Speaker notes

  • HHS' Office for Civil Rights is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. The American Recovery and Reinvestment Act of 2009 (ARRA) requires HHS to audit covered entity and business associate compliance with the HIPAA privacy and security standards. In summary, since the compliance date in April 2003, HHS has received over 71,849 HIPAA complaints and resolved ninety-one percent of the complaints received (over 65,460): through investigation and enforcement (over 16,708), requiring changes in privacy practices and other corrective actions by the covered entities; through investigation that found no violation (8,514); and through closure of cases that were not eligible for enforcement (40,238). Previously, HIPAA violations were investigated and enforced through the federal Department of Health and Human Services and the Department of Justice, but now state attorneys general also have authority to bring a HIPAA enforcement action.
  • Ignorance is not an excuse for anything. It does not matter if you are an IT organization that is not HIPAA compliant and you work with clients who are not HIPAA compliant that have PHI on your equipment: you could be fined. You cannot tell HHS that you did not know. That is not an excuse; you should have known, and you could be fined. Effective February 17, 2010:
    • Business Associates are directly accountable for HIPAA compliance in addition to contractual requirements.
    • Patients may request restrictions to billing disclosures when they self-pay.
    • Limited Data Sets are considered the default standard for complying with HIPAA's Minimum Necessary standard.
    • Patients may request electronic copies of their PHI when the data is held in an EHR, and that their records be sent to others in an electronic format.
    • Limitations and prohibitions on using PHI for marketing and fundraising are strengthened, and sale of PHI is prohibited.
    • Phased in beginning 1/1/2011: all disclosures of PHI from an EHR must be accounted for, including those for treatment, payment and healthcare operations.
  • For HIPAA Business Associates, HITECH imposes even more serious changes: Business Associates are now responsible for following all HIPAA Privacy and Security regulations with respect to all protected health information that they obtain or generate. Unauthorized use or disclosure by Business Associates of any protected health information leaves the Business Associate equally liable to damages and unfavorable publicity.
  • Many vendors do not know what the changes to HIPAA imposed by HITECH are. Really! We have spoken to many professionals who are surprised that HIPAA is changing and who are now scrambling to figure out "what to do". The HITECH changes are very significant for Business Associates. In the old scheme, all burden and liability was on the customer (the Covered Entity), and most Business Associate agreements just said things like "be sure to use our services in a way that doesn't violate HIPAA". The Business Associate was under no obligation to follow the HIPAA Security and Privacy rules themselves. Vendors will probably have to revise their privacy policies and Business Associate Agreements.
  • As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. 

Transcript of "Hitech changes-to-hipaa"

Slide 1: HITECH CHANGES TO HIPAA: WHY SHOULD YOU CARE?
Gurvinder Singh (CISSP), Gurvinder@jasgur.com
San Antonio Chapter of The Healthcare Information and Management Systems Society (HIMSS)

Slide 2: OBJECTIVES
• Overview of HITECH
• Changes to HIPAA under HITECH
• Business Associates & Effects on BAA
• The Breach Notification Rule

Slide 3: DISCLAIMER (NOT SO FINE PRINT)
The information contained in this session is not intended to serve as legal advice, nor should it substitute for legal counsel. The material in this presentation is designed to provide information. The presentation is not exhaustive, and attendees are encouraged to seek additional detailed legal guidance to supplement the information contained herein.

Slide 4: DEFINITIONS
• Protected Health Information (PHI)
  • Any oral or recorded information in any form or medium that is
    • created or received by the covered entity/BA, AND
    • relates to the past, present or future condition of an individual
  • Any information that contains a subset of demographic information collected from an individual
  • Any information that identifies an individual, or where there is a reasonable basis to believe the information can be used to identify an individual
  • Includes any data transmitted or maintained in any form

Slide 5: DEFINITIONS
• Privacy Rule: relates to the privacy of any protected health information (PHI)
• Security Rule: relates specifically to electronic PHI (ePHI) at rest or in transit

Slide 6 (diagram): Health Insurance Portability and Accountability Act (HIPAA), with two branches: Insurance Reform [Portability] and Administrative Simplification [Accountability]; Fraud and Abuse (Accountability). Privacy compliance date: 4/14/2003. Security compliance date: 4/20/2005. HITECH, the Health Information Technology for Economic and Clinical Health Act, 9/18/2009, part of the American Recovery and Reinvestment Act of 2009 (ARRA).

Slide 7: HITECH Act (ARRA): how did it change HIPAA? No longer a paper tiger
• Increased penalties for HIPAA violations (tiered civil monetary penalties)
• Required audits and investigations
• Increased enforcement and oversight activities
• State Attorneys General will have enforcement authority and may sue for damages and injunctive relief
• Increased breach notification rules

Slide 8: HITECH Act (ARRA), Health Information Technology for Economic and Clinical Health

Requirement                   Compliance date
1. Business Associates        February 2010
2. Breach Notification        September 2009
3. Self-Payment Disclosures   February 2010
4. Minimum Necessary          August 2010
5. Accounting of Disclosures  January 2011/2014
Slide 9: WHO IS A BUSINESS ASSOCIATE?
• If an entity that is not a covered entity is doing something "on your behalf", and it is not treatment, you need a BA Agreement with them.
• Applies to payment and health care operations.
Examples of Business Associates:
• A third party administrator that assists a health plan with claims processing.
• A CPA firm whose accounting services to a health care provider involve access to protected health information.
• An attorney whose legal services to a health plan involve access to protected health information.
• A consultant that performs utilization reviews for a hospital.
• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
• An independent medical transcriptionist that provides transcription services to a physician.
• A pharmacy benefits manager that manages a health plan's pharmacist network.
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html

Slide 10: BUSINESS ASSOCIATES: PRIVACY RULE IMPACT
• Under Section 13404, a business associate may only use or disclose PHI in a manner that complies with 45 C.F.R. § 164.504(e) (which describes the requirements for business associate agreements).
• Thus, business associates will now be regulated directly through a statutory requirement rather than indirectly through a contract. Business associates also must comply with the applicable provisions of the HITECH Act.
• Business associates will be subject to civil and criminal penalties if they violate these provisions.

Slide 11: BUSINESS ASSOCIATES: SECURITY RULE IMPACT
Under Section 13401, business associates will be required to comply with provisions of the HITECH Act, and with the following provisions of the Security Rule:
• § 164.308 (Administrative Safeguards)
• § 164.310 (Physical Safeguards)
• § 164.312 (Technical Safeguards)
• § 164.316 (Policies and Procedures)

Slide 12: BREACH
• Notification required upon "discovery" of a "breach" of "unsecured PHI".
• "Breach" is defined as unauthorized acquisition, access, use or disclosure of unsecured Patient Health Information (PHI) which compromises the security or privacy of such information.
• "Compromises" means creates a "significant risk of financial, reputation or other harm to the individual".
• Requires a risk assessment: a fact-specific analysis (consider the nature of the information, the recipient, and mitigation) to determine if significant harm exists.

Slide 13: Federal Breach Notification Law – Effective Sept 2009
• Applies to all electronic "unsecured PHI" (unencrypted PHI)
• Requires notification to the Federal Government no later than 60 days if more than 500 individuals are affected
• Annual notification if fewer than 500 individuals are affected
• Requires notification to a major media outlet
• Breach will be listed on a public website
• Requires individual notification to patients in plain language
• Criminal penalties may apply to an individual or employee of a covered entity

Slide 14: CIVIL MONETARY PENALTIES – HITECH
Old rule: maximum civil penalty of $100 per violation, up to $25,000/year for multiple violations of the same requirement.
New rule: tiered civil penalty structure:
• Innocent mistakes (did not know, and would not have known after reasonable diligence, that a violation occurred): $100 per violation (max $25,000) to $50,000 (max $1.5 mil).
• Reasonable cause and not willful neglect: $1,000 per violation, up to a maximum of $100,000/year for multiple violations of the same requirement.
• Willful neglect but corrected within 30 days: up to $10,000 per violation, up to a maximum of $250,000/year for multiple violations of the same requirement.
• Willful neglect that is not timely corrected: up to $50,000 per violation, up to a maximum of $1,500,000/year for multiple violations of the same requirement.
Slide 15 (chart): TYPE OF BREACHES WITH MORE THAN 500 RECORDS BREACHED ACROSS USA
Source: Department of Health and Human Services (HHS), http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (as of July 3rd 2012)
• Theft, 52%
• Unauthorized Access/Disclosure, 22%
• Loss, 15%
• Hacking/IT Incident, 6%
• Improper Disposal, 5%

Slide 16 (chart): TYPE OF BREACHES IN TEXAS
Source: Department of Health and Human Services (HHS), http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (as of July 3rd 2012)
• Theft, 64%
• Improper Disposal, 11%
• Loss, 8%
• Unauthorized Access/Disclosure, 8%
• Hacking/IT Incident, 6%
• Unknown, 3%

Slide 17 (chart): LOCATION OF BREACHES ACROSS USA
Source: Department of Health and Human Services (HHS), http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (as of July 3rd 2012)
• Laptop, 27%
• Paper, 27%
• Other Portable Electronic Device, 15%
• Computer, 15%
• Network Server, 10%
• Other, 6%

Slide 18 (chart): LOCATION OF BREACHES IN TEXAS
Source: Department of Health and Human Services (HHS), http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (as of July 3rd 2012)
• Laptop, 30%
• Network Server, 16%
• Other Portable Electronic Device, 16%
• Paper, 16%
• Computer, 11%
• Electronic Medical Record, 3%
• E-mail, 3%
• Other, 3%
• Other (X-ray films), 3%
Slide 19: CASE STUDY 1 - ALASKA DEPARTMENT OF HEALTH AND SOCIAL SERVICES (DHSS)
• June 2012: Alaska DHSS settles HIPAA security case for $1,700,000.
• A portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee.
• HHS concluded that the Alaska Medicaid office did not have sufficient policies and procedures to protect patient information.
• The state health department had not completed a risk analysis for patient data,
• had NOT instituted security training for state workers, and
• had NOT implemented the data encryption efforts that are required by HIPAA.
http://www.hhs.gov/news/press/2012pres/06/20120626a.html

Slide 20: CASE STUDY 2 - PHOENIX CARDIAC SURGERY (5 PHYSICIAN PRACTICE)
• April 2012: Phoenix Cardiac Surgery settles with HHS for $100,000.
• Posted clinical and surgical appointments for its patients containing PHI on an Internet-based calendar that was publicly accessible.
• The HHS investigation also revealed the following issues:
  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
http://www.hhs.gov/news/press/2012pres/04/20120417a.html

Slide 21: CASE STUDY 3 - CRIMINAL PROCEEDINGS
• "Seattle Man Pleads Guilty in First Ever Conviction for HIPAA Rules Violation," August 19, 2004.
• Richard Gibson, an employee at the Seattle Cancer Care Alliance, obtained a cancer patient's name, DOB and SSN and got credit cards in patients' names.
• $9,000 for jewelry, home improvements, etc.
• Got the maximum sentence: 16 months in prison.
Slide 22: WHAT CAN WE LEARN?
• You won't escape the notice of the HHS just because you are a small practice. Every practice, hospital, facility, healthcare entity and anyone that has access to Protected Health Information (PHI) must be compliant with the HIPAA Privacy and Security Rules.
• Patients are paying attention and want their information protected! Patients will not hesitate to report a practice if they feel their privacy is being breached. Let your patients know that you take their privacy seriously and what you are doing in your entity to protect their privacy.
http://www.managemypractice.com/what-can-we-learn-about-hipaa-from-phoenix-cardiac-surgery/

Slide 23: WHAT CAN WE LEARN (CONTINUED)?
• Physicians are not exempt from responsibility. Physicians may not want to use the hospital or practice network email; they may want to use their personal Gmail, Yahoo, Hotmail or AOL account for office business, but it is easy to forget and use personal email to hand off patients, discuss appointments and ask for refill approvals. Non-secured email services are NOT the right way to send any patient information.
• Understand your technology. This is why the risk assessment is so important: you must identify any process or technology you are currently using that has the potential for PHI to be accessed inappropriately. Understand and mitigate your risk!
http://www.managemypractice.com/what-can-we-learn-about-hipaa-from-phoenix-cardiac-surgery/

Slide 24: WHAT CAN YOU DO? SHORT HITECH-HIPAA CHECKLIST:
• Put together a breach notification policy.
• A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is required by law to be performed by every Covered Entity and Business Associate.
• Find all your existing business associate agreements and update them.
• Educate your staff about HITECH and document the trainings.
• Encrypt if you can, or at least where you can.
• Monitor DHHS activities for the publication of additional guidance and proposed regulations.
This is also a good time to review all your HIPAA policies and re-educate your staff. The rules have changed, and the risks are much, much higher.

Slide 25: RESOURCES
• Risk Assessment Basics from HIMSS: www.himss.org/asp/ContentRedirector.asp?ContentID=76250
• Tools and methods available for risk analysis and risk management: http://www.hhs.gov/ocr/hipaa
• 45 CFR Parts 160 and 164, Breach Notification for Unsecured Protected Health Information; Interim Final Rule, Health and Human Services (HHS), August 2009: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
• HIPAA information webpage: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
• http://www.linkedin.com/groups/All-Things-HITECH-3873240

Slide 26: QUESTIONS