Program Schedule

12 pm ET Introduction


Overview

  •   “Covered entities”, “hybrid entities” and “covered components of hybrid entities”—higher education examples
  •   “Protected health information (PHI)”
  •   “Business associates”—higher education examples
  •   Basic Privacy and Security requirements
  •   HIPAA and FERPA
  •   HITECH Act and January 25 Omnibus Rule

Changes in Breach Notification Rule

  •   Definition of breach—unsecured PHI
  •   Notification obligations
  •   Prior rule: “significant risk of financial, reputational or other harm”
  •   New rule: presumption for notification
  •   New rule: notify unless risk assessment demonstrates low probability of compromise of PHI
  •   How to conduct risk assessment and factors to consider
  •   Effective date

Required Changes to Notifications of Privacy Practices

  •   Current requirements
  •   New required statements
  •   Posting/distribution requirements for covered entities

Changes Regarding Business Associates and Business Associate Agreements

  •   Broadened definition of “business associate”—storing and maintaining ePHI—application to cloud service providers?
  •   Application to subcontractors of business associates
  •   Identification of institution’s business associates; identification of institution’s provision of business associate services, including subcontractor services(?)
  •   New requirement that health care component of hybrid entities now include all business associate functions (for example billing and compliance)—impact for institutions
  •   Direct liability of business associates and B.A. subcontractors for non-compliance with provisions of Security and Privacy Rules—examples
  •   Required/recommended changes to institutional business associate agreements
  •   Transition period to revised business associate agreements
  •   B.A. agreement compliance checklist for institutions

Changes Regarding Use of PHI in Research

  •   Current rules governing use of PHI in university research—examples
  •   Use of compound patient authorizations for clinical trial participation and for other purposes
  •   Authorizations for use of PHI in connection with future research

Changes Regarding Marketing Activities, Sale of PHI, and Fundraising

  •   Marketing: expanded definition and examples of marketing activities/communications requiring individual authorization
  •   Sale: prohibition on sale of PHI and exceptions
  •   Fundraising: disclosure of limited PHI for purposes of fundraising—conditions and examples

Expanded Patient Access to Electronic PHI

Agency Enforcement

  •   Four-tier civil monetary penalty structure
  •   Expansion to business associates
  •   Cap on violation of “identical” provisions
  •   New civil monetary penalty liability for acts of “agents”
  •   Affirmative defenses
  •   Examples of recent agency audit and enforcement activity

Key Compliance Steps for Institutions

2 pm ET Conclusion