Managing Risk
• PHI, ePHI, Patient, Organization, Vendors
• Methodical, repeatable, risk-based approach to implementing effective risk management
• Life cycle that facilitates continuous monitoring and improvement
• Purpose and scope
• Applicability
• Audience
• How and why to use the assessment
Resources: CMS Security Audit
26. Next Steps
Task | Completed
Amend Business Associate Agreements: new obligations; Red Flags Rule | [ ]
Create Policies & Procedures to address notification of breach | [ ]
Create Policies & Procedures to address: disclosures and sales of health information; accounting of PHI; disclosures and access of certain information in electronic format | [ ]
Amend Marketing Policies & Procedures; review communications, need for authorization and fund-raising opt-out | [ ]
Review Health Breach Notification; create Policies & Procedures as required | [ ]
Create Policy & Procedures on wrongful disclosures | [ ]
Develop training & awareness campaign to address the HITECH Act | [ ]
Consider a framework to manage HIPAA compliance | [ ]
Resources: Standards Checklist and 2010 New Guidelines
27. Q&A
28. Thank You!
For more information on OHITX or today's session, please contact Colleen Sauter, csauter@ohitx.org. To access the resource section, please click here:
29. Disclaimer: This Webinar IS NOT Legal Advice
• These materials should not be considered as, or as a substitute for, legal advice, and they are not intended to, nor do they, create an attorney-client relationship. Because the materials included here are general, they may not apply to a particular individual legal or factual circumstance.
• The reader should not take, or refrain from taking, any action based on the information contained herein without first obtaining professional counsel.
• The views expressed herein do not necessarily reflect the views of OHITX.