HIPAA in the Era of EHR - MO Dept HSS

  1. HIPAA in the Era of EHR
     Rural Hospital Health Information Technology Conference
     May 27, 2010
     Stacy Harper, JD, MHSA, CPC
     Forbes Law Group, LLC
     (913) 341 - 8619
     sharper@forbeslawgroup.com

  2. Overview
     - Summary of HIPAA to Date
     - Impact of EMR Implementation
     - Considerations with EHR

  3. Summary of HIPAA To Date
     - Administrative Simplification
     - Privacy
     - Security
     - HITECH

  4. HIPAA Administrative Simplification
     - Standardized Electronic Transactions and Code Sets
     - Unique Identifier for Employers
     - Unique Identifier for Providers
     - Unique Identifier for Health Plans

  5. HIPAA Privacy
     - April 14, 2003
     - Applies to all Protected Health Information
     - Included requirements for:
       - Safeguards
       - Notice of Privacy Practices
       - Use and Disclosure of Protected Health Information
       - Patient Rights
       - Business Associates
       - Other General Requirements

  6. HIPAA Security
     - April 14, 2005
     - Applies to Electronic Protected Health Information (EPHI)
     - Included requirements related to:
       - Safeguards and protection of EPHI
       - Device and Media Controls
       - Contingency and Back Up Plan
       - Individual Access to Information
       - Information System Activity Review

  7. HIPAA HITECH
     - February 17, 2010 (with few exceptions)
     - Applies to all protected health information
     - Privacy and Security Provisions now apply to Business Associates
     - Breach is Distinguished from a Violation
     - Requirements of Notice of Breach
     - Disclosures of Information to Payors
     - Electronic Health Record Accounting and Access
     - New Penalties
     - Enforcement by State Attorney General
     - Guidance from HHS

  8. HITECH - Definition of Breach
     "An unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information."
     - Exceptions
     - Clarifications from HHS

  9. Determination of Breach
     - Step 1: Was the Information Secure?

  10. HITECH - Methods of Rendering PHI Unusable
     - Approved Methods:
       - Encryption
       - Destruction
     - But NOT:
       - Access Controls
       - Redaction
       - Limited Data Set

  11. Determination of Breach
     - Step 1: Was the Information Secure?
     - Step 2: Do One of the Exclusions Apply?

  12. Exclusions to Breach
     - Workforce Use - Unintentional acquisition, access or use of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
     - Workforce Disclosure - Unintentional disclosure of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
     - No Way to Retain Info - Unauthorized disclosure to which the CE or BA has a good faith belief that the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain the information.

  13. Determination of Breach
     - Step 1: Was the Information Secure?
     - Step 2: Do One of the Exclusions Apply?
     - Step 3: Does the Use/Disclosure Pose a Significant Risk to the Individual?

  14. Guidance for Significant Risk
     - Covered Entity to Covered Entity - Inadvertent disclosure of PHI from one covered entity or BA employee to another similarly situated covered entity or BA employee, provided that the PHI is not further used or disclosed in any manner that violates the Privacy Rule.
     - Immediate Steps to Mitigate - Were immediate steps taken to mitigate the harm, including return or destruction of the information and a written confidentiality agreement?
     - Types of Information Included - Was the information disclosed limited to the name of the individual or a limited data set?

  15. HITECH - Notice of Breach
     - Effective 9/23/09, but HHS will not impose sanctions until 2/22/10
     - Business Associate must notify Covered Entity of breach, including individuals whose information was included in the breach
     - Covered Entity has 60 days from the day discovered to notify the individual of a breach
     - Day discovered is the date when the provider knew or could have known through reasonable diligence
     - Increases the importance of a system to check for breaches of PHI and track compliance with HIPAA privacy and security regulations

  16. HITECH - Notice of Breach
     Notice of Breach must include:
     - A description of what happened, including the date of breach and date of discovery
     - A description of the types of PHI involved
     - Steps the individual should take to protect themselves
     - Steps taken by the provider to investigate, mitigate, and protect against further disclosure
     - Contact information for questions, including a toll-free telephone number, e-mail address, website, or postal address

  17. HITECH - Notice of Breach
     Notice must be provided to:
     - Individual
       - In writing to last known address
     - Website
       - If the provider does not have current contact information on more than 10 patients involved
     - Media
       - If breach affected more than 500 patients in one state or jurisdiction
     - Secretary of HHS
       - Within 60 days if more than 500 people affected
       - Annual report of breaches affecting less than 500 people

  18. Impact of EMR Implementation
     - HIPAA Security Now Applies to Medical Records
     - Increased Risk of Breach
     - Importance of Monitoring
     - Implementation and IT Considerations

  19. EMR and HIPAA Security
     - Safeguards and protection of EPHI
       - Perform a New Risk Assessment
       - Physical Access to EPHI
       - Encryption and Decryption of Data
       - Tracking of Changes and Maintaining Integrity
       - Remote Access
     - Device and Media Control
       - Use, Re-use, and Destruction
       - New Concerns re: Copiers and Scan to E-mail

  20. EMR and HIPAA Security
     - Contingency and Back Up Plan
       - New criticality analysis
       - Redundancy and Back-Up Systems
       - Emergency Mode and Recovery Operations
     - Individual Access to Information
       - Determination of Access Levels
       - Granting, Modifying or Terminating Authority
       - Protection of User Names and Passwords
       - Automatic Log Off

  21. EMR and HIPAA Security
     - Information System Activity Review
       - Review of log on attempts
       - Audit logs
       - Access reports
       - Security incidents
       - Other system activity

  22. Increased Risk of Breach
     - More methods of access
     - Records more likely to leave the facility
     - Increased transferability of information
     - More interest in the information
     - Greater impact if a breach occurs

  23. Type of Entity with Breach over 500 (chart)

  24. Method of Breach (chart)

  25. Location of Breach (chart)

  26. Importance of Monitoring
     - Notice from the date you knew or should have known of the breach
     - Increased penalties and scrutiny
     - Failure to monitor can result in increased liability
     - Renew the training for your staff and get them involved

  27. Implementation and IT Considerations
     - Incorporate the HIPAA discussion into your implementation plan
     - Consider "upgrading" some of the hardware and other software options to improve encryption and security
     - Security programs for handheld devices

  28. Considerations with EHR
     - Created Framework for Communication
     - Opt-In versus Opt-Out
     - Specificity of Patient Consent
     - Who is responsible for Security
     - Modification of State privacy laws
     - Current focus is at the state level
     - Future amendments to HIPAA to encourage sharing of information?

  29. Questions??
     Stacy Harper, JD, MHSA, CPC
     Forbes Law Group, LLC
     10740 Nall Avenue, Suite 330
     Overland Park, KS 66211
     (913) 641-8619
     sharper@forbeslawgroup.com
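Slide 21 lists what an Information System Activity Review covers (log-on attempts, audit logs, access reports, security incidents), and slide 15 notes that the 60-day notice clock starts when a breach could have been discovered through reasonable diligence, which is why routine log review matters. The script below is an added example, not material from the presentation or from any EHR vendor: it reads a constructed, pipe-delimited EHR audit log (the format, user names, workstation IDs and patient IDs are all invented for this example), counts failed log-on attempts per user against a review threshold, builds a per-user access report of which patient records were viewed or exported, and lists record exports separately because information that leaves the system deserves a closer look.

```python
"""Information system activity review over a constructed EHR audit log.

Added example for the HIPAA Security Rule review items on slide 21.
The log format (timestamp|user|event|key=value,...) is invented here;
real EHR products each emit their own audit format.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: one event per line, fields separated by "|".
SAMPLE_LOG = """\
2010-05-01T08:02:11|jdoe|LOGIN_OK|workstation=WS-12
2010-05-01T08:05:40|jdoe|RECORD_VIEW|patient=P1001
2010-05-01T08:06:02|jdoe|RECORD_VIEW|patient=P1002
2010-05-01T09:15:00|msmith|LOGIN_FAIL|workstation=WS-07
2010-05-01T09:15:20|msmith|LOGIN_FAIL|workstation=WS-07
2010-05-01T09:15:45|msmith|LOGIN_FAIL|workstation=WS-07
2010-05-01T09:16:10|msmith|LOGIN_FAIL|workstation=WS-07
2010-05-01T09:16:30|msmith|LOGIN_FAIL|workstation=WS-07
2010-05-01T10:30:00|rlee|LOGIN_OK|workstation=WS-03
2010-05-01T10:31:12|rlee|RECORD_VIEW|patient=P1001
2010-05-01T10:40:00|rlee|RECORD_EXPORT|patient=P1001
2010-05-01T11:00:00|rlee|RECORD_VIEW|patient=P1002
2010-05-01T11:02:00|rlee|RECORD_VIEW|patient=P1003
2010-05-01T18:20:00|jdoe|LOGOFF_AUTO|idle_minutes=15
"""


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    event: str
    detail: dict


def parse_log(text):
    """Parse the constructed log format into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        kv = dict(item.split("=", 1) for item in detail.split(",") if item)
        events.append(AuditEvent(datetime.fromisoformat(ts), user, event, kv))
    return events


def failed_logons(events, threshold=3):
    """Review of log-on attempts: users at or above the failed-logon threshold."""
    counts = Counter(e.user for e in events if e.event == "LOGIN_FAIL")
    return {user: n for user, n in counts.items() if n >= threshold}


def access_report(events):
    """Access report: for each user, the sorted patient records viewed or exported."""
    report = defaultdict(set)
    for e in events:
        if e.event in ("RECORD_VIEW", "RECORD_EXPORT"):
            report[e.user].add(e.detail["patient"])
    return {user: sorted(patients) for user, patients in report.items()}


def exports(events):
    """Record exports, listed separately: this is PHI leaving the system."""
    return [(e.user, e.detail["patient"]) for e in events if e.event == "RECORD_EXPORT"]


def review(text, threshold=3):
    """Run the three review items over a log and return them as one report."""
    events = parse_log(text)
    return {
        "failed_logons": failed_logons(events, threshold),
        "access_report": access_report(events),
        "exports": exports(events),
    }


if __name__ == "__main__":
    for section, body in review(SAMPLE_LOG).items():
        print(f"{section}: {body}")
```

On the sample data the review flags `msmith` for five failed log-ons, shows `rlee` touching three patient records and exporting one, and leaves a record that `jdoe`'s session ended by automatic log-off (slide 20). The threshold is a parameter because the right value depends on the facility's own policy, and the report is returned as data rather than printed so it can be filed with the other compliance tracking the deck recommends.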