HIPAA Update: New Rules, New Challenges

Jill Moore, April 2013

Presentation Transcript
Business Associates
  • A person or entity that creates, receives, transmits, or maintains PHI in the course of providing business or administrative functions for a covered entity
    • Includes HIOs, HIEs, PHR vendors who work on behalf of covered entity
    • May include researchers in some circumstances (not automatic – analyze the particular situation)
Business Associates
  • Changes to BA responsibilities
    • Now directly responsible for HIPAA compliance and directly liable for violations
    • Must identify their own BAs (subcontractors) and enter BA agreements with them to assure “downstream” compliance
Business Associates
  • Review your business relationships to identify BAs or BA-like relationships within your entity
  • Review hybrid entity designation to ensure those acting in BA-like capacity are part of covered component
  • Execute or update BA agreements

You may need to dust off your HIPAA jargon dictionary.

Breach Notification
  • Must notify individuals of security breaches.
  • Unauthorized access or disclosure is presumed to be a breach unless:
    • A specific exception in the rule applies, or
    • A risk analysis shows a low probability that PHI was compromised, or
    • You’re in a “safe harbor” as defined by the rule.
Breach?
  • Specific exceptions
    • PHI could not reasonably be retained
    • PHI access is unintentional and by a workforce member or business associate acting in good faith
    • Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI
  • Risk analysis factors
    • Nature and extent of PHI, including types of identifiers & likelihood of re-identification
    • Unauthorized person who received disclosure or used PHI
    • Whether PHI was actually acquired and viewed
    • Extent to which any risk to PHI has been mitigated
Safe Harbor
  • Don’t have to notify if:
    • PHI was encrypted, or
    • PHI was disposed of in keeping with HHS guidance on secure disposal
Breach Notification
  • Review and update breach notification procedures to reflect new risk analysis.
  • Follow procedures developed under old rule until September 23, then you must follow new rule.
Individual Rights
  • Restrictions on disclosures
  • Access to electronic PHI
  • Notice of Privacy Practices
  • Other changes affecting decedents’ records, immunization records for schools, a couple of other things
Restrictions on disclosures
  • Care paid out-of-pocket
    • Upon patient request, no disclosures of information to health plans (insurance) unless disclosure to health plan required by law
  • Does not limit disclosures to public health
  • Does not limit disclosures to other health care providers for treatment purposes
Access to electronic PHI
  • Individuals have a right of access to their own PHI.
  • If patient requests PHI in electronic form, must provide it if you already maintain the information electronically and the form requested is “readily producible.” If not readily producible, must reach agreement with individual on alternative form.
  • Take a close look at the issue of providing PHI by email.
Notice of Privacy Practices
  • Must be revised to reflect rule changes, including:
    • Covered entity’s legal duty to give notice of breaches.
    • Right to request restriction of disclosure to health plans for care paid in full out-of-pocket.
  • Revised Notice must be disseminated:
    • To new clients, in accordance with current policies
    • To existing clients on request
    • Via website, if you have one
Individual Rights
  • Develop a policy about requests for restrictions on disclosure for care paid for in full out-of-pocket.
  • Review and if necessary update policies about individual access to PHI to address electronic access and the use of email to deliver PHI.
  • Revise Notice of Privacy Practices and disseminate.
Enforcement
  • New: HHS must investigate violations if a preliminary review of the facts suggests “willful neglect” by the covered entity or BA.

Practice tip!!

In an investigation, expect HHS to request copies of your policies. You will want them to be readily accessible and up-to-date.

Checklist
  • Review business relationships and update hybrid entity designation and business associate agreements.
  • Update breach notification policies and procedures.
  • Update policies re individual access.
  • Update notice of privacy practices and disseminate.
  • Review other policies (training, workforce, etc.) and update if needed.
  • Compliance date:
    • September 23, 2013 for most matters
    • September 22, 2014 for some existing BA agreements