HIPAA and the TAS: Is it As Bad As We Thought It Would Be? Thoughts on Current Experiences and Problems Marty Ween, Esq Wilson Elser Moskowitz Edelman & Dicker LLP Henry Cifuentes Vice President – Hays Affinity April 30, 2014
Webinar Agenda • ATSI / Hays Program Intro • Speaker Intro • ATSI / Hays PL Policy Highlights • Questions
About the ATSI/Hays Insurance Program • The same program underwriters and defense law firm for over 20 years • Program exclusively offered to ATSI members; however, anyone may obtain a quote • Policy is tailored to your industry; it is not a miscellaneous policy of the kind common in the marketplace • ATSI and Hays both work constantly with the underwriters to provide a competitive, industry-leading product
Program Enhancements • Cyber Liability Coverage • $100,000 now included at no additional cost • Higher options available for a nominal premium, up to $1,000,000 • Coverage provides protection for: • Allegations of failing to prevent unauthorized access to computer systems • Release or transmission of a computer virus • Destruction, corruption or removal of electronic data stored or transmitted • HIPAA/HITECH Fines Coverage • Important if you have any medical-related clients/business • Reimbursement for fines and penalties: $50,000/$100,000 at no additional cost; higher limits available for a nominal additional premium • HIPAA/HITECH third-party claims: coverage up to your policy limit
Program Enhancements With the Professional Liability Insurance in place, we can also assist with: • Business Owners Package • General Liability • Business Property • Workers Compensation • Commercial Business Auto • Employment Practices Liability Just launched in the past month: • Life • Disability • Long-Term • Personal Umbrella Please visit the program website for more information.
Association of TeleServices International Webinar – April 30, 2014 HIPAA and the TAS: Is it as Bad as We Thought it Would Be? Thoughts on Current Experiences and Problems Martin M. Ween, Senior Partner, Wilson Elser Moskowitz Edelman & Dicker LLP
HIPAA and the TAS: Is it as Bad as We Thought It Would Be? Purpose of this Webinar: 1. Provide a short description of HIPAA, HITECH, the Privacy and Security Rules and what is required for Business Associate Agreements 2. Describe the issues that have arisen since the final Privacy and Security Rules became effective 3. Provide some suggestions for approaching these issues
What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal law that protects the privacy of individually identifiable health information, or “Protected Health Information” (“PHI”).
What is Protected Health Information? • PHI is individually identifiable health information. It can include name, age, gender and other personal demographic information such as phone number and address; health status information; prescription drug information; health care payment information; and pre-existing conditions.
The Privacy Rule The Secretary of Health and Human Services established the Privacy Rule, effective April 14, 2001, to set national standards to protect individuals’ medical records and other personal health information. It applies to health plans, health care clearinghouses and any health care provider who transmits health information electronically in connection with certain standard transactions (together, the “Covered Entities”).
The Privacy Rule • The Privacy Rule also dealt with “Business Associates” of the Covered Entities and the need for these parties to enter into “Business Associate Agreements” (later referred to as “Business Associate Contracts”) confirming compliance with the Privacy Rule.
The Security Rule The Security Rule, published February 2003, requires Covered Entities to use measures that reasonably and appropriately ensure the confidentiality, integrity and availability of electronic PHI (“ePHI”); protect against reasonably anticipated threats, hazards and impermissible uses or disclosures of ePHI; and ensure that the workforce of a Covered Entity complies with the rule.
What is HITECH? HITECH is the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”), the “Stimulus” Act. HITECH addressed various areas of concern under HIPAA and the Privacy and Security Rules, including stronger protections for ePHI such as encryption, and promoted the use of electronic health information systems. HITECH obligated Business Associates to comply with the HIPAA Privacy and Security Rules on the same basis as Covered Entities and made Business Associates directly subject to the same civil and criminal penalties for violations.
Why Does Compliance Matter? • Audits • Civil penalties: $100 to $50,000 per individual violation; $25,000 to $1.5 million for multiple violations of the same provision in a single year • Criminal penalties: fines from $50,000 to as much as $250,000, with imprisonment from one year to as much as ten years • Both the civil and criminal penalties can apply to the organization and its officers, as well as to the individual violators
The Final Privacy and Security Rules • After a lengthy public comment process, the final Privacy and Security Rules under HIPAA/HITECH were adopted as of January 25, 2013 • Business Associate Agreements were required to be in compliance with these final Rules between September 23, 2013 and September 23, 2014, depending on their renewal date
What do the Final Privacy and Security Rules Require in a Business Associate Contract? HHS requires ten items in the Business Associate Contract: 1. The permitted and required uses and disclosures of Protected Health Information by the Business Associate; 2. The acknowledgement by the Business Associate that it will not use or further disclose the protected information other than as permitted or required by the services agreement or by law;
What do the Final Privacy and Security Rules Require in a Business Associate Contract? 3. The agreement of the Business Associate that it will implement appropriate safeguards to protect against unauthorized use or disclosure of the protected information, including safeguards for Electronic Protected Health Information; 4. The Business Associate must report to the Covered Entity any use or disclosure of the protected information not permitted by the services contract, within sixty days of the disclosure;
What do the Final Privacy and Security Rules Require in a Business Associate Contract? 5. The Business Associate has to disclose protected health information if the Covered Entity receives a request from an individual for his or her protected health information, and must make the protected health information available for amendments and accountings; 6. The Business Associate has to acknowledge that it will comply with the Privacy Rule to the extent the Business Associate is performing the work of the Covered Entity;
What do the Final Privacy and Security Rules Require in a Business Associate Contract? 7. The Business Associate has to make available to HHS its internal practices, books and records relating to the use and disclosure of protected health information received from, or created or received by the Business Associate on behalf of, the Covered Entity; 8. If the telephone answering services contract is terminated and, as a result, the Business Associate Contract is terminated, the Business Associate must return or destroy the protected health information it received or created for the Covered Entity;
What do the Final Privacy and Security Rules Require in a Business Associate Contract? 9. The Business Associate must ensure that any subcontractors it retains that have access to protected health information agree to the same restrictions and conditions that apply to the Business Associate; and 10. The Business Associate Contract must be terminable by the Covered Entity if the Business Associate violates a material term of the contract.
What do the Final Privacy and Security Rule Require in a Business Associate Contract ? The Business Associate Contracts in place as of the final Rules that were based on the ATSI sample agreement were generally compliant with these Rules, but needed review and revision for a number of differences.
What are the Issues That Have Come Up after the Final Rules? • Clients who refuse to sign a Business Associate Contract • Clients who refuse to sign your proposed Business Associate Contract and propose their own form, with unfair or unacceptable terms • Getting your subcontractors to sign a Business Associate Contract
Some Suggested Approaches to these Issues • Establish a Business Associate Agreement by your unilateral written agreement to comply with the statutes and the Rules • For new clients, or clients being given new service contracts, put in a requirement that all parties will execute a Business Associate Contract and/or put into the services contract the agreement to comply • Ask HHS for an interpretation or opinion
Some Suggested Approaches to these Issues • Agree to the use of the client’s own form with modifications to avoid losing insurance coverage • Alternative pricing to take into consideration increased risk if the client insists on the use of its form
For more information, please contact: Martin M. Ween, Senior Partner, Wilson, Elser, Moskowitz, Edelman & Dicker, LLP, 150 East 42nd Street, New York, NY 10017-5639 T: 212-915-5590 F: 212-490-3038
ATSI / Hays Insurance Program https://atsi.haysaffinity.com For more information, please contact: Henry Cifuentes 202-263-4018 or hcifuentes@hayscompanies.com