HIPAA Omnibus Presentation

1. 855.85HIPAA
www.compliancygroup.com
Industry leading Education
Certified Partner Program
• Please ask questions
• Today's slides are available at http://compliancy-group.com/slides023/
• Past webinars and recordings: http://compliancy-group.com/webinar/
2. HIPAA New Final Omnibus Rule:
“Key Business Associate Implications for Your Organization”
3. Your Presenter
© HIPAA Continuity Planners 2013
A.J. (Andy) Weitzberg
President of HIPAA Continuity Planners
President of the Association of Contingency Planners, Long Island Chapter
4. History
• Health Insurance Portability and Accountability Act (HIPAA) of 1996
• The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009
• Omnibus Rule of 2013
5. Omnibus Rule conforms HIPAA regulations to HITECH Act changes:
– Before HITECH, BAs were regulated through business associate contracts or agreements ("BAAs")
– After HITECH, BAs and subcontractors are now regulated directly under HIPAA; therefore they:
  Must comply with the Security Rule
  Must comply with some of the Privacy Rule and the provisions of the BAA
6. By the Numbers
2009 through 2012*
• 538 breaches of protected health information (PHI)
– 21,408,505 patient health records affected
• 21.5% increase in the number of large breaches in 2012 over 2011
– 77% decrease in the number of patient records impacted
• 67% of all breaches have been the result of theft or loss
• 57% of all patient records breached involved a business associate
• Business associates have impacted 5 times as many patient records as those at a covered entity
• 38% of incidents were the result of an unencrypted laptop or other portable electronic device
• 63.9% of total records breached in 2012 resulted from the 5 largest incidents
• 780,000 records breached in the single largest incident of 2012
*These numbers include breaches that affected >500 individuals and were reported to HHS from August 2009 to January 17, 2013.
7. Expanded definition of “Business Associates”
"Business associate”: one who, on behalf of a covered entity, creates, receives, maintains or transmits PHI*
• Status as a BA is based upon role and responsibilities, not upon who the parties to the contract are
• The contract between the covered entity's BA and that BA's subcontractor must satisfy the BA agreement requirements
Subcontractor of a business associate: one who creates, receives, maintains or transmits PHI* on behalf of a business associate
*Personal Health Information
8. Business Associate - Consequences
• Secretary (HHS) authorized to receive and investigate complaints against BAs (including subcontractors), and to take action regarding complaints and noncompliance
• BAs (incl. subs) required to maintain records and submit compliance reports to the Secretary, cooperate in complaint investigations and compliance reviews, and give the Secretary access to information
• BAs (incl. subs) forbidden to intimidate, discriminate against, etc. those who make complaints, cooperate with regulators or oppose unlawful actions
• BAs (incl. subcontractors) subject to civil money penalties for HIPAA violations
• BAs/subs remain liable under contract to the Covered Entity and BA
9. How do these updates affect your business?
As a “Business Associate” you have HIPAA/HITECH compliance requirements:
1. A Written Risk Analysis
2. A Written Continuity Plan
3. Documented Security Practices and Procedures
4. An Incident Response Plan (Breach Response)
5. A Record Disposal Procedure for Electronic Media and Paper Records
6. Employee Training Program
7. Termination Procedures
8. Documentation and Logs
10. Definition of a Breach
The final rule also changes the risk analysis requirements for determining when a breach has occurred.
Previously, a risk of harm threshold was considered in determining whether a breach had occurred.
The Office of Civil Rights (OCR) changes in the final rule create almost a presumption of a “breach,” which will seemingly make it more likely that a business will be required to notify those individuals whose personal health information has been affected, HHS and possibly the media.
11. Penalties for Your Non-Compliance
CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

Violation Category, Section 1176(a)(1)      Each Violation            All such violations of an identical provision in a calendar year
(A) Did Not Know                             $100 to max $50,000       $1,500,000
(B) Reasonable Cause                         $1,000 to max $50,000     $1,500,000
(C)(i) Willful Neglect - Corrected           $10,000 to max $50,000    $1,500,000
(C)(ii) Willful Neglect - Not Corrected      $50,000                   $1,500,000
12. HITRUST* now has several members that will require business associates to follow the framework and document compliance with it.
*The Health Information Trust Alliance, or HITRUST, in collaboration with healthcare, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. The most widely adopted security control framework in the U.S. healthcare industry, the CSF includes a prescriptive set of controls and supporting requirements that clearly define how organizations meet the objectives of the framework.
13. Are you a “Business Associate”?
Illustration of the types of firms that are now considered “Business Associates”
• IT Support and Software Vendors
• IT Equipment Vendors
• Leasing firms
• Telephone CPE Vendors
• Shredding Vendors
• Data Centers
• Cloud Computing Providers
• Answering Services for Medical Offices
• Medical Billing Services
• Medical Transcription Services
• Medical Collection Agencies
• Temporary Employment Agencies
14. Questions
A.J. (Andy) Weitzberg
President, HIPAA Continuity Planners
Email: AJ@HIPAACP.COM
1.800.654.2041 Toll Free
1.631.654.4001 Office
1.516.641.4001 Mobile
15. Free Demo and 60 Day Evaluation
www.compliancy-group.com
HIPAA Hotline: 855.85HIPAA (855.854.4722)
HIPAA Compliance
HITECH Attestation
Omnibus Rule Ready
Meaningful Use core measure 15