HIPAA and the TAS: Is it As Bad As We Thought It Would Be? Thoughts on Current Experiences and Problems
Marty Ween, Esq
Wilson Elser Moskowitz Edelman & Dicker LLP
Henry Cifuentes
Vice President – Hays Affinity
April 30, 2014
Webinar Agenda
• ATSI / Hays Program Intro
• Speaker Intro
• ATSI / Hays PL Policy Highlights
• Questions
About the ATSI/Hays Insurance Program
• The same program underwriters and defense law firm for over 20 years
• Program exclusively offered to ATSI members, however, all may obtain a quote
• Policy is tailored to your industry, it is not a miscellaneous policy – common in the marketplace
• ATSI and Hays are both constantly working with the underwriters to provide a competitive and industry leading product
Program Enhancements
Cyber Liability Coverage
• $100,000 now included at no additional cost.
• Higher options available for nominal premium, up to $1,000,000
• Coverage provides protection for:
– Allegations of failing to prevent unauthorized access to computer systems
– Releases or transmitting of a computer virus
– Destruction, corruption or removal of electronic data stored or transmitted
HIPAA/HITECH Fines Coverage
• Important if you have any medical related clients/business
• Reimbursement for Fines and Penalties - $50,000/$100,000 at no additional cost. Higher limits available for a nominal additional premium.
• HIPAA/HITECH – if a third party claim, coverage up to your policy limit.
Program Enhancements
With the Professional Liability Insurance in place, we can also assist with:
• Business Owners Package
• General Liability
• Business Property
• Workers Compensation
• Commercial Business Auto
• Employment Practices Liability
Just launched in the past month: Life Disability Long-Term Personal Umbrella
Please visit the program website for more information.
Wilson Elser
Wilson Elser Moskowitz Edelman & Dicker LLP
www.wilsonelser.com
Martin M. Ween, Senior Partner
Association of TeleServices International
Webinar – April 30, 2014
HIPAA and the TAS: Is it as Bad as We Thought it Would Be?
Thoughts on Current Experiences and Problems
Albany • Baltimore • Boston • Chicago • Connecticut • Dallas • Denver • Detroit • Houston • Las Vegas • London • Long Island • Los Angeles • Miami • New Jersey • New York • Orlando • Philadelphia • San Diego • San Francisco • Virginia • Washington, DC • White Plains
Affiliate Offices: Berlin • Cologne • Frankfurt am Main • Munich • Paris
HIPAA and the TAS: Is it as Bad as We Thought It Would Be?
• Purpose of this Webinar
– 1. Provide a short description of HIPAA, HITECH, the Privacy and Security Rules and what is required for Business Associate Agreements
– 2. What issues have arisen since the final Privacy and Security Rules became effective
– 3. Provide some suggestions to approach these issues
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal law that protects the privacy of individually identifiable health information, or “Protected Health Information” (“PHI”).
What is Protected Health Information?
PHI can include name, age, gender and other personal demographic information such as phone number, address and more; health status information; prescription drug information; healthcare payment information; and prior existing conditions.
The Privacy Rule
The Secretary of Health and Human Resources established the Privacy Rule, effective April 14, 2001, to set national standards to protect individuals’ medical records and other personal health information. The Rule applied to health plans, health care clearinghouses and to any health care provider who transmits health information (also known as “Covered Entities”).
• The Privacy Rule also dealt with “Business Associates” of the Covered Entities and the need for these parties to enter into “Business Associate Agreements” (later referred to as “Business Associate Contracts”) confirming compliance with the Privacy Rule.
The Security Rule
The Security Rule, effective February 2003, requires the “Covered Entities” to use measures that would reasonably and appropriately ensure the confidentiality, integrity and availability of electronic PHI (or “ePHI”); protect against reasonably anticipated threats, hazards, uses or disclosures of ePHI; and ensure that the work force of a covered entity complies with this rule.
What is HITECH?
HITECH is the Health Information Technology for Economic and Clinical Health Act, as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”), or the “Stimulus” Act. HITECH was aimed at various areas of concern under HIPAA and the Privacy and Security Rules, including establishing greater protections for ePHI by encryption, as well as to promote the use of electronic information systems. HITECH obligated Business Associates to comply with the HIPAA Privacy and Security Rules on the same basis as Covered Entities and made the Business Associates directly subject to the same civil and criminal penalties for violations.
Why Does Compliance Matter?
• Audits
• Civil Penalties: $100 to $50,000 per individual violation; $25,000 to $1.5 million for multiple violations in a single year.
• Criminal penalties can range up to $50,000 to as much as $250,000, with imprisonment from one year to as much as ten years.
• Both the civil and criminal penalties can apply to the organization and its officers, as well as to the individual violators.
The Final Privacy and Security Rules
• After a lengthy public comment process, the final Privacy and Security Rules under HIPAA/HITECH were adopted as of January 25, 2013
• Business Associate Agreements were required to be in compliance with these final Rules between September 23, 2013 and September 23, 2014, depending on their renewal date
What do the Final Privacy and Security Rules Require in a Business Associate Contract?
HHS has required ten items for the Business Associate Contract:
1. The permitted and required uses by and disclosures of potential Protected Health Information to the Business Associate;
2. The acknowledgement by the Business Associate that it will not use or further disclose the protected information other than as permitted or required by the services agreement or by law;
3. The agreement of the Business Associate that it will implement appropriate safeguards to protect against unauthorized use or disclosure of the protected information, including safeguards as to Electronic Protected Health Information;
4. The Business Associate must report to the Covered Entity any use or disclosure of the protected information not permitted within the services contract within sixty days of the disclosure;
5. The Business Associate has to disclose protected health information if the Covered Entity receives a request from an individual for his or her protected health information, as well as making the protected health information available for amendments and accountings;
6. The Business Associate has to acknowledge that it will comply with the Privacy Rule to the extent the Business Associate is performing the work of the Covered Entity;
7. The Business Associate has to make available to HHS its internal practices, books and records in connection with the use and disclosure of protected health information received from, or created or received by the Business Associate on behalf of, the Covered Entity;
8. If the telephone answering services contract is terminated and, as a result, the Business Associate Contract is terminated, the Business Associate must return or destroy the protected health information it received or created for the Covered Entity;
9. The Business Associate must ensure that any subcontractors it may retain that have access to protected health information agree to the same restrictions and conditions that apply to the Business Associate; and
10. The Business Associate Contract must be terminable by the Covered Entity if the Business Associate violates a material term of the contract.
The Business Associate Contracts in place as of the final Rules that were based on the ATSI sample agreement were generally compliant with these Rules, but needed review and revision for a number of differences.
What are the Issues That Have Come Up after the Final Rules?
1. Clients who refuse to sign a Business Associate Contract
2. Clients who refuse to sign your proposed Business Associate Contract and propose their own form, with unfair or unacceptable terms
3. Getting your subcontractors to sign a Business Associate Contract
Some Suggested Approaches to these Issues
• Establish a Business Associate Agreement by your unilateral written agreement to comply with the statutes and the Rules
• For new clients, or clients being given new service contracts, put in a requirement that all parties will execute a Business Associate Contract and/or put into the services contract the agreement to comply
• Ask HHS for an interpretation or opinion
• Agree to the use of the client’s own form with modifications to avoid losing insurance coverage
• Alternative pricing to take into consideration increased risk if the client insists on the use of its form
For more information, please contact:
Martin M. Ween
Senior Partner
Wilson, Elser, Moskowitz, Edelman & Dicker, LLP
150 East 42nd Street
New York, NY 10017-5639
T: 212-915-5590
F: 212.490.3038
ATSI / Hays Insurance Program
https://atsi.haysaffinity.com
For more information, please contact:
Henry Cifuentes 202-263-4018 or [email protected]