Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


HIPAA, HITECH, and Omnibus Act 2013

The Rule modifies the breach notifications standard; imposes new rules governing uses and disclosures of PHI in areas such as marketing, sale of PHI, and disclosures of decedent information. Covered entities and BA's must comply by Sept 23, 2013.

Bonnie Rae Bergsma

on 25 June 2013

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of HIPAA, HITECH, and Omnibus Act 2013

This presentation will be used to help you become more compliant with the

Authorizations for uses and disclosures of PHI
per CFR § 164.502
of the Privacy Rule for health care operations.
Complying with the
new HIPAA Privacy, HITECH, & Omnibus Act 2013

Cherry Street Health Clinic

HIPAA Omnibus Act
164.501 Definitions
164.508 Authorization Requirements
164.512(b)(1) Student Disclosures
164.514 Other requirements relating to uses &
disclosures of PHI
164.514(f)(1)(i) Fundraising
164. 520(b)(1)(ii)(E) Notice of Privacy Practice(NOPP)
164.402 Breach of Notification

Section 13410 General
Section 13404(a) Business Associates (BA)
Section 13405(d) Authorizations
13405(b)(3)(i) and (ii)
Section 13406(a) Marketing
Section 13406(b) Fundraising
Section 13502(b)(1)(ii)(E) Notice of Privacy Practice (NOPP)
Section 13402 Breach of Notification

Associates (BA)
You MUST obtain
an authorization in
and Fundraising
Are you in
a Business Associate is directly liable for use of or disclosure of PHI that are in breach with their Business agreement
Business Associates (BA) remained contractually liable for all other HIPAA Privacy Rule obligations that are included in BA agreements.

limits the health-related communications that may be considered health care operations and thus, are excepted from the definition of 'MARKETING' to the extent that a covered entity has received direct or indirect payment in exchange for making communication.
So, if a payment has been received,
the HITECH requires you to obtain
an authorization.....
this also applies to Business Assocation (BA)
Covered Entities and Business Associate's (BA) will be allowed to operate under existing agreements
for ONE YEAR beyond the
compliance date unless the agreement was already HITECH compliant
Requirements in Business Associate (BA) agreements "cascade down" to sub-contractor and sub-contractors of sub-contractors.
ARE you obtaining authorizations?
There are three (3) instances where an AUTHORIZATION is REQUIRED.......

1. Most uses and disclosures of psychotherapy notes

2. Uses and disclosures for marketing purpose, and

3. Uses and disclosures that involve the "sale of PHI".

There are several exceptions for the authorization requirements when PHI is exchanged and on the sale of PHI, they are......

1. Public health purposes
2. Research purposes
3. Treatment and payment purposes
4. The sale, transfer, merger or consolidation of all or part of Covered Entity business
5. Services rendered by a BA pursuant to a BA agreement contract and at the specific request of the Covered Entity.
6. To provide an individual requesting access to his/her PHI
7. Other purposes by the Privacy Rule in the payment received is for preparting and transmitting the PHI
Disclosures of the SALE of PHI applies after six (6) months after giving out the information.
Disclosures for:
treatment and
DO NOT require an authorization
The Final Rule allows the Covered Entity to combine conditioned and unconditioned Authorizations for research.....
....provided the Authorization clearly differentiates between

1. the conditioned and unconditioned research components, and

2. clearly allows the individual to opt-in the conditioned research activities.

A Covered Entity is permitted to disclose a students proof of immunization to a school where the State or other law requires the
school to have prior to admitting the student.

Written Notification is no longer required
Covered Entities will still be REQUIRED to obtain agreement, which can be oral, from a parent, guardian, or other person in loco parentis for the individual, or from the individual himself or herself is an adult or emancipated minor.
A Covered Entity MUST document the agreement obtained, and

The agreement obtained is effective until revoked
1. Use the left and right arrow button to
progress back and forth.

2. Use the up button to enlarge a the size
of the slide.

3. Use down button to make decrease the
size of the slide.
Are you in compliance
with the new Business
Associate (BA) Rules?

What is the Sale of PHI?

The Omnibus defines the
"sale of PHI" as the exchange
of anything of value in return of for PHI.

This does not include the transfer of ownership.
Touch an arrow key to begin
Who are Business Associates (BA)
This is anyone who creates, receives, maintains or transmits PHI on behalf of a Covered Entity.
or with HIPAA Privacy Rule.
HITECH Act 13410 General
before HITECH updated this,
HITECH 13406(a)....Marketing Communications
What does THAT mean?
That means....

Under the Omnibus Rule, hospitals are NO longer permitted to send product information about new
medical devices they have to their patients, even if
the manufactors of the device pay the hospital to do so.

If hospitals want to communicate to their patients they need to obtain an from individuals before sending product information.

There is one (1) exception to this rule though:

The hospital may communicate about a drug or biologic (refill reminders) that are currently being prescribed to an individual as long the any payment they receive is within reason.

The payment should only cover the cost for
sending out the refill reminders.
HITECH 13406(b) - Fundraising
A Covered Entity is to provide the recipient of any
fundraising communication with a clear and conspicuous opportunity to opt out of receiving further fundraising communications.
164.508 Authorization Required
If an individual decides to opt out then their choice must be treated as a deny for authorization.
A Covered Entity may not condition treatment either, based on an individual opting out of
fundraising communications.
HITECH 13406(b) Fundraising
HITECH 13406(b) Fundraising
The opt of method should not cause the individual to incur an undue burden,

such as having to
a writing a letter.
HITECH 13406(b) Fundraising
A Covered Entity that intends to contact an individual for raising funds MUST INCLUDE a statement of the
Notice of Privacy Practices
1306 (a) Marketing Communications
Sept. 23, 2013
164.501 PHI Definition
HITECH 13405(d) Authoizations

HITEC 13405(d)(4) Authorizations
164.508(b)(3)(i) and (ii) Authorizations
ONLY IF, the clearly differentiates between the conditioned and unconditioned research components and allow the individual to opt in the conditioned research activities.
164.512(b)(1) Student Disclosuers
This has complete your session over the new HIPAA Privacy Rules, HITECH and Omnibus Act 2013
The Omnibus Act has broaden the definition of "Business Associates".

A Business Associate is anyone that creates, receive, maintain, or transmit PHI on behalf of a Covered Entity.
The HITECH includes certain data transmission vendors and personal health records vendors to be treated as Business Associates as well.

Health Information Organizations

E-prescribing Gateways

or others who provide PHI to a covered entity on behalf of a Covered Entity

HITECH 13408 Business Associate (BA)
Omnibus Act 160.103 Business Associate (BA)
Omnibus 164.402 Breach of Notification
HITECH 13402 Breach of Notification
HHS is the enforcement agency for the HIPAA Breach Notification Rule, not the FTC.

Risk of Harm has been removed and replaced with Risk Assessment (RA).

All breaches of unsecured PHI affecting less than 500 individuals are required to reported and no later than 60 days after the end of the calendar year when breaches were discovered, not occurred.
An example would be:
If the covered entity or business associate did not know of the violation and would not have known of the violation by exercising reasonable due diligence, a civil penalty of $100 to $50,000 per violation may be assessed.
Under HIPAA covered entities and business associates can be subject to both civil and criminal penalties for violations for privacy and security requirements.
Reasonable Cause
Examples of violations due to willful neglect are breaches in medical records due to a medical facility having an unsecured server room where electronic medical records are stored or employees having passwords written in plain sight.

4.If the violation was the result of willful neglect and was not corrected in a timely fashion, the civil penalty will be $50,000 to $1.5 million per violation.
A lost paper file
An example of a violation due to a reasonable cause would be a medical professional accessing a patient’s medical information without the patient’s consent to release that information to a psychiatric facility where the patient was being held in involuntarily
Willful Neglect
In general,
to be considered corrected the
violation must be corrected
within 30 days.
Full transcript