Overview: The final amendments to HIPAA resulting from the HITECH Act are now in effect and compliance was required by September 23, 2013. The amendments require changes in several areas of operation, including health information management, marketing, fundraising, and security, and many of the changes will require significant effort to implement.
Every HIPAA Covered Entity is required to have a Notice of Privacy Practices that accurately reflects patient rights and practices at the entity. Because there are new finalized changes to the HIPAA rules, the NPP for every orgainzation having one must be updated. There are new requirements about fundraising activity, new controls on the sale of PHI, new rights of access and restrictions, and the right to be notified if there is a privacy breach. The new areas to be included will be discussed and explained, and areas that no longer need notice will also be discussed.
The new regulations will be reviewed and their effects on HIPAA Notices of Privacy Practices will be discussed. We will describe the new rights that must be added into your NPP and identify the places where current rights have been modified. In addition, we'll identify typical items that may be removed from your NPP, because it is always advisable to keep NPPs as short and readable as possible while covering all the requirements. We will examine a typical NPP and describe the places where changes might best be made, and discuss the information that needs to be added or removed to meet requirements most efficiently and economically.
Why should you attend:
New updates to the HIPAA regulations now in effect contain numerous changes based, for the most part, on The HITECH Act passed in 2009. Some of the most significant changes have to do with changes to individual rights under HIPAA that must be listed in an entity's HIPAA Notice of Privacy Practices. All HIPAA Covered Entities that currently provide a Notice of Privacy Practices must update their NPPs to reflect the changes in individual rights. Violations are subject to enforcement that can include fines up to $50,000. Changes will be necessary in areas of patient access to records, restrictions of disclosures, marketing, fundraising, breach notification, and more.
Included are new requirements for the NPP to include notice of fundraising activity and an opportunity to opt out, new requirements for individuals to provide authorization for the sale of PHI, new rights of access to electronic records, new rights to restrict certain disclosures, and rights of notice in the event of a breach. Health Plans also have changes related to the Genetic Information Nondiscrimination Act (GINA) that must be reflected in their NPPs.
Reimbursed marketing activity that may have been permissible without authorization from the individual under the old rules used to require notice in the NPP. Now all such marketing activity paid for by a third party wishing to promote a product or service will require authorization, and no longer needs to be specifically listed in the NPP.
The changes are numerous and many are subtle and require an in depth examination of your Notice of Privacy Practices.
Areas Covered in the Session:
All HIPAA Notices of Privacy Practices should have been updated to meet the new rules by September 23, 2013 The schedule of implementation and scope of the changes will be described
Notices will need to include mention of the right to be notified in the event of a breach of the privacy or security of their Protected Health Information
Individuals have a new right to request electronic copies of information held electronically that must be reflected in the NPP
Individuals have new rights to restrict disclosure of encounter information to an insurer if it is paid fully out of pocket by the individual The NPP must identify this right
Fundraising activity must be described in the NPP, with an opportunity to opt-out
You do NOT have to include information about reimbursed marketing activity in NPPs any more, but you do always need to get an authorization
Health Plans must include in their NPPs new changes pertaining to GINA, restricting the use of genetic information in enrolment
How you should update your NPP – how do you document it, to whom does it go, and how?
Who Will Benefit:
Compliance Director
CEO
CFO
Privacy Officer
Security Officer
Information Systems Manager
HIPAA Officer
Chief Information Officer
Health Information Manager
Healthcare Counsel/lawyer
Office Manager
Contracts Manager
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.
Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference in Washington, D.C.
Every HIPAA Covered Entity is required to have a Notice of Privacy Practices that accurately reflects patient rights and practices at the entity. Because there are new finalized changes to the HIPAA rules, the NPP for every orgainzation having one must be updated. There are new requirements about fundraising activity, new controls on the sale of PHI, new rights of access and restrictions, and the right to be notified if there is a privacy breach. The new areas to be included will be discussed and explained, and areas that no longer need notice will also be discussed.
The new regulations will be reviewed and their effects on HIPAA Notices of Privacy Practices will be discussed. We will describe the new rights that must be added into your NPP and identify the places where current rights have been modified. In addition, we'll identify typical items that may be removed from your NPP, because it is always advisable to keep NPPs as short and readable as possible while covering all the requirements. We will examine a typical NPP and describe the places where changes might best be made, and discuss the information that needs to be added or removed to meet requirements most efficiently and economically.
Why should you attend:
New updates to the HIPAA regulations now in effect contain numerous changes based, for the most part, on The HITECH Act passed in 2009. Some of the most significant changes have to do with changes to individual rights under HIPAA that must be listed in an entity's HIPAA Notice of Privacy Practices. All HIPAA Covered Entities that currently provide a Notice of Privacy Practices must update their NPPs to reflect the changes in individual rights. Violations are subject to enforcement that can include fines up to $50,000. Changes will be necessary in areas of patient access to records, restrictions of disclosures, marketing, fundraising, breach notification, and more.
Included are new requirements for the NPP to include notice of fundraising activity and an opportunity to opt out, new requirements for individuals to provide authorization for the sale of PHI, new rights of access to electronic records, new rights to restrict certain disclosures, and rights of notice in the event of a breach. Health Plans also have changes related to the Genetic Information Nondiscrimination Act (GINA) that must be reflected in their NPPs.
Reimbursed marketing activity that may have been permissible without authorization from the individual under the old rules used to require notice in the NPP. Now all such marketing activity paid for by a third party wishing to promote a product or service will require authorization, and no longer needs to be specifically listed in the NPP.
The changes are numerous and many are subtle and require an in depth examination of your Notice of Privacy Practices.
Areas Covered in the Session:
All HIPAA Notices of Privacy Practices should have been updated to meet the new rules by September 23, 2013 The schedule of implementation and scope of the changes will be described
Notices will need to include mention of the right to be notified in the event of a breach of the privacy or security of their Protected Health Information
Individuals have a new right to request electronic copies of information held electronically that must be reflected in the NPP
Individuals have new rights to restrict disclosure of encounter information to an insurer if it is paid fully out of pocket by the individual The NPP must identify this right
Fundraising activity must be described in the NPP, with an opportunity to opt-out
You do NOT have to include information about reimbursed marketing activity in NPPs any more, but you do always need to get an authorization
Health Plans must include in their NPPs new changes pertaining to GINA, restricting the use of genetic information in enrolment
How you should update your NPP – how do you document it, to whom does it go, and how?
Who Will Benefit:
Compliance Director
CEO
CFO
Privacy Officer
Security Officer
Information Systems Manager
HIPAA Officer
Chief Information Officer
Health Information Manager
Healthcare Counsel/lawyer
Office Manager
Contracts Manager
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.
Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference in Washington, D.C.
