Transcript of "2010 Hipaa Rules 011310"

  1. HIPAA Privacy and Security
     New HITECH Act Requirements for 2010
     Jan 13, 2010 | 1:00-2:15 pm Central
     © 2009 Open Health IT Exchange. All rights reserved. | 011310 | Slide 1 of 29
  2. Speakers
     • Colleen Sauter, Moderator, Administrator, OHITX
     • Grant Peterson, J.D., DGPeterson, LLC, HIPAA Privacy and Security Consulting
  3. Grant Peterson, J.D.
     • Grant provides personal compliance consulting to healthcare organizations, with services including compliance strategies, HIPAA audits and Privacy Officer outsourcing to meet short and long-term needs.
     • In 2001, he developed a Web-based compliance program to deliver HIPAA training and tools in versions designed specifically for medical clinics, long-term care facilities and business associates.
     • Grant has more than 25 years of experience creating and managing several professional service firms specializing in the design, development and integration of regulatory and technology-based programs for insurance, banking and healthcare.
     • Grant holds a B.S. degree in Public Administration from Minnesota State University, and a Juris Doctor (J.D.) law degree from Hamline University School of Law.
  4. Agenda
     • Welcome
     • Program Notes
     • HITECH Act
       – New Privacy & Security Requirements
       – Comments on delayed FTC Red Flags Rule
     • Resources
     • Q&A
  5. HIPAA Overview
     HIPAA History and Timeline
     HIPAA Privacy Rule       April 2003
     HIPAA Security Rule      April 2005
     HIPSA (Senate Bill)      July 2007
     HITECH Act               February 2009
  6. HITECH Act – H. R. 1-146
     Part 1 - Improved Privacy and Security Provision
     13401  Application of Security Provisions and Penalties to Business Associates + HHS Annual Guidance
     13402  Notification in the Case of Breach
     13403  Education on Health Information Privacy
     13404  Application of Privacy Provisions to Business Associates of Covered Entities
     13405  Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format
  7. HITECH Act – H. R. 1-146 cont.
     Part 1 cont. - Improved Privacy and Security Provision
     13406  Conditions on Certain Contacts as Part of Health Care Operations
     13407  Temporary Breach Notification for Vendors of PHR and other Non-HIPAA Covered Entities
     13408  Business Associate Contracts Required for Certain Entities
     13409  Clarification of Application of Wrongful Disclosures Criminal Penalties
     13410  Improved Enforcement
     13411  Audits
  8. Business Associates – Section 13401
     Application of Security Provisions and Penalties to Business Associates + HHS Annual Guidance
     • §164.308 Administrative Safeguards (Security Rule)
     • §164.310 Physical Safeguards (Security Rule)
     • §164.312 Technical Safeguards (Security Rule)
     • §164.316 Policies and Procedures and Documentation Requirements (Security Rule)
     RESOURCE/ HIPAA Administrative Simplification
     • Application of Civil and Criminal Penalties, Sections 1176 and 1177 of the Social Security Act
     RESOURCE/ Application of Civil and Criminal Penalties
     • HHS Annual Guidance on Most Effective and Appropriate Technical Safeguards in Carrying Out the Above
  9. Data Breach Notification – Section 13402
     Definition of Breach
     • Is defined in the Act as "the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information."
     • Exceptions include: the unauthorized acquisition, access, or use of PHI is unintentional, or such acquisition, access, or use was made in good faith and such information is not further acquired, accessed, used, or disclosed.
     • The risk of harm standard requires that a Covered Entity undertake some form of risk assessment in the event of a breach and, based upon the assessment, determine in good faith whether it is necessary to notify the individual of the breach.
     RESOURCE/ HIPAA Breach Notification
  10. Breach Notification – Section 13402 cont.
      Breach of "Unsecured" Protected Health Information
      • Section 13402(h) of the Act defines "unsecured protected health information" to mean protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance.
      • According to HHS, the specified technologies and methodologies "create the functional equivalent of a safe harbor."
      • HHS explains what is secured through the use of a technology or methodology: "In consultation with information security experts at NIST, we have identified two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals:
        1. encryption
        2. destruction"
  11. Breach Notification – Section 13402 cont.
      Following the discovery of a breach of unsecured PHI
      • A covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, inappropriately accessed, acquired, or disclosed in the breach [section 13402(a)].
      • Additionally, following the discovery of a breach by a business associate, the business associate must notify the covered entity of the breach and identify for the covered entity the individuals whose unsecured PHI has been, or is reasonably believed to have been, breached [section 13402(b)].
      • The Act requires the notifications to be made without unreasonable delay but in no case later than 60 calendar days after discovery of the breach.
  12. Breach Notification – Section 13402 cont.
      Notice Following the discovery of a breach
      • The notice shall be made in writing, except under circumstances where the Covered Entity does not have the correct contact information for the affected individual, or where there is particular urgency to the notification. The notice to affected individuals must contain the following 5 elements:
        1. A brief description of what occurred with respect to the breach, including, to the extent known, the date of the breach and the date on which the breach was discovered;
        2. A description of the types of unsecured PHI that were disclosed during the breach;
        3. A description of the steps the affected individual should take in order to protect himself or herself from potential harm caused by the breach;
        4. A description of what the Covered Entity is doing to investigate and mitigate the breach and to prevent future breaches; and
        5. Instructions for the individual to contact the Covered Entity.
  13. Education – Section 13403
      Education on Health Information Privacy
      • Regional Office Privacy Advisors and Education Initiative
      • Guidance and Education to covered entities, business associates and individuals on rights and responsibilities related to federal privacy and security requirements for protected health information
  14. Business Associate – Section 13404
      Application of Privacy Provisions to Business Associates of Covered Entities
      • Section 13404 of the Act requires HIPAA business associates to comply with 45 CFR § 164.504(e), which sets forth the privacy terms required in HIPAA business associate agreements. While these contract obligations have always been enforceable by covered entities, they are now enforceable by the government through HIPAA. Business associates also are required to comply with the additional privacy requirements imposed by the Act described below.
      • Business associates must take reasonable steps to cure a breach of, or terminate, a Business Associate Agreement if they become aware of a pattern of activity or practice by a covered entity that violates the agreement. If a business associate fails to take reasonable steps to cure the breach, terminate the agreement, or report the problem to HHS, then the business associate may be liable for civil and/or criminal penalties under the Act.
      RESOURCE/ Sample Business Associate Agreement (BAA)
  15. Restrictions, Accounting, Access – Section 13405
      Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format
      • 13405(a) A covered entity must comply with the requested restriction if the disclosure would be to a health plan for purposes of carrying out payment or health care operations, but not for treatment, and the PHI pertains solely to a health care item or service for which the health care provider involved has been fully paid by the patient.
      • 13405(b) Disclosures limited to the Limited Data Set or Minimum Necessary. The Act requires the Covered Entity to make the determination of Minimum Necessary, rather than relying on others.
      • Section 13405(c) of the Act provides that disclosures made through an EHR for treatment, payment and health care operations purposes must be included in the accounting, but information is limited to three years of disclosure information (rather than six).
  16. Restrictions, Accounting, Access – Section 13405 cont.
      Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format
      • Section 13405(d) of the Act now prohibits indirect and direct remuneration for a disclosure of PHI without the individual's authorization. The authorization document must also explain whether PHI can be further exchanged for remuneration by the downstream entity receiving the PHI. The statute contains several exceptions where a covered entity is still permitted to receive remuneration for disclosures, such as public health, research, treatment, sale or merger of a CE, to a business associate for work functions, to an individual who requests copies of their PHI, etc.
      • Section 13405(e) In the case that the CE uses or maintains an EHR, individuals have the right to obtain a copy in electronic format.
  17. Marketing – Section 13406
      Conditions on Certain Contacts as Part of Health Care Operations
      • Section 13406(a): communications which are deemed part of health care operations and excluded from the definition of marketing as contained in 164.501(1)(i), (ii) or (iii) are now limited to those communications for which the covered entity has not been paid directly or indirectly, unless the communication involves a drug or biologic currently being prescribed. Otherwise, an authorization from the individual is needed.
      • Section 13406(b): All fund-raising communications must provide for the opportunity to opt out of receiving further communications.
  18. Temporary Breach Notification – Section 13407
      Temporary Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities
      • The HITECH Act includes two sets of new breach notification requirements. Section 13402 (previously discussed) of the HITECH Act requires HIPAA covered entities to notify individuals if there has been a breach involving their "unsecured PHI." Section 13407 of the HITECH Act includes breach notification requirements for vendors of personal health records (PHR) and related entities that are not subject to the HIPAA requirements and therefore not covered by the Section 13402 requirements.
      • Federal Trade Commission, Health Breach Notification Rule, 16 CFR Part 318 was created pursuant to HITECH Act Section 13407(g). The rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.
      RESOURCE/ HIPAA Breach Notification
  19. Business Associate Contracts – Section 13408
      Business Associate Contracts Required for Certain Entities
      • Section 13408 of the Act identifies additional entities that are to be considered business associates and with whom covered entities must have written agreements (or other arrangement). These are organizations that transmit protected health information to the covered entity (or its business associates), such as a Health Information Exchange Organization, a Regional Health Information Organization or an E-prescribing Gateway, and each vendor that contracts with a Covered Entity to offer a Personal Health Record as part of its EHR. Each such entity is required to enter into a written contract and shall be treated as a business associate.
  20. Wrongful Disclosures – Section 13409
      Clarification of Application of Wrongful Disclosures Criminal Penalties
      • Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the end the following new sentence: "For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization." This provision clarifies that an individual does not need to be a HIPAA covered entity to be subject to the criminal penalties in 42 U.S.C. § 1320d-6(a).
      • The base penalty is a $50,000 fine, imprisonment for not more than one year, or both. For offenses committed under false pretenses, the fine is not more than $100,000, imprisonment for not more than five years, or both. And if the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the fine is not more than $250,000, imprisonment for not more than 10 years, or both.
  21. Improved Enforcement – Section 13410
      Improved Enforcement
      • Section 13410 makes a variety of changes to the civil penalty provisions. First, the Act adds that noncompliance for willful neglect requires HHS to formally investigate a complaint and to impose a civil penalty. HHS is required to implement regulations, and these statutory amendments will be effective in 24 months.
      • The section also requires civil penalties collected for privacy or security violations to go to the HHS Office for Civil Rights to fund enforcement. The Government Accountability Office is also directed to issue a report on sharing a percentage of these penalties with individuals who are harmed, and HHS is directed to issue regulations within three years.
      • State Attorneys General may bring a civil action to enjoin privacy or security violations or obtain damages on behalf of state residents for such violations.
  22. Improved Enforcement – Section 13410 cont.
      Enhanced Enforcement Options and Increased Penalties for Non-Compliance
      • The Act also increases the amount of civil penalties from the present $100 per violation (up to $25,000 per identical violation), to the following tiered civil penalties:
        1. If the person did not know (and by exercising reasonable diligence would not have known) that such person violated a provision, the civil penalty is between $100 - $50,000 for each violation, up to a total of $25,000-$1,500,000 for all violations of an identical requirement;
        2. If the violation was due to reasonable cause and not to willful neglect, the civil penalty is between $1,000 - $50,000 for each violation, up to a total of $100,000-$1,500,000 for all violations of an identical requirement;
        3. If the violation was due to willful neglect, the civil penalty is between $10,000 - $50,000 for each violation, up to a total of $250,000-$1,500,000 for all violations of an identical requirement, if the violation was corrected during the 30 day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.
        4. If the violation is not corrected within 30 days, the penalties increase to $50,000 for each violation, up to a total of $1,500,000 for all violations of an identical requirement.
  23. Audits – Section 13411 cont.
      Audits
      • Section 13411 requires the Secretary of HHS to conduct periodic audits to ensure that covered entities and business associates are in compliance with HIPAA. Covered entities and business associates should prepare for audits to begin no later than February 17, 2010 for all HIPAA requirements.
  24. FTC Red Flags Rule
      Red Flag Rule
      • The Identity Theft Red Flags Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft.
      • Health care providers who periodically allow patients to pay for medical services over time through a series of payments should have written policies that identify the "red flags" or indicators of possible identity theft they may come across in the course of business, establish procedures to detect those red flags and to respond appropriately to mitigate and prevent harm, and develop procedures for training staff and keeping applicable policies current. Health care providers should also have procedures in place to ensure that their vendors are in compliance with the Red Flag Rules, by amending existing business associate agreements or asking for copies of the vendors' Red Flag policies.
      • The Federal Trade Commission is delaying enforcement of the "Red Flags" Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.
      RESOURCE/ Red Flag Rule
  25. HIPAA Privacy and Security Assessment
      Framework for Managing Risk
      • PHI, ePHI, Patient, Organization, Vendors
      • Methodical, repeatable, risk-based approach to implementing effective risk management
      • Life cycle that facilitates continuous monitoring and improvement
      • Purpose and scope
      • Applicability
      • Audience
      • How and why to use assessment
      RESOURCES/ CMS Security Audit
  26. Next Steps
      Task (with a "Completed" column to tick off)
      • Amend Business Associate Agreements:
        – New Obligations
        – Red Flags Rule
      • Create Policies & Procedures to Address Notification of Breach
      • Create Policies & Procedures to Address:
        – Disclosures and Sales of Health Information
        – Accounting of PHI
        – Disclosures and Access of Certain Information in Electronic Format
      • Amend Marketing Policies & Procedures, Review Communications, Need for Authorization and Fund Raising Opt-Out
      • Review Health Breach Notification, Create Policies & Procedures as Required
      • Create Policy & Procedures on Wrongful Disclosures
      • Develop Training & Awareness Campaign to Address HITECH Act
      • Consider Framework to Manage HIPAA Compliance
      RESOURCES/ Standards Checklist and 2010 New Guidelines
  27. Q&A
  28. Thank You!
      For more information on OHITX or today's session, please contact Colleen Sauter csauter@ohitx.org.
      To access the resource section, please click here:
  29. Disclaimer
      This Webinar IS NOT Legal Advice
      • These materials should not be considered as, or as a substitute for, legal advice and they are not intended to, nor do they, create an attorney-client relationship. Because the materials included here are general, they may not apply to a particular individual legal or factual circumstance.
      • The reader should not take, or refrain from taking, any action based on the information contained herein without first obtaining professional counsel.
      • The views expressed herein do not necessarily reflect the views of OHITX.