SlideShare a Scribd company logo

HIPAA Compliance Date Is Approaching

Download as PPTX, PDF
R
RobPattersonBuffaloNY

The document outlines critical information regarding HIPAA compliance deadlines and requirements for healthcare providers, emphasizing the protection of patient privacy and secured handling of protected health information (PHI). It details the consequences of non-compliance, including increased penalties, breach notification protocols, and obligations related to business associates. Providers are urged to assess their compliance strategies, update necessary documents, and ensure compliance with recent rule changes before the approaching final compliance date.

Healthcare
Related topics:
Health Care
1 of 16
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Final HIPAA Compliance Date For Providers Is Fast Approaching Robert W. Patterson Lauren A. Fish Jaeckle Fleischmann & Mugel, LLP Avant Building – Suite 900 200 Delaware Avenue Buffalo, NY 14202-2107 Tel: 716.856.0600September 7, 2013
HIPAA Privacy and Security in a Nutshell Covered entities (CEs) (health care providers, health plans & “clearinghouses”) must:  protect privacy and security of protected health information (PHI)  provide access to PHI to individuals  include protective provisions in contracts with business associates (BAs) 2
A Quick History Lesson 1996 HIPAA enacted 2000-02 First HIPAA final rules 2003 Effective date of first HIPPA rules 2009 HITECH (part of ARRA) 2009-12 Proposed HITECH rules Jan. 2013 “Omnibus final rule” eff. 3/2013 9/23/2013 Final compliance date 3
Enforcement and Penalties  Increased monetary penalties  “Tiers” with mandatory minimum/maximum penalties based on culpability  Mandatory OCR investigation if preliminary investigation indicates possible violation  Mandatory penalty if willful neglect  Increased audit activity 4
Recent Settlements and Penalties  Affinity Health Plan - $1.2 million settlement  Prime Healthcare - $275,000  Mass. Eye and Ear - $1.5 million  Mass. Pathology Group - $140,000  Hospice of Northern Idaho - $50,000 and  Phoenix Cardiac Surgery - $100,000 5
Breach Notifications  General rule: CE must notify affected individuals and HHS of a breach of unsecured PHI  Original rule: Notice not required if no risk of harm to the individual  Omnibus rule: Breach is assumed if risk of compromise of PHI  Must perform risk analysis 6
Business Associates  Provides services that involve use or disclosure of PHI  Billing, utilization review, claims processing, etc.  Provider must have all BAs under contract  HITECH changes  Makes BAs directly subject to HIPAA  Downstream contractors are BAs (of the 1st BA)  Change to BA definition (HIEs, HIOs) 7
Business Associates (continued)  BA changes increase provider’s duties  BA must notify HHS of breach, etc.  Provider must ensure that 1st BA is complying  “Chain of trust” includes downstream vendors  Provider due diligence  BA Privacy & Security Questionnaires  Examine all vendor relationships to see to BA relationship exists 8
Marketing  Pre-2013 — Promotions could be sent to patients as long as considered “treatment”  Omnibus rule — Need patient authorization for paid promotional communications  Exceptions  Refill reminders (if remuneration is reasonable)  Face to face communications  NPP must state that patient authorization is required for disclosures of PHI for marketing 9
Fundraising  Patient right to opt out  “800” number not required (but encouraged)  Broader range of info can be used  Outcome info, specific physician or dept.  Can’t condition treatment on authorization  NPP must inform patients that they may be contacted for fundraising purposes and right to opt out 10
Notice of Privacy Practices (NPP)  Every provider and CE must have an NPP and make it available to patients  New requirements under HITECH and omnibus rule  Marketing communications and “sale” uses and need for authorization  Fundraising and opt-out rights  Right to restrict re “self-pay” services  Right to be notified of a breach 11
12 Other Changes in Omnibus Rule  Patient right to restrict disclosure of “self-pay” services  May need “flags” or holds in billing system  Patients can request other restrictions but not mandatory as this  Patient access to PHI in electronic form  E.g. MS Word/Excel document or .pdf  Note 30 day (+ one 30 day extension) deadline
Other Changes in Omnibus Rule (continued)  Written authorization to disclose proof of immunization to a school no longer required  Oral authorization permitted, but must be documented  Family member access to deceased patient’s PHI  If involved in care or treatment  Unless patient restricted before death  Confirms that copier, fax, etc. info can be PHI that must be appropriately secured, including when traded in, sold or disposed of. 13
What Providers Should Do  Assessment of HIPAA compliance policies and procedures  Mobile devices, cloud computing  Disposal of equipment  Evaluation of BAs and Subcontractors  Assess BA relationships  Modify BA agreements 14
What Providers Should Do (continued)  Update and post NPP  Mobile devices, cloud computing  Disposal of equipment  Evaluation of potential “marketing” or “sale of PHI” arrangements  Be aware of New York rules 15
Final HIPAA Compliance Date For Providers Is Fast Approaching Robert W. Patterson Lauren A. Fish Jaeckle Fleischmann & Mugel, LLP Avant Building – Suite 900 200 Delaware Avenue Buffalo, NY 14202-2107 Tel: 716.856.0600September 7, 2013

More Related Content

PPTX
Hipaa
Sarah10201020
 
PPTX
HIPAA
ravelo1212
 
PPT
Joint Commission Inservice Hipaa
Ryan Furlough, BSCPE CPAS
 
PDF
Choosing Initial and Expansion States for Your Telehealth Practice – Essentia...
Epstein Becker Green
 
PDF
2010 New Guidelines Hipaa Checklist V1
GuardEra Access Solutions, Inc.
 
PDF
Application Developers Guide to HIPAA Compliance
TrueVault
 
PDF
HIPAA 101 for Startups
Obaa, Inc.
 
PPTX
The Startup Path to HIPAA Compliance
Jim Anfield
 
Hipaa
Sarah10201020
 
HIPAA
ravelo1212
 
Joint Commission Inservice Hipaa
Ryan Furlough, BSCPE CPAS
 
Choosing Initial and Expansion States for Your Telehealth Practice – Essentia...
Epstein Becker Green
 
2010 New Guidelines Hipaa Checklist V1
GuardEra Access Solutions, Inc.
 
Application Developers Guide to HIPAA Compliance
TrueVault
 
HIPAA 101 for Startups
Obaa, Inc.
 
The Startup Path to HIPAA Compliance
Jim Anfield
 

What's hot (19)

DOCX
HiPAA info
Rob Jones
 
PPTX
HIPAA - Understanding the Basics of Compliance
Jay Hodes
 
PPT
Hipaa101 updated
kkurapat
 
PDF
Align your compliance efforts with the 2014 oig strategy
complianceonline123
 
PPT
HIPAA
belziebub
 
PPTX
HIPAA Complaince
FarhatParveen10
 
PPT
E Healthcare Systems Hb Emr Prep Pp
hunterberney
 
PPTX
HIPAA Training: Preventing Employees from Violating HIPAA
jbhicks
 
PPTX
Assessing Your Hosting Environment for HIPAA Compliance
Hostway|HOSTING
 
PPT
HIPAA Omnibus Rule for Business Associates
Jose Ivan Delgado, Ph.D.
 
PPTX
Confidentiality and privacy
WIBYTH4977
 
PDF
HIPAA Compliance for Developers
TrueVault
 
PPTX
Hipaa slideshow
heronimus92
 
PDF
Personal Health Records & HIPAA
Margery Lynn
 
PPT
HIPAA Audio Presentation
Lisa Shannon, RN, BSN, JD.
 
PPT
Lisa Hancock, RN, MHA
Lisa Hancock
 
PPTX
HIPAA Training - 2011
darichardson
 
PDF
HIPAA 101- What all Doctors NEED to know
Compliancy Group
 
PPT
Sylvia hipaa powerpoint presentation 2010(2)
bholmes
 
HiPAA info
Rob Jones
 
HIPAA - Understanding the Basics of Compliance
Jay Hodes
 
Hipaa101 updated
kkurapat
 
Align your compliance efforts with the 2014 oig strategy
complianceonline123
 
HIPAA
belziebub
 
HIPAA Complaince
FarhatParveen10
 
E Healthcare Systems Hb Emr Prep Pp
hunterberney
 
HIPAA Training: Preventing Employees from Violating HIPAA
jbhicks
 
Assessing Your Hosting Environment for HIPAA Compliance
Hostway|HOSTING
 
HIPAA Omnibus Rule for Business Associates
Jose Ivan Delgado, Ph.D.
 
Confidentiality and privacy
WIBYTH4977
 
HIPAA Compliance for Developers
TrueVault
 
Hipaa slideshow
heronimus92
 
Personal Health Records & HIPAA
Margery Lynn
 
HIPAA Audio Presentation
Lisa Shannon, RN, BSN, JD.
 
Lisa Hancock, RN, MHA
Lisa Hancock
 
HIPAA Training - 2011
darichardson
 
HIPAA 101- What all Doctors NEED to know
Compliancy Group
 
Sylvia hipaa powerpoint presentation 2010(2)
bholmes
 
Ad

Similar to HIPAA Compliance Date Is Approaching (20)

PPTX
Hipaa privacy and security 03192014
Samantha Haas
 
PPTX
2013 06-21 HIPPA omnibus rule
DusaElraha
 
PPTX
Health Insurance and Portability and Accountability Act
সারন দাস
 
PDF
Hipaa journal com - HIPAA compliance guide
Felipe Prado
 
PPTX
Privacy, Confidentiality, and Security Lecture 2_slides
ZakCooper1
 
PPTX
Hipaa in clinical trails
Tejaswi Reddy
 
PDF
HIPAA Panel Discussion
Dan Wellisch
 
PDF
Welcome to HIPAA Training
Jonathan Montes
 
PPT
Brian Balow HIPAA Final Rule
mihinpr
 
PDF
Hipaa omnibus
wardell henley
 
ODP
PanoMed HIPAA Omnibus Compendium
Omar Vázquez
 
PPTX
Protecting patient privacy
dlemin919
 
PDF
The New HIPAA: Rules and Responsibilitues
complianceexpert
 
PPTX
HIPAA Course University of Iowa 2020.pptx
thedentallabinc
 
PPT
HIPAA Privacy & Security
National Pharmacy Technician Association
 
PPTX
What You Don’t Know About the HIPAA Security Rule
Cooperative of American Physicians, Inc.
 
PPTX
Hipaa for business associates simple
Jose Ivan Delgado, Ph.D.
 
PPTX
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
KloudLearn
 
PDF
HIPAA Compliance: What Medical Practices and Their Business Associates Need t...
Skoda Minotti
 
PDF
2024 HIPAA Compliance Training Guide to the Compliance Officers
Conference Panel
 
Hipaa privacy and security 03192014
Samantha Haas
 
2013 06-21 HIPPA omnibus rule
DusaElraha
 
Health Insurance and Portability and Accountability Act
সারন দাস
 
Hipaa journal com - HIPAA compliance guide
Felipe Prado
 
Privacy, Confidentiality, and Security Lecture 2_slides
ZakCooper1
 
Hipaa in clinical trails
Tejaswi Reddy
 
HIPAA Panel Discussion
Dan Wellisch
 
Welcome to HIPAA Training
Jonathan Montes
 
Brian Balow HIPAA Final Rule
mihinpr
 
Hipaa omnibus
wardell henley
 
PanoMed HIPAA Omnibus Compendium
Omar Vázquez
 
Protecting patient privacy
dlemin919
 
The New HIPAA: Rules and Responsibilitues
complianceexpert
 
HIPAA Course University of Iowa 2020.pptx
thedentallabinc
 
HIPAA Privacy & Security
National Pharmacy Technician Association
 
What You Don’t Know About the HIPAA Security Rule
Cooperative of American Physicians, Inc.
 
Hipaa for business associates simple
Jose Ivan Delgado, Ph.D.
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
KloudLearn
 
HIPAA Compliance: What Medical Practices and Their Business Associates Need t...
Skoda Minotti
 
2024 HIPAA Compliance Training Guide to the Compliance Officers
Conference Panel
 
Ad

Recently uploaded (20)

PDF
Myers’ Psychology for AP, 1st Edition David G. Myers Test Bank.pdf
solutionsmanual3
 
PPTX
AI_in_Pharmaceutical_Technology_Presentation.pptx
bharghav bhushan
 
PPTX
Galactosemia pathophysiology, clinical features, investigation and treatment ...
ssuser7f57ff
 
PPTX
different types of Gait in orthopaedic injuries
bhoomikagowda71
 
PPTX
Infection prevention and control for medical students
w2tz2qrqxd
 
PDF
Khaled Sary- Trailblazers of Transformation Middle East's 5 Most Inspiring Le...
insightscare
 
PPT
Parental-Carer-mental-illness-and-Potential-impact-on-Dependant-Children.ppt
IsabelMichelucciBran
 
PPT
Microscope is an instrument that makes an enlarged image of a small object, t...
LuckyMittal13
 
PPT
KULIAH UG WANITA Prof Endang 121110 (1).ppt
eddieSaputra4
 
PPTX
Current Treatment Of Heart Failure By Dr Masood Ahmed
adilseoexpert1
 
PPTX
PE and Health 7 Quarter 3 Lesson 1 Day 3,4 and 5.pptx
AnnaMae39
 
PDF
CHAPTER 9 MEETING SAFETY NEEDS FOR OLDER ADULTS.pdf
ANNIELOURRIECASABUEN1
 
PDF
2E-Learning-Together...PICS-PCISF con.pdf
AssessoriadaGernciaG
 
PPTX
First aid in common emergency conditions.pptx
cham2i1738
 
PPTX
PEDIATRIC OSCE, MBBS, by Dr. Sangit Chhantyal(IOM)..pptx
SangeetChhantyal
 
PPTX
3. Adherance Complianace.pptx pharmacy pci
SurajRawal10
 
PDF
Pharmacology slides archer and nclex quest
elianalujan
 
PPTX
NUTRITIONAL PROBLEMS, CHANGES NEEDED TO PREVENT MALNUTRITION
rpragatheeswari
 
PPTX
First Aid and Basic Life Support Training.pptx
polistadesiree
 
PPTX
Medical aspects of impairment including all the domains mentioned in ICF
muskaan650751
 
Myers’ Psychology for AP, 1st Edition David G. Myers Test Bank.pdf
solutionsmanual3
 
AI_in_Pharmaceutical_Technology_Presentation.pptx
bharghav bhushan
 
Galactosemia pathophysiology, clinical features, investigation and treatment ...
ssuser7f57ff
 
different types of Gait in orthopaedic injuries
bhoomikagowda71
 
Infection prevention and control for medical students
w2tz2qrqxd
 
Khaled Sary- Trailblazers of Transformation Middle East's 5 Most Inspiring Le...
insightscare
 
Parental-Carer-mental-illness-and-Potential-impact-on-Dependant-Children.ppt
IsabelMichelucciBran
 
Microscope is an instrument that makes an enlarged image of a small object, t...
LuckyMittal13
 
KULIAH UG WANITA Prof Endang 121110 (1).ppt
eddieSaputra4
 
Current Treatment Of Heart Failure By Dr Masood Ahmed
adilseoexpert1
 
PE and Health 7 Quarter 3 Lesson 1 Day 3,4 and 5.pptx
AnnaMae39
 
CHAPTER 9 MEETING SAFETY NEEDS FOR OLDER ADULTS.pdf
ANNIELOURRIECASABUEN1
 
2E-Learning-Together...PICS-PCISF con.pdf
AssessoriadaGernciaG
 
First aid in common emergency conditions.pptx
cham2i1738
 
PEDIATRIC OSCE, MBBS, by Dr. Sangit Chhantyal(IOM)..pptx
SangeetChhantyal
 
3. Adherance Complianace.pptx pharmacy pci
SurajRawal10
 
Pharmacology slides archer and nclex quest
elianalujan
 
NUTRITIONAL PROBLEMS, CHANGES NEEDED TO PREVENT MALNUTRITION
rpragatheeswari
 
First Aid and Basic Life Support Training.pptx
polistadesiree
 
Medical aspects of impairment including all the domains mentioned in ICF
muskaan650751
 

HIPAA Compliance Date Is Approaching

  • 1. Final HIPAA Compliance Date For Providers Is Fast Approaching Robert W. Patterson Lauren A. Fish Jaeckle Fleischmann & Mugel, LLP Avant Building – Suite 900 200 Delaware Avenue Buffalo, NY 14202-2107 Tel: 716.856.0600September 7, 2013
  • 2. HIPAA Privacy and Security in a Nutshell Covered entities (CEs) (health care providers, health plans & “clearinghouses”) must:  protect privacy and security of protected health information (PHI)  provide access to PHI to individuals  include protective provisions in contracts with business associates (BAs) 2
  • 3. A Quick History Lesson 1996 HIPAA enacted 2000-02 First HIPAA final rules 2003 Effective date of first HIPPA rules 2009 HITECH (part of ARRA) 2009-12 Proposed HITECH rules Jan. 2013 “Omnibus final rule” eff. 3/2013 9/23/2013 Final compliance date 3
  • 4. Enforcement and Penalties  Increased monetary penalties  “Tiers” with mandatory minimum/maximum penalties based on culpability  Mandatory OCR investigation if preliminary investigation indicates possible violation  Mandatory penalty if willful neglect  Increased audit activity 4
  • 5. Recent Settlements and Penalties  Affinity Health Plan - $1.2 million settlement  Prime Healthcare - $275,000  Mass. Eye and Ear - $1.5 million  Mass. Pathology Group - $140,000  Hospice of Northern Idaho - $50,000 and  Phoenix Cardiac Surgery - $100,000 5
  • 6. Breach Notifications  General rule: CE must notify affected individuals and HHS of a breach of unsecured PHI  Original rule: Notice not required if no risk of harm to the individual  Omnibus rule: Breach is assumed if risk of compromise of PHI  Must perform risk analysis 6
  • 7. Business Associates  Provides services that involve use or disclosure of PHI  Billing, utilization review, claims processing, etc.  Provider must have all BAs under contract  HITECH changes  Makes BAs directly subject to HIPAA  Downstream contractors are BAs (of the 1st BA)  Change to BA definition (HIEs, HIOs) 7
  • 8. Business Associates (continued)  BA changes increase provider’s duties  BA must notify HHS of breach, etc.  Provider must ensure that 1st BA is complying  “Chain of trust” includes downstream vendors  Provider due diligence  BA Privacy & Security Questionnaires  Examine all vendor relationships to see to BA relationship exists 8
  • 9. Marketing  Pre-2013 — Promotions could be sent to patients as long as considered “treatment”  Omnibus rule — Need patient authorization for paid promotional communications  Exceptions  Refill reminders (if remuneration is reasonable)  Face to face communications  NPP must state that patient authorization is required for disclosures of PHI for marketing 9
  • 10. Fundraising  Patient right to opt out  “800” number not required (but encouraged)  Broader range of info can be used  Outcome info, specific physician or dept.  Can’t condition treatment on authorization  NPP must inform patients that they may be contacted for fundraising purposes and right to opt out 10
  • 11. Notice of Privacy Practices (NPP)  Every provider and CE must have an NPP and make it available to patients  New requirements under HITECH and omnibus rule  Marketing communications and “sale” uses and need for authorization  Fundraising and opt-out rights  Right to restrict re “self-pay” services  Right to be notified of a breach 11
  • 12. 12 Other Changes in Omnibus Rule  Patient right to restrict disclosure of “self-pay” services  May need “flags” or holds in billing system  Patients can request other restrictions but not mandatory as this  Patient access to PHI in electronic form  E.g. MS Word/Excel document or .pdf  Note 30 day (+ one 30 day extension) deadline
  • 13. Other Changes in Omnibus Rule (continued)  Written authorization to disclose proof of immunization to a school no longer required  Oral authorization permitted, but must be documented  Family member access to deceased patient’s PHI  If involved in care or treatment  Unless patient restricted before death  Confirms that copier, fax, etc. info can be PHI that must be appropriately secured, including when traded in, sold or disposed of. 13
  • 14. What Providers Should Do  Assessment of HIPAA compliance policies and procedures  Mobile devices, cloud computing  Disposal of equipment  Evaluation of BAs and Subcontractors  Assess BA relationships  Modify BA agreements 14
  • 15. What Providers Should Do (continued)  Update and post NPP  Mobile devices, cloud computing  Disposal of equipment  Evaluation of potential “marketing” or “sale of PHI” arrangements  Be aware of New York rules 15
  • 16. Final HIPAA Compliance Date For Providers Is Fast Approaching Robert W. Patterson Lauren A. Fish Jaeckle Fleischmann & Mugel, LLP Avant Building – Suite 900 200 Delaware Avenue Buffalo, NY 14202-2107 Tel: 716.856.0600September 7, 2013

Editor's Notes