The HIPAA Omnibus Rule

Similar documents
HIPAA Tips and Advice for Your. Medical Practice

HIPAA-HITECH: Privacy & Security Updates for 2015

Breach Notification Remember State Law

Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule

HIPAA Privacy, Security and Breach Notification

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

HIPAA Cloud Computing Guidance

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Security and Privacy Breach Notification

HIPAA FOR BROKERS. revised 10/17

QUALITY HIPAA December 23, 2013

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Putting It All Together:

University of Wisconsin-Madison Policy and Procedure

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance


The Relationship Between HIPAA Compliance and Business Associates

HIPAA Security and Privacy Policies & Procedures

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Integrating HIPAA into Your Managed Care Compliance Program

A Panel Discussion. Nancy Davis

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Hospital Council of Western Pennsylvania. June 21, 2012

Privacy & Information Security Protocol: Breach Notification & Mitigation

HIPAA & Privacy Compliance Update

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

HIPAA For Assisted Living WALA iii

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

American Academy of Audiology Responses to Questions from HIPAA Webinar

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

Data Use and Reciprocal Support Agreement (DURSA) Overview

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Cybersecurity in Higher Ed

Federal Breach Notification Decision Tree and Tools

MNsure Privacy Program Strategic Plan FY

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

Standard text messaging (mobile devices) Secure text messaging (mobile devices) Paging Instant messaging (Google Hangouts, Skype, etc.

HIPAA Privacy and Security Training Program

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

All Aboard the HIPAA Omnibus An Auditor s Perspective

HIPAA Security & Privacy

CANADA S ANTI-SPAM LEGISLATION (CASL): WHAT YOUR CHARITY NEEDS TO DO BEFORE JULY 1ST

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

HIPAA Omnibus Notice of Privacy Practices

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

for the Dental Industry

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Cyber Risks in the Boardroom Conference

Understanding the Impact of Data Privacy January 2012

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Top Five Privacy and Data Security Issues for Nonprofit Organizations

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Red Flags/Identity Theft Prevention Policy: Purpose

Data Processing Agreement

ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Texting and ing Patients, Providers and Others: HIPAA, CMS, and Suggestions

Subject: University Information Technology Resource Security Policy: OUTDATED

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Data Compromise Notice Procedure Summary and Guide

HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

Upcoming PIPEDA Changes What is changing and what to do about it

HIPAA and Research Contracts JILL RAINES, ASSISTANT GENERAL COUNSEL AND UNIVERSITY PRIVACY OFFICIAL

HIPAA and HIPAA Compliance with PHI/PII in Research

Organization information. When you create an organization on icentrex, we collect your address (as the Organization Owner), your

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

View the Replay on YouTube

PPR TOKENS SALE PRIVACY POLICY. Last updated:

Data Processing Agreement for Oracle Cloud Services

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

HIPAA Comes of Age: 21 Years of Privacy and Security

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

HIPAA 101: What All Doctors NEED To Know

What is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS

Privacy Breach Policy

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Privacy Notice. Introduction. What is personal data? Date Updated: 2/11/2019

I. INFORMATION WE COLLECT

Transcription:

The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer

3 Biographies Rebecca C. Fayed is associate general counsel and privacy officer for The Advisory Board Company in Washington, DC. In this role, Rebecca advises on, and is responsible for all health regulatory and data privacy matters. Prior to joining the Advisory Board, Rebecca spent more than ten years as an attorney in private practice representing hospitals, health systems, health plans, health information technology companies, and other entities within the health care industry in connection with health regulatory and data privacy issues. Rebecca has extensive experience developing and implementing health information privacy and security compliance programs, and representing covered entities and business associates in connection with investigations related to privacy and security compliance and complying with federal and state breach notification obligations. Eric Banks has been the Information Security Officer for The Advisory Board Company since July of 2010 and has over 17 years of combined experience in information security and IT leadership. His experience includes team development and project management within the health care, higher education, and human resources sectors, and he has been able to lead organizational change while continuing to manage complex technical projects. Eric is tied in to the information security community and is doggedly focused on proving that information security professionals, and the industry as a whole, can stretch beyond typical industry roles to help lead growth and add tremendous value throughout a company.

4 Learning Objectives After attending this webinar, participants in this webinar will be able to: 1 Recognize how the HIPAA Omnibus Rule most significantly changed preexisting HIPAA privacy and security obligations. 2 Assess their privacy and security compliance programs against these new obligations. 3 4 Utilize industry best practices to supplement existing compliance programs. Prepare for and respond to a potential breach, security incident, investigation, or audit.

5 The Omnibus Rule Compliance Date: September 23, 2013 What does the Omnibus Rule Do? Implements HITECH Act and certain GINA requirements Modifies HIPAA Privacy, Security, Breach Notification, and Enforcement Rules Increases obligations, liability, and oversight/enforcement Creates a whole new HIPAA world

6 Overview of the Most Significant Changes Breach Notification Obligations No more risk of harm?! But did anything REALLY change? Business Associates Who are they, what must they do, and what happens if they don t? Use and Disclosure of PHI Some expansion and some limitations Individual Rights Additional rights provided, but some questions left unanswered Increased Oversight and Enforcement The game changer

Breach Notification 7

Breach Notification 8 Risk of Harm Was Always at Risk of Being Eliminated Basic Rule Remains Breach Interim Final Rule (the old way): Omnibus Rule Upon the discovery of a Breach of unsecured PHI, CEs and BAs must make certain notifications. Unauthorized acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by the Privacy Rule, that compromises the security or privacy of PHI (subject to certain exceptions). Privacy or security of PHI was compromised if there was a significant risk of financial, reputational, or other harm to the individual affected. Not surprisingly, risk of harm eliminated from Breach analysis.

Breach Notification 9 Risk Assessment is the New Standard New Standard Presumption Impermissible acquisition, access, use, or disclosure presumed to be a Breach unless there is a low probability that the PHI has been compromised. 4 Factor Documented Risk Assessment 1. Nature and Extent of PHI involved 2. Unauthorized person who used the PHI or to whom PHI was disclosed 3. Whether PHI was actually acquired or viewed 4. Extent to which the risk to the PHI has been mitigated

Breach Notification 10 Notification Obligations Remain the Same Covered Entities 1. Notify the individuals affected without unreasonable delay, but within 60 days of discovery 2. If greater than 500 individuals affected in total, notify HHS of the breach at the same time individuals are notified 3. If less than 500 individuals affected in total, notify HHS of the breach within 60 days of the end of the calendar year in which the breach was discovered 4. If more than 500 individuals affected in any given state, notify prominent media outlets Business Associates 1. Must notify the covered entity without unreasonable delay, but within 60 days of discovery. 2. Highly negotiated term of a BAA how quickly must the BA notify the CE?

Business Associates 11

Business Associates 12 Same Actors, But Omnibus Rule Expanded the Definition Confirmed What Many Already Believed to Be the Case Old definition Generally, a third party that provides certain services to a covered entity that involved the use or disclosure of PHI. New Omnibus Rule Definition 1 2 3 4 Third party that provides certain services to a covered entity during which that third party creates, receives, maintains, or transmits PHI. Specifically includes: HIOs E-prescribing gateways Other providers of transmission services with routine access to PHI PHR vendors engaged by CEs A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate Creates a chain of BAAs all tied to the covered entity (but covered entities do NOT need BAAs with subcontractors) What about cloud computing providers? What about third parties that only have access to encrypted data?

Business Associates 13 Additional Obligations 1 2 Breach Notification Compliance with the HIPAA Security Rule 3 4 Compliance with use and disclosure provisions of the Privacy Rule, NOT the entire Privacy Rule Best practices even if not legal obligations

Business Associates 14 Security Rule Changes Changes are more conforming and procedural than Privacy and Breach Notification Rules Conduit exception: check on Google Apps, DropBox, Skype Relationship between CE s, BAs, and the BA s BAs HHS expects that BAs were already meeting their obligations under HITECH and HIPAA Couldn t be further from the truth!

Business Associates 15 BA Responsibilities Regarding the Security Rule Risk Management- Conducting risk analyses Policies and procedures Training Encryption analysis (is data in my database considered at rest?) Know your subcontractors!

Business Associates 16 Subcontractors and the Security Rule A Progressive/ Deep in Health B Large Industry Agnostic C Smaller Industry Agnostic Many smaller vendors that are now BA s are not ready Risk scoring with appropriate approvals for vendor analysis Don t be afraid to say no Be prepared to help them!

Business Associates 17 Increased Liability Pre-Omnibus Rule: Omnibus Rule: Breach of Contract Directly liable under HIPAA for violations of the Security Rule Directly liable under HIPAA for impermissible use and disclosure of PHI under the Privacy Rule and/or under the BAA This was the game changer for business associates

Use and Disclosure of PHI 18

19 Use and Disclosure of PHI Marketing Remuneration From a 3rd Party Refill Reminders Is anyone really surprised that marketing uses and disclosures were further restricted? Sale of PHI Subject to certain exceptions, covered entities may not receive remuneration in exchange for PHI. Is anyone really surprised by this clarification? Fundraising New categories of PHI may be used or disclosed Right to opt-out strengthened

Individual Rights 20

21 Individuals Have Additional Rights Access to PHI Electronic Copy of PHI Restrictions on Use and Disclosure of PHI Restrictions when item or service paid for out of pocket in full Accounting of Disclosures Many unanswered questions. Will access reports ever be required?

Increased Oversight and Enforcement 22

23 Increased Oversight and Enforcement Remember January 2009, i.e., Pre-HITECH? Little enforcement, little oversight, complaint-driven process? It s Gone. For Good. Post-HITECH Monetary Penalties are Higher Post- Breach Investigations Investigations of all cases of willful neglect Audits State AG Enforcement Complaint-driven process still alive and well too

24 Think When, Not If Compliance is Not Foolproof 1 Be prepared for a breach 2 Be prepared for a security incident 3 Be prepared for an investigation 4 Be prepared for an audit

25 What should you do now Take Steps to Create a Culture of Compliance Review, revise, and implement policies and procedures Develop and conduct training Set up process and means for questions, incident reporting, etc. Review and revise business associate agreements Assess business associates and subcontractor compliance Identify incident response team and other responsible parties for security incidents, breaches, or other incidents and have plan in place to address these incidents. Get senior leadership and board on board with a culture of compliance

How Do I Assess My Company and Vendors For Security Rule Compliance? 26 A good Risk Assessment is key Key areas are Governance, Physical Security, Access Control, Data Storage and Transmission, Incident Response, Vulnerability Management, Network Security, Risk Management, DR/BCP, and Third-Party Oversight You can use similar assessments for yourself, vendors, and partners Score your vendors and approve/reject based on that scoring

Security Action Items that Relate to Your Subcontractors 27 Create or enforce your vendor risk assessment process Ask vendors for their Risk Assessment or external assessment results Don t overlook vendor/partner applications are they secure? If a subcontractor handles your PHI and doesn t know about the Omnibus Rule, be afraid

What May the Government Ask For if You Have a Breach or Are Investigated? 28 Clear documentation of the incident and facts surrounding the breach Copies of notification letters, media notices, business associate agreements Actions taken to locate missing data, prevent further loss of data, and protect affected individuals (e.g., credit monitoring services) Security Rule risk assessments Description of safeguards in place to protect the information, specifically requesting information related to whether data was encrypted and other documented safeguards Applicable Policies and Procedures and compliance efforts related to policies and procedure revisions, training, and sanctions imposed Your Incident Response and Employee Sanctions processes

29 Questions? Rebecca Fayed fayedr@advisory.com Eric Banks bankse@advisory.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback