1. The New HIPAA Era: What's New, What's Different and What's Actually Important
Presented by: Kirk J. Nahra, Wiley Rein LLP, Washington, D.C.
202.719.7335 | KNahra@wileyrein.com | @kirkjnahrawork
March 13, 2013

2. This Presentation
• Key elements of the new HITECH rules
• Take a deep breath – they are important, and will involve change, but are not earth shattering.
• We have known for four years most of what this regulation was going to say
• Will try to focus on what's most important for most of you.

3. The Omnibus Regulation
• Published in the Federal Register on January 25, 2013
• Effective on March 26, 2013
• Requires compliance by September 23, 2013
• One question during this period – what will you do for situations where the rules are changing?

4. Background
• The interim final regulation clarified that the statute incorporated a "risk of harm" threshold – notice is required where there is a "significant risk of financial, reputational or other harm."
• Covered entities have been reporting breaches under this standard for two plus years

5. The Big News
• Two significant changes
• Modified the "presumption" for breach reporting so that it is clear that notification is required to the affected individuals unless the covered entity "demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment."

6. The Risk Assessment
• HHS has removed the "risk of harm" element
• Instead of the risk of harm standard, there is a "risk assessment" to determine if there is a low probability of a "compromise" of the PHI.
• If the risk assessment reveals a low probability of compromise, notification is not required.
• Covered entity can provide notice without a risk assessment.

7. The Risk Assessment
• The nature and extent of the protected health information involved, including types of identifiers and likelihood of re-identification;
• The unauthorized person who used the protected health information or to whom the disclosure was made;
• Whether the protected health information was actually acquired or viewed; and
• The extent to which the risk to the protected health information has been mitigated.

8. Other Elements
• Most of the rest of the rule remains largely the same
• General exceptions to "breach" do not change
• Reporting to HHS stays the same (except for timing on reporting of some smaller breaches)
• Notice to media does not change
• Details of notification do not change

9. Next Steps
• Current rule is in effect until September 23, 2013
• Follow the current "interim final" standard until then
• Each time you have a potential breach, evaluate using both standards. Spend some time figuring out if any results are different

10. Business Associate Issues
• The biggest overall development for this regulation is the impact on business associates
• Business associates have always had contractual obligations
• Now they are subject to legal obligations and enforcement risk

11. Business Associate Issues
• Business associates will now have a legal obligation to follow the privacy provisions of a standard business associate agreement (and the new HITECH provisions)
• This is not everything in the privacy rule (e.g., providing a privacy notice)
• This should not impact behavior because the "legal" obligations are the same as the current contracts

12. Business Associate Issues
• Business associates now must follow the entire HIPAA Security Rule
• This is a big deal.
• The current contracts require "reasonable and appropriate" security standards
• Complying with the Security Rule is much more involved and detailed

13. Business Associate Issues
• Business associates need to get moving now on security compliance
• These rules also apply to downstream contractors – on down the line indefinitely
• This is a big expansion – and to some companies who may not even be aware of their BA obligations

14. Business Associate Issues (For CEs)
• Evaluate what you want to do with your business associate contracts – substance and process
• Plan on the timing – you have time, but how long do you want "old" contracts in place?

15. Business Associate Issues (For CEs)
• HHS has created categories of business associates – those who are "agents" and those who are not
• Applies primarily in notice and enforcement contexts
• Explicitly a "fact specific" assessment
• Consider how you are going to handle this – real questions as to whether to address at all.

16. Enforcement
• Lots of new provisions for the HIPAA Enforcement Rule
• These do not create compliance obligations, but define a process for a formal enforcement proceeding
• Bottom line – HHS has LOTS of discretion, on how it does enforcement and issues penalties and other resolutions

17. Enforcement
• Discussion of "agents" in context of enforcement
• Clearly states that HHS can take action against CEs for actions of "agents"
• Unclear what they can/will do for others
• This is very much a "formality" issue – investigations still will be mostly negotiations

18. Enforcement
• Remember what HHS is doing on enforcement these days
• They are starting investigations in lots of situations – based on notices, complaints, media reports, etc.
• They are asking lots of questions, and then broadening out from the starting point

19. Enforcement
• Be very careful in the early stages of investigations
• Documentation of policies and procedures is critical
• It is always better to have fixed the problem already (if there is one)
• Take them seriously at all times

20. Marketing Provision
• Current HIPAA rules impose significant restrictions on how PHI can be used and disclosed for marketing purposes
• HITECH statute mandated that marketing be further restricted in situations where there is "payment" to make the communication
• Omnibus regulation now implements this provision

21. Marketing Provision
• What does this do?
• Does not change the situations where "marketing" has been permitted so far.
• If it is permitted under the rules today, BUT the covered entity receives "remuneration," a member authorization will be required.

22. Marketing Provision
• What kinds of communications may be affected?
• Presumably when a covered entity is "marketing" someone else's products or services
• Be careful if you are getting paid in any way – think about why you are doing this

23. Sale Issue
• Similar point as with marketing – PHI cannot be sold without a patient authorization
• Many exceptions
• Covered entities and business associates need to evaluate any situation where PHI is sold

24. Sale Issue
• So what's really changed?
• There still has to be a permitted basis for disclosure (even before sale issue)
• Since treatment and payment are still "exceptions," then is this really (only?) eliminating "sales" for "health care operations" purposes? How much of that is there?

25. Authorizations
• The Rule makes certain changes about the substance of authorizations
• In addition to the "sale" and "marketing" issues
• Simplify authorizations in the research context – both allowing compound authorizations and for future research

26. Privacy Notices
• Covered entities will need to issue new privacy notices
• HHS recognizes the cost elements of this, and has taken some steps to moderate financial impact
• Have not simplified notices in any way
• Their cost estimate is 1/3 of an hour at a cost in legal fees of $28 – good luck with that

27. Miscellaneous
• No more HIPAA protection for records of people dead for more than 50 years
• GINA provisions impact how genetic information can be used by health plans for underwriting purposes
• Mainly reinforces existing principles

28. Miscellaneous
• Confusing provision about requiring providers to restrict disclosure to health plans where patient requests and pays for services out of pocket
• Imposes no compliance obligations on health plans
• Consider where (if at all) this will be relevant

29. What's Not Here?
• Few new changes to HIPAA beyond HITECH
• No final accounting rule changes – separate timeframe. Highly controversial, most comments were exceedingly critical
• Additional guidance on minimum necessary coming
• Parallel developments on de-identification issues

30. Next Steps
• The omnibus regulation affects only a small portion of the HIPAA provisions
• No material changes to the substance of the Security Rule (just the application to BAs)
• And we have known almost all of this since HITECH law – this just starts the real clock running
