The HIPAA Rules require that when a HIPAA-covered entity (a provider, plan or clearinghouse) or a business associate of a covered entity uses or discloses protected health information (“PHI”), or when it requests PHI from another covered entity or business associate, the covered entity or business associate must make “reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”
The HIPAA “minimum necessary” standard is one of the most essential, yet vague, aspects of the HIPAA Rules.
Continue reading “HIPAA Minimum Necessary Standard Should Be Key Component of Policies and Procedures, Now More Than Ever”
The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include their subcontractors that handle protected health information (“PHI”); a lower threshold for determining whether a breach has occurred for reporting purposes; and restrictions on “marketing” activities and the “sale” of PHI.
This Overview Summary of the 2013 Amendments is the first in a series of Alerts that Duane Morris is issuing on the 2013 Amendments. Please see the in-depth Alerts already distributed by the firm on changes under the 2013 Amendments to the definition of a business associate and changes to the breach notification requirements. We will continue to issue Alerts on discrete HIPAA topics.
One of the most significant changes in the final HIPAA amendments is the Breach Notification Rule, which modifies and clarifies the definition of “breach” and the risk-assessment approach required for breach notification. In light of this heightened standard, covered entities, business associates and downstream contractors should consider carefully reviewing their breach notification policies and procedures, training materials and contractual arrangements in an effort to avoid potential liability under the Breach Notification Rule.
Among the most significant changes of the Final HIPAA amendments are the provisions that extend the Privacy and Security Rules’ stringent compliance obligations to business associates (BAs) and expand the definition of BAs to include subcontractors of BAs. Why the changes? The HITECH Act of 2009 specifically extends direct liability to BAs and expands the list of obligations for BAs. The Department of Health & Human Services extends BA obligations even further to ensure the privacy and security of all PHI throughout the HIPAA ecosystem.
A few thoughts on HIPAA
Real case scenario. A health care provider’s car gets broken into and protected health information (“PHI”) is stolen, along with other items. Next steps? Once the provider determines that a breach of unsecured PHI has occurred (an incidental disclosure of PHI does not constitute a breach), the provider should perform a risk assessment to determine whether the event poses a significant risk of financial, reputational or other harm to the patient.
Continue reading “Some Thoughts on HIPAA”
On December 28, 2010, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) published in the Federal Register a notice of intent to develop regulations, soliciting recommendations for modifications to the safe harbors under the anti-kickback statute and suggestions for new safe harbors and OIG Special Fraud Alerts. The solicitation was published in accordance with Section 205 of the Health Insurance Portability and Accountability Act of 1996, which requires HHS to publish this formal solicitation annually. The notice lists the criteria that HHS will consider in reviewing the proposals submitted and recommends that proposals be accompanied by supporting data and/or justifications.
To read the notice published in the Federal Register, please go to: http://www.gpo.gov/fdsys/pkg/FR-2010-12-28/pdf/2010-32705.pdf.