
HIPAA Update: New Rules, New Challenges






Presentation Transcript


  1. HIPAA Update: New Rules, New Challenges Jill Moore April 2013

  2. New Rules

  3. Business Associates
     • A person or entity that creates, receives, transmits, or maintains PHI in the course of providing business or administrative functions for a covered entity
     • Includes HIOs, HIEs, PHR vendors who work on behalf of covered entity
     • May include researchers in some circumstances (not automatic – analyze the particular situation)

  4. Business Associates
     • Changes to BA responsibilities
       • Now directly responsible for HIPAA compliance and directly liable for violations
       • Must identify their own BAs (subcontractors) and enter BA agreements with them to assure “downstream” compliance

  5. Business Associates
     • Review your business relationships to identify BAs or BA-like relationships within your entity
     • Review hybrid entity designation to ensure those acting in BA-like capacity are part of covered component
     • Execute or update BA agreements
     You may need to dust off your HIPAA jargon dictionary.

  6. Breach Notification
     • Must notify individuals of security breaches.
     • Unauthorized access or disclosure is presumed to be a breach unless:
       • A specific exception in the rule applies, or
       • A risk analysis shows a low probability that PHI was compromised, or
       • You’re in a “safe harbor” as defined by the rule.

  7. Breach?
     Specific exceptions:
     • PHI could not reasonably be retained
     • PHI access is unintentional and by a workforce member or business associate acting in good faith
     • Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI
     Risk analysis factors:
     • Nature and extent of PHI, including types of identifiers & likelihood of re-identification
     • Unauthorized person who received disclosure or used PHI
     • Whether PHI was actually acquired and viewed
     • Extent to which any risk to PHI has been mitigated

  8. Safe Harbor
     • Don’t have to notify if:
       • PHI was encrypted, or
       • PHI was disposed in keeping with HHS guidance on secure disposal

  9. Breach Notification
     • Review and update breach notification procedures to reflect new risk analysis.
     • Follow procedures developed under old rule until September 23, then you must follow new rule.

  10. Individual Rights
     • Restrictions on disclosures
     • Access to electronic PHI
     • Notice of Privacy Practices
     • Other changes affecting decedents’ records, immunization records for schools, a couple of other things

  11. Restrictions on disclosures
     • Care paid out-of-pocket
     • Upon patient request, no disclosures of information to health plans (insurance) unless disclosure to health plan required by law
     • Does not limit disclosures to public health
     • Does not limit disclosures to other health care providers for treatment purposes

  12. Access to electronic PHI
     • Individuals have a right of access to their own PHI.
     • If patient requests PHI in electronic form, must provide it if you already maintain the information electronically and the form requested is “readily producible.” If not readily producible, must reach agreement with individual on alternative form.
     • Take a close look at the issue of providing PHI by email.

  13. Notice of Privacy Practices
     • Must be revised to reflect rule changes, including:
       • Covered entity’s legal duty to give notice of breaches.
       • Right to request restriction of disclosure to health plans for care paid in full out-of-pocket.
     • Revised Notice must be disseminated:
       • To new clients, in accordance with current policies
       • To existing clients on request
       • Via website, if you have one

  14. Individual Rights
     • Develop a policy about requests for restrictions on disclosure for care paid for in full out-of-pocket.
     • Review and if necessary update policies about individual access to PHI to address electronic access and the use of email to deliver PHI.
     • Revise Notice of Privacy Practices and disseminate.

  15. Enforcement
     • New: HHS must investigate violations if a preliminary review of the facts suggests “willful neglect” by the covered entity or BA.
     Practice tip!! In an investigation, expect HHS to request copies of your policies. You will want them to be readily accessible and up-to-date.

  16. Checklist
     • Review business relationships and update hybrid entity designation and business associate agreements.
     • Update breach notification policies and procedures.
     • Update policies re individual access.
     • Update notice of privacy practices and disseminate.
     • Review other policies (training, workforce, etc.) and update if needed.
     • Compliance date:
       • September 23, 2013 for most matters
       • September 22, 2014 for some existing BA agreements
