
Our first care is your health care - PowerPoint Presentation

marina-yarberry
Uploaded On 2018-10-23


Arizona Health Care Cost Containment System. HIPAA Privacy and Security 2013: The New Regulations. By Melanie A. Herring, Esq.



Presentation Transcript

Slide1

Our first care is your health care Arizona Health Care Cost Containment System

HIPAA Privacy and Security 2013: The New Regulations

By Melanie A. Herring, Esq.

Slide2

Major Provisions

Breach Notification Regulations

Business Associate (BA) Changes

Enhanced Enforcement and Penalties

New Privacy Requirements

Amended Notice of Privacy Practices (NPP)

Slide3

Important Deadlines

January 25, 2013: Final Regs were issued

March 22, 2013: Effective Date

September 23, 2013: Compliance Date (180 days from Effective Date)*

September 22, 2014: Deferred Compliance Date for Certain BA Contracts

* For all future HIPAA amendments, default 180 day compliance deadline

Slide4

Breach Notification Standards . . .

When a CE is required to report a privacy or security breach to HHS-OCR, the affected individuals, and/or the media . . . .

Slide5

. . . Breach Notification Standards

Under the old rule, breaches were not reported unless they posed “a significant risk of reputational, financial or other harm”

Under the new rule, “harm threshold” is eliminated and replaced with a more objective standard

Under the new rule, the “safe harbor” provisions for encrypted PHI and secure PHI disposal remain intact

Slide6

. . . Breach Notification Standards

New Rule: All incidents are assumed to be a reportable breach to HHS-OCR unless a Risk Analysis (RA) reveals a “low probability” that PHI has been compromised

Slide7

. . . Breach Notification Standards

4 factors to a Risk Analysis:

The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification

The unauthorized person who used or received the PHI

Whether the PHI was actually acquired and viewed, and

Slide8

. . . Breach Notification Standards

The extent to which any risk to the PHI has been mitigated

Notification to HHS-OCR will be required if the RA reveals any risk except “Low Probability that the PHI will be or has been compromised”

Slide9

. . . Breach Notification Standards

The CE’s Risk Analysis must be in writing and retained by the CE.

Willful Negligence: If a breach reported to HHS-OCR suggests “willful negligence” by the CE or its BA, then HHS-OCR must investigate

Slide10

Business Associate Requirements

This section of the regulation has the most changes. Highlights:

Amended BA definition:

Clarify that a BA is also an entity that “maintains” PHI on behalf of the CE (i.e.: record storage services, record locator services)

E-prescribing Gateways, HIO’s, PSO’s are a BA

Slide11

. . . Business Associate Requirements

Security Rule, Minimum Necessary Rule, Accounting of Disclosures Rule now apply directly to BA’s

Our BA contracts will require amendments

Our BA’s must now have BA contracts in place with their subcontractors

Slide12

. . . Business Associate Requirements

BA’s are now directly liable for their own breaches, and the CE of a BA remains liable as well for its BA’s breaches

Subcontractors to BA’s are directly liable for their own breaches

Slide13

Enhanced Penalties and Enforcement

HHS-OCR may fine all parties responsible (i.e.: can fine the CE and the BA for the same violation)

The General Rule: Monetary penalties will be tallied on a per person and per day basis

Maximum Annual Cap for Violations of a Provision: 1.5 million dollars

A few defenses are allowed but if you do not cure the violation within 30 days of the breach you may lose that defense

Slide14

New Privacy Requirements

50 year deceased exception

BA’s are now directly required to comply with significant provisions of the privacy rule

Genetic information (GINA) is now expressly included within the definition of “health information”

Amendments to the Marketing Requirements (mostly dealing with financial remuneration marketing)

Slide15

. . . New Privacy Requirements

Prohibits the sale of PHI without individual authorization (data use agreements)

Enhances an individual’s right to request and receive a copy of their PHI records

An individual can restrict disclosures of his/her PHI to health plans if the PHI pertains solely to a service that the individual has paid for in full

Slide16

. . . New Privacy Requirements

Relaxes the regulations surrounding disclosures of PHI to family members or others involved in the person’s care

Allows disclosure of immunization records to schools

Slide17

Notice of Privacy Practices

Must Amend the CE’s Notice of Privacy Practices and mail to all individuals by September 23, 2013

Slide18

Genetic Information Nondiscrimination Act (GINA)

GINA prohibits the use of genetic information for underwriting purposes. HHS has made this prohibition applicable to all health plans subject to HIPAA, not just the limited set of plans covered by GINA
