HIPAA in 2023: Changes, Updates, and Best Practices
1. HIPAA 2023
Latest Guidance and Compliance Focus
Jim Sheldon-Dean
Director of Compliance Services
Lewis Creek Systems, LLC
www.lewiscreeksystems.com
© Copyright 2023 Lewis Creek Systems, LLC All Rights Reserved
jim@lewiscreeksystems.com www.lewiscreeksystems.com
2. Agenda
• Overview of HIPAA Regulatory Expectations
• Telemedicine and Communication during (AND after) the Public Health Emergency
• Issues in Individual Access of Records under HIPAA
• HIPAA Accounting of Disclosures Changes
• Potential and Proposed Rule Changes
• HIPAA Controls and New Technologies
• Q&A
3. HIPAA Privacy, Security, & Breach Rules
• Privacy Rule
– 45 CFR §164.5xx; Enforceable since 2003
– Establishes Rights of Individuals
– Controls on Uses and Disclosures
– Access to PHI is a hot-button issue for HHS – FORTY-THREE settlements so far in the HHS OCR Right of Access initiative
• Security Rule
– 45 CFR §164.3xx; Enforceable since 2005
– Applies to all electronic PHI
– Flexible, customizable approach to health information security
– Uses Risk Analysis to identify and plan the mitigation of security risks
• Breach Notification Rule
– 45 CFR §164.4xx; Enforceable since February 2010
– Requires reporting of all PHI breaches to HHS and individuals
– Extensive/expensive obligations
– Provides examples of what not to do on the HHS “Wall of Shame”:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
4. Part 1
• Overview of HIPAA Regulatory Expectations
– New Regulatory Directions
– Rule Modifications and Guidance on the COVID-19 Pandemic
– Overdue Regulatory Action
– Court Ruling Limiting Regulations
5. Updated Rules for 42 CFR Part 2
• Keeps 42 CFR Part 2 protections on use of SUD data for prosecution or investigation (as do the changes under the CARES Act)
• Clarification of when the rules apply, definition of “records”
• Access of central registries (such as PDMPs)
• Generalization of consents (such as to entities) (the CARES Act allows use of Part 2 information under HIPAA-like controls, with consent)
• Clarification on allowable disclosures for payment & operations, with a list of 17 example allowable activities
• Better alignment with HIPAA & Common Rule on research
• Rules on clearing personally-owned-by-staff devices of Part 2 data, including texts and e-mail
• Also revisions for Medical Emergencies and disasters, investigations of “extremely serious crimes”, and placement of undercover informants
6. November 2022 Proposed Rules
• Coordinate 42 CFR Part 2 Rules with HIPAA
– Single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations
– Permit the redisclosure of Part 2 records as permitted by the HIPAA Privacy Rule by recipients that are Part 2 programs, HIPAA covered entities, and business associates, with certain exceptions.
– Expand prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings
– Right to an accounting of disclosures (HIPAA)
– Right to request restrictions on disclosures for treatment, payment, and health care operations (HIPAA)
– Require disclosures to the Secretary for enforcement
– Apply HIPAA and HITECH Act civil and criminal penalties to Part 2 violations.
– And more…
7. How the HIPAA Safe Harbor Law Fits In
• Effective January 5, 2021, the HIPAA Safe Harbor bill amends the HITECH Act to require the Department of Health and Human Services to incentivize best-practice cybersecurity for meeting HIPAA requirements.
– The legislation directs HHS to take into account a covered entity’s or business associate’s use of industry-standard security practices within the course of 12 months, when investigating and undertaking HIPAA enforcement actions, or for other regulatory purposes.
– Further, the bill requires that HHS take cybersecurity into consideration when calculating fines related to security incidents. HHS is also required to decrease the extent and length of an audit if it’s determined the impacted entity has indeed met industry-standard best-practice security requirements.
8. Telemedicine, HIPAA, and COVID-19
• HHS has issued an enforcement advisory on telemedicine during the COVID-19 emergency: Relaxed enforcement for using services that are non-public-facing but may not meet HIPAA requirements (such as providing a BAA)
– Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype
• BUT: Do NOT use public-facing services that are not private
– Facebook Live, Twitch, TikTok, and similar
• And: Once the emergency is over you will need to use HIPAA-compliant services, under a Business Associate Agreement, according to a HIPAA Security Risk Analysis
• See: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
9. Part 2
• Issues in Individual Access of Records under HIPAA
– New Emphasis on Enforcement of Individual Access Rules
– New Court Ruling Limiting Third-Party Access Requests
– New Limitation of Business Associate Liability for Compliance
10. 2021 Access Enforcement Actions
• January 12, 2021: $200,000 settlement and CAP for Banner health system, for taking too long (five and six months) to deliver records
• February 10, 2021: $75,000 and CAP for Renown Health’s failure to transmit electronic records to a third party as requested
• February 12, 2021: Number 16: $70K and CAP for Sharp HealthCare for a second lack of response to a records request, even after OCR provided help after the first complaint was investigated
• March 24, 2021: Slow response to records request, requiring two interventions by HHS OCR – $65K and a CAP for Arbour Hospital
• March 26, 2021: Slow response to records request – $30K and a CAP for Village Plastic Surgery
• June 2, 2021: Taking two years to deliver a minor child’s medical record – $5K and a CAP for The Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”) of West Virginia
• September 10, 2021: Failure to satisfy request for minor child’s records by Children’s Hospital Medical Center of Omaha, Nebraska – $80K and a CAP
• November 30, 2021: FOUR MORE settlements and ONE civil money penalty, up to $160K with CAPs
11. 2022 and 2023 Access Enforcement Actions
• March 28, 2022: Two Enforcement Actions for Right of Access
– Dr. Donald Brockley, D.D.M., a solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record: $30,000 and a CAP
– Jacob and Associates, a psychiatric medical services provider with two offices in California: $28,000 and a CAP for violations of the right of access standard
• September 20, 2022: 3 more settlements, all with Dental Offices, $25K to $80K and CAPs – rules apply to dentists, too
• December 15, 2022: $20K and a CAP for Health Specialists of Central Florida, for not providing access to deceased father’s records
• January 3, 2023: Life Hope Labs took too long to provide records, pays $16,500 and CAP in penalty #43 in the Individual Right of Access initiative
12. So, what are we allowed to do?
• Do what the patient wants
– Meet HIPAA Requirements
– Accommodate what you reasonably can
– Remember! Patient access to information is a high priority at HHS
• Meet the Patient’s Needs
– Communication with the office for Prescription Renewals, Scheduling, etc.
– Discussion of particular health issues
– Access of Medical Records, test results
• Do what you can handle properly
– For Patient Care
– For Medical Records
13. Part 3
• HIPAA Accounting of Disclosures Changes
– Current Accounting of Disclosures Requirements
– Required Changes and Difficulties Implementing Them
– Likely Regulation to be Proposed
14. Accounting of Disclosures Today
• Individual has right to an accounting of all disclosures of health information in last six years
• Except for disclosures:
– For Treatment, Payment, and Healthcare Operations
– To the individual; under authorization; associated with disclosures under §164.502; for facility directories; for national security; law enforcement; limited data set…
• The Result?
– Number of Accountings requested very low
– Many hospitals have had NO requests for such accountings since the rule went into effect in 2003!
– Time and money spent implementing systems and tracking that are never used – Cost vs. benefit?
15. Part 4
• Potential (and Proposed) Rule Changes
– Acknowledgement of Receipt of Notice of Privacy Practices
– TCPA and Cell Phone Communications
– Getting Back to Normal After the Pandemic Emergency: Coming soon!
16. TCPA and Communicating to Cell Phones
• Telephone Consumer Protection Act of 1991 limits calls and messages to cell phones without consent
• Limits Robo-calling (including reminder calls)
• There are Penalties for calling a cell phone without consent, or for leaving:
– A payment-related message (voice or text)
– A healthcare-related message more than one minute (voice) or 160 characters (text) long, or more than one per day or three per week
• Includes healthcare reminders, appointment reminders, etc.
17. TCPA and Communicating to Cell Phones
• Be cautious, especially for any calls or texts relating to billing
• Get consent up front to call or text the number provided for healthcare & (especially) financial purposes, including reminders & follow-up
• Consent must be written, or
• Consent is considered provided for Healthcare Communications ONLY (NOT for Payment communications) if:
– the patient provides a phone number, and
– the Notice of Privacy Practices says the patient may be contacted for Treatment, Payment, and Healthcare Operations, and
– the Notice is acknowledged as received with a signature
• Proposals have been made to change TCPA to allow communications for TPO purposes without consent, but not yet!
• Meanwhile, the Proposed Privacy Rule changes would eliminate the signed acknowledgement as a consent, so you’d have to get that separately, instead
18. Part 5
• HIPAA Controls and New Technologies
– Difficulty in Managing Privacy
– Calls for HIPAA Expansions
19. New Technologies
• New technologies in health care every day
– Some new technologies will be very useful
– Some new technologies will be a privacy and security nightmare
• You can’t deny new technologies
– New Technologies should be addressed head-on
– If you ignore them they don’t go away
– Encourage dialog on new technologies and find ways to use them productively, securely
• Education addressing new technologies is essential
– Prevent improper uses
– Train in appropriate usage
20. New Technologies and HIPAA
• HIPAA can handle new technologies for PHI
– Security Rule is very flexible, adaptable
• New kinds of information, apps, devices, and various uses outside the formal HIPAA definition of “Protected Health Information”
• New calls for protection of more kinds of patient information than HIPAA covers
• Proposed HIPAA Privacy Rule changes would address many issues more clearly
• Don’t be surprised if new laws and regulations result
– Expanded FTC activity
– State laws may also be in the works
– Expansion of existing state breach rules
21. Your to-do list…
✓ Don’t be in denial – willful neglect costs more than compliance
✓ Keep your ears out for new rules, laws, guidance
✓ Provide individual access – don’t block information
✓ Be careful adopting new technologies
✓ Step up your Security game
✓ Make sure mobile devices are protected
✓ Document your processes for proper methods of communications with both patients and professionals
✓ Conduct drills in audit and breach response
✓ Make corrections based on results
✓ Always have a plan for moving forward, and follow it!
22. Thank you!
Any Questions?
For additional information, please contact:
Jim Sheldon-Dean
Lewis Creek Systems, LLC
5675 Spear Street, Charlotte, VT 05445
jim@lewiscreeksystems.com
www.lewiscreeksystems.com