
Lyn E. Beggs, Esq. Nutile Pitz & Associates HIPAA Final Omnibus - PowerPoint PPT Presentation



  1. Lyn E. Beggs, Esq. Nutile Pitz & Associates

  2.  HIPAA Final Omnibus Rule
       Patient Protection and Affordable Care Act (ACA)
       Trends in medicine: concierge practices/direct primary care; medical directorships, etc.

  3. Are you in compliance?
     ◦ Significant changes to Privacy and Security Rules
        Business Associates and BAAs
        Notice of Privacy Practices
        Breach Notification Requirements

  4. Who must comply?
      Covered Entities
      Expands compliance requirements to Business Associates and their subcontractors

  5.  Definition expanded (45 C.F.R. 160.103): “Business associate means, with respect to a covered entity, a person who…on behalf of a covered entity… creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing, or administration, utilization review, quality assurance, patient safety activities…billing, benefit management, practice management, and repricing”.

  6. Additionally: “Business associate includes: A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”

  7.  Must have a Business Associate Agreement (BAA) with all business associates
      BAAs must be revised or drafted to contain all required provisions
      Deadline for compliance was September 23, 2013
      If an existing BAA was in place with a business associate prior to January 25, 2013 and was otherwise compliant, revise by its expiration or September 23, 2014, whichever is earliest

  8.  Significant changes and additions made to Notice of Privacy Practices (NPP)
     ◦ Uses and disclosures of PHI
     ◦ Patient restrictions of uses and disclosures
      NPPs: deadline for compliance was September 23, 2013
      Provide revised notice to patients no later than the first date of service delivery after the compliance date, post it conspicuously, and have copies available in person or on the website

  9.  What is a breach? Generally: “The acquisition, access, use or disclosure of protected health information in a manner not permitted…which compromised the security or privacy of the protected health information.” 45 C.F.R. 164.402
      Prior to Omnibus: a significant risk of financial, reputational or other harm was required for an incident to be a breach.

  10.  Now: an acquisition, access, use or disclosure of PHI in a manner not permitted is presumed to be a breach unless the CE or BA “demonstrates that there is a low probability that the (PHI) has been compromised based on a risk assessment”.

  11.  Risk Assessment consists of four factors:
      ◦ Nature and extent of PHI involved; type of identifiers; likelihood of re-identification
      ◦ The unauthorized person who used the PHI or to whom it was disclosed
      ◦ Whether the PHI was actually acquired or viewed
      ◦ Extent to which the risk to the PHI has been mitigated

  12. Notifications of Breaches of Unsecured PHI
       Individual
      ◦ Must be made in writing by first-class mail; some exceptions
      ◦ Within 60 days of “discovery” of breach
      ◦ Breach is “discovered” by the CE on the first day it is known to the CE. A CE is “deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person…who is a workforce member or agent of the covered entity.”

  13.  Media
      ◦ Only if breach involves 500 or more residents of a state or jurisdiction
      ◦ Within 60 days of discovery of breach
       Secretary of HHS
      ◦ If breach involves 500 or more individuals, must be made contemporaneously with individual notice
      ◦ If fewer than 500 involved: keep a log, report within 60 days of year end
       BAs must report a breach to the CE within 60 days of discovery: the CE does not get an additional 60 days after notification by the BA – a consideration for the BAA

  14.  Civil Monetary Penalties – may be imposed on CEs and now BAs
       Tiered penalties
      ◦ Did not know and would not have known: $100 to $50,000 per violation; $1,500,000 yearly max
      ◦ Reasonable neglect but not willful: $1,000 to $50,000 per violation; $1,500,000 yearly max
      ◦ Willful neglect, corrected within 30 days: $10,000 to $50,000 per violation; $1,500,000 yearly max
      ◦ Willful neglect, not corrected within 30 days: $50,000 per violation; $1,500,000 yearly max

  15.  Immediately update BAAs and NPPs to bring them into compliance
       Identify who your BAs are and ensure BAAs are in place
       Update policies and procedures to ensure they encompass changes under the Omnibus Rule

  16.  Look beyond the headlines
       Increased focus on fraud and abuse prevention and enforcement
      ◦ Compliance plans
      ◦ False claims
      ◦ Self disclosures

  17.  Compliance plans have been encouraged but have been voluntary
       Section 6401 of ACA makes them mandatory
       HHS has not yet established core elements or a date for implementation
       Guidance is available through OIG and the Federal Sentencing Guidelines
       Providers encouraged to start development of compliance plans

  18.  Claims filed for services or products in violation of the Anti-Kickback Statute are now false/fraudulent claims – Section 6402(f)
       Need not have actual knowledge or intent!

  19.  Medicaid and Medicare overpayments must be reported and returned within 60 days of identification of the overpayment – Section 6402(d)
       Failure to timely report and return overpayments is treated as a false claim
       Self-Referral Disclosure Protocol (“SRDP”) – allows self-reporting of actual or potential Stark violations – Section 6409

  20.  In-Office Ancillary Services Exception – Stark (Section 6003)
      ◦ Now requires written notice to patients of at least 5 other suppliers within a 25 mile radius
       Suspension of Payments Pending Investigation
      ◦ Medicare/Medicaid payments may be suspended during investigation of credible fraud allegations

  21.  Be aware of the increased focus on fraud and abuse prevention and enforcement measures
       Begin the process to develop and implement a compliance plan
      ◦ Will be mandatory
      ◦ Can greatly assist in avoiding violation of newly enacted fraud and abuse provisions

  22.  Do you know the requirements for the following?
      ◦ Concierge Practices/Direct Primary Care
      ◦ Medical Directorships
      ◦ Pain management
      ◦ Telemedicine

  23.  Take immediate action to comply with HIPAA Omnibus
       Begin development and implementation of a compliance plan to avoid fraud and abuse risks
       Consult the proper advisors to assist with these actions
       Before embarking on any “new” endeavor, consult with a legal advisor who understands healthcare

  24. Questions?

  25. Lyn Beggs, Esq.
      Nutile Pitz & Associates
      lyn@nutilepitz.com
      Reno Office: 675 Sierra Rose Dr., Ste. 101, 775-284-1020
      Henderson Office: 1070 W. Horizon Ridge Parkway, Ste. 210, 702-307-4880
