HIPAA Omnibus Presentation



  1. 855.85HIPAA  www.compliancygroup.com
     Industry-leading Education, Certified Partner Program
     • Please ask questions
     • Today's slides are available at http://compliancy-group.com/slides023/
     • Past webinars and recordings: http://compliancy-group.com/webinar/
  2. HIPAA New Final Omnibus Rule: "Key Business Associate Implications for Your Organization"
  3. Your Presenter
     A.J. (Andy) Weitzberg
     President of HIPAA Continuity Planners
     President of the Association of Contingency Planners, Long Island Chapter
     © HIPAA Continuity Planners 2013
  4. History
     • Health Insurance Portability and Accountability Act (HIPAA) of 1996
     • The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009
     • Omnibus Rule of 2013
  5. The Omnibus Rule conforms HIPAA regulations to the HITECH Act changes:
     – Before HITECH, BAs were regulated through business associate contracts or agreements ("BAAs")
     – After HITECH, BAs and subcontractors are now regulated directly under HIPAA; therefore they:
       • Must comply with the Security Rules
       • Must comply with some of the Privacy Rule and the provisions of the BAA
  6. By the Numbers, 2009 through 2012*
     • 538 breaches of protected health information (PHI)
       – 21,408,505 patient health records affected
     • 21.5% increase in the number of large breaches in 2012 over 2011
       – 77% decrease in the number of patient records impacted
     • 67% of all breaches have been the result of theft or loss
     • 57% of all patient records breached involved a business associate
     • Business associates have impacted 5 times as many patient records as those at a covered entity
     • 38% of incidents were the result of an unencrypted laptop or other portable electronic device
     • 63.9% of total records breached in 2012 resulted from the 5 largest incidents
     • 780,000 records breached in the single largest incident of 2012
     *These numbers include breaches that affected >500 individuals and were reported to HHS from August 2009 to January 17, 2013.
  7. Expanded definition of "Business Associates"
     "Business associate": one who, on behalf of a covered entity, creates, receives, maintains or transmits PHI*
     • Status as a BA is based upon role and responsibilities, not upon who the parties to the contract are
     • The contract between the covered entity's BA and that BA's subcontractor must satisfy the BA agreement requirements
     Subcontractor of a business associate: one who creates, receives, maintains or transmits PHI* on behalf of a business associate
     *Personal Health Information
  8. Business Associate - Consequences
     • The Secretary (HHS) is authorized to receive and investigate complaints against BAs (including subcontractors), and to take action regarding complaints and noncompliance
     • BAs (incl. subs) are required to maintain records and submit compliance reports to the Secretary, cooperate in complaint investigations and compliance reviews, and give the Secretary access to information
     • BAs (incl. subs) are forbidden to intimidate, discriminate against, etc. those who make complaints, cooperate with regulators or oppose unlawful actions
     • BAs (incl. subcontractors) are subject to civil money penalties for HIPAA violations
     • BAs/subs remain liable under contract to the Covered Entity and BA
  9. How do these updates affect your Business?
     As a "Business Associate" you have HIPAA/HITECH Compliance Requirements:
     1. A Written Risk Analysis
     2. A Written Continuity Plan
     3. Documented Security Practices and Procedures
     4. An Incident Response Plan (Breach Response)
     5. A Record Disposal Procedure for Electronic Media and Paper Records
     6. An Employee Training Program
     7. Termination Procedures
     8. Documentation and Logs
  10. Definition of a Breach
      The final rule also changes the risk analysis requirements for determining when a breach has occurred.
      Previously, a risk of harm threshold was considered in determining whether a breach had occurred.
      The Office of Civil Rights (OCR) changes in the final rule create almost a presumption of a "breach," which will seemingly make it more likely that a business will be required to notify those individuals whose personal health information has been affected, HHS and possibly the media.
  11. Penalties for Your Non-Compliance
      CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

      Violation Category (Section 1176(a)(1))   | Each Violation          | All such violations of an identical provision in a calendar year
      (A) Did Not Know                          | $100 to Max $50,000     | $1,500,000
      (B) Reasonable Cause                      | $1,000 to Max $50,000   | $1,500,000
      (C)(i) Willful Neglect - Corrected        | $10,000 to Max $50,000  | $1,500,000
      (C)(ii) Willful Neglect - Not Corrected   | $50,000                 | $1,500,000
  12. HITRUST* now has several of its members that will require business associates to follow the framework and document compliance with it.
      *The Health Information Trust Alliance, or HITRUST, in collaboration with healthcare, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. The most widely adopted security control framework in the U.S. healthcare industry, the CSF includes a prescriptive set of controls and supporting requirements that clearly define how organizations meet the objectives of the framework.
  13. Are you a "Business Associate"?
      Illustration of the types of firms that are now considered "Business Associates":
      • IT Support and Software Vendors
      • IT Equipment Vendors
      • Leasing firms
      • Telephone CPE Vendors
      • Shredding Vendors
      • Data Centers
      • Cloud Computing Providers
      • Answering Services for Medical Offices
      • Medical Billing Services
      • Medical Transcription Services
      • Medical Collection Agencies
      • Temporary Employment Agencies
  14. Questions
      A.J. (Andy) Weitzberg, President, HIPAA Continuity Planners
      Email: AJ@HIPAACP.COM
      1.800.654.2041 Toll Free
      1.631.654.4001 Office
      1.516.641.4001 Mobile
  15. Free Demo and 60 Day Evaluation: www.compliancy-group.com
      HIPAA Hotline: 855.85HIPAA (855.854.4722)
      HIPAA Compliance, HITECH Attestation, Omnibus Rule Ready, Meaningful Use core measure 15