HIPAA PRIVACY & SECURITY CHANGES UNDER THE HITECH ACT


HIPAA/HITECH Update
Getting Ready for HIPAA on Steroids
The content of this presentation is
informational and is not intended as,
and does not constitute, legal advice.
Disclaimer
• This presentation does not include a
review of regulations that may continue to
apply after the publication of the revisions
to the HIPAA Privacy and Security regulations.
• The documents and agreements provided
are examples and may not meet the
requirements of your state’s laws.
• You are advised to consult with your state
board or legal counsel familiar with your
state’s laws to determine which state laws
and regulations will impact your practice.
HIPAA Privacy
and Security Rules
• The compliance dates for the HIPAA
Privacy and Security Rules were April 14,
2003 and April 20, 2005.
• Your practice should have already
implemented the requirements and be
actively monitoring compliance under both
rules.
• If you are playing “catch-up” with
compliance, now is the time to update
your existing policies and practices.
American Recovery and
Reinvestment Act
• On February 17, 2009, the American Recovery
and Reinvestment Act of 2009 (ARRA), also
referred to as the “Stimulus Package,” was signed
into law.
• Several provisions of this law include important
changes to the HIPAA Privacy and Security Rules.
• These changes are covered under the Health
Information Technology for Economic and Clinical
Health Act (HITECH Act) provisions of the ARRA.
• You will have to be in compliance with the HIPAA
privacy and security rules in order to receive
payments for meaningful use of electronic health
records (EHRs) under the HITECH Act.
The HITECH Act
• Expands the scope of businesses covered by the
HIPAA Privacy and Security Rules by requiring
entities defined as Business Associates to comply
with many of the provisions of these rules.
• Requires all covered entities to comply with new
security breach notification rules.
• Introduces modifications to the HIPAA Privacy
Rule which all covered entities and their Business
Associates must adhere to.
• Clarifies and strengthens penalties and
enforcement powers for violation of the HIPAA
Privacy and Security Rules.
• Provides for periodic audits by DHHS to ensure
compliance with the Rules.
HIPAA/HITECH Update
Business Associate Changes
A Business Associate is a person
or entity that performs a function
or activity on behalf of your
practice involving the use and/or
disclosure of PHI, but is NOT a
part of your workforce.
Examples of Business
Associates
• Billing Service/Agency
• Collection Agency
• Accountant/Attorney/Other Consultant Who
Needs Access To PHI
• Answering Service
• Lockbox Service
• Transcription Service
• Practice Management Software Vendor
• Electronic Medical Records Software Vendor
• Hardware Maintenance Service
• Off-Site Record Storage
• Other Independent Contractors Who Provide
Business/Administrative Services On-Site
Changes in Business
Associates
• Business Associates are now subject to
most of the same HIPAA Privacy and
Security requirements that covered
entities must comply with, including the
new changes under the Act.
• They are now subject to the same civil and
criminal penalties that covered entities
face.
• Business Associates must also incorporate
language confirming their required
compliance into their agreements with
covered entities. (Form 713)
Expanded Definition of a
Business Associate
• Organizations that provide data transmission
of PHI and require routine access to it, such as:
• An Electronic Prescribing “Gateway” which routes
prescribing transactions to payers, pharmacies,
pharmacy benefit managers, and mail order
houses.
• A Health Information Exchange Organization
(HIE) which has the capability to electronically
move clinical information among disparate
healthcare information systems while maintaining
the meaning of the information being exchanged
for the purpose of facilitating efficient and timely
access to patient information.
Expanded Definition of a
Business Associate
• A Regional Health Information Organization
(RHIO) which is a geographically defined entity
that arranges for the electronic exchange of
information and develops and maintains HIE
standards;
• Organizations that routinely require access to
PHI.
• Vendors who contract with covered entities to
offer personal health records (PHR) to
individuals, including organizations that provide
products or services through the website of a PHR
vendor.
Update Your List of
Business Associates
• Review your files for contracts or other
arrangements that are currently in place.
• Review your accounts payable list; it
probably includes all or most of your
Business Associates.
• Each time your practice adds or
discontinues a relationship with a Business
Associate, the list needs to be updated to
reflect these changes. (Form 715)
Update Your List of
Business Associates
• Each time the scope of services provided
by a Business Associate changes,
reexamine the relationship to confirm that
the party continues to serve as a Business
Associate.
• Failure to know who your Business
Associates are and to have Business
Associate agreements in place with them
can subject your practice to significant risk
under HIPAA.
Update Your Business
Associate Agreements
• Revise the Business Associate Agreements
you already have in place to ensure they
contain the required verbiage indicating
that as a Business Associate, they must
also comply with the HIPAA Privacy and
Security Rules.
• Execute HIPAA compliant Business
Associate Agreements with any new
Business Associates.
HIPAA/HITECH Update
Breaches of PHI
Breaches of Unsecured PHI
• If you become aware that an individual's
"unsecured" PHI has been used, accessed,
acquired or disclosed in a manner not permitted
by the Privacy Rule, whether by your practice or
by a Business Associate of your organization,
there are notification actions you must take
under the ARRA.
• However, if the PHI was "secured" in accordance
with DHHS guidance, your organization will NOT
have to comply with the notification
requirements.
• Business Associates who experience a breach of
unsecured PHI are required to notify your
organization and to provide the identity of the
individual(s) whose information was accessed,
acquired or disclosed.
What Is Unsecured PHI?
• Unsecured PHI is PHI that is not
secured through the use of a
technology or methodology specified
by the DHHS Secretary.
• Encryption and Destruction are the
two acceptable ways to secure PHI.
What Is Encryption?
• Encryption converts the message in a file
or document from a readable to an
unreadable format through the use of an
algorithmic process.
• Decryption is the reverse, converting the
encrypted information back to a readable
format using the key.
• Encryption renders PHI "secured" under the
DHHS guidance only if the confidential process
or key that would enable decryption has not
itself been breached.
• DHHS therefore advises covered entities and
Business Associates to keep encryption keys
on a separate device from the data that is to
be encrypted or decrypted.
“Data at Rest” Versus
“Data in Motion”
• Data at rest is PHI which resides in
databases, file systems, and other
structured storage methods.
• Data in motion is PHI that is moving
through a network, including wireless
transmission, such as e-mail or another
form of electronic interchange.
Encryption for Data at Rest
• Must be consistent with the U.S.
Department of Commerce’s National
Institute of Standards and Technology
(NIST) Special Publication 800-111. This
publication is entitled Guide to Storage
Encryption Technologies for End Use
Devices, November 2007.
• Online at:
• http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
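The encryption described on this slide and the previous one can be made concrete. The following Go program is an added example, not part of the original presentation or of any DHHS or NIST guidance. It encrypts a constructed, fictional patient record with AES-256-GCM (an AES mode available in FIPS 140-2 validated modules), keeps the key in a separate variable that stands in for a key store on another device, binds the record identifier to the ciphertext so one patient's blob cannot be swapped into another's record, and shows that without the key the stored blob is unreadable and that any alteration is detected rather than silently decrypted. The record identifier, the key-store arrangement and the sample record are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes: AES-256.
const KeySize = 32

// SamplePHI is a constructed, fictional record used only to exercise the
// functions below. It is not real patient data.
const SamplePHI = `{"name":"Jane Q. Sample","dob":"1970-01-01","mrn":"MRN-000000","dx":"Z00.00"}`

// NewDataKey generates a random 256-bit key. Assumption: in a real practice
// the key lives in a key store (HSM, KMS, or at minimum a separate host) and
// never on the disk, laptop or backup tape that holds the encrypted PHI,
// which is what the DHHS advice about separate devices amounts to.
func NewDataKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, fmt.Errorf("generate key: %w", err)
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. recordID is bound as additional
// authenticated data, so a ciphertext copied into another patient's record
// fails to decrypt. Output layout: nonce || ciphertext || 16-byte tag.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, fmt.Errorf("generate nonce: %w", err)
	}
	// Seal appends to its first argument, so the result is nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. It returns an error (never garbage) if the key is
// wrong, the recordID differs, or any byte of the stored blob was altered.
func Open(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:ns], sealed[ns:]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	return pt, nil
}

// newGCM rejects keys of the wrong length before touching the cipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewDataKey() // stands in for a fetch from the key store
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, "patient/000000", []byte(SamplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on the device: %x\n", sealed)

	// Scenario: the device is lost. Whoever holds it has ciphertext only,
	// so what was lost is secured PHI, not unsecured PHI.
	wrongKey, _ := NewDataKey()
	if _, err := Open(wrongKey, "patient/000000", sealed); err != nil {
		fmt.Println("without the key:", err)
	}

	// Authorized path: correct key, correct record.
	pt, err := Open(key, "patient/000000", sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(pt))
}
```

The blob written to disk contains the nonce and tag but never the key; the practice's breach analysis therefore turns on whether the key store, not the device, was compromised.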
Encryption for Data
in Motion
• Must comply with the requirements of the
Federal Information Processing Standards
(FIPS) 140-2. These include, as
appropriate, standards described in the
following NIST Special Publications:
• 800-52, Guidelines for the Selection and
Use of Transport Layer Security (TLS)
Implementations, June 2005.
• http://all.net/books/standards/NIST-CSRC/csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf
More NIST Special
Publications
• 800-77, Guide to IPsec VPNs, December
2005.
• http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf
• 800-113, Guide to SSL VPNs, July 2008.
• http://csrc.nist.gov/publications/nistpubs/800-113/SP800-113.pdf
Destruction of Paper, Film
and Hard Copy Media
• Must be shredded or destroyed such that
PHI cannot be read or otherwise
reconstructed.
• For electronic media, destruction means the
media have been "cleared, purged, or destroyed
consistent with NIST Special Publication 800-88,
Guidelines for Media Sanitization," such that
the PHI cannot be retrieved.
• http://csrc.nist.gov/publications/nistpubs/800-88/NISTP800-88_rev1.pdf
Additional Guidance
• August 24, 2009 Federal Register (Volume
74, Number 162).
• Updated annually
• You should review DHHS guidance
periodically.
HIPAA/HITECH Update
Breach Notification
Breach Notification
• Covered entities must comply with the breach
notification rules by September 23, 2009.
• If your practice does not implement procedures
to render PHI “secured,” you must comply with
the breach notification requirements in the event
PHI is accessed, acquired or disclosed to an
unauthorized party.
• If your Business Associates do NOT implement
these procedures, they will be required to notify
your practice in the event of a breach, and then
you must provide notice due to the Business
Associate’s breach.
Definition of Breach
• Use or disclosure that “compromises the
security or privacy” of PHI.
• That “poses a significant risk of financial,
reputational, or other harm to the
individual”.
• If a breach occurs, you should take into
account the likely risk of harm caused by a
breach in determining whether breach
notification is required.
If A Breach of Unsecured
Data Occurs
• Determine whether the breach constituted
a violation of the HIPAA Privacy Rule.
• If the use or disclosure of PHI does not
violate the Privacy Rule, then it would not
qualify as a potential breach, and
individual notification is not necessary.
• A breach can occur when PHI is accessed
by an employee of your practice who was
not authorized to have access and can
trigger notification requirements.
How to Assess the
Potential Risk
• Who used or disclosed PHI in an
unauthorized manner?
• To whom was the PHI impermissibly
disclosed?
• What type of PHI was used or disclosed?
• How much PHI was used or disclosed?
The Steps of Breach
Notification
• Notify the individual whose unsecured PHI has
been, or is reasonably believed to have been,
accessed, acquired or disclosed. (Form 717)
• Notification must be made "without unreasonable
delay," but no later than 60 calendar days after
the discovery of a breach by your practice or your
Business Associate(s).
• Notification must be documented as required. If
notification is delayed, you must provide
evidence or documentation which demonstrates
the reason for the delay. (Form 716)
The Steps of Breach
Notification
• Notification must be in writing and sent via first-
class mail to the individual (or the individual’s
next of kin if the individual is deceased) at the
individual’s (or next of kin’s) last known address.
• Notification can also be sent via email if specified
by the individual.
• You must also provide follow-up mailings or
emails should additional information become
available.
• If you have insufficient or outdated contact
information for the individual (e.g., address,
phone number, email address), you must provide
substitute notice. For fewer than 10 such
individuals this may be an alternative form of
written notice, telephone, or other means.
Notification Involving 10 or More
Individuals with Insufficient/
Outdated Info
• You must prominently post a notice on your
website’s homepage.
• Or post a notice in major print or broadcast media
in the geographic areas where the affected
individuals are likely to reside.
• Regardless of where the notice is posted, it
must include a toll-free number, active for at
least 90 days, that an individual can call to
determine whether their PHI was included in the
breach.
• A website notice must remain posted for 90 days.
All Breach Notifications
Must Include (Form 717)
• Brief description of what happened
• Date the breach occurred
• Date you or your Business Associate
discovered the breach (if known)
• Description of the types of unsecured PHI
involved in the breach such as the
individuals’ name, Social Security number,
date of birth, home address, account
number or disability code
All Breach Notifications
Must Include (Form 717)
• Steps the individual should take to protect
themselves from potential harm resulting
from the breach
• Brief description of what you or your
Business Associate is doing to investigate
the breach, mitigate losses, and protect
against further breaches
• Mechanism for the individual to contact
you and ask questions or request
additional information such as toll-free
telephone number, email address, website,
or postal address
Breach Log (Form 716)
• You must maintain a log documenting
breaches that involve fewer than 500
individuals.
• Submit the log to the DHHS Secretary
annually.
• No later than sixty days after the end of
each calendar year.
Breaches Involving 500 or
More Individuals
• Notify prominent media outlets serving the state
or jurisdiction in which the individuals live.
• Notify the DHHS Secretary immediately with
respect to the breach as instructed on the HHS
website.
• Notification forms can be found online at
• www.hhs.gov/ocr/privacy/hipaa/administrative/
breachnotificationrule/brinstruction.html
• There is one form for breaches affecting 500 or
more individuals and one for breaches affecting
fewer than 500 individuals.
• The DHHS Secretary will make information
regarding the breach available to the
public on the DHHS website via a listing of
covered entities involved in the breach.
Law Enforcement
• If a law enforcement official determines
that a breach notification or posting would
obstruct a criminal investigation or
threaten national security, the notification
or posting may be delayed.
• The covered entity is required to comply
with law enforcement requests regarding
notification.
DHHS Annual Breach Report
• Each year, beginning February 17, 2010,
the DHHS Secretary is required to provide
a report regarding breach notifications to
the Senate Committee on Finance, the
Senate Committee on Health, Education,
Labor, and Pensions, and the House of
Representatives Committee on Energy and
Commerce.
• The report will include information on the
number and nature of the breaches and
the actions taken in response to them.
HIPAA/HITECH Update
Revised Notice of Privacy
Practices
Revised Notice of
Privacy Practices
• With implementation of the HITECH Act, your
practice must comply with an individual's request
to restrict disclosure of their PHI (Form 711) if:
• The disclosure would be to a health plan for
purposes of payment for healthcare services or
healthcare operations (and not for purposes of
carrying out treatment), and
• The PHI pertains solely to healthcare services
for which you have been paid "in full out of
pocket" (i.e., only by the patient).
Important Note
• When the patient has paid in full out of pocket
(cash) for non-covered services, such as wellness
care, you do NOT have to respond to a request for
that information from third parties unless the
patient asks you to.
• Limit your disclosure to the insurance company
to only those services for which it has paid.
• This does not include services for which your
practice generated a superbill or insurance claim
form for the patient to submit to an insurance
company for reimbursement.
Replace Your Current
Notice of Privacy Practices
• Make your revised Notice of Privacy Practices
available for viewing to all new patients on their
first date of service (Form 708).
• Have available copies of the revised Notice for
redistribution if requested.
• Obtain written acknowledgement from the patient
that they received a copy of the Notice. (Form 709)
• If you are unable to obtain such
acknowledgement, document the reason given
in the patient's chart. (Form 710)
Notice of Privacy Practices
• A printed copy does not have to be given
to each patient unless requested.
• Keep in a readily accessed location, such
as at your front desk.
Retention Policy
• You must retain a complete copy of each
version of the Notice of Privacy Practices
for 6 years.
• If you provide information to patients via
your website, you must post the Notice on
your website.
• The Notice can also be provided by email.
• The patient must agree before this Notice
can be sent electronically.
HIPAA/HITECH Update
Disclosure of PHI
Disclosure of PHI &
“Reasonable Efforts”
• Prior to the HITECH Act, you had to make
reasonable efforts to use or disclose, or to request
from another covered entity, only the “minimum
necessary” amount of PHI required to achieve the
purpose of the particular use or disclosure.
• Some covered entities require the use of PHI that
is not completely de-identified for certain
activities.
• Uses and disclosures of a limited data set are
permitted, as long as they are used for research,
public health, and health care operations
purposes only.
What Is a Limited Data Set?
• PHI that excludes specific, readily
identifiable information about the
individuals as well as their relatives,
employers and members of their
households.
• 16 of the 18 individually identifiable data
items must be removed from the limited
data set.
Items That Can Remain
In a Limited Data Set
• Date References:
– Admission, Discharge and Service Dates;
Date of Death; Age (Including Age 90
and Over)
• Any Geographic Subdivision:
– Town or City, State or Five-digit Zip
Codes but Excluding Postal Addresses
DHHS Guidance
• Under the current Privacy Rule, you must
implement policies and procedures to ensure the
“minimum necessary” uses and disclosures of
PHI.
• The DHHS Secretary is required to provide
guidance as to what constitutes “minimum
necessary” no later than 18 months after the Act
was enacted (or by August 16, 2010).
• You must be compliant with any additional
guidance regarding the “minimum necessary”
standard no later than 6 months after the DHHS
Secretary formally announces such guidance.
Original Privacy Rule
Accounting of Disclosures
• Covered entities were not required to
issue an accounting of disclosures to
individuals if the request was related to
treatment, payment or health care
operations.
• You could also provide a hard copy of PHI
in response to a request for electronic
access if the PHI was easy to produce in
an electronic format.
• You were also allowed to charge the
individual for copying, postage and labor.
New HITECH Rule
Accounting of Disclosures
• If a covered entity “uses or maintains” an
electronic health record (EHR), the individual has
the right to request and receive an accounting of
all disclosures including those related to
treatment, payment and health care operations.
• While individuals can currently request an
accounting of non-TPO disclosures of PHI dating
back 6 years, the HITECH Act stipulates that
individuals may request an accounting of
disclosures for TPO only up to 3 years prior to the
date of the request.
• TPO - Treatment, Payment or Health Care
Operations
Request for an
Accounting of Disclosures
• Patients have the right to obtain a copy of
the information disclosed in an electronic format.
• They can ask you to transmit a copy of the
requested information to an entity or person
designated by the individual.
• This assumes that the information provided by
the individual is understandable and specific.
• You may charge patients for providing a copy or
summary of the information.
• The charge cannot be greater than the labor costs
related to fulfilling the request.
Two Ways to Provide an
Accounting of Disclosures
• Accounting for disclosures of PHI that are
made by your practice and your Business
Associates on behalf of your practice.
• Accounting for disclosures of PHI that are
made by your practice only, but including
a list of all your Business Associates
including contact information such as
mailing address, telephone number and
email.
“Phased in” Implementation
of Disclosure Accounting
• If your practice had acquired an EHR as of
January 1, 2009, you must comply with the new
accounting for disclosures provisions for
disclosures made on or after January 1, 2014.
• If your practice acquired an EHR after
January 1, 2009, you must comply by
January 1, 2011 or the date you acquire the
EHR, whichever is later.
HIPAA/HITECH Update
Compensation In Exchange
For Access to PHI
Compensation In Exchange
For Access to PHI
• The HITECH Act prohibits you or your
Business Associates from directly or
indirectly receiving compensation in
exchange for an individual's PHI…
• Unless the covered entity receives a
HIPAA-compliant Authorization from the
individual specifically allowing such
compensation.
Exceptions to the
No Compensation Rule
• Public health activities including reporting
communicable diseases such as TB, STD
and H1N1
• Research (and the price charged reflects
the costs of preparation and transmittal of
the data for research purposes)
• Treatment of an individual
• Health care operations, including when the
organization is being sold, transferred,
merged or consolidated
Exceptions to the
No Compensation Rule
• Activities between an organization and its
Business Associate(s) for activities
performed by the Business Associate at
the specific request of the organization (A
Business Associate Agreement must be in
place)
• Providing an individual with a copy of
his/her PHI
• Other activities as determined by the
DHHS Secretary
DHHS Guidance
• The DHHS Secretary is required to publicly
announce specific regulations associated
with the No Compensation section of the
Act.
• You must be compliant with this
component of the regulation beginning 6
months after the regulations are issued
(presumably February 17, 2011).
Narrowed Definition of
Health Care Operations
• Communication from you or your Business
Associates that encourages individuals to
purchase a product or service may be
considered a health care operation only if
the communication is:
• For the treatment of the individual
• For case management or care coordination
for an individual or to direct or recommend
alternative treatments, therapies,
providers or care settings
• Associated with or included in a Plan of
Benefits provided by a covered entity
Communications Considered Health
Care Operation (Exceptions)
• Describe a drug or biologic that is currently being
prescribed to the individual to whom the
communication is directed and the payment
received for such communication is a “reasonable
amount”
• The communication is made by you and you have
a valid Authorization permitting the
communications
• The communication is made by your Business
Associate on your behalf and is consistent with
your Business Associate Agreement.
Communications Considered Health
Care Operation (Exceptions)
• Any written fundraising communication, but
only if the individual is given the
opportunity to "opt out" and not receive
further communications.
• If the individual opts out, they no longer
authorize use of their PHI for fundraising
purposes.
• You must obtain this election in writing via
the Authorization process included in the
Privacy Rule.
Changes in the Enforcement of the
HIPAA Privacy & Security Rules
• Enforcement of the HIPAA Privacy Rule
was the responsibility of the Office for Civil
Rights (OCR), and enforcement of the
HIPAA Security Rule was handled by the
Centers for Medicare & Medicaid Services
(CMS).
• On July 27, 2009, the DHHS Secretary
announced that enforcement of the
Security Rule would be shifted from CMS
to OCR.
Compliance Audits
• Enforcement of HIPAA has historically
been primarily complaint driven.
• Beginning February 17, 2009 periodic
prospective compliance audits of covered
entities and Business Associates were
instituted.
• The Act revised the circumstances and
amount of civil monetary penalties (CMP)
should the Privacy or Security Rules be
violated.
Description of Violation
& Monetary Penalty
• Tier A: The individual accused of violating
the Rule(s) did not know (and by
“exercising reasonable diligence” would
not have known) that the Rule(s) was
violated
– $100 per violation not to exceed
$25,000 per calendar year
• Tier B: The violation was due to
“reasonable cause” not willful neglect
– $1,000 per violation not to exceed
$100,000 per calendar year
Description of Violation
& Monetary Penalty
• Tier C: The violation was due to willful
neglect and the violation was corrected
– $10,000 per violation not to exceed
$250,000 per calendar year
• Tier D: The violation was due to willful
neglect and the violation was not
corrected
– $50,000 per violation not to exceed
$1,500,000 per calendar year
Maximum Penalties
• The maximum penalty cannot exceed
$50,000 per violation or $1,500,000 per
calendar year for similar violations
regardless of the type of violation
• If a preliminary investigation results in
possible violation of the HIPAA Privacy
and/or Security Rules due to willful
neglect, the DHHS Secretary will conduct a
Formal Investigation.
State Attorneys General
• State attorneys general may now "bring
civil action" against any person who
violates the HIPAA Privacy and/or Security
Rules.
• They may seek damages on behalf of residents
where there is reason to believe that an
interest of one or more state residents has
been or is threatened or adversely affected
by the violation.
State Attorneys General
• The attorney general must notify the DHHS
Secretary in writing before filing and
provide a copy of the complaint for the
Secretary's review.
• The Secretary reserves the right to intervene
and be heard on all matters arising in the
action, and to file petitions for appeal.
• A state may not bring action on a case that
DHHS is already involved in.
Damages for Violations
• Calculated by multiplying the number of
violations by up to $100.
• The total amount of damages cannot
exceed $25,000 in a calendar year.
• Any violations occurring after February 17,
2009 are subject to the revised civil
monetary penalty tiers and actions by the
State Attorneys General.
• The Act clarifies that HIPAA’s criminal
penalties can be enforced against
employees of a covered entity.
HIPAA/HITECH Update
Supplemental HIPAA
Staff Training
Supplemental HIPAA
Staff Training
• Any time there is a material change to your
practice’s Privacy and/or Security Policies,
the employees whose functions and
responsibilities are affected by the change
are required to receive additional training.
(Form 707B, Form 720)
• Your entire staff is required to be trained
on the changes to the organization’s
Privacy and Security Policies and how they
affect their individual job responsibilities.
HIPAA Staff Privacy and
Security Policy Training
• All new employees are required to receive
training on the Privacy and Security Rules
(including the HITECH Act provisions) as a part of
their initial employee orientation regardless of
their previous healthcare experience.
• Existing employees only need to receive
additional Privacy & Security Policy training if the
regulations are revised and/or changed or if the
Privacy and/or Security Official identifies an area
of non-compliance in the organization that
warrants additional staff training.
• Employees should be encouraged to ask questions
during the training or at any future date.
HIPAA Staff Training
Documentation
• All staff should be given a copy of your
updated Privacy and Security Policies and
should sign them as proof that they have
reviewed and understood them.
• Upon signing, the forms should be placed
in their personnel files.
• All staff training related to the Privacy and
Security Policies and Procedures must be
documented.
• Records of staff Privacy and Security Rule
training must be maintained for 6 years.
The Privacy and/or
Security Official
• Responsible for monitoring compliance with the
Privacy and Security Rules.
• Any incident should be documented in the
Incident Event Log.
• All employees should be encouraged to
communicate openly with the Privacy and/or
Security Official concerning any potential privacy
or security breaches
• And to provide recommendations for how your
practice could be better organized to protect
individuals’ confidentiality.
• The Privacy and/or Security Official should
conduct periodic walk-throughs of the practice.
The Privacy and/or
Security Official
• No staff member exposed to any PHI in
any way is exempt from adhering to the
Privacy and Security Rules.
• If staff is aware of a possible violation of
the Privacy and/or Security Rule that
involves the Privacy and/or Security
Official, then they should communicate it
to a practice owner or other individual in a
leadership capacity.