
2013 HIPAA Omnibus Modifications

2013 HIPAA Omnibus Modifications. Patti Kritzberger, RHIT, CHPS, CPHP North Dakota Health Care Review May 1, 2014. Omnibus Composition. HITECH Privacy & Security Business Associates Marketing & Fundraising Sale of PHI Right to Request Restrictions Electronic Access


Presentation Transcript


  1. 2013 HIPAA Omnibus Modifications – Patti Kritzberger, RHIT, CHPS, CPHP, North Dakota Health Care Review, May 1, 2014

  2. Omnibus Composition
     • HITECH Privacy & Security
     • Business Associates
     • Marketing & Fundraising
     • Sale of PHI
     • Right to Request Restrictions
     • Electronic Access
     • HITECH Breach Notification
     • HITECH Enforcement
     • GINA Privacy
     • Other Non-Statutory Modifications
     • Research
     • Notice of Privacy Practices
     • Decedents
     • Student Immunizations

  3. Important Omnibus Dates
     • January 25, 2013 – Part II, 45 CFR Parts 160 and 164 published in the Federal Register
     • March 26, 2013 – Effective Date
     • September 23, 2013 – Compliance Date
     • September 24, 2014 – End of Transition Period for BA Contracts
     • Most interim rules are now final rules except: 1) Accounting for Disclosures/Access Reports; 2) Minimum Necessary Guidance; and 3) Distribution of penalties & settlements to harmed individuals

  4. Key Modifications of Omnibus
     • Implementation of the HITECH changes issued in the proposed rule of 2010
     • Business Associates – directly liable for compliance with certain HIPAA Privacy & Security provisions
     • Strengthens limitations on use and disclosure of PHI – marketing & fundraising
     • Prohibits sale of PHI without authorization
     • Expands patients' rights to receive electronic copies of health information
     • Restricts disclosures of information to a health plan for treatment if the patient has paid out of pocket
     • Modify and redistribute Notice of Privacy Practices
     • Modify individual authorization & other requirements to facilitate research, disclosure of child immunizations & enable access to decedent information

  5. Business Associate Definition – OLD RULE The old HIPAA Rule defined “business associate” to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information.

  6. Business Associate Definition – NEW RULE The final rule adopts language that expressly designates as business associates: (1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.

  7. Business Associates – Subcontractors In the new rule, a business associate includes a “subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.” “Subcontractor” is clarified as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such a business associate.”

  8. Conduit Exception
     • Exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission
     • Intention – to exclude only those entities providing a mere courier service, such as the USPS, Federal Express, and their electronic equivalents

  9. Marketing
     • Omnibus Rule Definition: “a communication about a product or service that encourages recipients to purchase or use the product or service.”
     • If the covered entity is receiving financial remuneration over and above labor, supplies and postage costs from a third party to make these communications, the covered entity must obtain an authorization

  10. Fundraising
     • PHI can be used in these new categories of fundraising:
       • Department of Service
       • Treating Physician
       • Outcome Information
       • Health Insurance Status
     • The ability to opt out must be clearly defined and must not cause undue burden or affect treatment or payment
     • If the patient opts out – NO fundraising communications can be made to the patient

  11. Sale of PHI
     • Covered entities cannot receive remuneration in exchange for PHI, even where disclosure is permitted, unless authorized by the individual
     • If an authorization is obtained it must specifically state that remuneration will result from the disclosure

  12. Sale of PHI Exceptions
     No Limits Defined
     • Treatment and Payment
     • Public Health
     • Sale of Covered Entity
     • Business Associate-Related Services
     • Disclosures Required by Law
     Limits Defined
     • Research
     • Access to PHI and accounting of disclosures
     • Other permitted disclosure – reasonable and cost-based fees to prepare and transmit PHI

  13. Right to Request a Restriction of Uses and Disclosures
     Old Rule: Individuals could request that a covered entity restrict uses or disclosures of their PHI, but covered entities were not required to agree to the restriction.
     New Rule: If an individual requests to restrict disclosure to a health plan for the purpose of payment or health care operations, and the restriction applies to PHI that pertains to a health care item or service for which the individual has paid in full out of pocket, the covered entity must agree unless the disclosure is required by law.

  14. Access to Electronic Health Records
     • If PHI is electronic, an individual can request a copy and the covered entity must provide access in the requested electronic format if readily producible
     • If not readily producible, the individual and covered entity must agree on a readable electronic format

  15. Access to Electronic Health Records, cont.
     • If requested, the covered entity must transmit ePHI to the individual's designee
       • Request must be in writing & signed
       • Clearly identify the designee and where to send
     • Covered entity does not have to purchase new software to comply with this but must have the capability to provide some form of electronic copy
     • If an individual declines to accept an alternate electronic format to the one requested, the covered entity can default to a paper copy
     • Covered entity is not required to accept a personal device from the individual but can't require them to purchase a device from the covered entity

  16. Access to Electronic Health Records, cont.
     • Charging: covered entity can charge for
       • Labor for copying (reviewing request & producing copy)
       • Cost of electronic media (CD, USB, etc.)
     • Timeframe to act on Request: covered entity has 30 days (with one 30-day extension) to act on the request

  17. Breach Definition
     • New Definition (removes the risk-of-harm standard): “Impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, can demonstrate low probability that the PHI has been compromised,” based on a risk assessment of:
       • Nature and extent of PHI involved (types & likelihood of re-identification)
       • Who received/accessed the information
       • Potential that PHI was actually acquired, viewed or disclosed
       • Extent to which risk to the data (PHI) has been mitigated

  18. Breach Notification
     • The other provisions of the 2009 Interim Final Rule are made permanent, including:
       • Notification timeline (starts at date of discovery)
       • Content & methods of notification
       • Notification by Business Associate
       • Minor modification regarding notice to the Secretary of smaller breaches – to occur within 60 days of the end of the calendar year in which the breach was discovered
       • Documentation and burden of proof

  19. Potential Breaches
     • One employee inappropriately accessing another employee's chart
     • Employee inappropriately accessing family members' or friends' charts
     • Information sent, faxed or emailed to the wrong address/fax number/email address
     • Inappropriate access to a high-profile individual's information (celebrity, etc.)
     • Posting information on social media that contains specific information that can be linked to a patient

  20. Enforcement of Rules - OCR

  21. Five Fine-Determining Factors
     • Nature & extent of the violation – including number of people involved & the time of the breach
     • Nature & extent of harm resulting from the violation – physical, financial, reputational
     • History of prior compliance with administrative simplification provisions, including violations by CE/BA
     • Financial condition of CE/BA
     • Other matters as justice may require

  22. GINA Act
     • Health plans impacted – not other covered entities
     • Clarifies that genetic information is health information
     • Health plans other than long-term care (LTC) plans may not use or disclose genetic information for underwriting purposes

  23. Notice of Privacy Practices
     • New notices were to be out 9/23/13
     • Must add information regarding:
       • Sale of PHI
       • Duty to notify affected individuals of a breach of unsecured PHI
       • Right to opt out of fundraising (if applicable)
       • Right to restrict disclosures of PHI when the product or service was paid in full out of pocket
       • Limit on use of genetic information (certain health plans)

  24. Decedents
     • 50 years after death, the PHI of a deceased patient is no longer considered protected health information
     • If not contrary to any prior expressed preference, a covered entity may disclose PHI to person(s) involved in the decedent's care or payment

  25. Student Immunizations
     • Under the new rule, covered entities no longer have to have an authorization to release immunization information to schools if:
       • State or other law requires the school to have the immunization record prior to admitting the student
       • The covered entity has received written or oral authorization (oral authorization must be documented)

  26. References and Resources
     • www.hipaasurvivalguide.com
     • www.himss.org
     • www.ahima.org
     • Webinar – Laura Rosas – ONC Office of the Chief Privacy Officer
     • Webinar – Danika Brinda – REACH/College of St. Scholastica
     • The HIPAA Omnibus Rule, A Compliance Guide for CEs and BAs – Kate Borten, CISSP, CISM
     • Optum – 2014 HIPAA Tool Kit
     • Regional Extension Assistance Center for Health Information Technology (REACH) – http://www.khaREACH.org

  27. North Dakota Health Care Review, Inc. – Improving health and healthcare for the people of North Dakota. Patti Kritzberger, RHIT, CHPS, CPHP, pkritzberger@ndhcri.org, 3520 North Broadway, Minot, ND 58703, 701-500-7216, www.ndhcri.org
