HIPAA Omnibus Presentation Webinar
- 2. Your Presenter
A.J. (Andy) Weitzberg
President of HIPAA Continuity Planners
President of the Association of Contingency Planners
Long Island Chapter
© HIPAA Continuity
Planners 2013
- 3. History
• Health Insurance Portability and Accountability Act (HIPAA) of 1996
• The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009
• Omnibus Rule of 2013
- 4. The Omnibus Rule conforms the HIPAA regulations to the HITECH Act changes:
– Before HITECH, BAs were regulated only indirectly, through business associate contracts or agreements ("BAAs") with the covered entity
– After HITECH, BAs and their subcontractors are regulated directly under HIPAA, therefore they:
Must comply with the Security Rule
Must comply with the applicable provisions of the Privacy Rule and with the provisions of their BAA
- 5. By the Numbers from August 2009 through December 2012*
• 538 breaches of protected health information (PHI)
• 21,408,505 patient health records affected
• 21.5% increase in # of large breaches in 2012 over 2011
• but… a 77% decrease in # of patient records impacted
• 67% of all breaches have been the result of theft or loss
• 57% of all patient records breached involved a business
associate
• 5X: historically, breaches at business associates have impacted five times as many patient records as breaches at a covered entity
• 38% of incidents were the result of an unencrypted laptop or other portable electronic device
• 63.9% of total records breached in 2012 resulted from the 5 largest incidents
• 780,000 records were breached in the single largest incident of 2012
*These numbers include breaches that affected >500 individuals and were reported to HHS from August 2009 to January 17, 2013.
- 6. Expanded definition of "Business Associate"
"Business associate" means one who, on behalf of a covered entity, creates, receives, maintains or transmits PHI*. It now also means a "subcontractor of a business associate" who creates, receives, maintains or transmits PHI* on behalf of a business associate.
Status as a BA is based upon role and responsibilities, not upon who the parties to the contract are.
The contract between the covered entity's BA and that BA's subcontractor must satisfy the BA agreement requirements.
*Protected Health Information
- 7. Business Associate - Consequences
The Secretary (HHS) is authorized to receive and investigate complaints against BAs (including subcontractors), and to take action regarding complaints and noncompliance
BAs (incl. subs) are required to maintain records and submit compliance reports to the Secretary, cooperate in complaint investigations and compliance reviews, and give the Secretary access to information
BAs (incl. subs) are forbidden to intimidate, discriminate against, etc. those who make complaints, cooperate with regulators or oppose unlawful actions
BAs (incl. subcontractors) are subject to civil money penalties for HIPAA violations
BAs/subs remain liable under contract to the Covered Entity and to the BA
- 8. How do these updates affect your business?
As a "Business Associate" you have HIPAA/HITECH compliance requirements:
1. A Written Risk Analysis
2. A Written Continuity Plan
3. Documented Security Practices and Procedures
4. An Incident Response Plan (Breach Response)
5. Termination Procedures
6. A Record Disposal Procedure for Electronic Media and Paper Records
7. An Employee Training Program
8. Documentation and Logs
- 9. Penalties for Your Non-Compliance
CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

Violation Category (Section 1176(a)(1))      Each Violation         All such violations of an identical provision in a calendar year
(A) Did Not Know                             $100 to $50,000        Max $1,500,000
(B) Reasonable Cause                         $1,000 to $50,000      Max $1,500,000
(C)(i) Willful Neglect - Corrected           $10,000 to $50,000     Max $1,500,000
(C)(ii) Willful Neglect - Not Corrected      $50,000                Max $1,500,000
- 10. Are you a "Business Associate"?
Illustration of the types of firms that are now considered "Business Associates":
• IT Support and Software Vendors
• IT Equipment Vendors
• Leasing firms
• Telephone CPE Vendors
• Shredding Vendors
• Data Centers
• Cloud Computing Providers
• Answering Services for Medical Offices
• Medical Billing Services
• Medical Transcriptions Services
• Medical Collection Agencies
• Temporary Employment Agencies
- 11. Questions
A.J. (Andy) Weitzberg
President
HIPAA Continuity Planners
Email: AJ@HIPAACP.COM
1.800.654.2041 Toll Free
1.631.654.4001 Office
1.516.641.4001 Mobile