2014 HIPAA Refresher: Omnibus Rule & HIPAA Security
TRANSCRIPT
What is the Omnibus Rule?
• The Omnibus Rule modifies the HIPAA Privacy, Security, Breach Notification and Enforcement rules.
• The Omnibus Rule implements the provisions of the HITECH Act (Health Information Technology for Economic and Clinical Health) that were not implemented in 2010.
• The Omnibus Rule implements the provisions of the Genetic Information Non-discrimination Act of 2008 (GINA).
Overview of Omnibus Rule Impact
• Breach Notification
• Civil and Monetary Penalties
• Business Associate Agreements
• Notice of Privacy Practices
• Fundraising and Marketing
• Research
• Self Pay Patients
• Release of Information
• New and revised policies
• New and revised forms
Breach Notification
• Definition of breach amended to clarify the impermissible acquisition, access, use or disclosure of protected health information (PHI) is presumed to be a breach.
• Breach notification is necessary unless the Covered Entity or Business Associate can demonstrate, through a documented risk assessment, a low probability that PHI has been compromised.
Reminder!
• A breach is a violation of patient privacy that occurs when patient information is impermissibly acquired, accessed, used or disclosed.
• Report all breaches or suspected breaches as soon as possible to the Privacy Officer by calling 323-1184, 323-8002 or using ComplyLine 1-877-898-6072.
Civil Monetary Penalties
Maximum Penalty Amount: $100 to $50,000 per violation
Calendar Year Cap: $1.5 million
• FYI – The Kentucky Attorney General may sue on behalf of the patient.
Business Associate Agreements
• Much of the Privacy Rule and Security Rule now applies to business associates and their subcontractors.
• Covered entities and business associates may now be held liable for acts of their agents, including business associates and subcontractors of business associates.
• This includes the civil monetary penalties for violations of HIPAA.
Business Associate Agreements
• Review all vendors and verify whether they work with UKHC protected health information (PHI).
• Contact the Privacy Officer at 323-1184 with your questions about vendors and business associate agreements.
Notice of Privacy Practices - Revised
• Patient has right to request restriction when paying out-of-pocket, in full, at time of visit.
• Patient has right to be informed about breach of unsecured health information.
• Operations – Add “safety” as in “We may use your PHI to assess your care in an effort to improve the quality and safety of our service to you.”
Notice of Privacy Practices - Revised
• Fundraising communications require giving the option and contact information to opt out of the fundraising effort and further fundraising communications.
• Marketing requires patient authorization. PHI (protected health information) may not be sold without patient authorization.
• Most disclosures regarding psychiatric notes require an authorization.
• Patient has right to receive copies of medical records in electronic form, if available.
Research
• Compound authorizations are permitted for multiple research purposes.
• Compound authorizations must be clear:
– When provision of research-related treatment is conditioned upon authorization
– When treatment is not conditioned upon authorization
Research
• Authorizations for future research must continue to describe future research purposes although they do not need to be study specific.
• Authorizations related to use of psychotherapy notes can only be compounded with authorizations also related to use of psychotherapy notes.
Self Pay Patients
• Patients may restrict visits from disclosure to health plans and Medicare if they self pay, in full, (or someone with the patient pays) at the time of the visit.
• Patient must complete and sign the Self-Pay Restriction form at the time of visit.
• Visits the patients restrict from disclosure to health plans may not be audited by the health plans. However, Medicare patient restricted visits may be audited by Medicare.
Release of Information
• Verbal authorization is allowed for sharing only immunization records with schools. Document in the medical record.
• HIPAA protection of records has changed for deceased patients from ‘forever’ to 50 years after the patient’s death.
• Patients may restrict release of genetic information.
Look for New and Revised Policies
New Policies
Fundraising
Self Pay Restriction
Revised Policies
A05-065 Release of Medical Records/Information
A06-100 Privacy Investigations and Breach Notification
Look for New and Revised Forms
• New form – Self Pay Visit Restriction
• Revised - Notice of Privacy Practices
• Revised - Authorization to Release Medical Records/Information
• Revised - Business Associate Agreement
Please read the following Confidentiality Expectations. Indicate your understanding by checking the ‘Yes’ box.
Yes
Confidentiality Expectations
I agree to keep patient information confidential by observing the following:
1. I will sign off/log off the system when I leave the workstation and not allow others to use my access.
2. I will only look up information on patients for whom I have direct responsibility. I will not look up my own medical information on the computer.
3. I will protect my password from use by others or theft.
Confidentiality Expectations
4. I will follow all UK HealthCare and department rules of conduct whenever I use e-mail.
5. I will password protect any personal digital assistant device that contains patient or confidential information.
6. I will share patient information only with people who have a right to access the information in order to perform their job function.
Confidentiality Expectations
7. I will not disseminate confidential patient information from my home computer without appropriate authorization for release of information.
8. I will dispose of confidential information properly in accordance with all applicable policies.
9. I understand that audits will be performed on computer usage to ensure compliance with all computer-related policies and this confidentiality agreement.
Confidentiality Expectations
10. I will follow other specific confidentiality rules for special situations. When departments have standards more stringent than this statement, I will abide by their standards.
11. I understand that audits will be performed on computer usage to ensure compliance with all computer-related policies and this confidentiality agreement.
12. I will follow other specific confidentiality rules for special situations. When departments have standards more stringent than this statement, I will abide by their standards.
Confidentiality Expectations
13. I will comply with UK Enterprise electronic signature policies and protect my electronic signature, when issued to me, from use or theft by others.
14. I understand that my employer has the right to take disciplinary action up to and including termination of my employment for breaches of confidentiality.