Hinkley, a partner in the law firm Pillsbury Winthrop Shaw Pittman; and McGraw, director of the health privacy project at the Center for Democracy and Technology, and a member of the HIT Policy Committee that advises federal officials, also will draw on the practical experiences they’ve had with privacy breaches.
They’ll explain, for instance, when there is a justifiable basis for concluding that a breach has not caused and will not cause significant harm, so that it need not be reported and affected patients need not be notified. That “harm threshold” provision in existing HIPAA law has been a bone of contention, and there could be changes in the final rule. Among other issues, Hinkley and McGraw also will address the current HIPAA obligations of business associates and subcontractors and how those obligations could significantly change in the final rule.
For all organizations covered under the privacy, security and breach rules, “it’s time for a HIPAA tune-up,” Hinkley says. “HIPAA is the legal requirement, it needs to be part of your culture and it needs to be properly understood.”
As organizations join health information exchange initiatives and start talking to each other about their internal privacy/security policies as they seek common compliance via HIEs, some are painfully learning that their compliance hasn’t been adequate, Hinkley says. “So, be open to changes in your privacy policies and attitudes as they could change with health information exchange. There’s a lot of misconceptions out there.”
The session, “Trends and Recent Developments in Patient Privacy,” is scheduled on Feb. 21 at 12:15 p.m.

















