Webinar: Your HIPAA Omnibus Rule Compliance Checklist

The HIPAA rules for Privacy and Security of Protected Health Information (PHI) have NEW finalized requirements with a compliance deadline of September 23, 2013. The changes include:

- Significant changes to patient rights
- Modifications of marketing rules
- A major change to how breaches of PHI are determined
- New requirements in Business Associate relationships

The changes to the rules create new challenges for HIPAA entities, and new risks for non-compliance and penalties. Join BridgeFront and leading consultant, Jim Sheldon-Dean, for a free webinar that explains these changes and identifies the items you need to complete by the deadline.


  1. BridgeFront Welcomes You To: HIPAA Omnibus Rule Compliance Checklist
     - BridgeFront, www.bridgefront.com, info@bridgefront.com, (866) 447-2211, Lewis Creek Systems, LLC
     - Conference Line: (646) 558-2121; Access Code: 903-718-495
     - With Presenter: Jim Sheldon-Dean, Director of Compliance Services, Lewis Creek Systems, LLC
     - If you are experiencing difficulties hearing or seeing this presentation, send an email to support@bridgefront.com or call 1 (866) 447-2211.
  2. Today’s Presenter: HIPAA Omnibus Rule Compliance Checklist
     - Jim Sheldon-Dean, Lewis Creek Systems, LLC
  3. About Jim Sheldon-Dean
     - BSCE (Civil Engineering) from UVM, MST (Transportation) from MIT
     - More than three decades in consulting, information systems, and software development
     - Process, problem-solving oriented
     - Eight years as Vermont EMT, crew chief
     - 12 years specializing in HIPAA and health information privacy and security consulting
     - Involved in WEDI, HIMSS, VITL; frequent speaker about HIPAA and information privacy and security
     - See www.lewiscreeksystems.com for more details, resources, information security compliance news, etc.
  4. Our Time Together
     - Changes to HIPAA privacy policies and procedures
     - New process for deciding on breach reportability
     - Changes to HIPAA business associate relationships
  5. HITECH Act Updates to HIPAA
     - Most of the proposed rules finalized in the big HIPAA Omnibus Update published January 25, 2013, effective March 26, 2013, enforceable September 23, 2013
     - Omnibus Update Rule, with Preamble, available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
     - New Combined Rules published by HHS OCR, at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
  6. Poll Question #1: Is your organization ready for the HIPAA Omnibus compliance deadline?
     - Yes
     - No
     - I Don't Know
  7. What’s New in HIPAA?
     - New individual rights for access and requesting restrictions
     - New restrictions on disclosures for marketing, sale of PHI; changes to rules for use of PHI for fundraising
     - Notices of Privacy Practices must be updated
     - Expansion of rules to Business Associates
     - Change in the way to determine whether or not a breach must be reported
     - New restrictions on use of genetic information by health plans
     - PHI not protected >50 years after individual’s death
     - No changes to Accounting of Disclosures or CLIA, yet…
  8. Designated Record Set
     - (1) A group of records maintained by or for a covered entity that is:
       - (i) The medical records and billing records about individuals maintained by or for a covered healthcare provider;
       - (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
       - (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
  9. Use vs. Disclosure
     - Per 45 C.F.R. §164.103 HIPAA Definitions
     - Disclosure: the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information
     - As distinct from Use: the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity that maintains such information
  10. Restriction of Disclosures
      - HITECH §13405(a): Individual may request no disclosure to insurer if paid out of pocket; must comply
      - In the HIPAA Omnibus Update, now under §164.522(a)(1)(vi)
  11. Impact of Restriction of Disclosures to Insurers
      - Must have a policy/procedure/process
      - Required in your EHR to meet the law
      - Can you flag such encounters?
      - What about pass-through effects?
      - Issues with aggregated data
      - What about contracts with insurers?
      - Must be in the Notice of Privacy Practices
  12. Individual Access of PHI
      - HIPAA §164.524: Must have a process for individual to request access, for reasonable cost-based fee
      - Must provide the entire record in the Designated Record Set if requested:
        - Medical and billing records used in whole or in part to make decisions related to health care
        - New: Information kept electronically must be available electronically if requested
        - Exceptions for Psychotherapy notes, CLIA, others
        - Changes to HIPAA and CLIA proposed to allow access of lab information by individuals, not finalized yet
      - New: 30-day extension for off-site records no longer allowed
  13. Impacts of Individual Access of EHR Information
      - All kinds of electronic info in designated record set, not just your formal EHR
      - Have you performed inventory of PHI?
      - Are access procedures in place?
      - Who responds to requests for access?
      - What are acceptable formats for electronic access?
      - What if the patient wants you to send plain e-mail?
      - Need to update the Notice of Privacy Practices
  14. Individual Preferences for Communication
      - §164.522(b)(1) Standard: Confidential Communications Requirements
        - (i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.
      - §164.524(c) Provision of Access
        - (2) Form of access requested. (i) The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format….
        - New (c)(2)(ii): If PHI is electronic, individual may request electronic copy.
  15. Calculating/Evaluating Risk
      - Each Risk Issue has an Impact and Likelihood
        - Impact is how great the damage would be; more information about more people with more detail is greater
        - Likelihood is how likely it is that the risk issue would become a reality
      - Risk = Impact x Likelihood
        - If risk level appears low, an informed risk decision can be made by the patient
        - Rights can not be given up under HIPAA, but individuals can make an informed risk decision
  16. Marketing Changes
      - Marketing still requires an Authorization
      - Treatment and healthcare operations do not require an authorization (with notice in the HIPAA Notice of Privacy Practices), except:
      - Authorizations are required for all treatment and healthcare operations where the Covered Entity receives financial remuneration from a third party whose product or service is being marketed
      - Exemptions from Authorization Requirement for:
        - Face to Face communication
        - Refill reminders or other info about a drug or biologic that is currently prescribed (unless there is remuneration)
        - Communications promoting health in general and that do not promote a product or service from a particular provider
        - Communications about government and government-sponsored programs
  17. New Restrictions on Sale of PHI
      - HIPAA §164.508(a)(4): If you disclose for remuneration, you must have an authorization stating that the disclosure results in remuneration
      - Exceptions for public health, research, treatment and payment purposes, sale of practice, transfer to a BA providing services, to the individual, etc.
  18. Fundraising Changes
      - HITECH §13406(b) now effective under HIPAA §164.514(f)(1): Opportunity to Opt Out of Fundraising
      - Demographic information, dates of healthcare services, department providing services, physician, health plan status, and outcome can be used for fundraising without authorization
      - Notice of Privacy Practices must state so; may need to modify
      - Easy Opt-out must be provided, by campaign or for all campaigns, must be honored, and can’t be used to condition treatment or payment
  19. Update Notice of Privacy Practices
      - HIPAA Notice of Privacy Practices must reflect individual rights and controls on uses and disclosures
        - New right of access to electronic PHI
        - New right of restriction of disclosures
        - New right to be notified in the event of a breach
        - Changes to Marketing and Fundraising
        - GINA notice for health plan NPPs
      - Must update policies and NPP together, by deadline
      - Start using (and post) new version; no requirement for providers to redistribute to all patients
  20. Poll Question #2: Has your HIPAA Notice of Privacy Practices been updated?
      - No, not yet
      - No, but we’re working on it
      - Yes, we’re about to implement it
      - Yes, we have already implemented it
  21. Big Changes for Business Associates
      - New definition of what is a Business Associate
      - New application of rules directly to BAs
      - New consideration of how the rules apply to “cloud” based vendors
      - Need to update all Business Associate Agreements
  22. What is a Business Associate?
      - An individual or entity, not acting as an employee, that:
        - Creates, receives, maintains, or transmits protected health information for a function or activity regulated by HIPAA on behalf of a covered entity (CE) or another BA
        - Provides legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services and needs PHI to do it
      - Anything a CE or BA could do itself but has someone else do it for them, involving creation, receipt, maintenance, or transmission of PHI
      - Now includes subcontractors, Patient Safety Organizations, Health Information Exchanges
  23. What is a Business Associate? (continued)
      - Includes:
        - Billing service
        - Shredding service
        - Systems vendors who access PHI
      - Does not include those who would have no reason to use, disclose, create, receive, maintain or transmit PHI, such as:
        - Tradesmen (plumber, etc.)
        - Housekeeping, etc.
      - Not Payers, other Providers, or Workforce Members
      - Not Conduits (USPS, FedEx, etc.)
  24. Business Associates Now Directly Regulated by HIPAA
      - Security Rule applies
      - Breach Notification Rule applies
      - Privacy Rule Use and Disclosure provisions apply
      - Business Associates responsible for having contracts with Covered Entities and Subcontractors
      - Business Associates liable for compliance and violations
      - Contracts signed since January 25, 2013 must meet new standard by September 23, 2013
      - Older, compliant contracts signed before January 25, 2013 and “evergreen” contracts have until September 23, 2014
  25. Conduits, Persistence of Custody & Clouds
      - A narrow BA exception for Conduits: simple delivery only
      - Persistence of Custody of PHI creates a BA relationship
      - Regular e-mail services have persistent custody of messages
      - Are Cloud vendors Business Associates?
      - Now under review by HHS (and cloud vendors)
      - Principle of Persistence of Custody of PHI may apply in Cloud
      - Don’t forget: Security includes Confidentiality, Integrity, and Availability
      - Consider persistence of custody of PHI, even if encrypted
  26. Preparing to Update BAAs
      - Prioritize by risk, expiration date
      - Review for liability and indemnification of breaches
      - Include new required elements:
        - Requirements for BAs and their subcontractors to comply with the HIPAA Security Rule, and specific sections of the HIPAA Privacy Rule
        - New language surrounding breach notification and the securing of PHI
        - New disclosure-related requirements for Electronic Health Records
        - Removed: Requirement for clause obligating CEs to report noncompliance by a downstream entity to HHS
      - New sample Business Associate Agreement provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
  27. Poll Question #3: Do you use any “cloud” vendors for handling any of your PHI?
      - No, we don’t
      - Yes, but we don’t treat them as Business Associates
      - Yes, and we have them under a BA Agreement
      - I don't know
  28. One (Big) Change in Breach Notification
      - Breach Notification final rule is same as proposed, with one change
      - Significant change to how you decide if a breach must be reported or not
  29. What is a Breach?
      - A Reportable Breach is acquisition, access, use, or disclosure of unsecured PHI in violation of the Privacy Rule, with some exceptions by law if:
        - PHI is destroyed
        - Unintentional, in good faith, with no further use (within your organization)
        - Inadvertent and within job scope (within your organization)
        - Info cannot be retained
      - “Harm Standard” for evaluation of need to report removed
      - Not reportable if there is a “low probability of compromise” of the data, based on a risk assessment
  30. Is It a Reportable Breach?
      - All breaches not meeting an exception are reportable unless there is a “low probability of compromise” of the data, based on a risk assessment including at least:
        - what was the info, how well identified was it, and is its release “adverse to the individual”
        - to whom it was disclosed
        - was it actually acquired or viewed
        - the extent of mitigation
  31. Breach Notification Decision Tree, Step 1
      - Was there acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule?
      - If No, not a breach; end of process
      - If an incident, document the incident fully and the determination of “not a breach”
      - If Yes, go on to Step 2
  32. Breach Notification Decision Tree, Step 2
      - Was the information secured according to HHS guidance, or destroyed?
      - If Yes, not reportable; end of process; document the incident and determination of “not a reportable breach”
      - If No, may be able to use lower security encryption in the evaluation of risk later in Step 5; go on to Step 3
  33. Breach Notification Decision Tree, Step 3
      - Was the potential breach internal to your organization, AND unintentional, in good faith, with no further use, or inadvertent and within job scope?
      - If Yes, not a breach; end of process; document the incident and determination of “not a breach”
      - If No, go on to Step 4
  34. Breach Notification Decision Tree, Step 4
      - Is there no way the breached information can be retained?
      - If there is no way the PHI was retained, it is not a breach; end of process; document the incident and determination of “not a breach”
      - If the breached information may be retained in some way, go on to Step 5
  35. Breach Notification Decision Tree, Step 5
      - If you’ve gotten here, you have a breach, and now the only way to keep from having to report it is to do a risk assessment to see if there is a “low probability of compromise”
      - If there is a low probability of compromise, it is not reportable; end of process; document incident and determination of “not a reportable breach”
      - If NOT a low probability of compromise, MUST report
  36. Breach Notification Risk Assessment
      - Not reportable if there is a “low probability of compromise” of the data, based on a risk assessment including at least:
        - what was the info and how well identified was it (and is its release “adverse to the individual”)
        - to whom it was disclosed
        - was it actually acquired or viewed
        - the extent of mitigation
  37. Factor 1: Extent and nature of PHI
      - Evaluate the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
      - Consider:
        - Financial and clinical sensitivity of the information
        - Are direct or indirect identifiers included
        - Can the information be linked for re-identification
        - Does the person receiving the PHI have the ability to re-identify the PHI
  38. Factor 2: Who Received the PHI
      - Evaluate the nature of the unauthorized person who used the PHI or to whom the disclosure was made
      - Consider:
        - Does the person have obligations to protect the privacy and security of the PHI
        - Is the identity of the unauthorized person known
        - What is the likelihood that the information would be used by an unauthorized recipient to adversely affect individuals or for personal gain
  39. Factor 3: Was the PHI Viewed
      - Evaluate whether the PHI involved was actually acquired or viewed
      - Consider:
        - Was there opportunity to acquire or view the PHI
        - Was the potential breach discovered and prevented before PHI was viewed or acquired
        - What information are you relying on?
  40. Factor 4: Was It Mitigated
      - Evaluate the extent to which the risk to the PHI has been mitigated
      - Consider:
        - Were satisfactory assurances obtained that PHI will not be further used or disclosed
        - The person providing satisfactory assurances
        - Are the satisfactory assurances written
  41. Notification Determination Process Summary
      1. Was there acquisition, access, use, or disclosure in violation of the Privacy Rule?
      2. Was it secured?
      3. Does it qualify for one of the internal exceptions?
      4. Is the information un-retainable?
      5. Is there a low probability of compromise per a risk assessment?
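The five-step decision tree (slides 31 to 35) and the four-factor risk assessment (slides 36 to 40) together form one determination procedure, and the slides stress documenting the determination at every exit. The code below is an added worked example of that procedure, not code from the webinar, BridgeFront or Lewis Creek Systems. The `Incident`, `RiskFactors` and `Record` types, the flag names, and the scenarios are constructed for illustration; in particular, the slides do not say how the four factors combine into a "low probability of compromise" finding, so `low_probability_of_compromise` uses an assumed, deliberately conservative rule (every factor must favor low risk) that an organization would replace with its own documented policy.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Determination(Enum):
    NOT_A_BREACH = "not a breach"
    NOT_REPORTABLE = "not a reportable breach"
    REPORTABLE = "reportable breach: must notify"


@dataclass
class RiskFactors:
    """Step 5 inputs (hypothetical field names). True means the factor points
    toward a HIGHER probability of compromise."""
    sensitive_or_identifiable: bool   # Factor 1: nature/extent of PHI, re-identification risk
    recipient_unobligated: bool       # Factor 2: recipient unknown or under no duty to protect PHI
    acquired_or_viewed: bool          # Factor 3: PHI actually (or plausibly) acquired or viewed
    mitigation_inadequate: bool       # Factor 4: no satisfactory (written) assurances of no further use


@dataclass
class Incident:
    privacy_rule_violation: bool      # Step 1: acquisition/access/use/disclosure violating the Privacy Rule
    secured_or_destroyed: bool        # Step 2: secured per HHS guidance (e.g. encrypted) or destroyed
    internal_good_faith: bool         # Step 3: internal AND unintentional/good-faith, or inadvertent within job scope
    phi_could_be_retained: bool       # Step 4: any way the information could have been retained
    risk: Optional[RiskFactors] = None  # Step 5: needed only if Steps 1-4 do not end the process


@dataclass
class Record:
    """The documentation the slides require at every exit point."""
    determination: Determination
    stopped_at_step: int
    rationale: List[str] = field(default_factory=list)


def low_probability_of_compromise(f: RiskFactors) -> bool:
    # ASSUMPTION (not from the slides): conclude "low probability" only when
    # none of the four factors points toward higher risk.
    return not any((f.sensitive_or_identifiable, f.recipient_unobligated,
                    f.acquired_or_viewed, f.mitigation_inadequate))


def evaluate(incident: Incident) -> Record:
    """Walk the five-step decision tree; every exit returns a documented Record."""
    notes: List[str] = []

    if not incident.privacy_rule_violation:                      # Step 1
        notes.append("Step 1: no Privacy Rule violation")
        return Record(Determination.NOT_A_BREACH, 1, notes)
    notes.append("Step 1: Privacy Rule violation occurred")

    if incident.secured_or_destroyed:                            # Step 2
        notes.append("Step 2: PHI secured per HHS guidance or destroyed")
        return Record(Determination.NOT_REPORTABLE, 2, notes)
    notes.append("Step 2: PHI was unsecured")

    if incident.internal_good_faith:                             # Step 3
        notes.append("Step 3: internal good-faith/inadvertent exception applies")
        return Record(Determination.NOT_A_BREACH, 3, notes)
    notes.append("Step 3: no internal exception")

    if not incident.phi_could_be_retained:                       # Step 4
        notes.append("Step 4: PHI could not have been retained")
        return Record(Determination.NOT_A_BREACH, 4, notes)
    notes.append("Step 4: PHI may have been retained")

    if incident.risk is None:                                    # Step 5
        raise ValueError("Step 5 reached: a four-factor risk assessment is required")
    if low_probability_of_compromise(incident.risk):
        notes.append("Step 5: low probability of compromise per risk assessment")
        return Record(Determination.NOT_REPORTABLE, 5, notes)
    notes.append("Step 5: probability of compromise is not low")
    return Record(Determination.REPORTABLE, 5, notes)


# Constructed scenarios (not from the webinar) that exercise each exit of the tree.
ENCRYPTED_LAPTOP_LOST = Incident(True, True, False, True)
MISFILED_INTERNALLY = Incident(True, False, True, True)
UNENCRYPTED_LAPTOP_STOLEN = Incident(True, False, False, True,
                                     RiskFactors(True, True, True, True))
MISDIRECTED_FAX_RETURNED = Incident(True, False, False, True,
                                    RiskFactors(False, False, False, False))

if __name__ == "__main__":
    for name, inc in [("encrypted laptop lost", ENCRYPTED_LAPTOP_LOST),
                      ("misfiled internally", MISFILED_INTERNALLY),
                      ("unencrypted laptop stolen", UNENCRYPTED_LAPTOP_STOLEN),
                      ("misdirected fax, returned unread", MISDIRECTED_FAX_RETURNED)]:
        rec = evaluate(inc)
        print(f"{name}: {rec.determination.value} (stopped at step {rec.stopped_at_step})")
        for line in rec.rationale:
            print("   ", line)
```

The `ValueError` at Step 5 is deliberate: an incident that survives Steps 1 to 4 is a breach, and the only path to "not reportable" is a completed, documented risk assessment, so the code refuses to decide without one.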
  42. Poll Question #4: Do you have a breach notification policy and procedure in place?
      - Yes, and we have used it
      - Yes, but we haven't had to try it yet
      - I think we have some informal policy somewhere
      - Yes, but it's not adequate
      - No
  43. Statistics on HIPAA Breach Notification
      - For reported breaches of 500 or more individuals’ PHI in the first year of the reporting requirement:
        - 76% of breaches involve loss (15%), theft (56%), or improper disposal (5%): old-fashioned physical security of valuable data
        - 17% are caused by unauthorized access or disclosure
        - 6% are caused by hacking
      - Portable data, laptops, smart phones, memory sticks are the leaders for breaches of PHI
      - HHS Wall of Shame for large breaches: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
  44. Most Frequent HIPAA Security Issues, per HHS OCR
      - Lack of Incident Response and Reporting Process
      - Lack of Security Awareness and Training
      - Poor Technical Access Control
      - Poor Administrative Information Access Management
      - Poor Physical Workstation Security
      - Source: Presentation by OCR at NIST/OCR HIPAA Security Conference, May 11, 2011
  45. Lessons Learned From PHI Breaches
      - Have physical safeguards for areas where paper records are stored or used
      - Reduce risk through network or enterprise storage as alternative to local devices
      - Encrypt data at rest on any desktop or portable device/media storing ePHI
      - Have clear and well documented administrative and physical safeguards on the storage devices and removable media which handle ePHI
      - Raise the security awareness of workforce members and managers to promote good data stewardship
  46. New Enforcement Definitions
      - Reasonable Cause: An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect
      - Reasonable Diligence: Business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances
      - Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated
  47. Tiered Penalty Structure
      - HIPAA Privacy Rule §160.404: Penalty Amounts
      - Tier 1: Did not know and, with reasonable diligence, would not have known
        - $100 - $50,000 per violation
      - Tier 2: Violation due to reasonable cause and not willful neglect
        - $1,000 - $50,000 per violation
      - Tier 3: Violation due to willful neglect and corrected within 30 days of when known or should have been known with reasonable diligence
        - $10,000 - $50,000 per violation
      - Tier 4: Violation due to willful neglect and NOT corrected within 30 days of when known or should have been known with reasonable diligence
        - $50,000 per violation
      - $1.5 million maximum for all violations of a similar type in a calendar year
  48. HHS is Serious about Enforcement
      - $4.3 million fine for Cignet Health of Maryland for multiple violations
      - $1 million settlement with Mass General Hospital
      - $865K+ settlement with UCLA Medical Center for snooping in records
      - Multiple multi-million dollar settlements with pharmacies
      - $100K settlement with a physician’s office for Security Rule violations
      - $1.5 million settlement with BC/BS of Tennessee for lost hard drives
      - $1.7 million settlement with Alaska Medicaid for lack of security process
      - $1.5 million settlement with MEEI for lack of security for portable devices
      - $500K settlement with Hospice of North Idaho for insecure laptop
      - $400K settlement with Idaho State University for insecure server, process
      - $275K settlement with Shasta Regional Med Center for inappropriate disclosure of PHI and lack of sanctions for violations
      - $1.7 million settlement with WellPoint for insecure server, no process
      - $1.2 million settlement with Affinity Health for insecure disposal of copiers
  49. Your To-Do List…
      - Don’t be in denial: willful neglect will cost you
      - Prepare for new individual rights
      - Find and prioritize (by risk) BA agreements
      - Make sure EHR vendors can meet restriction requirements and provide electronic copies
      - Update your Breach Notification evaluation process
      - Review your policies and procedures per the rules
      - Document, document, document!
      - Conduct drills in audit and breach response
      - Make corrections based on results
      - Always have a plan for moving forward, and follow it!
  50. Thank You!
      - Please let me know if you have any questions! I’m always happy to help.
      - Jim Sheldon-Dean, jim@lewiscreeksystems.com, www.lewiscreeksystems.com, 802-425-3839
