Slide 1 - WV HOSA
HIPAA Update:
So what's new with HIPAA? And what does it have to do with you?

             WV Attorney General’s Office
             Consumer Protection Division

      Ellen Cannon, WV DHHR HIPAA Privacy Officer
      Show me the money!
• $2B to ONC
• $17.2B for EHR incentives through
• $4.7B for Nat’l Telecommunications and
  Information Administration’s Broadband
  Technology Opportunities Program
• $2.5B for USDA’s Distance Learning,
  Telemedicine and Broadband Program
        Even More Money!
• $1.5B for health centers from HRSA
• $1.1B for Comparative effectiveness research
  within AHRQ, NIH and HHS
• $85M for Health IT within Indian Health Svs
• $500M for SSA
• $50M for IT within the VA
New HIPAA Provisions
• Major impact on HIPAA business associates
• New breach notification requirements
• Greater patient and consumer rights
• More aggressive enforcement
• Note: most of these provisions took effect February 17, 2010 (see the rulemaking update below); the enforcement and breach notification rules were effective earlier
When you leave here, will you know all of the new HIPAA requirements?
• NO! Do you have 5 hours?
• HHS is still in rulemaking
• Guidance and regs are forthcoming
New HIPAA Business Associate Requirements
• Feds have increased control over BAs (vendors to HIPAA covered entities, such as a billing company)
• Civil and criminal penalties now apply directly to BAs
• Makes certain HIPAA Privacy and Security Rule provisions apply directly to BAs
• Makes clear that PHR and HIE vendors are BAs
• Requires a BA to notify the covered entity of a breach without unreasonable delay, and in no case later than 60 days after discovery
New Breach Notification Requirements for Covered Entities and PHRs

• Must notify impacted individuals without unreasonable delay, and in no case later than 60 days after discovery of the breach
• If more than 500 individuals are impacted, the Secretary of HHS and the media must be given notice. If fewer than 500, the breaches must be logged and reported annually to HHS
• HHS will "out" those involved in breaches affecting more than 500 individuals on a public website and will notify Congress
• New breach notification requirements for PHR vendors (enforced by the FTC rather than HHS)
       New Consumer Rights
• Covered entities, such as a primary care center,
  hospital, physician or health plan, will need to be
  able to restrict disclosure of health information for
  payment or operations, if a consumer requests the
  restriction and pays out of pocket.
• For many medical care providers this one may be
  difficult. Coding may be needed to prevent billing
  information from going to insurance plans
New Consumer Rights Cont'd
• Covered entities that have an EHR, or their vendor, will need to respond to a consumer's request for an accounting of all disclosures made for treatment, payment and health care operations (TPO) during the prior 3 years. For entities that had an EHR as of January 2009, this applies to disclosures made after January 2014. Regulations interpret "EHR" more broadly than physician records.
New Consumer Rights Cont’d
• For covered entities that have an EHR, they
  will also have to provide an individual with a
  copy of their health information in electronic
  format, upon request
• OCR will develop national and regional
  initiatives to support consumer education
  around privacy and security requirements and
  uses of health information
New Requirements
• Prohibits a covered entity or business associate from receiving remuneration in exchange for PHI without the individual's authorization. Exceptions: public health, research, treatment, sale of a business, BA activities, individual access, etc.
• New restrictions around marketing and fundraising. Targets communications paid for by third parties, such as drug companies.
• OCR will issue new guidance on limiting uses, disclosures and requests for PHI to a limited data set, or, if necessary, to the minimum necessary information. Existing exceptions remain in force.
Enforcement Changes
• Individuals can be prosecuted for criminal violations
• Creates 4 tiers of violations, ranging from "did not know" to willful neglect that is not corrected
• Penalties range from $100 to $50,000+ per violation, capped at $1.5 million per calendar year for violations of an identical provision
• State AGs can now bring suit
• HHS will develop a process to share monetary penalties or settlements with harmed individuals
• Periodic audits of covered entities and BAs by HHS
Covered Entities Should Develop
        an Action Plan
• Conduct self assessment about new requirements
• Update risk assessment
• Update policies and procedures; revise breach
  reporting and notification procedures
• Evaluate impact of HHS guidance re encryption,
  etc. and determine how PHI will be secured
• Update business associate agreements
• Conduct staff training
Enforcement Changes
• Four categories of violations with increasing levels of culpability
• Four corresponding tiers of penalty amounts that significantly increase the minimum penalty for each violation
• A maximum penalty of $1.5 million for all violations of an identical provision
• Strikes the previous bar on imposing penalties where the covered entity did not know, and with the exercise of reasonable diligence would not have known, of the violation (such violations are now punishable under the lowest tier of penalties)
• Prohibits imposing penalties for any violation that is corrected within 30 days, as long as the violation was not due to willful neglect

• All of the above effective on February 18, 2009
Civil Monetary Penalties
• The CMPs are significantly increased.
• From $100 per violation (did not know) up to $1,000 per violation for a violation due to "reasonable cause and not to willful neglect" (subject to a $100,000 maximum);
• $10,000 per violation for a violation due to willful neglect that is corrected (subject to a $250,000 maximum);
• and $50,000 per violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year).
HITECH Act Rulemaking and Implementation Update 3/15/10
• OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.
HITECH Act Rulemaking and Implementation Update 3/15/10 (Cont.)
• However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009. Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.
Breach Notification
• Rules have been published
• A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual
• OCR Breach Notification web site
Breach Does Not Mean
• Unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of that employee or individual with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed by any person;

Breach Does Not Mean

• Any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, where any such information received as a result of the disclosure is not further acquired, accessed, used, or disclosed without authorization by any person;

Breach Does Not Mean

• A disclosure where the covered entity or business associate has a good faith belief that the unauthorized individual to whom the impermissible disclosure was made would not reasonably have been able to retain such information.
Unsecured Protected Health Information
• Covered entities and business associates must provide the required notification only if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.
• Unsecured Protected Health Information and Guidance
• This guidance was issued in April 2009
Use Encryption
• Data in transit: use e-mail encryption.
• Data at rest: use whole-drive encryption.
• Data at rest: use encryption for CDs, DVDs, and jump or thumb drives.
You need to be aware of how data is used and manage the security of the data. Consider the cost of breach notification against the purchase price of encryption.
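The slide recommends encrypting PHI before it travels on removable media, which is what keeps a lost thumb drive from being a reportable breach of unsecured PHI: encrypted data that the finder cannot decrypt has been "rendered unusable, unreadable, or indecipherable." The following is an added example, not part of the original presentation or any WV DHHR tool, showing the minimum a file-level implementation needs: authenticated encryption (AES-256-GCM from Go's standard library), a fresh random nonce per file, a key generated from the OS CSPRNG, and binding of the file name so a ciphertext cannot be quietly swapped or renamed. The PHI record, the file name and the on-media layout (nonce followed by ciphertext and tag) are constructed for this example. The key handling is the part the code cannot do for you: the key must be stored apart from the media (for example in the workstation's protected key store), because a key that travels with the drive leaves the PHI unsecured in the sense of the HHS guidance.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// On-media layout (chosen for this example): 12-byte nonce || ciphertext || 16-byte GCM tag.
// The key is NOT stored with the file; it is handed back to the caller to keep elsewhere.

// NewKey returns a fresh 256-bit AES key drawn from the operating system CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and authenticates label (e.g. the file name) as associated data,
// so renaming or relocating the blob makes Open fail. A random nonce is generated per call;
// never reuse a nonce under the same key.
func Seal(key, label, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing nonce as dst prepends it to the output.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any modification to the nonce, ciphertext, tag or label, or a
// wrong key, yields an error rather than garbage plaintext.
func Open(key, label, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// Readable is the check an auditor runs against the media itself: does the blob still
// contain the identifying field in the clear?
func Readable(blob, marker []byte) bool {
	return bytes.Contains(blob, marker)
}

func main() {
	// Constructed sample record; not real PHI.
	phi := []byte("MRN 000123,DOE JOHN,1970-01-01,ICD-9 250.00")
	label := []byte("export-2010-03.csv")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, label, phi)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on media: %s\n", hex.EncodeToString(blob))
	fmt.Printf("name visible on media: %v\n", Readable(blob, []byte("DOE JOHN")))

	// Simulate a finder flipping one byte of the file: the open must fail.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, label, tampered)
	fmt.Printf("tampered copy rejected: %v\n", err != nil)

	got, err := Open(key, label, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted with the separately held key: %s\n", got)
}
```

In practice the same routine would be applied to the whole export before copying, and the key would be released only through the workstation's existing access controls; whole-drive encryption, as the slide notes, is the simpler choice for laptops, where the operating system can manage the key.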
CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports

• NPRM open for comment until no later than 5 p.m. on November 14.
• HITECH created a Federal advisory committee known as the Health Information Technology (HIT) Policy Committee, which can look at barriers to implementing an interoperable, nationwide health information infrastructure. The committee recommended that the CLIA exemption from providing test information to the patient is a barrier to the exchange of data and should be removed.
• Amends the CLIA regulations to specify that, upon a patient's request, the laboratory may provide access to completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient. Removes an exemption from HIPAA so that CLIA labs that are HIPAA covered entities must comply with the Privacy Rule's right of patient access.
Ellen Cannon, HIPAA Privacy Officer
        Phone 304-558-5965
              WV DHHR
        State Capitol Complex
           Bldg 3 Room 215
        Charleston WV 25305

     Original presentation prepared by
         Sallie Milam, JD, CIPP/G
          Samantha Stamper