
Regzilla- An Introduction to HIPAA’s Mega Rule

Regzilla- An Introduction to HIPAA’s Mega Rule. Jo Ellen Whitney Davis Brown Law Firm. REGZILLA. HIPAA/HITECH Omnibus Rule was issued on January 25, 2013. Dates to be aware of: March 26, 2013-Compliance date. September 23, 2013-Enforcement. BA-last chance September 22, 2014.


Presentation Transcript


  1. Regzilla- An Introduction to HIPAA’s Mega Rule Jo Ellen Whitney Davis Brown Law Firm

  2. REGZILLA HIPAA/HITECH Omnibus Rule was issued on January 25, 2013. Dates to be aware of: March 26, 2013-Compliance date. September 23, 2013-Enforcement. BA-last chance September 22, 2014.

  3. LIKE ANY GOOD HORROR MOVIE DON’T HIKE IN HIGH HEELS DON’T HITCH A RIDE WITH THE CRAZY GUY DON’T GO INTO THE CELLAR WITH THE FAULTY LIGHT BULB. DON’T IGNORE YOUR OWN RULES AND COMMON SENSE.

  4. OR IF YOU WANT TO FOLLOW THE GODZILLA THEME STAY OUT OF NEW YORK JAPAN CALIFORNIA

  5. THINGS YOU WILL NEED • NEW BAA • NEW NPP • NEW BREACH ASSESSMENTS/REPORTING POLICIES • A LONG TALK WITH MARKETING AND NEW POLICIES • TRAINING FOR STAFF • PATIENCE

  6. WHAT IT DIDN’T DO NO RULES ISSUED FOR LOGGING TPO DISCLOSURES.

  7. HITECH, LOW TECH, NO TECH-IT’S PEOPLE THAT CAUSE THE PROBLEM Recent questions answered: Nurse tells the mother of a patient, “Oh, aren’t you glad to be a grandma again?” Another nurse sees the patient out with her older child and says, “How do you like your new sister?” ONLY PROBLEM: NO ONE ELSE WAS AWARE OF THE PREGNANCY, AND THE CHILD WAS INTENDED FOR ADOPTION.

  8. NEW KEY LEGAL TERMS MENS REA-State of mind: what did you know, what was your intent, what were you thinking? CONSTRUCTIVE KNOWLEDGE-Did you know, or should you have known, that something was a breach? NOTE: each of these terms places a significant emphasis on being aware of what is going on in your facility and heading off problems before they become significant issues. Also note reasonable cause, reasonable diligence and willful neglect; see 160.404.

  9. WHAT YOUR EMPLOYEES KNOW, YOU ARE SUPPOSED TO KNOW REMEMBER THAT THE STANDARD REMAINS THAT “ANY PERSON, OTHER THAN THE INDIVIDUAL COMMITTING THE BREACH, WHO IS AN EMPLOYEE OR AGENT OF THE ENTITY IS AWARE OF THE BREACH,” THAT MEANS THE ENTITY IS AWARE OF THE BREACH.

  10. CHANGES There are a number of significant changes to the Rule which can be broken down in various ways:

  11. SECTION 160.102 Makes HIPAA provisions, particularly security and reporting provisions, applicable to Business Associates.

  12. YOU SAY TOMATO, I SAY TOMAHTO • Who exactly is a Business Associate? • A Business Associate is a person or entity who performs work on behalf of the covered entity and is not a member of its workforce. Such work or services must involve the use or disclosure of PHI.

  13. ORGANIZATIONS COVERED Section 164.105- This section discusses the organizations covered by HIPAA/HITECH including hybrid entities. These sections scoop in hybrid and other entities, including things such as the IHIN.

  14. I COULD ACCESS BUT I DON’T REALLY WANT TO Conduits are not considered to be Business Associates. Conduit is a very limited category, including such things as the US Postal Service, Fed Ex, or anyone handling temporary storage of transmitted data which is incident to transmission. If you store the electronic data, you are a Business Associate; if the data passes through and you have no way to access it, store it or otherwise utilize the data, you are a conduit.

  15. SUBCONTRACTORS Subcontractors are also liable under the rules and will need contracts which represent these increased security and privacy obligations.

  16. NOTE: 164.308 Section 164.308(8)(b)(1) states: “A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.”

  17. DON’T FORGET Non-BAs may have access to information. Contracts with non-BAs should also specify security protocols and indemnification.

  18. Business Associate 164.504(E)(1)(ii) A covered entity is not in compliance with the standards set in Section 164.504(E) and this paragraph, if the covered entity knew of a pattern of activity or practice of the Business Associate that constituted a material breach or violation of the Business Associate’s obligation under the Contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable and, if such steps were unsuccessful.

  19. Terminate the Contract or arrangement if feasible, removing the requirement that the secretary be notified if termination is not feasible.

  20. J(iii) - requires that a Business Associate authorize termination of the Contract by the covered entity, if the covered entity determines that the Business Associate has violated a material term of the Contract.

  21. WHAT DO YOU NEED? • NEW BAA • EVALUATION OF BAA AS NECESSARY, INCLUDING AUDIT

  22. SECTION 164.314 See WWW.HHS.GOV/OCR for proposed contractual language.

  23. SECTION 164.508 Changes regarding marketing have occurred pursuant to 164.508. If you have or will receive financial payment or in kind payment, patient authorization must be received for use of PHI.

  24. MARKETING 101 To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

  25. IF YOU ARE GETTING PAID IF YOU ARE GETTING PAID TO DO IT, IT IS PROBABLY MARKETING.

  26. WHAT IS NOT MARKETING • REFILL REMINDERS • UNLESS THE PHARMACEUTICAL COMPANY PAYS YOU MORE TO SEND THE REMINDERS THAN IT COSTS YOU TO SEND THEM • FOR TREATMENT, CASE MANAGEMENT, CARE COORDINATION • TO RECOMMEND ALTERNATIVE TREATMENTS, THERAPIES AND PROVIDERS • TO DESCRIBE A HEALTH RELATED PRODUCT OR SERVICE (HEALTH PLAN) • UNLESS YOU GET PAID TO DO IT IN A DIRECT OR INDIRECT WAY

  27. SECTION 164.514(F)(1) Marketing-(Foundations) Business Associate/Institutionally related foundation may use: a) Demographic information (name, address, contact information, age, gender, date of birth); b) Dates of healthcare provided; c) Department of Service information; d) Treating physician; e) Outcome information; and f) Health insurance status.

  28. NOTE: This does not apply in a circumstance where you are receiving payment from a third-party for any marketing efforts.

  29. FUNDRAISING Fundraising must be listed in your Notice of Privacy Practices. With each fundraising communication you must provide the individual with an easy opt out.

  30. “CONDITION” You must not condition treatment or payment on fundraising activities. You may not ignore the “opt-out” although you may provide an “opt-back-in” process. “Opt-out” includes phone calls.

  31. AUTHORIZATION WHERE AUTHORIZATION IS NOT REQUIRED UNLESS THERE IS AN EXCEPTION (opt out) • Directory • To clergy • To persons who ask for the individual by name

  32. WHEN IS AUTHORIZATION NOT REQUIRED? • For public health purposes • For research purposes (must be a reasonable cost-based fee) • For treatment and payment purposes • For the sale, merger, transfer and consolidation, as part of due diligence • When a BAA is paid to provide services • Payment for providing the records on a cost basis, such as in a response to a subpoena • As required by law under 164.512(A) • For other purposes permitted in accordance with law

  33. NOTE: Any authorization must clearly state that the facility will receive payment for the PHI if in fact the facility will receive payment of any type. Appropriate authorizations received prior to September 23, 2013 will be grandfathered in under this Rule.

  34. THE HURRICANE EXCEPTION IN CASE OF AN EMERGENCY IF CONSISTENT WITH PRIOR EXPRESSED PREFERENCE OF THE INDIVIDUAL AND IN THE INDIVIDUAL’S BEST INTEREST.

  35. SECTION 164.502 PHI of deceased individuals is protected for up to fifty (50) years following the individual’s death. Then the protection lapses.

  36. NOTE This does not mean you have to keep records for 50 years. Continue to plan for destruction not retention. Some states may have laws that extend this time period. Many states’ statutes are silent on this issue.

  37. SECTION 164.510 Allows a covered entity to disclose information to “family” members or others who are involved in care regarding the circumstances of the resident/patient’s death unless this has been prohibited by the resident/patient’s prior expressly stated wishes.

  38. PRIVACY OF TREATMENT Section 164.522, if an individual requests privacy regarding certain treatment and pays for that treatment out-of-pocket, you must respect that request and may not provide that information even to the insurer.

  39. GINA Regzilla again restates that genetic information is a type of health information and prohibits health plans, other than long-term care plans from utilizing such information for underwriting and similar purposes. This section of the regulation primarily relates to the utilization of genetic information by the insurance industry and does not provide significant direction or issues relating to healthcare providers.

  40. FAQs Frequently asked questions: How can I win the lottery and retire? If the record is lost internally and we simply can’t find it, is it a breach? What do we do about a BAA with an evergreen clause?

  41. INTERESTING CASES Lisnoff v. Stein, US District Court of RI, Patient discovers a book, “The Addict: One Patient, One Doctor, One Year.” The Court allows suit to go forward pursuant to the right to be secure from unreasonable publicity and unreasonable intrusion under Rhode Island law.

  42. KAISER PERMANENTE Kaiser Permanente under investigation for using a local family as their storage facility. Items were stored in the family’s home and garage, including more than 300,000 confidential records. Los Angeles City Times

  43. JACKSON HEALTH SYSTEM North Miami Beach: Loverson Gelmine volunteered at Jackson Memorial North and stole more than 556 patient records by photographing their paper records using a cell phone camera. The thief was discovered in a local McDonald’s parking lot, attempting to use the restaurant’s Wi-Fi to file fraudulent tax returns. Jackson has now banned smart phones in patient areas.

  44. THE STANDARDS HAVE CHANGED BREACH

  45. BREACH Major changes have occurred in how a breach is identified. The prior rule stated that a breach occurred when there was reputational or other specific harm, including potential identity theft.

  46. NEW STANDARD Breach now means an assessment of • The nature and extent of the PHI involved, including identifiers and likelihood of re-identification; • Who may have had access to the PHI or to whom disclosure was made; • Was the PHI actually acquired or viewed; and • To what extent has the risk of disclosure been mitigated.

  47. GUILTY UNTIL PROVEN INNOCENT - BURDEN OF PROOF The burden of proof has shifted from showing that something such as identity theft was not likely, to a heavier burden of proof on the entity to show that the information was not in fact compromised.

  48. BREACH GUIDANCE OCR has indicated that it will issue guidance on the new breach standards but we may not see it before September 23, 2013, the official enforcement date.

  49. NOTIFICATIONS There were no significant changes to the notification sections. NOTE: You must notify no later than 60 days, and 60 days is an outside limit; notify as soon as reasonably possible.

  50. ALWAYS A CONCERN You also have to show mitigating and proactive changes to avoid future breaches.
