HIPAA Privacy and Security 03192014


Published in: Health & Medicine

  1. HIPAA Privacy and Security
     Presented by: Michele Madison, Partner, Healthcare & Healthcare IT Practices, Morris, Manning & Martin, LLP
     mmadison@mmmlaw.com, Direct: 404-504-7621
  2. Privacy and Security
  3. HIPAA Omnibus Rule Purpose
     The Final Rule addresses four proposed rules published in 2009 and 2010.
     1. Strengthen the HIPAA Privacy and Security requirements mandated by HITECH (Proposed Rule, July 2010)
        • Strengthen restrictions on marketing and fundraising activities
        • Enhance patient rights on access and on restricting disclosures to health plans
        • Modify the Notice of Privacy Practices
        • Modify the authorization process
        • Expand direct enforcement of HIPAA requirements and penalties to business associates
  4. HIPAA Omnibus Rule Purposes (continued)
     2. Adopt changes to the Enforcement Rule (Proposed Rule, October 2009)
        • New tiered civil monetary penalty standards
        • Increased monetary penalties
     3. Modify the Breach Notification Rule for unsecured protected health information by replacing the rule's "harm" threshold with a more objective standard (Proposed Rule, August 2009, now supplanted)
     4. Modify HIPAA to conform with the Genetic Information Nondiscrimination Act (GINA)
  5. Important Dates and Laws
     1. HIPAA: Privacy Rule effective April 14, 2003; Security Rule effective April 20, 2005
     2. HITECH signed February 17, 2009
        • Interim Final Rule on Breach of Unsecured PHI: published August 24, 2009, effective September 23, 2009
        • Interim Final Rule on Civil Monetary Penalties: published October 30, 2009, effective November 30, 2009
        • Proposed Rule published July 14, 2010
     3. GINA (2008): Proposed Rule to address HIPAA published October 7, 2009
  6. Effective Dates
     Final Rule provisions:
     • Final Rule effective March 26, 2013
     • Compliance deadline September 23, 2013 (for Privacy and Security)
     • Business associates: flexible compliance date standards
     • Transition provisions permit time to update documents and practices to establish compliance
  7. Security Risk Assessment
     • Ensure the full risk assessment has been completed, covering all three categories of Security Rule safeguards:
        - Administrative
        - Physical
        - Technical
     • A completed security risk assessment is also one of the Meaningful Use requirements
  8. Security Breach Notification
     • Old standard: notification was required where there was a "significant risk of financial, reputational, or other harm to the individual". The burden was on the CE or BA to show there was no significant risk.
     • New standard: subject to certain existing exceptions, any access, use or disclosure of unsecured PHI in violation of the Privacy Rule is presumed to be a breach unless the CE or BA demonstrates a low probability that the PHI has been compromised, based on a risk assessment involving at least the following factors:
        – The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
        – The unauthorized person who used the PHI or to whom the disclosure was made
        – Whether the PHI was actually acquired or viewed
        – The extent to which the risk to the PHI has been mitigated
     • The rule also eliminates the exception for limited data sets that do not contain dates of birth or zip codes.
     • Note that the presumption applies only to "unsecured" PHI, i.e. PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons under the HHS guidance (encryption or destruction). Properly encrypted PHI whose key has not also been compromised falls outside the notification requirement, which is why the Security Rule risk assessment and encryption decisions matter to breach exposure.
  9. Common Violations
     Of the roughly 90,000 complaints investigated, the most frequent issues, compiled cumulatively and in order of frequency, are:
     • Impermissible uses and disclosures of protected health information
     • Lack of safeguards of protected health information
     • Lack of patient access to their protected health information
     • Uses or disclosures of more than the minimum necessary protected health information
     • Lack of administrative safeguards of electronic protected health information
  10. Most Common Violators
      The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
      • Private practices
      • General hospitals
      • Outpatient facilities
      • Health plans (group health plans and health insurance issuers)
      • Pharmacies
  11. Enforcement Activities
      • Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts (APDerm): settled potential violations of the HIPAA Privacy and Security Rules for $150,000
      • Affinity Health Plan, Inc.: settled potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $1,215,780
      • WellPoint Inc.: agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential violations of the HIPAA Privacy and Security Rules
  12. Major Steps to Take Now
      • Evaluate BA and subcontractor status
      • Evaluate BA and subcontractor agreements for compliance and amend as appropriate
      • Evaluate whether BAs and subcontractors are federal common law agents
      • Review Security Rule compliance
      • Implement BA policies and procedures as appropriate, for example minimum necessary
      • Amend security breach policies and procedures appropriately
      • Ensure the Security Risk Assessment and policies are completed and in effect
  13. Questions
      Michele Madison, Partner, Morris, Manning & Martin, LLP, Healthcare & Healthcare IT Practices
      mmadison@mmmlaw.com, Direct: 404-504-7621