Tri-State REC:
Basic Privacy and Security Issues for Physician Practices

Claudia Allen
Privacy Officer

HealthBridge is one of the nation’s largest and most successful health information exchange organizations.
ARRA Privacy Provisions

 American Recovery and Reinvestment Act of 2009 (“ARRA”):
 • Establishes the Office of the National Coordinator for Health
   Information Technology (“ONC”)
 • Extends HIPAA Privacy and Security requirements to Business
   Associates (“BA”)
 • Establishes breach identification and notification requirements
 • Calls for education initiatives on the uses of health information
 • Establishes further restrictions on “sales” of health information
 • New disclosure accounting requirements
 • New access requirements for EHR by individuals
 • Increased enforcement initiatives
 • Generally effective February 17, 2010

A Bit of History

 • HIPAA passed in 1996, but the Privacy and
   Security Rules went into effect in 2003
 • HIPAA does not pre-empt state law if the state
   law requires a higher standard
 • Covered Entities are subject to rules protecting
   the privacy/confidentiality of Protected Health
   Information (“PHI”)

A Bit of History (cont.)

 • Covered Entities
    • Providers of health care services
       • Physicians, dentists, chiropractors, psychologists
    • Clinics, Nursing Homes, Pharmacies, Laboratories
    • Health Plans and Clearinghouses

 • PHI is medically related information that is
    • Identifiable to the individual
        • E.g., name, address, phone, birth date,
          social security number
    • Transmitted or maintained by
        • electronic media
        • in any other media

A Bit of History (cont.)

  Permitted Uses of PHI
    without consent:
  • Treatment
  • Payment
  • Operation of Business
  • Limited data set
    (de-identified) for research,
    public health
  • Required by law

A Bit of History (cont.)

 Business Associates required to enter into an
   agreement with CEs to protect PHI

 • Breach by the BA would
   subject the CE to liability
 • Redress against BA was
   by breach of contract lawsuit

An Overview for Physician Practices
1. Business Associates

 ARRA and HITECH Extend Privacy and Security to Business
   Associates (“BA”)
 • Business Associates directly subject to the Security Rule and
   privacy/confidentiality requirements
     • Breach by BA results in criminal and civil liability for the CE
        • Four tiers ranging from $100 to $50,000 per violation
        • Individuals harmed may recover part of penalty
        • State Attorneys General authorized to bring suit
            • Attorneys’ fees may be awarded
     • BA required to respond to privacy non-compliance by CE
 • BA Contracts are now required with entities that provide data
   transmission of PHI on a regular basis such as Health Information

2. Breach Notification

 ARRA Requires Breach Notification of Unsecured PHI
 • Breach is defined as unauthorized acquisition, access, use or
   disclosure of Unsecured PHI (“UPHI”) which compromises the
   security or privacy of information
 • Unsecured PHI is defined as PHI that is not secured through the use
   of technology or methodology specified by the Secretary that
   renders the information unusable, unreadable, or undecipherable to
   unauthorized persons.
 • Breach does not include:
    • Unintentional acquisition, access or use
       • made in good faith within the course of employment with BA or CE
         and not further acquired, used, or disclosed by any person
       • made by an individual acting under the authority of the CE or BA
       • of information the disclosure of which could not reasonably be

Breach Notification (cont.)

 • Notification upon discovery of Breach
    • CEs must notify each individual whose UPHI is breached
    • BA must notify the CE
    • Time period: without unreasonable delay but no later than 60
      calendar days after discovery (first day known or should have
      been known)
        • Burden on discoverer
        • Written notice by mail unless urgent
        • If more than 9 individuals involved, posting on web
        • Notice to media if over 500 residents in state or jurisdiction
        • Immediate notice to Secretary if over 500 affected
        • Breach log required to be sent to Secretary annually

Breach Notification (cont.)

 • Breach Notice contains
    • Description of what happened
    • Description of types of data involved
    • Steps individuals should take to protect themselves
    • What CE is doing to investigate, mitigate losses, and protect
      from further breaches
    • Contact procedures

3. Disclosure Accounting

 ARRA Requires Accounting for Disclosures of EHR
   • CEs are required to account for all disclosures of PHI
     including those for Payment, Treatment and
   • Records for the prior 3 years must be provided
   • CEs with EHR technology prior to January 1, 2009
     must comply by January 1, 2014
   • CEs acquiring EHR technology after January 1, 2009
     must comply by January 1, 2011 or, if later, when the CE
     acquires the EHR technology.

4. Prohibition on Sale of Data

ARRA Prohibits Sales of EHR Data or PHI
• No direct or indirect remuneration in exchange for PHI
  unless covered by a valid authorization.
• Exceptions:
   • Public Health
   • Research Data where cost is all that is reimbursed
   • Exchange for health care operations or treatment as
     permitted by regulation

5. Disclosure Restrictions

ARRA allows restrictions on Disclosures

• Individuals may restrict disclosure to a health plan for
  payment or operations
• Individual must have paid out of pocket in full

Practical Guidance

 • Inventory and review all BAAs to
   determine if they need to be amended.
     • ARRA Security and Privacy
       provisions are required to be
       incorporated into the BA
 • Review all policies and procedures to
   incorporate the new obligations of
 • Modify training of personnel to include
   the changes made by ARRA.
 • Enter into BA Agreements with any
   organizations with which the CE transmits
   Health Information electronically.

Practical Guidance

 • Conduct a risk assessment to determine if office procedures are
   consistent with protecting PHI:
     • Doors locked except for business entrances and exits during business hours
     • Employee access restricted during non-business hours
     • Patients, families not allowed access to provider offices
     • Patient sign-up sheets not visible to non-employees
     • Employees’ visitors not allowed access
     • Employees are restricted from mentioning patients on social media sites
     • Remote access to data is limited, inventoried
     • Portable electronics secured, if not encrypted
     • Keys, pass codes inventoried
     • Workstations secured, screens not in view of public
     • Implement procedures for terminated employees to limit access to PHI
     • Implement procedures to report suspicious activity
     • Implement hiring practices that minimize risk, check references and background
     • Conduct periodic training on privacy and security

The Tri-State REC can help!