online-tech
8/4/2019 Legal Implications of HIPAA, HITECH and BAAs
HIPAA (Health Insurance Portability and Accountability Act)
Passed in 1996
Enacted to protect health information
transaction standards for the exchange of health information
security standards
privacy standards
Protects protected health information
means individually identifiable health information that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium
there are certain exclusions such as education records and employment records held by a covered entity in its role as employer
Applies to covered entities
Covered entity means (1) A health plan, (2) A health care clearinghouse, (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter
Health information means any information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, . . . employer, . . . and (2) Relates to the past, present, OR future physical or mental health or condition of an individual; the provision of health care to an individual; OR the past, present, or future payment for the provision of health care to an individual.
Also applies to the business associates of covered entities
Business associate means broadly, a person who performs, or assists in the performance of . . . a function or activity involving the use or disclosure of individually identifiable health information
including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing
Broadly, this means that if you use or receive PHI, then you are either a covered entity or a business associate
HITECH (Health Information Technology for Economic and Clinical Health)
Signed into law on February 17, 2009
Provides for the adoption of electronic health records
Also adds new breach provisions
"the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information"
HITECH Breach
Who is under Obligations?
Covered Entity
Business Associate
Subcontractor Requirements
What are an entity's Obligations?
Investigate, give notice, reprimand, record/notify Secretary of Health and Human Services
If over 500 individuals affected, then must report to the Secretary
As of September 26, 2011, 330 reports (several organizations more than once), impacting more than 11 million records
Getting out of Breach Notification
Only provide the required notification if the breach involved unsecured protected health information
Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance
Guidance available: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html (and is to be updated annually)
Data at Rest: NIST
Data in Motion: