2014 HIPAA Refresher Omnibus Rule & HIPAA Security

Transcript of 2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

What is the Omnibus Rule?

• The Omnibus Rule modifies the HIPAA Privacy, Security, Breach Notification and Enforcement rules.

• The Omnibus Rule implements the provisions of the HITECH Act (Health Information Technology for Economic and Clinical Health) that were not implemented in 2010.

• The Omnibus Rule implements the provisions of the Genetic Information Non-discrimination Act of 2008 (GINA).

Overview of Omnibus Rule Impact

• Breach Notification

• Civil and Monetary Penalties

• Business Associate Agreements

• Notice of Privacy Practices

• Fundraising and Marketing

• Research

• Self Pay Patients

• Release of Information

• New and revised policies

• New and revised forms

Breach Notification

• The definition of breach was amended to clarify that an impermissible acquisition, access, use or disclosure of protected health information (PHI) is presumed to be a breach.

• Breach notification is necessary unless the Covered Entity or Business Associate can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised.

Reminder!


• A breach is a violation of patient privacy that occurs when patient information is impermissibly acquired, accessed, used or disclosed.

• Report all breaches or suspected breaches as soon as possible to the Privacy Officer by calling 323-1184, 323-8002 or using ComplyLine 1-877-898-6072.

Civil Monetary Penalties

Maximum Penalty Amount: $100 to $50,000 per violation

Calendar Year Cap: $1.5 million

• FYI – The Kentucky Attorney General may sue on behalf of the patient.


Business Associate Agreements

• Much of the Privacy Rule and Security Rule now applies to business associates and their subcontractors.

• Covered entities and business associates may now be held liable for acts of their agents, including business associates and subcontractors of business associates.

• This includes the civil monetary penalties for violations of HIPAA.

Business Associate Agreements

• Review all vendors and verify whether they work with UKHC protected health information (PHI).

• Contact the Privacy Officer at 323-1184 with your questions about vendors and business associate agreements.


Notice of Privacy Practices - Revised

• Patient has the right to request a restriction when paying out-of-pocket, in full, at the time of the visit.

• Patient has the right to be informed about a breach of unsecured health information.

• Operations – Add “safety”, as in “We may use your PHI to assess your care in an effort to improve the quality and safety of our service to you.”

Notice of Privacy Practices - Revised

• Fundraising communications must give the patient the option, and the contact information, to opt out of the fundraising effort and of further fundraising communications.

• Marketing requires patient authorization. PHI (protected health information) may not be sold without patient authorization.

• Most disclosures regarding psychiatric notes require an authorization.

• Patient has the right to receive copies of medical records in electronic form, if available.

Research

• Compound authorizations are permitted for multiple research purposes.

• Compound authorizations must be clear about:

– When provision of research-related treatment is conditioned upon authorization

– When treatment is not conditioned upon authorization

Research

• Authorizations for future research must still describe the future research purposes, although they do not need to be study-specific.

• Authorizations related to use of psychotherapy notes can only be compounded with other authorizations related to use of psychotherapy notes.

Self Pay Patients

• Patients may restrict visits from disclosure to health plans and Medicare if they self-pay in full (or someone with the patient pays) at the time of the visit.

• Patient must complete and sign the Self-Pay Restriction form at the time of visit.

• Visits the patient restricts from disclosure to health plans may not be audited by the health plans. However, restricted visits by Medicare patients may be audited by Medicare.

Release of Information

• Verbal authorization is allowed for sharing immunization records (only) with schools. Document the authorization in the medical record.

• HIPAA protection of records has changed for deceased patients from ‘forever’ to 50 years after the patient’s death.

• Patients may restrict release of genetic information.

Look for New and Revised Policies


New Policies

Fundraising

Self Pay Restriction

Revised Policies

A05-065 Release of Medical Records/Information

A06-100 Privacy Investigations and Breach Notification

Look for New and Revised Forms


• New form – Self Pay Visit Restriction

• Revised - Notice of Privacy Practices

• Revised - Authorization to Release Medical Records/Information

• Revised - Business Associate Agreement

Please read the following Confidentiality Expectations. Indicate your understanding by checking the ‘Yes’ box.

Confidentiality Expectations

I agree to keep patient information confidential by observing the following:

1. I will sign off/log off the system when I leave the workstation and not allow others to use my access.

2. I will only look up information on patients for whom I have direct responsibility. I will not look up my own medical information on the computer.

3. I will protect my password from use by others or theft.

Confidentiality Expectations

4. I will follow all UK HealthCare and department rules of conduct whenever I use e-mail.

5. I will password protect any personal digital assistant device that contains patient or confidential information.

6. I will share patient information only with people who have a right to access the information in order to perform their job function.

Confidentiality Expectations

7. I will not disseminate confidential patient information from my home computer without appropriate authorization for release of information.

8. I will dispose of confidential information properly in accordance with all applicable policies.

9. I understand that audits will be performed on computer usage to ensure compliance with all computer-related policies and this confidentiality agreement.

Confidentiality Expectations

10. I will follow other specific confidentiality rules for special situations. When departments have standards more stringent than this statement, I will abide by their standards.

11. I understand that audits will be performed on computer usage to ensure compliance with all computer-related policies and this confidentiality agreement.

12. I will follow other specific confidentiality rules for special situations. When departments have standards more stringent than this statement, I will abide by their standards.


Confidentiality Expectations

13. I will comply with UK Enterprise electronic signature policies and protect my electronic signature, when issued to me, from use or theft by others.

14. I understand that my employer has the right to take disciplinary action up to and including termination of my employment for breaches of confidentiality.

Lynn Crothers, Privacy Officer, 859-323-1184

Office of Corporate Compliance, 859-323-8002

9/23/2013
