HIPAA Final Rules: What You Need to Know and Do
February 06, 2013 ID Experts
www2.idexpertscorp.com
ID Experts Webinar Series
ID Experts delivers complete data breach care. The company's solutions in data breach prevention, analysis and response are endorsed by the American Hospital Association, meet regulatory compliance and achieve the most positive outcomes for its customers. ID Experts is a leading advocate for privacy as a contributor to legislation, a corporate and active member in both the IAPP and HIMSS, a corporate member of HCCA and chairs the ANSI Identity Management Standards Panel PHI Project. For more information visit:
• www2.idexpertscorp.com
• RADAR: Risk Assessment, Documentation And Reporting
• Complete Data Breach Care
Mahmood Sher-Jan, VP of Product Management
Adam H. Greene, JD, MPH, Partner
Agenda
• Review the scope and history of the rules
• Key areas of change: what’s new and what’s different
• Implications of the removal of the harm threshold from breach notification
• What the changes mean for covered entities and business associates
• Guidance and recommendations for compliance
The Wait is Over
The “Omnibus Rule”
• Most of HITECH Act privacy and security provisions
• Breach Notification Rule
• Genetic Information Nondiscrimination Act (limit on underwriting)
• Enforcement Rule
• Several workability amendments
• General Compliance Date: September 23, 2013
What’s Still Missing?
• Accounting of disclosures/access reports
• Minimum necessary guidance
• Distribution of penalties/settlements to harmed individuals
NEW LIMITS ON USES AND DISCLOSURES OF PHI
The Good News: Fundraising
• Adds categories of PHI that may be used or disclosed for fundraising:
– Department of service
– Treating physician
– Outcome information
– Health insurance status
The Good News: Fundraising
• Strengthens opt-out for fundraising:
– Clear and conspicuous
– Must not require undue burden
– May not condition treatment or payment
– Covered entity may not make fundraising communications after opt-out (previous standard was “reasonable effort”)
• Covered entity may provide method of opting back in
The Good News: Research
• Covered entities may combine “conditioned” and “unconditioned” authorizations
– For example, conditioned authorization for clinical trial may be combined with unconditioned authorization for tissue specimen repository
The Good News: Research
• Authorization must differentiate between conditioned and unconditioned portions
• Unconditioned authorization must be opt in, e.g.,
– Check box
– Second signature line
The Good News: Research
• HHS changed interpretation on authorization for future research:
– Prior interpretation: Authorization for research must be study specific
– New interpretation: Authorization may govern future research
– Authorization must reasonably put individual on notice of potential future research
The Good News: Student Immunization Records
• Covered entity may release student immunization records to school without authorization
– If state law requires school to have immunization record
– Written or oral agreement (must be documented)
The Good News: Decedent Information
• No longer PHI 50 years after death
• Covered entity may disclose PHI to persons involved in decedent’s care or payment if not contrary to prior expressed preference
The Bad News: Marketing
• Question 1: Communication about a product or service that encourages purchase or use? If yes, marketing.
• Question 2: Describes health-related item or service offered by covered entity or treatment alternative? If yes, no longer marketing.
• (New) Question 3: Remuneration received from third party whose item or service is described? If yes, marketing again (authorization required).
The Bad News: Sale of PHI
• Covered entity may not receive remuneration in exchange for PHI
• Exceptions (no limit):
– Treatment
– Payment
– Public health
– Sale of covered entity and related due diligence
– Required by law
The Bad News: Sale of PHI
• Exceptions (no limit)
– Business associate activities
• Exceptions (limits)
– Any other permissible purpose if remuneration limited to reasonable, cost-based fee for preparation and transmittal (not in HITECH Act)
– Research
– To an individual for access and accounting
The Bad News: Genetic Information
• Clarification that genetic information is health information
• Health plan (other than long-term care plan) may not use or disclose genetic information for underwriting purposes
BUSINESS ASSOCIATES AND SUBCONTRACTORS
Who Is a Business Associate?
• New definition of business associate
– Uses or discloses individually identifiable health information
– Creates, receives, maintains, or transmits protected health information
• On behalf of a covered entity
Subcontractors: Welcome to the HIPAA Party!
• Subcontractor + PHI = Business Associate
• Subcontractor = Person to whom a business associate delegates a function, activity, or service
• Subcontractor ≠ workforce member
• All the way down the chain (contractual relationships should remain the same)
Liability of Business Associates
• Impermissible uses and disclosures
• Breach notification to covered entity
• Failure to provide e-copy of ePHI as specified in the business associate contract
• Failure to disclose PHI to HHS for HIPAA investigation
• Failure to provide an accounting of disclosures
• Failure to comply with the applicable requirements of the Security Rule
Business Associate Contracts
• Must specify compliance with Breach Notification Rule
• Should specify to whom BA provides electronic access
• If CE delegates HIPAA responsibility, must specify that BA will comply with HIPAA
• 1-yr grandfathering may be available
INCREASED PATIENT RIGHTS
Electronic Copy of PHI
Old Rule:
– Form or format requested, if readily producible
– If not readily producible, then readable hard copy
New Rule:
– If not readily producible and maintained electronically, then readable electronic copy
Copy of PHI to Third Party
• Individual may designate third party to receive copy
– Must be in writing
– Clearly identify the designated person
– Clearly identify where to send the copy
• Access vs. Authorization further confused
Restriction for Out-of-Pocket Payments
• Covered entity must agree to individual’s request to restrict disclosure to health plan, if:
– For payment or health care operations,
– Disclosure is not required by law, and
– Individual (or person on individual’s behalf) pays for item or service in full out of pocket
NOTICE OF PRIVACY PRACTICES
Changes to Notice of Privacy Practices
• Prohibition on sale of PHI
• Duty to notify affected individuals of a breach of unsecured PHI
• Right to opt out of fundraising (if applicable)
• Right to restrict disclosure of PHI when paid out of pocket
• Limit on use of genetic information (certain health plans only)
BREACH NOTIFICATION RULE
New “Compromise Standard”
• “Significant risk of financial, reputational, or other harm”
• Exception for limited data set without ZIP codes or dates of birth
• Presumption of reportable breach, unless low probability the PHI has been compromised after risk assessment
Risk Assessment
• Risk assessment must include four required elements
• What is “compromised”?
– Comment to interim final rule suggesting compromise standard indicates that it is whether PHI is “inappropriately viewed, re-identified, re-disclosed, or otherwise misused”
PRACTICAL IMPLICATIONS OF BREACH NOTIFICATION RULE
Data Breaches Keep Happening
• Nearly 60% of respondents’ organizations had suffered an incident in the last year, and 20% had suffered four or more.
• Leading source of Data Breaches: Lost Paper files (38%)
• Leading source & discovery by rank and file Employees (47%) (non-IT)
SOURCE: HCCA/SCCE survey (published Jan, 2013)
The Human Factor!
Breach Types (chart): Theft, 50%; Unauthorized Access, 18%; Loss/Improper Disposal, 16%; Hacking/IT Incident, 6%; Other, 10.0%
Breach Notification: Spirit of the Rule
• Put pressure on the healthcare industry to better safeguard patient privacy by protecting PHI
• Increase patient/consumer confidence in privacy protection
• Mitigate harm to the affected individuals when consequential events occur
The intent behind the obligation to notify
Factors for Incident Risk Assessment
Before
• Type of PHI disclosed
• Recipient of PHI
• Accessed; Disclosed; Used; Acquired
• Intent of Recipient
• Steps Taken to Mitigate or Eliminate Risk of Harm
After
• Type of PHI disclosed
• Recipient of PHI
• Accessed; Viewed; Re-Identified; Re-Disclosed
• Intent of Recipient
• Steps Taken to Mitigate risk to PHI
Before and After Final Rule
Know The Statutory Exceptions
• Unintentional Good Faith Acquisition of PHI by Workforce Member (CE/BA/Subcontractors)
• Inadvertent Disclosure between Authorized Persons in an organized healthcare arrangement (i.e. clinically integrated care setting)
• Good Faith Belief that Unauthorized Person Could not have Reasonably Retained the Information
The Remaining Exceptions
Incident Management: Burden of Proof
Requires more than issue tracking & ad-hoc risk assessment
Chart labels: Solution Scope & Automation; Ease of Use & Affordability; RADAR™
INCREASED ENFORCEMENT
Focus on Willful Neglect
• Willful neglect: Conscious, intentional failure or reckless indifference
• OCR will investigate all cases of possible willful neglect
• OCR will impose penalty on all violations due to willful neglect
• Greater OCR discretion to proceed directly to penalty without seeking informal resolution
Other Enforcement Changes
• Revised definition of reasonable cause (fills gap between “did not know …” and willful neglect)
• Vicarious liability for business associate agents
• Modification of factors impacting CMP calculation
ACTION ITEMS
Compliance & Risk Mitigation Actions
• Conduct Compliance Assessment
– Privacy, Security & Breach Notification Rules
• Amend Policies, Training & NPP
• Perform/Update Risk Analysis
• Revise Incident Management Process (Burden of Proof)
• Develop a Business Associate Strategy
– Update Agreement Template (Agent?)
– Monitoring for Compliance?
For Covered Entities
Compliance & Risk Mitigation Actions
• Confirm your BA classification!
– BA Agreement (are you an “agent”)?
– Subcontract Assurances
• Do you have a compliance program?
– Risk analysis & risk management plan
– Policies & Procedures
– Workforce training & awareness
– How do you monitor your sub-contractors?
• What is your incident detection and response plan?
– Incident documentation and risk assessment (Burden of Proof)
– Covered Entity reporting timeline
For Business Associates
Resources
• Omnibus HIPAA Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
• Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
• OCR audit website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
• NIST IRP Planning Guide: http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf
Resources
• ID Experts RADAR: http://www2.idexpertscorp.com/RADAR
• Privacy Incident Management Solution Guide: http://www2.idexpertscorp.com/breach-tools/radar/solution-guide/
• Davis Wright Tremaine Blog: http://www.dwt.com/New-Omnibus-Rule-Released-HIPAA-Puts-on-More-Weight-01-23-2013/
Questions & Answers
Mahmood Sher-Jan, CHPC, VP of Product Management, ID Experts, 971-242-4706
Adam Greene, JD, MPH, Partner, Davis Wright Tremaine LLP, 202-973-4213
If you are having a breach now, call 866-726-4271
Events of Interest
• 21st National HIPAA Summit, Washington, D.C.
– February 19 - 21
– Adam Greene, co-chairing and presenting
– Keynote presentations from top OCR officials on the Omnibus Rule.
– Additional information is available at www.hipaasummit.com
• PHI Protection Network Forum on PHI Security, Boston, MA
– March 12 - 13
– Presentations from PHI Privacy Experts
– Leave with the knowledge necessary to build, present and defend a customized business case for PHI security initiatives tailored exclusively for your enterprise.
– Additional information is available at http://phiprotection.org