EBAA Privacy Workgroup - Eye Bank Association of America


HIPAA Privacy Work Group for Eye Banks
EBAA HIPAA Privacy Work Group
Christina W. Strong, Esq., Facilitator

Eye Banks ARE NOT typically subject to HIPAA.
HIPAA Overview
Health Insurance Portability & Accountability Act
• 1996
• Portability and accessibility
  - Pre-existing conditions
  - Enrollment at “life events”
• Accountability
  - Administrative Simplification
  - Privacy / Security Rule
  - Enforcement
  - Breach
HITECH Act
Health Information Technology for Electronic and Clinical Health
• 2009
• Part of ARRA, aka the “Stimulus Bill”
• EMR/EHR Adoption Rules and Incentives
• Increased HIPAA Fines and Penalties
• Expanded Applicability of HIPAA
Allowable Disclosures
HIPAA allows for the use and disclosure of PHI without authorization under 45 CFR 164:
• 164.512(b) FDA-regulated products: tracking, adverse events, post-market surveillance
• 164.512(g) Coroners and medical examiners: for determining cause of death
• 164.512(h) Cadaveric organ, eye or tissue donation facilitation
Who is Subject to HIPAA
• Covered Entities
• Business Associates
Covered Entity
• A health plan.
• A health care clearinghouse.
• A health care provider who transmits any health information in electronic form in connection with a transaction covered by this chapter.
45 CFR 160.103
Covered Entity – Exception #1
“We delete from the definition of ‘health care’ activities related to the procurement or banking of blood, sperm, organs, or any other tissue for administration to patients…
“Consequently, such procurement or banking activities are not considered health care and the organizations that perform such activities are not considered health care providers for purposes of this rule.”
HIPAA Privacy Final Rule, Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000, pp. 82571-2
Covered Entity – Exception #2
Business Associate
With respect to a covered entity, a person who:
• On behalf of such covered entity,
• But other than as a member of its workforce,
• Performs or assists in the performance of
• A function or activity involving the use or disclosure of individually identifiable health information…
45 CFR 160.103
Business Associate (BA)
• Claims processing or administration
• Data analysis
• Processing or administration
• Utilization review
• Quality Assurance
• Billing
• Benefit Management
• Practice Management
• Repricing
• Any other function regulated in this subchapter
…On behalf of the covered entity
Business Associate (BA)
…
• Legal
• Actuarial
• Accounting
• Consulting
• Data Aggregation
• Management
• Administrative
• Accreditation
• Financial Services
Business Associate – NOT US
HIPAA Privacy Final Rule, Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000, p. 82688.
Business Associate – What’s the Problem
• HIPAA now applies directly to Business Associates
• Civil and criminal penalties now apply directly to BAs
• Must report Covered Entity for HIPAA non-compliance
• Subject to HIPAA audit by Health and Human Services
Signing a Business Associate Agreement subjects an exempt organization to HIPAA compliance.
What’s so Bad about Being a BA
Business Associates are subject to HIPAA fines and penalties:
“Authority to impose civil money penalties on business associates for violations of the HITECH Act is provided by sections 13401(b) and 13404(c).”
Breach Notification for Unsecured Protected Health Information, Interim Final Rule, Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009
Business Associate – Implications
Business Associates are subject to HIPAA audit by HHS:
“The protocol and audit program performance requested under this contract shall assist OCR in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by ARRA.”
Federal Business Opportunities (FBO.gov)
Defend your Status
Document for your partners:
• 512(h) disclosures allowed without authorization
• Covered Entity – NOT for Eye Banks
• Business Associate – NOT for Eye Banks
• Your dedication to donor privacy and data security (including compliance with 21 CFR Part 11)