Changes to Privacy Regulations under ARRA
May 4, 2009
Melissa Goldstein, J.D.
The George Washington University School of Public Health and Health Services
HIPAA Privacy Rule in a Nutshell
• A covered entity cannot use or disclose protected health information unless it is permitted or required by the Rule
• And then, generally, only the minimum necessary information may be used or disclosed
• The Rule sets a federal floor
• More protective state statutes are permitted
American Recovery & Reinvestment Act of 2009 (ARRA)
• Title XIII – Health Information Technology (HITECH)
• $19 billion over 10 years
• Establishes HIT infrastructure at HHS (advisory committees on policy and standards)
• Significant changes to the healthcare privacy and security environment
• Does not change all of HIPAA, but should be addressed by entities handling health care information
• Most provisions require further regulatory clarification
Overview of Investment
• $2 billion in grants
• $300M for subnational and regional exchange efforts
• $20M for NIST for health care information enterprise integration
• Incentives through Medicare & Medicaid for healthcare professionals, hospitals and other providers
Changes to HIPAA
• Enhanced individual control
  • Right of electronic access
  • Can direct the record to another entity or individual (PHR)
  • Right to restrict disclosures to health plans for payment and operations
• Application to business associates (entities that act on behalf of “covered entities”)
  • HIPAA security rules
  • HIPAA privacy rules
  • Provisions in ARRA
Changes to HIPAA
• Business associate contracts
  • Required for health information exchanges, RHIOs, and other entities that transmit protected health information (PHI) to a covered entity
  • Required for vendors that contract with a covered entity to offer a personal health record (PHR)
• Breach notification requirement
  • Definition of breach
  • Safe harbor for “protected” data
Changes to HIPAA
• Accounting for disclosure requirements for entities using electronic health records
  • Requirement applies after standards and regulations are developed
  • Phased in over time
  • Covers only 3 years
Changes to HIPAA
• Marketing
  • Limited right to use information for marketing if the communication is paid for by an outside entity
  • Exceptions for treatment and communications about current drugs and biologics
• Fundraising
  • Opt-out required
Changes to HIPAA
• Prohibition on sale of health records or protected health information
• Exceptions
  • Public health
  • Research
  • Treatment of an individual
  • Sale of a facility/business
  • Payments to business associates
  • Copies to individuals
Changes to HIPAA
• Secretary guidance on minimum necessary
  • Use of a limited data set where possible in the interim
  • Discloser determines minimum necessary
  • Minimum necessary still does not apply to treatment or de-identified information
• Study on implementation of the de-identification requirements
Enhanced Enforcement of HIPAA
• Tiered increase in civil penalties
• Secretary required to conduct periodic audits
• State Attorney General civil enforcement
Entities not covered by HIPAA
• Study of privacy protections
• HHS & FTC report to Congress on privacy and security recommendations for PHRs
• Temporary breach notification provisions
  • FTC enforced
Implementation
• Refining the terms “certified EHR” and “meaningful use”
• Strategic plan for rollout
• Implementation of privacy and security provisions