Hitech Act
Hitech Act Presentation Transcript

  • The Health Information Technology for Economic and Clinical Health (HITECH) Act: A Practical Application
  • Your Presenters
    Stacey Gutwillig, Partner, Deloitte & Touche LLP, sgutwillig@deloitte.com, (617) 437-2637
    Mark Steinhoff, Director, Deloitte & Touche LLP, msteinhoff@deloitte.com, (617) 437-2614
    Dan Hoye, Manager, Deloitte & Touche LLP, dhoye@deloitte.com, (617) 437-3528
    Copyright © 2010 Deloitte Development LLC. All rights reserved. 1
  • Contents
    • The American Recovery and Reinvestment Act (ARRA) of 2009 and HITECH overview
    • Overview of HITECH goals
    • Ways to address HITECH provisions
    • Implementation dates
    • Case studies
    • Penalties and enforcement
    • Potential business impacts of the HITECH Act
    • Security and privacy overlaps
  • The American Recovery and Reinvestment Act of 2009 and HITECH
    (Chart: 2008 US Federal Budget $2.9 trillion; ARRA Stimulus $787 billion (27% of the federal budget); total HITECH expenditures $38 billion (5% of the stimulus).)
    Federal spending for ARRA includes federal tax cuts, expansion of unemployment benefits and other social welfare provisions, and domestic spending in education, health care, and infrastructure, including the energy sector.
  • Health Information Technology for Economic and Clinical Health Act, or HITECH Act
    Four major goals of the HITECH bill intended to advance the use of health information technology (Health IT or HIT):
    1. Government leadership in developing standards by 2010 that allow for the nationwide electronic exchange and use of health information.
    2. Investing $20 billion in health information technology infrastructure and Medicare and Medicaid incentives to encourage doctors and hospitals to use HIT to electronically exchange patients’ health information.
    3. Strengthening Federal privacy and security law to protect identifiable health information from misuse as the health care sector increases use of Health IT.
    4. Saving the government $10 billion, and generating additional savings throughout the health sector, through improvements in quality of care/errors and care coordination.
    As a result of this legislation, the Congressional Budget Office estimates that approximately 90 percent of doctors and 70 percent of hospitals will be using comprehensive electronic health records within the next decade.
  • Why is the HITECH Act getting such attention?
    “….the American Recovery and Reinvestment Act (ARRA)…puts into law new privacy requirements that experts have called ‘the biggest change to the healthcare privacy and security environment since the original HIPAA privacy rule.’ ….According to a 2009 study by the Ponemon Institute[a], the healthcare industry is among the top three industries most frequently victimized by data breaches, risking the medical and financial well being of breach victims and the credibility and future business of the healthcare provider”
    – Over 44% of all cases in the 2009 year study involved third-party mistakes or flubs. Data breaches involving data outsourced to third parties are the most costly.
    [a] Fourth Annual US Cost of Data Breach Study, Benchmark Study of Companies, by Dr. Larry Ponemon, sponsored by PGP Corporation, independently conducted by Ponemon Institute LLC, publication date: January 2009
  • Current state — Patient information network
    (Diagram: each color represents a unique encounter; Collective Medical Information; Consuming Organizations.)
    Various organizations access this networked Web on a national scale, gathering similar information about many patients.
  • Future state — The National Health Information Network (NHIN)
    In the mature state of the NHIN, geography will no longer be a consideration, as health care entities will have access to each other, creating a flux of health information.
    (Diagram: future state, fully developed and interoperable NHIN.)
    Value of the NHIN
    • Electronic Health Records (EHRs) will be the basis of information exchanges on the NHIN, with different entities accessing different components of EHRs.
    • Health care system entities and public health institutions will be able to access the NHIN, utilizing the full power of the availability of national health information.
    • Administrative, clinical, and public health costs will be reduced nationally, as health information may be accessed from and shared with other entities.
    • Interoperability between existing health systems will be the cornerstone of the NHIN in achieving its goals.
  • Recent New England Journal of Medicine survey finds very low use of EHR in U.S. hospitals[1]
    Method
    • Survey of acute care hospitals that are American Hospital Association (AHA) members. The study received responses from 3,049 hospitals (63%).
    Results
    • 1.5% have a comprehensive electronic records system (i.e., present in all clinical units).
    • 7.6% have at least a basic system (i.e., present in at least one clinical unit).
    Significant findings related to barriers to EHR adoption in hospitals
    Among hospitals without an Electronic Health Record (EHR):
    • Inadequate capital for purchase (74%) was the most cited barrier, and EHR maintenance cost was the 2nd most frequently cited barrier (44%).
    • Additional barriers cited in the study include:
      – Physician resistance (36%)
      – Unclear Return on Investment (ROI) (32%)
      – Lack of staff with expertise in Health Information Technology (HIT) (30%)
    • For hospitals with an existing EHR, the above barriers were less likely to be cited, except for physician resistance.
    [1] New England Journal of Medicine (NEJM) Volume 360:1628-1638, April 16, 2009
  • Some differences between HITECH and HIPAA: General
    HIPAA: CEs included PHI custodians.
    HITECH Act: CEs include PHI custodians as well as business associates (e.g. suppliers, outreach organizations, and other organizations doing business with the primary CE).
      – Contracts are required with business associates defining use of PHI.
    HIPAA: CEs were not actively audited.
    HITECH Act: DHHS to conduct periodic audits within the first 12 months after new rules are enacted.
    HIPAA: No defined penalty structure for neglectful privacy practices.
    HITECH Act: Increased, tiered penalty structure with fines ranging from $25K to $1.5M, including mandatory penalties for cases of “willful neglect”.
      – Proof of harm no longer required to levy penalties.
      – Interpretation of breach cases and penalties will be made by state Attorneys General.
    HIPAA: Allows 10 years for compliance.
    HITECH Act: Compliance required within 12 – 18 months.
  • Some differences between HITECH and HIPAA: Breach Notification
    HIPAA
    • State security breach laws mandated notification only for electronic PHI.
    • Burden of notification fell on “data owners”, excluding any organization that did not “own” the data.
    • If the data owner determined that it had an obligation to notify of a data breach, it was required only to send letters to the affected individuals within “a reasonable amount of time”.
    HITECH Act
    • Applies to breaches on or after September 23, 2009.
    • CE must provide notification within 60 days after PHI in any form is breached.
      – Starts from the first day the breach is known to the CE/business associate or should reasonably have been known.
      – Requirements are specific for content, timing, and obligations.
    • Obligation to notify falls on CE and/or business associates.
    • Breach impacting more than 500 individuals requires “immediate” notification to DHHS, making the breach public.
      – If more than 500 individuals are affected in a single state or jurisdiction, notice must be made to prominent media outlets.
    • In cases affecting fewer than 500 individuals, the CE must maintain a log of breaches and submit it annually to DHHS, which will be posted on a public website.
  • HITECH Act — Key Implementation Dates[2]
    Provision: Health Insurance Portability and Accountability Act (HIPAA) security and privacy provisions to business associates
      Guidance/Regulations: Health and Human Services (HHS) issued an initial set of standards for implementation and certification criteria for the electronic exchange and use of health information on January 13, 2010; annual guidance on appropriate technical safeguards from the Department of Health and Human Services (DHHS)
      Effective Date: February 17, 2010
    Provision: Breach Notification
      Guidance/Regulations: DHHS and Federal Trade Commission (FTC) issued interim final regulations on August 24, 2009
      Effective Date: No later than September 23, 2009
    Provision: Disclosure Restrictions
      Guidance/Regulations: DHHS to issue guidance on what constitutes “minimum necessary” no later than August 17, 2010
      Effective Date: February 17, 2010
    Provision: Accounting of Disclosures
      Guidance/Regulations: DHHS to issue regulations on what information must be collected about disclosures by June 30, 2010
      Effective Date: January 1, 2014 if EHR acquired before January 1, 2009; as early as January 1, 2011 if EHR acquired after January 1, 2009
    Provision: Prohibition on Sale of EHR
      Guidance/Regulations: DHHS to issue regulations by August 17, 2010
      Effective Date: No later than February 17, 2011
    Provision: Marketing and Fundraising
      Guidance/Regulations: None
      Effective Date: February 17, 2010
    Provision: Penalties and Enforcement
      Guidance/Regulations: DHHS to issue regulations for penalties as related to willful neglect no later than August 17, 2010; Government Accountability Office (GAO) to submit a report to DHHS detailing individual remuneration for civil penalty or settlement amounts no later than February 17, 2012
      Effective Date: Penalties as related to willful neglect by February 17, 2011; tiered increase in civil penalties and state attorney general enforcement effective February 17, 2009
    [2] As of January 26, 2010
  • Some ways to address the provisions of the act…
    Provision of the Act: Investment in Health IT Infrastructure
      Action Steps: Implementation of electronic health records systems and infrastructure
    Provision of the Act: HIPAA Security and Privacy Provisions to Business Associates
      Action Steps: HIPAA Privacy & Security Assessment; HIPAA Strategy & Program Development; Business Associate Assessments
    Provision of the Act: Breach Notification
      Action Steps: Incident Response Program Development; Data Protection Technology Implementation
    Provision of the Act: Marketing and Fundraising
      Action Steps: Update current policies, procedures, and controls to support:
      • the requirement of specific authorization from patients to use PHI for marketing/fundraising
      • the patient’s right to opt out of any communication that relates to fundraising
  • Some ways to address the provisions of the act…
    Provision of the Act: Disclosure Restrictions
      Action Steps: Update current policies, procedures, and controls to support:
      • the ability for a patient to request that PHI not be disclosed when paying for the service fully out-of-pocket
      • the collection and disclosure of the minimum set of PHI practicable to perform business operations
    Provision of the Act: Accounting of Disclosures
      Action Steps: Develop policies, procedures, and controls to support the following requirements:
      • Covered Entities (CEs) and business associates to produce an accounting of all disclosures of a patient’s PHI, upon request
      • CEs must either account for PHI disclosures made by business associates or provide a list of all business associates acting on behalf of the CE
    Provision of the Act: Prohibition on Sale of EHR
      Action Steps: Update current policies, procedures, and controls to support:
      • the requirement of specific authorization from patients prior to receiving direct or indirect remuneration for sale of PHI
  • Case Study: Major U.S.-Based Medical Devices Company — Implementation of Data Privacy Program
    Background
    The company determined that a review of current data privacy practices and controls was needed due to a combination of data privacy inquiries from customers and a global ERP deployment including European operations. The key drivers were:
    § Compliance with Federal, state and international regulatory requirements
    § Risk of breach of contractual agreements with customers
    § Business operations interruption in the EU
    Outcome
    § Addressed privacy and related business risk (including HITECH considerations)
    § Registered as Safe Harbor compliant for both Customer and HR
    § Global employee and customer privacy policies deployed (including HITECH considerations)
    § Data Protection strategy influenced by data privacy rollout
    § Options for de-identification of patient data developed for R&D
    § Strategies for movement of Test Data (ERP) developed via Model Contracts
    § Information Security strategy informed by Data Privacy initiative
  • Case Study: Global Life Sciences and Medical Device Company — Current State Assessment and Gap Analysis
    Background
    Following a lost, unencrypted laptop containing PHI, which resulted in breach notification in conjunction with the passage of the HITECH Act, the company determined that it needed a better understanding of its data privacy policies and practices. A current state assessment was performed with a special focus on:
    § compliance with HIPAA privacy and security rules
    § Business Associate Agreements (BAAs) with organizations
    Lessons Learned
    § PHI was used for secondary uses in their R&D division that were not permitted per customer contracts and BAAs.
    § BAAs were not in place with a number of their customers, and the BAAs that did exist with customers were not consistent.
    § Assessment findings exposed more significant issues with the company’s vendor management process and procedures.
    § The underlying information security program did not support the privacy policies, and as a result the company was not in compliance with the HIPAA privacy and security rules.
    Outcome
    § Identified significant areas of exposure to the company based on non-compliance with the HIPAA privacy rule
    § Updated BAA template contracts to address HIPAA/HITECH requirements
    § Revised privacy policies and standards (e.g. notice language)
    § Developed a working relationship between the information security and privacy functions
    § Revised and expanded their information security policy
  • Case Study: Major Network of Teaching Hospitals — Current State Assessment and Gap Analysis
    Background
    Faced with multiple and evolving healthcare regulatory requirements, the company decided to assess and prioritize information security risks and to determine current state capability to comply with the regulations and to manage identified risks.
    Outcome
    § An information security risk management roadmap was developed to address key risk and capability gaps in order to align with healthcare regulatory requirements.
    § A matrix comprised of a rationalized set of 86 legal and regulatory requirements was organized into 12 functional risk areas to serve as the baseline for the assessment.
      Ø The matrix included requirements from HIPAA/HITECH, the Red Flag Rules, statutory requirements, etc.
    § In summary, the company identified and initiated procedures and tools to secure EPHI and PII. As a result, the company can now demonstrate progress with the outlined remediation activities in preparation for the implementation of HITECH-related requirements, reviews and audits.
  • Case Study: Global Telecommunications Company — Current State Assessment and Gap Analysis
    Background
    Faced with multiple and evolving regulatory requirements, including HIPAA/HITECH, the company performed a current state assessment of its information security policies to determine if the current state of the policies complied with HIPAA/HITECH requirements.
    Lessons Learned
    § The company had not updated information security policies and procedures since the Privacy Act of 2003.
    § Policies were developed by Legal Departments to comply with the Privacy Act; however, they consisted only of a recital of the provisions within the Privacy Act.
    § The client was out of compliance with its outdated policies and therefore was out of compliance with HIPAA/HITECH requirements.
    § The company identified that the existing breach notification policy/process:
      Ø focused on technological risks and did not address privacy risks throughout the organization
      Ø did not include up-to-date escalation procedures
    § The company overhauled all information security and privacy policies to address current practices and regulatory requirements.
  • Case Study: Multi-institutional Network of Hospitals across the Northeast — Implementation of Data Privacy Program
    Background
    The company faced several immediate and long-term regulatory, security and personnel challenges including:
    § vacant Chief Information Security Officer position due to personnel changes
    § minimal progress in managing system-wide enterprise security risks
    § management and regulatory pressure to comply with security requirements
    Solution
    The company developed a plan to meet these challenges by creating a prioritized roadmap for FY2010 and:
    § performed an information security risk assessment to define current and future state across information security domains and capabilities.
    § defined short/medium term focus, including a prioritized security implementation plan.
    § developed an organizational redesign for the Information Security Office, including governance model, roles and responsibilities across the health system.
    § established structured security program management and reporting of key risks.
    § provided subject matter experience to key initiatives across the system, including HITECH response.
    § executed the Information Security plan and strategy for 2009 and identified priorities for 2010.
  • Penalties & Enforcement
    (Diagram: Department of Health & Human Services, Federal Trade Commission, and State Attorneys General as enforcement bodies.)
    Enforcement
    • Expanded resources and significant funding for DHHS enforcement
    • State Attorneys General authorized to pursue actions on behalf of state citizens
    • Vendor breaches enforced by the Federal Trade Commission as an unfair and deceptive act or practice
    • Civil and criminal liability for HIPAA violations extended to business associates
    • Mandatory investigations and civil penalties for violations due to willful neglect
    Penalties
    • New penalty tiers per HIPAA violation (max/year):
      • Unknowing ($25K)
      • Reasonable cause ($100K)
      • Willful neglect ($250K)
      • Uncorrected willful neglect ($1.5M)
  • Potential Business Impacts of the HITECH Act
    Positives:
    • Improved individual patient data availability
    • Stimulus funding for early EHR adoption
    • Improved tracking of chronic disease management
    • Evaluation of health care based on value, enabled by the collection of de-identified price and quality information that can be compared
    Challenges:
    • Creates additional needs to monitor controls to mitigate the risks due to heightened oversight and enforcement
    • Process re-engineering, system changes, and logical/physical security mechanism changes required
    • Create new legal processes for breach notification, data storage, etc.
    • Expanded needs for contractual language to include written requirements
    • Assessment/re-engineering of how PHI is exchanged between parties
  • Security/Privacy OVERLAP with HITECH COMPLIANCE
    • The following are the top[1] Security/Privacy issues within Healthcare/Life Sciences organizations:
    1. Lack of visibility into third parties’/business associates’ privacy practices (esp. older agreements)
    2. Lack of adequate training in the organization, including specific training for those who handle personal healthcare information (PHI)
    3. Lack of adequate privacy program
    4. Lack of formal privacy risk assessment process
    5. Large number of records stored in hardcopy format (i.e. lack of EHR)
    6. Inappropriate use and/or collection of information and information leakage
    7. Inadequate segregation of duties (access to information)
    8. Inappropriate encryption techniques/technologies
    9. Lack of process to identify and classify PHI
    10. Lack of compliance with Records Management/Retention Policy
    11. Inappropriate conduct of internal employees
    12. Exposure to external threats
    All with impacts to HITECH compliance.
    [1] Based on respondent results set forth in the Deloitte* 2009 Life Sciences & Health Care Security Study
    * As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
  • Contact Info
    Stacey Gutwillig, Partner, Deloitte & Touche LLP, sgutwillig@deloitte.com, (617) 437-2637
    Mark Steinhoff, Director, Deloitte & Touche LLP, msteinhoff@deloitte.com, (617) 437-2614
    Dan Hoye, Manager, Deloitte & Touche LLP, dhoye@deloitte.com, (617) 437-3528
  • Disclaimer
    This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. In addition, this article contains the results of a survey conducted by Deloitte. The information obtained during the survey was taken “as is” and was not validated or confirmed by Deloitte. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.