Date posted: 24-Jan-2015
Category: Healthcare
Uploaded by: compliancy-group
855.85HIPAA www.compliancygroup.com
Industry Leading Education
Certified Partner Program
For Today
• Please ask questions
• Today's slides: http://compliancy-group.com/slides023/
• Upcoming & past webinars: http://compliancy-group.com/webinar/
Get Involved
#cgwebinar
• September 23 - Omnibus Celebration
• October 21 - Top 5 Compliance Tools
• November 13 - Human Resources Issues for Today's Medical Practitioner
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED
Matthew Fisher, Esq. Mirick O’Connell DeMallie & Lougee, LLP
WHAT IS HIPAA?
§ Need brief introduction first
§ May begin to answer myths, but always useful to have basic background
HIPAA: OVERVIEW
§ Many implications, but most important are regulating privacy and security of protected health information (PHI)
• Privacy – addresses use and disclosure
• Security – addresses storage and transmission
§ Consider statute and implementing regulations
• 1996 - Originally enacted
• 2009 - Significantly modified by HITECH
• 2013 - Final Rule implementing HITECH published
HIPAA: WHO IS SUBJECT?
§ Covered Entities
• Health Care Providers (meeting certain conditions)
• Health Insurers
• Health Care Clearinghouses
§ Business Associates
• Any entity that assists with or performs functions for a covered entity for any activity regulated by HIPAA
• Very broad (e.g. law firms)
§ Subcontractors of Business Associates
HIPAA: WHAT DOES IT COVER?
§ “Protected Health Information” or “PHI”
§ Term of art defined by statute and regulations
§ If not PHI, then not covered by HIPAA
HIPAA: PRIVACY RULE
§ General purpose – regulates “use” and “disclosure” of PHI by “covered entities” and “business associates”
• Allows for certain, limited uses and disclosures without requiring authorization
• Others require notice to and/or authorization from the patient
§ Imposes numerous compliance requirements on entities (e.g. tracking, reporting, training)
HIPAA: SECURITY RULE
§ General purpose – creates standard security measures for the protection of PHI that is created, received, used or maintained by a covered entity
§ Includes various technical requirements and specifications
HIPAA: BREACH NOTIFICATION RULE
§ General purpose – requires notification if a “breach” of PHI occurs
• Applies to a breach by any entity handling PHI
• Final rule claimed to create an objective standard, but still has subjective elements
• Presumption of a breach; breaching entity must prove why notification is not needed
§ Increasing exposure to enforcement actions by the Office of Civil Rights (OCR)
THE MYTHS
GENERAL MYTHS
MYTH #1
§ Healthcare providers are prevented from sharing protected health information with a patient’s family members and caregivers.
MYTH #1 EXPLAINED
§ FICTION
§ Providers are permitted to share information with family members and caregivers in certain circumstances
§ Patient can impact through specific authorization or denial
MYTH #2
§ Only a patient or the patient’s personal representative may obtain a copy of that patient’s medical record.
MYTH #2 EXPLAINED
§ FICTION
§ Many permissible uses and disclosures
§ Do not always need permission
MYTH #3
§ HIPAA prevents providers and patients from communicating by email.
MYTH #3 EXPLAINED
§ FICTION
§ Any information may be sent by email
§ May need to implement certain protections
§ Providers should send as instructed by patient
MYTH #4
§ Providers are obligated to provide a patient their entire medical record upon request.
MYTH #4 EXPLAINED
§ FICTION
§ Certain parts of a record may be exempt from disclosure – often mental health information
§ State law may influence – must be reviewed in addition to HIPAA
MYTH #5
§ HIPAA protects all protected health information no matter who is in possession of it.
MYTH #5 EXPLAINED
§ FICTION
§ Only “covered entities” and their “business associates” must comply with HIPAA
§ Context in which protected health information is held is important for determining obligations
MYTH #6
§ HIPAA obligates providers to correct any errors that may be in an individual’s medical record.
MYTH #6 EXPLAINED
§ FICTION
§ Individuals have the right to request amendments
§ Request does not guarantee change will be made
MYTH #7
§ Your medical records will not impact your credit score or credit generally.
MYTH #7 EXPLAINED
§ Partial FACT
§ The record itself does not impact an individual’s credit
§ However, failure to pay for medical treatments can be reported to credit agencies
MYTH #8
§ Protected health information cannot be sold or used for marketing.
MYTH #8 EXPLAINED
§ Partially FACT
§ HIPAA limits when protected health information can be used for marketing purposes without authorization
§ However, de-identified data is not subject to restrictions
§ Certain, limited marketing also allowed as of right
MYTH #9
§ HIPAA requires patients to consent to the sharing of protected health information by providers.
MYTH #9 EXPLAINED
§ FICTION
§ Uses and disclosures for “treatment” purposes are allowed without requiring an individual’s consent
§ Transfers between providers occur without patient involvement
MYTH #10
§ HIPAA prevents an individual’s family member from picking up the patient’s prescriptions.
MYTH #10 EXPLAINED
§ FICTION
§ A family member can pick up prescriptions, medical supplies, x-rays and other similar forms of protected health information
§ Allowed if the provider determines it is in the patient’s best interests
MYTH #11
§ Patients can sue providers for HIPAA violations.
MYTH #11 EXPLAINED
§ FICTION
§ There is no private right of action under HIPAA
§ Only the federal or state government can sue to enforce HIPAA
BUSINESS ASSOCIATE MYTHS
MYTH #12
§ A healthcare provider or covered entity can never be a business associate to another covered entity.
MYTH #12 EXPLAINED
§ FICTION
§ Need to evaluate what function is being performed
§ For healthcare services, exempted
§ If performing billing, data analysis, data storage or other functions, can be a business associate
§ Review definition
MYTH #13
§ A cloud data storage company is not a business associate because all the company does is store my information.
MYTH #13 EXPLAINED
§ FICTION
§ The Omnibus Rule changed the rules and expanded who is a business associate
§ Entities that maintain protected information are business associates
§ Determination is not about access
§ Only “conduits” are outside the requirements
MYTH #14
§ I’ve been using a new business associate agreement for all arrangements since September 23, 2013, so I’m all set and do not need to review any previously existing agreements.
MYTH #14 EXPLAINED
§ FICTION
§ Primary compliance date was September 23, 2013
§ BUT, then-current agreements need to be replaced by September 22, 2014
§ Review now to ensure all business associate agreements conform to new requirements
MYTH #15
§ A covered entity must get every business associate to sign a business associate agreement.
MYTH #15 EXPLAINED
§ FACT, but . . .
§ Regulations require covered entity to have business associate sign
§ What if business associate refuses?
§ Arguably can make reasonable efforts
§ Business associate’s status not driven by agreement, but by regulatory definition
MYTH #16
§ Now that business associates may be directly liable for breaches, covered entities are off the hook.
MYTH #16 EXPLAINED
§ FICTION
§ Even if a business associate is the cause of a breach, a covered entity’s patients are still harmed
§ Covered entities also have obligations to review and oversee actions of business associates
HEALTH IT RELATED MYTHS
MYTH #17
§ HIPAA will control and regulate all mobile health apps.
MYTH #17 EXPLAINED
§ FICTION
§ Never forget, context determines when HIPAA applies
§ How will a mobile health app be used?
§ Who is collecting the data and why?
MYTH #18
§ A covered entity has a bring your own device (BYOD) policy in place, so all concerns have been addressed.
MYTH #18 EXPLAINED
§ FICTION
§ When was the BYOD policy prepared and what is in it?
§ Have all circumstances been addressed?
§ Pay attention to the New York and Presbyterian Hospital and Columbia University settlement
MYTH #19
§ Small practices are less complex than larger organizations and do not have the same security concerns, so a risk analysis is not necessary.
MYTH #19 EXPLAINED
§ FICTION
§ Conducting a risk analysis is a required element under the Security Rule
§ No exceptions
§ Necessary to help with development and implementation of security policies
§ Once is not enough either
ONE FINAL MYTH
MYTH #20
§ HIPAA can be used as an excuse to deny access to information or otherwise restrict what individuals may do.
MYTH #20 EXPLAINED
§ FICTION
§ Oftentimes, HIPAA is improperly cited as a reason to deny a request
§ Examples:
• Parent cannot accompany their children
• Visitors must leave a hospital room after a certain time
• Offices cannot announce patient names in the waiting room
QUESTIONS?
www.compliancy-group.com
855.85 HIPAA (855.854.4722)
The Guard:
• Intelligent web-based solution designed by auditors
• Used by over 1,000 Covered Entities and Business Associates
• Quickly and cost-effectively Achieve, Illustrate and Maintain HIPAA, HITECH, and Omnibus Compliance
• HIPAA Audit Guarantee Features
• Training, Policy & Procedure Templates Included
• Business Associate Management
• Document & Version Control
• Training & Attestations Tracking
• HIPAA Coaches to Assist every step of the way
HIPAA Education Series sponsored by:
CONTACT INFORMATION
Matthew Fisher Mirick O’Connell 100 Front Street
Worcester, MA 01608 (508) 791-8500
[email protected] @matt_r_fisher