HIPAA Omnibus Presentation
1 like682 views
The document summarizes key implications of the HIPAA Omnibus Rule for organizations that are considered Business Associates. It defines Business Associates and subcontractors as those who create, receive, maintain or transmit protected health information on behalf of covered entities or other business associates. The Omnibus Rule directly regulates business associates and subcontractors under HIPAA, requiring compliance with security and privacy rules. It expands the definition of a breach and penalties for noncompliance, potentially making it more likely organizations will need to notify individuals of breaches. The document provides examples of types of organizations now defined as Business Associates and outlines compliance requirements.
HIPAA Omnibus Presentation
- 1. 855.85HIPAA www.compliancygroup.com Industry leading Education Certified Partner Program • Please ask questions • Todays slides are available http://compliancy-‐group.com/slides023/ • Past webinars and recordings http://compliancy-‐group.com/webinar/
- 2. HIPAA New Final Omnibus Rule: “Key Business Associate Implications for Your Organization”
- 3. Your Presenter © HIPAA Continuity Planners 2013 A.J. (Andy) Weitzberg President of HIPAA Continuity Planners President of the Association of Contingency Planners Long Island Chapter
- 4. © HIPAA Continuity Planners 2013 History • Health Insurance Portability and Accountability Act (HIPAA)of 1996 • The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 • Omnibus Rule of 2013
- 5. © HIPAA Continuity Planners 2013 Omnibus Rule conforms HIPAA regulations to HITECH Act changes: – Before HITECH, BAs regulated through business associate contracts or agreements ("BAAs") – After HITECH, BAs and subcontractors are now regulated directly under HIPAA, therefore they: Must comply with Security Rules Must comply with some of Privacy Rule and provisions of BAA
- 6. By the Numbers 2009 through 2012* • 538 breaches of protected health information (PHI) – 21,408,505 patient health records affected • 21.5% increase in # of large breaches in 2012 over 2011 – 77% decrease in # of patient records impacted • 67% of all breaches have been the result of theft or loss • 57% of all patient records breached involved a business associate • Business associates have impacted 5 X times as many patient records as those at a covered entity • 38% of incidents were as a result of an unencrypted laptop or other portable electronic device • 63.9% percent of total records breached in 2012 resulted from the 5 largest incidents • 780,000 number of records breached in the single largest incident of 2012 *These numbers include breaches that affected >500 individuals and were reported to HHS from August 2009 to January 17, 2013. © HIPAA Continuity Planners 2013
- 7. © HIPAA Continuity Planners 2013 "Business associate”: one who, on behalf of a covered entity creates, receives, maintains or transmits PHI* • Status as BA based upon role and responsibilities, not upon who are the parties to the contract • Contract between the covered entity's BA and that BA's subcontractor must satisfy the BA agreement requirements Subcontractor of business associate: one who creates, receives, maintains or transmits PHI* on behalf of a business associate *Personal Health Information Expanded definition of “Business Associates”
- 8. © HIPAA Continuity Planners 2013 Business Associate - Consequences Secretary (HHS) authorized to receive and investigate complaints against BAs (including subcontractors), and to take action regarding complaints and noncompliance BAs (incl. subs) required to maintain records and submit compliance reports to Secretary, cooperate in complaint investigations and compliance reviews, give Secretary access to information BAs (incl. subs) forbidden to intimidate, discriminate against, etc. those who make complaints, cooperate with regulators or oppose unlawful actions BAs (incl. subcontractors) subject to civil money penalties for HIPAA violations BA/Subs remain liable under contract to Covered Entity and BA
- 9. How do these updates affect your Business As a “Business Associate” you have HIPAA/ HITECH Compliance Requirements: 1. A Written Risk Analysis 2. A Written Continuity Plan 3. A Documented Security Practices and Procedures 4. An Incident Response Plan (Breach Response) 5. A Record Disposal Procedure for Electronic Media and Paper Records 6. Employee Training Program 7. Termination Procedures 8. Documentation and Logs © HIPAA Continuity Planners 2013
- 10. Definition of a Breach The final rule also changes the risk analysis requirements for determining when a breach has occurred. Previously, a risk of harm threshold was considered in determining whether a breach had occurred. The Office of Civil Rights (OCR) changes in the final rule create almost a presumption of a “breach,” which will seemingly make it more likely that a business will be required to notify those individuals whose personal health information has been affected, HHS and possibly the media. © HIPAA Continuity Planners 2013
- 11. © HIPAA Continuity Planners 2013 Penalties for Your non-Compliance CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE Violation Category Section 1176(a)(1) Each Violation All such violations of an identical provision in a calendar year (A) Did Not Know $100 to Max $50,000 $1,500,000 (B) Reasonable Cause $1,000 to Max $50,000 $1,500,000 (C)(i) Willful Neglect-Corrected $10,000 to Max $50,000 $1,500,000 (C)(ii) Willful Neglect-Not Corrected $50,000 $1,500,000
- 12. HITRUST* now has several of its members that will require business associates to follow the framework and document compliance with it. © HIPAA Continuity Planners 2013 *The Health Information Trust Alliance, or HITRUST, in collaboration with healthcare, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. The most widely adopted security control framework in the U.S. healthcare industry, the CSF includes a prescriptive set of controls and supporting requirements that clearly define how organizations meet the objectives of the framework
- 13. Are you a “Business Associate”? Illustration of the types of firms that are now considered “Business Associates” • IT Support and Software Vendors • IT Equipment Vendors • Leasing firms • Telephone CPE Vendors • Shredding Vendors • Data Centers • Cloud Computing Providers • Answering Services for Medical Offices • Medical Billing Services • Medical Transcriptions Services • Medical Collection Agencies • Temporary Employment Agencies © HIPAA Continuity Planners 2013
- 14. © HIPAA Continuity Planners 2013 Questions A.J. (Andy) Weitzberg President HIPAA Continuity Planners Email: AJ@HIPAACP.COM 1.800.654.2041 Toll Free 1.631.654.4001 Office 1.516.641.4001 Mobile
- 15. Free Demo and 60 Day Evaluation www.compliancy-‐group.com HIPAA Hotline 855.85HIPAA 855.854.4722 HIPAA Compliance HITECH Attestation Omnibus Rule Ready Meaningful Use core measure 15