Lyn E. Beggs, Esq., Nutile Pitz & Associates: HIPAA Final Omnibus - PowerPoint PPT Presentation



SLIDE 1

Lyn E. Beggs, Esq. Nutile Pitz & Associates

SLIDE 2

• HIPAA Final Omnibus Rule
• Patient Protection and Affordable Care Act (ACA)
• Trends in medicine: concierge practices/direct primary care; medical directorships, etc.

SLIDE 3

Are you in compliance?

• Significant changes to Privacy and Security Rules
• Business Associates and BAAs
• Notice of Privacy Practices
• Breach Notification Requirements

SLIDE 4

Who must comply?

• Covered Entities
• Expands Compliance Requirements to Business Associates and their Subcontractors

SLIDE 5

• Definition expanded (45 C.F.R. 160.103):

“Business associate means, with respect to a covered entity, a person who…on behalf of a covered entity…creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing, or administration, utilization review, quality assurance, patient safety activities…billing, benefit management, practice management, and repricing”.

SLIDE 6

Additionally: “Business associate includes: A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”

SLIDE 7

• Must have a Business Associate Agreement (BAA) with all business associates
• BAAs must be revised or drafted to contain all required provisions
• Deadline for compliance was September 23, 2013
• If existing BAA was in place with a business associate prior to January 25, 2013 and was otherwise compliant, revise by expiration or September 23, 2014, whichever is earliest

SLIDE 8

• Significant changes and additions made to Notice of Privacy Practices (NPP)
  • Uses and disclosures of PHI
  • Patient restrictions of uses and disclosures

NPPs

• Deadline for compliance was September 23, 2013
• Provide revised notice to patients no later than first date of service delivery after compliance date, post conspicuously and have copies available in person or on website

SLIDE 9

• What is a breach?

Generally: “The acquisition, access, use or disclosure of protected health information in a manner not permitted…which compromised the security or privacy of the protected health information.” 45 C.F.R. 164.402

Prior to Omnibus: a significant risk of financial, reputational or other harm was needed for an incident to be a breach.

SLIDE 10

• Now: an acquisition, access, use or disclosure of PHI in a manner not permitted is presumed to be a breach unless the CE or BA “demonstrates that there is a low probability that the (PHI) has been compromised based on a risk assessment”.

SLIDE 11

• Risk Assessment Consists of Four Factors:
  • Nature and extent of PHI involved; type of identifiers; likelihood of re-identification
  • The unauthorized person who used the PHI or to whom it was disclosed
  • Whether the PHI was actually acquired or viewed
  • Extent to which the risk to the PHI has been mitigated

SLIDE 12

Notifications of Breaches of Unsecured PHI

• Individual
  • Must be made in writing by first-class mail; some exceptions
  • Within 60 days of “discovery” of breach
  • Breach is “discovered” by the CE on the first day it is known to the CE. A CE is “deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person…who is a workforce member or agent of the covered entity.”
SLIDE 13

• Media
  • Only if breach involves 500 or more residents of a state or jurisdiction
  • Within 60 days of discovery of breach
• Secretary of HHS
  • If breach involves 500 or more individuals, must be made contemporaneously with individual notice
  • If less than 500 involved: keep log, report within 60 days of year end
• BAs must report to CE a breach within 60 days of discovery: CE does not get an additional 60 days after notification by BA – consideration for BAA

SLIDE 14

• Civil Monetary Penalties – may be imposed on CEs and now BAs
• Tiered penalties
  • Did not know and would not have known: $100 to $50,000 per violation; $1,500,000 yearly max
  • Reasonable neglect but not willful: $1,000 to $50,000 per violation; $1,500,000 yearly max
  • Willful neglect, corrected within 30 days: $10,000 to $50,000 per violation; $1,500,000 yearly max
  • Willful neglect, not corrected within 30 days: $50,000 per violation; $1,500,000 yearly max

SLIDE 15

• Immediately update BAAs and NPPs to bring them into compliance
• Identify who your BAs are and ensure BAAs are in place
• Update policies and procedures to ensure they encompass changes under Omnibus Rule

SLIDE 16

• Look beyond the headlines
• Increased focus on fraud and abuse prevention and enforcement
  • Compliance plans
  • False claims
  • Self disclosures
SLIDE 17

• Compliance plans have been encouraged but have been voluntary
• Section 6401 of ACA makes them mandatory
• HHS has not yet established core elements or date for implementation
• Guidance is available through OIG and Federal Sentencing Guidelines
• Providers encouraged to start development of compliance plans

SLIDE 18

• Claims filed for services or products in violation of Anti-Kickback Statute are now false/fraudulent claims – Section 6402(f)
• Need not have actual knowledge or intent!

SLIDE 19

• Medicaid, Medicare overpayments must be reported and returned within 60 days of identification of the overpayment – Section 6402(d)
• Failure to timely report and return overpayments is treated as a false claim
• Self-Referral Disclosure Protocol (“SRDP”) – allows self-reporting of actual or potential Stark violations – Section 6409

SLIDE 20

• In-Office Ancillary Services Exception – Stark (Section 6003)
  • Now requires written notice to patients of at least 5 other suppliers within 25 mile radius
• Suspension of Payments Pending Investigation
  • Medicare/Medicaid payments may be suspended during investigation of credible fraud allegations

SLIDE 21

• Be aware of increased focus on fraud and abuse prevention and enforcement measures
• Begin process to develop and implement compliance plan
  • Will be mandatory
  • Can greatly assist in avoiding violation of newly enacted fraud and abuse provisions

SLIDE 22

• Do you know the requirements for the following?
  • Concierge Practices/Direct Primary Care
  • Medical Directorships
  • Pain management
  • Telemedicine
SLIDE 23

• Take immediate action to comply with HIPAA Omnibus
• Begin development and implementation of compliance plan to avoid fraud and abuse risks
• Consult the proper advisors to assist with these actions
• Before embarking on any “new” endeavor, consult with a legal advisor who understands healthcare

SLIDE 24

Questions?

SLIDE 25

Lyn Beggs, Esq.
Nutile Pitz & Associates
lyn@nutilepitz.com
Reno Office: 675 Sierra Rose Dr., Ste. 101, 775-284-1020
Henderson Office: 1070 W. Horizon Ridge Parkway, Ste. 210, 702-307-4880