Omnibus Rule Overview Presentation w presenter notes May 20 ...

Posted on 26-Sep-2020

TRANSCRIPT

Page 1: Omnibus Rule Overiew Presentaion w presenter notes May 20 ... … · software upload, unauthorized access to confidential information). •Natural: Floods, ... •The entire audit


Page 2:

Page 3:

Page 4:

•“The Omnibus Rule not only greatly enhances a patient’s privacy rights and protections, but also strengthens the ability to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

•The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.

•The changes expand many of the requirements to BAs of these entities that receive protected health information, such as contractors and subcontractors.

•Some of the largest breaches reported to HHS have involved business associates.

•“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”

Page 5:

•These modifications are both functional and technical.

•For example, conforming/cleanup changes which include, but are not limited to:

•1) Marketing Communications

•2) Business Associates

•3) Authorizations

•4) Fundraising; and

•5) Notice of Privacy Practices

And as of late the Security Rule has gotten the most attention because of Meaningful Use attestations.

Page 6:

•BAs and subcontractors of businesses should already have in place security practices that comply with the HIPAA Security Rule.

•However, keep in mind that the HIPAA Security Rule was required (to a degree) even before the Omnibus Rule.

•So the new HIPAA Security Rule requirements should have necessitated only incremental adjustments.

The rule now more clearly indicates that CEs and BAs must review and modify security measures as needed to ensure the continued provision of "reasonable and appropriate" protection of electronic protected health information.

Page 7:

The Enforcement Rule (like all HIPAA rules) continues to preempt any State law that is contrary to it; however, it does not preempt a State law that is "more stringent."

Page 8:

Page 9:

Page 10:

• CEs may not give PHI to a telemarketer, door-to-door salesperson, or other third party they have hired to make permitted communications (for example, about a CE’s own goods and services) unless that third party has agreed by contract to use the information only for communicating on behalf of the covered entity. Without the Privacy Rule, there may be no restrictions on how third parties re-use information they obtain from health plans and providers.

• Selling protected health information to third parties for their use and re-use is also restricted. For example, under the rule, a hospital or other provider may not sell names of pregnant women to baby formula manufacturers or magazines without an authorization.

• Individual rights are expanded in important ways.

• When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan.

• The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.

Page 11:

•The new rule underscores providers’ obligation to give patients access to their medical records in the electronic format they prefer. That means that, despite the sensitivity over data security, the patient can request that the data not be in an encrypted format. The CE only needs to notify the patient of the security risk if the data isn’t encrypted.

•Patients have the right to inspect and obtain a copy of health information about themselves that is maintained by a CE or its business associate in a “designated record set.”

• A designated record set is basically a group of records which a covered entity uses to make decisions about individuals, and includes a health care provider’s medical records and billing records, and a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems.

The Rule does not require covered entities to tape or digitally record oral communications, nor to retain digitally or tape recorded information after transcription. But if such records are maintained and used to make decisions about the individual, they may meet the definition of “designated record set.” For example, a health plan is not required to provide a member access to tapes of a telephone “advice line” interaction if the tape is maintained only for customer service review and not to make decisions about the member.

Page 12:

There are exceptions to the rule in relation to clinical trials.

Page 13:

Updated BAAs were to be in place no later than September 2014. My records indicate that everyone in this room has a BAA with MicroMD.

If you deal with any of the listed types of companies, you should have a current (modified) BAA in place.

Page 14:

MicroMD has BAAs because there are times when our Client Services Representatives need to access your system to assist you for support. They may be exposed to PHI.

If we were to cause a breach of PHI, we could be subject to the civil money penalties for violations, depending on the nature of the breach.

We have BAAs with our subcontractors: clearinghouses and those who provide eSERVICES.

Page 15:

Page 16:

•RISK ANALYSIS

• The process will identify potential threats to, and vulnerabilities of, systems containing electronic protected health information (e-PHI).

•Three common categories of threat:

•Human: Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).

•Natural: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms.

•Environmental: Long-term power failure, pollution, chemicals, and liquid leakage.

Continuity Plan – you should have one in place in the event something happens to your location.

Security Practices and Procedures – should be updated annually at a minimum.

Page 17:

Incident Response Plan (in relation to breaches)

Definition of a Breach

Understanding Breach notification requirements

Knowing Administration requirements and burden of proof

Instructions on how to submit breach notifications to the Secretary

Disposal Procedure for Electronic Media and Paper Records

Understanding of proper disposal / contracted with a company

Employee Training Program

Employees trained upon hire

Minimum annual training for ALL employees

•Termination Procedures

•Audit Logs

•The HIPAA Audit program analyzes processes, controls, and policies of selected CEs pursuant to the audit mandate.

•A comprehensive audit protocol contains the requirements to be assessed through these performance audits.

•The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.

•The combination of these multiple requirements may vary based on the type of CE selected for review.

Page 18:

Page 19:

Page 20:

Page 21:

Page 22:

Page 23:

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

Page 24:

•Under the “old” HIPAA/HITECH Breach rules, a breach required a significant risk of financial, reputational, or other harm to the individual.

•The updated breach rules in the HIPAA Omnibus Rules lower the barriers for a breach and increase the work that you need to do to track impermissible uses and disclosures of PHI.


Page 25:

As a reminder, the Health and Human Services (HHS) Secretary is required to review ALL complaints received in relation to the Covered Entity.

Page 26:

Page 27:

Page 28:

Page 29:

Anthem / UPMC

Page 30:

Corrected within 30 days

Not corrected within 30 days

Page 31:

• To patients – post/share Individual Privacy Practices

• Should already have the modified BAAs updated and distributed to your BAs, signed and returned for your files

• Test it to ensure you haven’t missed anything

• Complete the Security Risk Assessment to ensure there are not any gaps – if you find any, fix them!

• Have well-written, documented policies & procedures; make sure your staff is aware of them and have them sign off acknowledging the P&P have been provided/shared with them and they are aware of them

• Have an action plan in place for any breach that may occur

• Conduct regular audits to ensure what you have in place is working

• Have your BAAs available for new BAs / subcontractors as it relates to your organization

• Establish and schedule regular audit reports – print and have available in the event they are requested

• Train your staff at hire and at minimum once a year to keep the HIPAA policies/procedures fresh

Page 32:

By doing everything discussed on the previous slide, you would show (and have documented) that you are making a “good faith effort.”

Page 33:

Page 34:

Page 35:

•So, if you are not up to speed with the new modifications, you need to be swift in your actions.

•Talk to your legal team, study the breach notification guidelines and prepare a plan.

•Teach the employees about the best practices in handling PHI and HIPAA guidelines.

•Spruce up your IT security and get ready to demonstrate HIPAA compliance.

Page 36: