HIPAA Privacy and Security 2013: The New Regulations
Arizona Health Care Cost Containment System (AHCCCS): Our first care is your health care

By Melanie A. Herring, Esq.
Major Provisions
- Breach Notification Regulations
- Business Associate (BA) Changes
- Enhanced Enforcement and Penalties
- New Privacy Requirements
- Amended Notice of Privacy Practices (NPP)
Important Deadlines
- January 25, 2013: Final Regulations (the Omnibus Rule) published in the Federal Register
- March 26, 2013: Effective Date
- September 23, 2013: Compliance Date (180 days from the Effective Date)*
- September 22, 2014: Deferred Compliance Date for certain existing BA contracts that qualify for the transition period
* For all future HIPAA amendments, the default compliance deadline is 180 days after the effective date
Breach Notification Standards . . .
When a covered entity (CE) is required to report a privacy or security breach to HHS-OCR, the affected individuals, and/or the media . . . .
. . . Breach Notification Standards
- Under the old (2009 interim) rule, breaches were not reported unless they posed "a significant risk of reputational, financial or other harm" to the individual
- Under the new rule, this "harm threshold" is eliminated and replaced with a more objective standard
- Under the new rule, the "safe harbor" provisions remain intact: PHI that was encrypted (per HHS guidance) or securely disposed of is not "unsecured PHI," so its loss is not a reportable breach
- New Rule: every impermissible use or disclosure of PHI is presumed to be a reportable breach unless a documented Risk Analysis (RA; the regulation calls it a "risk assessment") demonstrates a "low probability" that the PHI has been compromised
. . . Breach Notification Standards
The Risk Analysis must weigh at least these 4 factors:
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
2. The unauthorized person who used the PHI or to whom it was disclosed
3. Whether the PHI was actually acquired or viewed (e.g., a lost laptop whose disk is forensically shown to be unread), and
4. The extent to which the risk to the PHI has been mitigated (e.g., the recipient's written assurance that the data was destroyed)
Notification to the affected individuals and to HHS-OCR (and, for breaches affecting more than 500 residents of a state, to the media) is required unless the RA concludes there is a "low probability that the PHI has been compromised"
. . . Breach Notification Standards
- The CE's Risk Analysis must be in writing and retained by the CE; the burden of proof that an incident was not a breach rests on the CE (or BA)
- Willful Neglect: If a breach reported to HHS-OCR suggests "willful neglect" by the CE or its BA, then HHS-OCR must investigate (the investigation is mandatory, not discretionary)
Business Associate Requirements
This section of the regulation has the most changes. Highlights:
- Amended BA definition: clarifies that a BA is also an entity that "maintains" PHI on behalf of the CE, even if it never views it (e.g., record storage services, record locator services)
- Health Information Organizations (HIOs), e-prescribing gateways, and Patient Safety Organizations (PSOs) are expressly named as BAs
. . . Business Associate Requirements
- The Security Rule, the Minimum Necessary Rule, and the Accounting of Disclosures Rule now apply directly to BAs
- Our BA contracts will require amendments
- Our BAs must now have BA contracts in place with their own subcontractors that create, receive, maintain, or transmit PHI
. . . Business Associate Requirements
- BAs are now directly liable for their own breaches, and the CE remains liable as well for its BA's breaches
- Subcontractors to BAs are directly liable for their own breaches
Enhanced Penalties and Enforcement
- HHS-OCR may fine all parties responsible (i.e., it can fine both the CE and the BA for the same violation)
- The General Rule: monetary penalties are tallied per violation (per affected person) and per day the violation continues
- Maximum annual cap for violations of a single identical provision: 1.5 million dollars per calendar year
- A few affirmative defenses are allowed (for violations not due to willful neglect), but if you do not cure the violation within 30 days of the date you knew, or should have known, of it, you may lose that defense
New Privacy Requirements
- 50-year deceased exception: health information of an individual who has been deceased for more than 50 years is no longer PHI
- BAs are now directly required to comply with significant provisions of the Privacy Rule
- Genetic information (per GINA) is now expressly included within the definition of "health information"
- Amendments to the Marketing Requirements (mostly dealing with marketing communications for which the CE receives financial remuneration, which now require authorization)
. . . New Privacy Requirements
- Prohibits the sale of PHI without the individual's authorization (data use agreements)
- Enhances an individual's right to request and receive a copy of their PHI records, including in electronic form where the records are held electronically
- An individual can restrict disclosures of his/her PHI to a health plan if the PHI pertains solely to a service that the individual has paid for in full out of pocket, and the CE must honor that restriction
. . . New Privacy Requirements
- Relaxes the regulations surrounding disclosures of PHI to family members or others involved in a deceased person's care or payment for care
- Allows disclosure of immunization records to schools with the parent's (or individual's) agreement, which may be oral
Notice of Privacy Practices
Must amend the CE's Notice of Privacy Practices to reflect the new rights and restrictions above, and distribute it to all individuals by September 23, 2013
Genetic Information Nondiscrimination Act (GINA)
GINA prohibits the use of genetic information for underwriting purposes. HHS has made this prohibition applicable to all health plans subject to HIPAA (with the exception of issuers of long-term care policies), not just the limited set of plans covered by GINA itself