HOUSE BILL 300
Susan Sullivan
Atlas, Hall & Rodriguez, L.L.P.
818 West Pecan
McAllen, Texas 78501
(956) 682-5501
ssullivan@atlashall.com
I. HIPAA and HITECH

A. Enforcement of Privacy and Security Rules
• Civil and criminal penalties

B. Definition of “Covered Entity” and “Business Associate”
• A “covered entity” is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with certain transactions for which HHS has adopted standards. Examples of health plans that are covered entities include health and dental plans, HMOs, Medicare, and Medicaid. Health care clearinghouses include public or private entities such as billing services, repricing companies, community health management information systems or community health information systems, and “value-added” networks. Health care providers include institutional providers such as hospitals, non-institutional providers such as physicians and dentists, and any other person or organization that furnishes, bills, or is paid for health care.
• A “business associate” is a person or organization that, on behalf of a covered entity or organized health care arrangement, (1) performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information or any other function or activity regulated by HIPAA, or (2) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
I. HIPAA and HITECH (cont.)

C. Lawyers as HITECH Business Associates

1. When Are Lawyers BAs?
• Privacy or security compliance support for CEs;
• Fraud and abuse/false claims defense;
• Healthcare professional discipline defense;
• Risk management for CEs;
• Due diligence for some types of CE transactions;
• Representing a CE in any case involving individual patient diagnosis or treatment, or individual health benefits.

Although not an exhaustive list, examples of when a law firm may not be obtaining PHI on behalf of a CE include:
• When it is representing a party which is not a CE;
• In workers’ compensation cases, which are excluded from HIPAA by statute;
• In social security cases;
• In employment law matters.

2. Law Firm Management of BA Compliance
I. HIPAA and HITECH (cont.)

D. Ethical Issues Arising After a Breach
• Raising the issue with the client.
• Avoiding or limiting information access rights of subject individuals.
• Limiting or conditioning, by internal policy, HHS access rights to records for investigation of a CE client.
• Limiting or conditioning, by a certain policy, HHS access rights to investigate the BA law firm.
• Designing practice scope and processes to “wall” off matters potentially subject to investigation from other matters.
II. HOUSE BILL 300

A. What Is It and What Were They Thinking?

B. Everything Is Bigger in Texas

1. Broader Definition of Covered Entities
• A health plan;
• A health care clearinghouse; or
• A health care provider who transmits any health information in electronic form in connection with a transaction covered in this subchapter.

Under HB 300, the term also covers any person who:
• For commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, non-profit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;
• Comes into possession of protected health information;
• Obtains or stores protected health information under this chapter; or
• Is an employee, agent, or contractor of a person described above, insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.
II. HOUSE BILL 300 (cont.)

2. Expanded Training Requirements
• Establish an employee HB 300 training plan.
• Contents: state and federal law regarding PHI as it relates to:
  • Your particular business; and
  • Each employee’s scope of employment in your business.
• Each employee must complete training no later than:
  • September 1, 2012, or
  • The 60th day after new hiring.
• Each employee has to be re-trained at least once every two years.
• Each employee must sign, electronically or in writing, a statement verifying the employee’s attendance at the training program.
• You must maintain the signed statement.

Sample statement:
I ______________________ have been trained on Texas HB 300 privacy laws on _____________________
Signature ______________________
II. HOUSE BILL 300 (cont.)

2. Expanded Training Requirements (cont.)
• Make sure you have a firewall on your computer and/or computer network
• Make sure you have virus / hacking protection
• Make sure you control thumb drives
• Make sure you control laptops
• Make sure you control broken hard drives
• Make sure you control smart phones
• Social media: shut employees out
• Put up a SIGN in your waiting room, or
• Put a notice on your website, or
• Put a notice in your client contract, or
• Put a notice in your medical release that:
  “We may transmit your protected health information electronically in the course of our representation of you.”

3. Increased Patient Rights and Remedies Over Electronic Health Records
II. HOUSE BILL 300 (cont.)

4. Increased Enforcement Penalties
Penalties for breach: a civil penalty assessed under this section may not exceed:
• (1) $5,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed negligently;
• (2) $25,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed knowingly or intentionally; or
• (3) $250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.
II. HOUSE BILL 300 (cont.)

Considerations:
• The seriousness of the violation;
• The covered entity’s compliance history;
• Whether the violation poses a significant risk of financial, reputational, or other harm to the patient;
• The amount necessary to deter future violations; and
• The covered entity’s efforts to correct the violation.

C. Standards for Electronic Sharing of PHI
D. Broad Notification Requirements
E. Audits of Covered Entities
F. Entities Should Begin Compliance Efforts Now