
HIPAA Updates

Learn about the importance of defining your entity as a HIPAA-covered hybrid entity, which includes both covered and non-covered functions. Discover the rules and requirements for disclosure, breach notifications, security measures, and more.





Presentation Transcript


  1. HIPAA Updates Jill Moore, JD, MPH NCPHA Fall 2019

  2. Defining your entity

  3. Hybrid entity • A HIPAA-covered entity that has both covered functions and non-covered functions • In other words, the entity has some programs/services/ activities/functions that have to comply with HIPAA and some that don’t

  4. Time for a reboot?
  • LHDs are encouraged to revisit their hybrid entity designations, especially if:
    • New consolidated agency
    • Programs/services added or ended
    • Current designation more than a couple years old
  • No templates or required forms, but there is a specific HIPAA provision that outlines what has to be in a hybrid entity designation
    • 45 CFR 164.105(a)

  5. Why is it important?
  • To know which programs and which workforce members must comply with HIPAA
  • Recognize there are two separate but related questions:
    • Must a program/service/activity comply with HIPAA?
    • Is the information held by the program/service/activity confidential?
  • First question is answered by hybrid entity designation; second question is answered by whether confidentiality laws apply

  6. LHDs are subject to multiple confidentiality laws

  7. FAQs with answers that depend in part on what the hybrid entity designation says
  • What are the rules for disclosing particular information?
  • Suppose information has been used or disclosed improperly. Is the incident subject to the HIPAA breach notification process?
  • Which information in your entity does the HIPAA security rule apply to?
  • Which vendors do you need business associate agreements with?
  • Which workforce members have to take HIPAA training?

  8. Hybrid Entity Resources
  HIPAA Regulation
  • 45 C.F.R. 164.105(a)
  Network for Public Health Law, Hybrid Entity Toolkit
  • https://www.networkforphl.org/resources/topics__resources/health_information_and_data_sharing/hipaa_hybrid_toolkit/ (or go to networkforphl.org and put “hybrid” in the search box)
  SOG Local Government Law Blog
  • Should a Local Government be a HIPAA Hybrid Entity?, by Aimee Wall, at https://canons.sog.unc.edu/should-a-local-government-be-a-hipaa-hybrid-entity/ (or go to canons.sog.unc.edu and put “hybrid” in the search box)

  9. Text Messages

  10. HIPAA Rules
  Privacy Rule
  • Rules for using and disclosing PHI; when release is required and when it isn’t
  • Individual rights, including the right to request confidential communications
  • Reasonable safeguards against unauthorized uses or disclosures of information
  Security Rule
  • Safeguards for ePHI: technical, physical, administrative
  • Ongoing assessment and analysis of risks associated with maintaining, using, disclosing, and disposing of ePHI

  11. HIPAA Security Rule
  • Applies if texts contain protected health information
  • All ePHI must be protected by technical, physical, and administrative safeguards
  • If using text messages to transmit PHI, must assure the security rule’s requirements for protecting the PHI are satisfied

  12. Recommendations
  • Be sure your agency’s security risk assessment is up-to-date
  • Your EHR provider may be able to provide a secure messaging platform
  • If you can establish a secure method for sending texts, develop a texting policy that addresses:
    • What kinds of communication texts will be used for
    • How clients opt-in or opt-out of receiving texts
    • Devices: which will be used; who can use them; how they’ll be secured; who must be notified in the event of theft, loss, malicious software, etc.
    • Any other issues identified by your messaging platform vendor or during your security risk assessment

  13. Responding to breaches

  14. What is a breach?
  • Acquisition, access, use, or disclosure of protected health information (PHI) that:
    • Is not allowed by the HIPAA privacy rule, and
    • Compromises the privacy and security of the PHI.
  • Breach is presumed unless:
    • The situation is in the “safe harbor,” or
    • An exception applies, or
    • A risk assessment shows a low probability that PHI was compromised.

  15. What is the safe harbor? • PHI was encrypted, or • PHI was disposed in keeping with HHS guidance on secure disposal

  16. What are the exceptions?
  • PHI could not reasonably be retained
  • Access is unintentional and by a workforce member or business associate acting in good faith
  • Inadvertent disclosure is made to another person within the CE or BA who is authorized to access PHI

  17. What is a breach risk assessment?
  What it is:
  • Analysis you undertake to demonstrate low probability that PHI was compromised
  • Demonstrated low probability of compromise defeats the presumption that unauthorized acquisition, access, use, or disclosure was a breach
  Minimum factors:
  • Nature and extent of PHI, including types of identifiers & likelihood of re-identification
  • Unauthorized person who received disclosure or used PHI
  • Whether PHI was actually acquired and viewed
  • Extent to which any risk to PHI has been mitigated

  18. Do not use the eyeball test!

  19. Breach determination flowchart
  • Did acquisition, access, use, or disclosure involve PHI? No → STOP. Yes → continue.
  • Was it encrypted or disposed per rules (safe harbor)? Yes → STOP. No → continue.
  • Does an exception apply? Yes → STOP. No → continue.
  • Low probability of compromise per risk assessment? Yes → STOP. No → Notification required.

  20. If notification is required, who must be notified and how quickly?

  21. What must the notice include?
  • What happened?
    • Description of incident
    • Description of types of PHI involved (e.g., name, address, record number, DOB, diagnosis, etc.)
  • When did it happen? When did you realize it happened?
    • Description of incident must include dates of breach and of discovery of breach
  • What should people do?
    • Steps individuals should take to minimize potential harm from the breach
  • What is the covered entity doing?
    • Brief description of CE actions to investigate and mitigate the breach, and protect against future breaches
  • What if I want to know more?
    • Contact information and procedures for individuals to ask questions or learn more about breach

  22. What else should you do?
  • Investigate the circumstances
  • Mitigate harm to individuals
  • Account for disclosures (include in accounting log or other mechanism you use to provide accounting to individuals who request it)
  • Follow-up with employees – apply sanctions, review training

  23. Questions?
