2019 HIPAA Update
Speakers
• Charlotte Tschider, DePaul College of Law, Jaharis Faculty Fellow in Health Law and Intellectual Property
• Tracy Palmer Berns, Chief Compliance Officer, AMAG Pharmaceuticals
• Elizabeth Ortmann-Vincenzo, Assistant General Counsel, Cigna-Express Scripts

Agenda
• HIPAA Refresher
• Trends in Breach Activity
• Recent HIPAA Enforcement Actions
• Hot Topics in Privacy
Introduction to HIPAA
• What is HIPAA?
  • Health Insurance Portability and Accountability Act of 1996
  • The Privacy Rule addresses the use and disclosure of individuals’ protected health information (PHI)
  • The Security Rule requires covered entities to evaluate risks and vulnerabilities in their environments and to implement policies and procedures to address them
  • The Breach Notification Rule

Introduction to HIPAA
• Limited Applicability
  • Covered Entities (health care providers, health plans, clearinghouses)
  • Business Associates (an entity that creates, receives, maintains, or transmits PHI for a CE)
• Protects individually identifiable health information
  • Protected Health Information, or PHI
  • Covers any form created or received by a covered entity (oral, paper, electronic)

Introduction to HIPAA
Other Entities:
• A manufacturer is not typically a CE or BA but may receive PHI from a CE/BA
• A hub may be a BA to pharmacies, OR
• A hub may receive information subject to an authorization form

Introduction to HIPAA
• Not all Health Information, or even Individually Identifiable Health Information, is Protected Health Information subject to HIPAA
• Protected Health Information (PHI) is all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media

Introduction to HIPAA
Enforcement
• Office for Civil Rights (OCR) in the Department of Health & Human Services (HHS)
• Civil penalties – fines of 50K-1.5 million per provision of HIPAA violated
• Criminal penalties – with a malicious motive, personal fines of up to 250K and up to 10 years in jail
• No private right of action
HIPAA Breach Activity
• Recently reported breaches currently under investigation
• OCR is required to publish breaches affecting over 500 individuals: the “Wall of Shame”
• 1/1/2019 - 5/12/2019 – 145 breaches affecting over 500 individuals were reported

Complaints
[Chart: Outcome of Complaint Investigations]
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-results-by-year/index.html

Breach Investigations
[Chart: Outcome of Breach Compliance Reviews]
Source: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-results-by-year/index.html

Top Five Compliance Issues
[Chart: Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year]
Available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/top-five-issues-investigated-cases-closed-corrective-action-calendar-year/index.html
2018 Enforcement Highlights – A Record Year
• Feb. 2018: $3.5 million for failing to perform risk assessments and implement safeguards
• Feb. 2018: fine imposed on a receiver appointed to liquidate a medical record management company
• Oct. 2018: record $16 million settlement for systemic HIPAA violations and a 2015 data breach

2018 Enforcement Highlights
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/2018enforcement/index.html

2019 Enforcement Highlights
• May 2019: $3 million to settle claims of failure to prevent a breach and failure to timely notify patients of the breach
• Right of access continues to be an area of concern – cases likely this year
• Top 3 Risks under the Audit Program:
  • Risk analysis (not accounting for data flows into systems); risk management; and right of access
Breach Reporting Strategies
• List all steps the organization took:
  • To prevent the breach
  • To contain the breach
  • To mitigate harmful effects of the breach
  • To prevent future breaches
• Only report true breaches
• Log small breaches and report them at the end of the year
• Don’t forget about reputational harm
• Most small or typical breaches are not further investigated, but always be prepared for an OCR investigation of large or unusual breaches

Most Importantly…
Avoid breaches before they occur!

Hot Topics
• Federal Privacy Legislation
• OCR’s guidance on fines