Upload
kellen-cardy
View
219
Download
2
Embed Size (px)
Citation preview
HIPAA PRIVACY WORK GROUP FOR EYE BANKS
EBAA HIPAA PRIVACY WORK GROUPChristina W. Strong, Esq., Facilitator
HIPAA Overview
Health
Insurance
Portability &
Accountability
Act
• 1996• Portability and accessibility
- Pre-existing conditions- Enrollment at “life events”
• Accountability- Administrative
Simplification- Privacy /Security Rule- Enforcement - Breach
HITECH Act
Health Information Technology for Electronic and Clinical Health
• 2009• Part of ARRA, aka the
“Stimulus Bill”• EMR/EHR Adoption
Rules and Incentives• Increased HIPAA Fines
and Penalties• Expanded
Applicability of HIPAA
Allowable Disclosures
HIPAA allows for the use and disclosure of PHI without authorization under 45 CFR 164:• 164.512(b) FDA-regulated products:
tracking, adverse events, post market surveillance
• 164.512(g) Coroners and Medical examiners: for determining cause of death
• 164.512(h) Cadaveric organ, eye or tissue donation facilitation
Covered Entity
• (A health plan).• (A health care clearinghouse).• A health care provider who transmits
any health information in electronic form in connection with a transaction covered by this chapter.
• 45 CFR 160.103
Covered Entity – Exception #1
“We delete from the definition of ‘‘health care’’ activities related to the procurement or banking of blood, sperm, organs, or any other tissue for administration to patients…
“Consequently, such procurement or banking activities are not considered health care and the organizations that perform such activities are not considered health care providers for purposes of this rule.”
HIPAA Privacy Final Rule, Federal Register/Vol. 65, No. 250/ Thursday, December 28, 2000, p. 82571-2
Business Associate
With respect to a covered entity, a person who:• On behalf of such covered entity,• But other than as a member of its workforce,• Performs or assists in the performance of• A function or activity involving the use or
disclosure of individually identifiable health information…
45 CFR 160.103
Business Associate (BA)
• Claims processing or administration• Data analysis• Processing or administration• Utilization review• Quality Assurance• Billing• Benefit Management• Practice Management• Repricing• Any other function regulated in this subchapter
…On behalf of the covered entity
Business Associate (BA)
• Legal• Actuarial• Accounting• Consulting • Data Aggregation• Management• Administrative• Accreditation• Financial Services…
Business Associate – NOT US
HIPAA Privacy Final Rule, Federal Register/Vol. 65, No. 250/ Thursday, December 28, 2000, p. 82688.
Business Associate – What’s the Problem
• HIPAA now applies directly to Business Associates
• Civil and Criminal Penalties now apply directly to BAs
• Must report Covered Entity for HIPAA non-compliance
• Subject to HIPAA Audit by Heath and Human Services
Signing a Business Associate Agreement subjects an exempt organization to HIPAA compliance
What’s so Bad about Being a BA
Business Associates subject to HIPAA Fines and Penalties:
“Authority to impose civil money penalties on business associates for violations of the HITECH Act is provided by sections 13401(b) and 13404(c).”
Breach Notification for Unsecured Protected Health Information, Interim Final Rule, Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009
Business Associate - Implications
Business Associates are subject to HIPAA Audit by HHS:
“The protocol and audit program performance requested under this contract shall assist OCR in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by ARRA.”
Federal Business Opportunities (FBO.gov)