Brian Balow HIPAA Final Rule
1. No More Excuses: HHS Releases Tough Final HIPAA Privacy and Security Rules
Brian R. Balow
Dickinson Wright PLLC
June 6, 2013
2. Overview
Released January 17, 2013
Effective March 26, 2013
Covered entities and business associates have 180 days beyond the effective date to come into compliance with most of the Final Rule’s provisions (September 23, 2013)
3. Rules to be Discussed
Privacy Rule
Security Rule
Breach Notification Rule
Enforcement Rule
4. Some General Matters
Patient Safety Organizations are now business associates
HIOs, E-Prescribing Gateways, and others that facilitate ePHI transmission can be business associates (if they have “access to PHI on a routine basis” and are not merely a conduit)
PHR vendors can be business associates if the PHR is offered on behalf of a covered entity
5. Some General Matters
Subcontractors to a business associate can themselves be business associates “to the extent that they require access to PHI.” Thus, a covered entity must obtain the satisfactory assurances of compliance required by the Rules from its business associates, and business associates must obtain the same from their subcontractors
PHI “stored, whether intentionally or not, in photocopier, facsimile, and other devices is subject to the Privacy and Security Rules”
Copyright 2013 Michigan Health Information Network 5
6. Privacy Rule
Uses and disclosures of patient information:
• Genetic information (health plans as defined in
HIPAA)
• Sale of PHI
• To health plan if services paid by patient
• Marketing activities
• Fundraising activities
• Deceased persons
• Immunization records to schools
7. Privacy Rule
Confirms a business associate’s direct liability for specific provisions of the Privacy Rule
Business associates are not directly liable for other Privacy Rule provisions (e.g., providing a notice of privacy practices (NPP)) unless the obligation is delegated to the BA under a BAA
A BA may use PHI for the “proper management and administration of the BA and to provide data aggregation services to a covered entity”
8. Privacy Rule
A BA must enter into a BAA-style agreement with a subcontractor prior to disclosing PHI to it
Covered entities need no longer report to the Secretary an uncured breach by a BA of its obligations under a BAA
A BA must attempt to cure a subcontractor’s breach of “satisfactory assurance” type obligations (parallel to a CE’s obligations vis-à-vis a BA)
9. Privacy Rule
Required changes to BAAs:
• BA must comply, where applicable, with the Security Rule with respect to ePHI
• BA must report breaches of unsecured PHI to the CE
• BA must flow down satisfactory assurance provisions to subcontractors
• If a Privacy Rule requirement is delegated to the BA, the BA is liable to the CE if the BA breaches the pertinent Privacy Rule requirement (this does not create direct BA liability, however)
10. Privacy Rule
BAA Amendments
IF
• Existing BAA was in place prior to January 25, 2013, and was compliant with the Privacy Rule as then in effect, and
• Existing BAA is not renewed or modified between March 26 and September 23, 2013,
THEN that BAA is deemed compliant until the earlier of
• Date on which the BAA is renewed or modified after September 23, 2013, or
• September 22, 2014
11. Security Rule
The Security Rule’s administrative, physical, and technical safeguard requirements, as well as its policies-and-procedures and documentation requirements, apply to business associates in the same manner as they apply to covered entities, and BAs are civilly and criminally liable for violations
It is the BA’s, and not the CE’s, obligation to obtain satisfactory assurances from a subcontractor regarding protection of ePHI
BAA provisions that were formerly required separately under both the Privacy Rule and the Security Rule (and were therefore duplicative) need only be included once
12. Breach Notification Rule
Unsecured PHI
• Secured PHI = compliance with valid encryption processes for data at rest consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, and with valid encryption processes for data in motion consistent with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; or others which are Federal Information Processing Standards (FIPS) 140-2 validated
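The safe harbor above turns on one engineering fact: a lost device that holds only ciphertext (and no key) holds no unsecured PHI. The following is an added example, not code from the presentation or its author, showing what that looks like for data at rest using Go’s standard-library AES-256-GCM (an approved authenticated-encryption mode under NIST SP 800-38D). The key, the record identifier and the record contents are constructed for the example; in a real system the key comes from a KMS or HSM inside a FIPS 140-2 validated module and is never written to the same disk as the ciphertext, since the HHS encryption guidance the Rule points to treats data stored alongside its decryption key as not secured.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. Generating it locally is an
// assumption so the example runs offline; a deployment would fetch it from a
// KMS/HSM and keep it off the device that stores the sealed records.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one PHI record with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag. aad is authenticated but not encrypted: binding
// the record identifier (or storage path) to the ciphertext means a sealed
// record cannot be silently swapped into another patient's slot.
func SealRecord(key, aad, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A GCM nonce must never repeat under the same key. A random 96-bit nonce
	// is fine at per-record volumes; high-volume stores should rotate keys
	// long before 2^32 seals under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord. Any change to the key, the aad, the nonce,
// the ciphertext or the tag fails the GCM tag check and yields an error
// instead of plaintext, so tampering is detected rather than decrypted.
func OpenRecord(key, aad, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and identifier; not real PHI.
	aad := []byte("record-id:8e1f")
	plaintext := []byte(`{"mrn":"000123","dx":"J45.20","note":"constructed sample"}`)

	sealed, err := SealRecord(key, aad, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed blob (%d bytes) is all a lost laptop would hold\n", len(sealed))

	got, err := OpenRecord(key, aad, sealed)
	fmt.Println("right key, intact blob, right record:", err == nil && bytes.Equal(got, plaintext))

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = OpenRecord(key, aad, tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	_, err = OpenRecord(key, []byte("record-id:ffff"), sealed)
	fmt.Println("blob moved to another record rejected:", err != nil)
}
```

Two design points worth carrying into a real store: the blob never contains the key (so the breach risk assessment on a stolen disk reduces to whether the key was also exposed), and the AAD binding plus the GCM tag mean integrity failures surface as errors, not as silently corrupted patient data. Data in motion is the separate half of the safe harbor and is handled by the TLS/IPsec configuration the NIST publications above describe, not by this routine.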
13. Breach Notification Rule, Cont’d
“Breach”
1. Impermissible use or disclosure of PHI is presumed to be a
breach unless CE or BA can demonstrate “low probability” that
PHI was “compromised” (move away from “risk of harm”
standard)
2. CE or BA must conduct a risk assessment to determine if PHI
was compromised
14. Breach Notification Rule, Cont’d
Risk Assessment:
1. Nature and extent of PHI involved (including identifiers/likelihood
of re-identification)
2. Consider the recipient (e.g., already under HIPAA obligation?)
3. Was PHI actually acquired or viewed
4. Extent to which risk has been mitigated
15. Breach Notification Rule, Cont’d
Notification to Individuals
“Discovery”: A breach is treated as discovered as of the first day on which it is known to the CE, or by exercising reasonable diligence would have been known to the CE. Knowledge of any workforce member or agent of the CE (other than the person committing the breach) is imputed to the CE
Timeliness: w/o unreasonable delay, not more than 60 days
post-discovery (law enforcement delay exception remains)
Content:
• What happened, when, and when discovered
• Description of compromised PHI
• Steps individuals should take to mitigate effects
• Steps CE is taking, plus contact information
16. Breach Notification Rule, Cont’d
Notification to Media:
Unsecured PHI
500+ affected individuals of any one State
Within 60 days of discovery, max
“Prominent media outlet” (depends on the market)
Press release on a CE website does not meet this
requirement
17. Breach Notification Rule, Cont’d
Notification to Secretary:
500+ affected individuals (anywhere): “immediate” (meaning at the time individual notices are sent)
Fewer than 500: maintain a log and report to HHS on its website annually, within 60 days of the end of the calendar year
Notification by a Business Associate:
BA’s knowledge of a breach is imputed to the CE if the BA is an agent of the CE (meaning the CE’s clock starts ticking when the BA “discovers” the breach)
Otherwise, the CE’s clock begins upon notice from the BA
19. Enforcement Rule, Cont’d
“Reasonable cause” (second tier) is defined as “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”
Covered entities and business associates are now liable as principals for the acts of business associates (for CEs) or subcontractors (for BAs) acting as agents under Federal common law principles
20. Enforcement Rule, Cont’d
Bases for Penalty Determinations:
1. Nature and extent of violation
2. Nature and extent of harm
3. History of prior compliance
4. Financial condition of the CE or BA
5. Other matters “as justice requires”
21. To-Do List: All
1. Print pp. 491 – 562 of the Final Rule and put them in a binder
2. Read them in conjunction with the existing HIPAA regulations (which should likewise be in a binder)
22. To Do List: Covered Entities
1. Update privacy policies (uses and disclosures of PHI)
2. Update compliance plan consistent with Breach Notification Rule changes
3. Examine BA relationships in light of agency liability issues
4. BAA review and revision (including amendments to existing BAAs)
5. Update notice of privacy practices and patient authorization form
6. (Seriously) consider encryption of ePHI if not already done
7. Conduct training
8. Use OCR resources
23. To Do List: Business Associates
1. Determine whether you are a “business associate” (and if not, be prepared to defend that position)
2. Evaluate your current operations for compliance with the applicable Privacy Rule, Security Rule, and Breach Notification provisions
3. Ensure you have appropriate subcontracts in place and with the proper content
4. Conduct training
5. Use OCR resources
24. Disclaimer
This presentation is informational only. It does not constitute legal or professional advice.
You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation.