• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
American Recovery and Reinvestment Act of 2009

American Recovery and Reinvestment Act of 2009






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    American Recovery and Reinvestment Act of 2009 American Recovery and Reinvestment Act of 2009 Presentation Transcript

    • American Recovery and Reinvestment Act of 2009 Changes to HIPAA and the Impact to YOU
    • American Recovery and Reinvestment Act of 2009 (ARRA)
      • The goal: to stimulate the US economy, but impacts go beyond economic/financial arenas
      • Privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are expanded:
        • HIPAA regulations apply to business associates
        • Breach notification requirements
        • Regional privacy advisors and education campaign
        • Improved enforcement
    • Today’s Objectives
      • To make members of the UAB/UABHS workforce aware of new HIPAA regulations or changes in current HIPAA regulations with regard to the following:
        • Breach and Breach Notification
        • Enforcement
        • Business Associate Agreements
    • First Federal Definition of Breach
      • Breach:
        • The unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the information
        • Exceptions:
          • Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity
          • Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity to another person authorized to access protected health information at the covered entity
          • Unauthorized disclosures in which an unauthorized person to whom protected health information is disclosed would not reasonably have been able to retain the information
    • What constitutes a breach?
      • A breach could result from
        • Failing to log off when leaving a workstation
        • Unauthorized access to PHI
        • Sharing confidential information, including passwords
        • Having patient-related conversations in public settings
        • Improper disposal of confidential materials in any form
        • Copying or removing PHI/ePHI from the appropriate area
      • Why?
        • Curiosity
        • Laziness
        • Compassion
        • Greed or malicious intent
    • So…
      • Bill, a billing employee, receives and opens an email containing PHI which a nurse, Nancy, mistakenly sent to Bill. Bill notices that he is not the intended recipient, alerts Nancy to the misdirected email, and deletes it. Bill unintentionally accessed PHI that he was not authorized to access. However, he opened the email within the scope of his job for the covered entity. He did not further use or disclose the PHI. Was this a breach of PHI?
    • And the answer is…
      • No. This was not a breach of PHI as long as Bill did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.
    • What about…
      • Rhonda is a receptionist for a covered entity, and, due to her work responsibilities, she is not authorized to access PHI. Rhonda decides to look through patient files to learn about a friend’s last visit to the doctor. Does Rhonda’s action constitute a breach?
    • The answer is…
      • Yes. Rhonda accessed PHI without a work-related need to know. This access was not unintentional, done in good faith, or within the scope of her job for the covered entity.
    • How about this? How about this?
    • Breach Notification
      • If it is determined that a breach of PHI occurred, then the covered entity must notify the affected individual (or next of kin) as soon as possible but not later than 60 days from discovering the breach.
        • First class letter (or email if appropriate) detailing the breach
        • Add to breach log maintained and submitted annually to the Department of Health and Human Services to be posted on their website
        • If more than 500 individuals are affected additional requirements include
          • Immediate notification of the Department of Health and Human Services to post on their website
          • Notify major media outlets in covered entity area
          • Post on covered entity website home page for 90 days
    • Breach Notification
      • September 23, 2009: Breach notification regulations take effect
      • February 22, 2010: Department of Health and Human Services (HHS) begins enforcement of the rule.
    • Breach Notification Process at UAB/UABHS
      • The UAB/UABHS Privacy Office is responsible for overseeing and/or managing the breach investigation and notification processes.
        • Privacy Complaints and Suspected Breach Response Procedures
          • The Covered Entity’s Entity Privacy Coordinator (EPC) will notify Privacy Officer (PO) and lead the preliminary investigation.
          • EPCs will provide PO with all necessary documentation.
        • Breach Notification Procedures
          • PO will notify appropriate UAB/UABHS officials.
          • PO and Legal, with UAB HIPAA Security Officer, will determine risks and actions to be taken.
          • EPC and the Covered Entity will notify patients as directed by PO and Legal.
    • Breach Notification Process at UAB/UABHS
      • Step by step procedures provided to EPCs
      • Although each breach will be considered on a case-by-case basis, templates for notification letters and media press releases available
      • Assistance for posting to UAB/UABHS website provided
      • Procedure for establishing a toll-free call-in number for affected individuals available
      • Credit monitoring services may be offered to impacted individuals.
      • Department in which breach occurs will be responsible for cost of patient notification, credit monitoring and other associated costs.
    • Enhanced Enforcements
      • ARRA provides that the HIPAA criminal and civil fines and penalties can be enforced against INDIVIDUALS as well as covered entities who obtain or disclose PHI without authorization.
      • State attorneys general can pursue civil cases against INDIVIDUALS who violate the HIPAA privacy and security regulations.
      • Four tiers of civil monetary penalties available to HHS:
        • Civil monetary penalties include fines from $100 per violation up to $1.5 million for a series of identical violations during a calendar year
      • Criminal penalties for “wrongful disclosure” continue which include both large fines of $50,000 to $250,000 and up to 10 years in prison
    • A Breach has Many Risks
      • Risks to Individual whose PHI is compromised:
        • Embarrassment, misuse of personal data, victim of fraud or scams, identity theft
      • Risks to Employee:
        • Loss of data, time, funding, reputation; embarrassment; disciplinary action up to and including termination; fines; penalties; prosecution
      • Risks to the Institution:
        • Loss of information and equipment, trust of constituencies, reputation, future grant awards; negative publicity; penalties; fines; litigation
      • Risks to Research:
        • Loss of data or data integrity, funding in jeopardy
    • Any Good News?
      • ARRA further identified the information to which the breach notification provisions apply. It defined “unsecured protected health information” as PHI that is not secured through the use of a technology or methodology that renders it unusable, unreadable, or indecipherable and that is developed or endorse by the American National Standards Institute.
      • Therefore, for breaches involving the misuse, loss, or inappropriate disclosure of paper or electronic data, there are some “home free” methods under which the loss would indicate no harm done:
        • Paper=secured by use of crosscut shredder (destroyed)
        • Electronic data=encrypted data files and/or transmissions
    • A Coordinated Effort
      • When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together
        • immediately
        • cooperatively
        • efficiently
        • carefully
        • confidentially
    • Reminders
      • Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding.
      • Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must be cleaned or sanitized before reallocating or destroying.
      • “ Sanitize” means to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media.
      • If media are to be destroyed, then once they are sanitized, place them in specially marked secure containers for destruction.
        • NOTES: Deleting a file does not actually remove the data from the media.
      • Formatting does not constitute sanitizing the media.
      • Contact your information systems representative for assistance with sanitization and destruction methods.
    • More Reminders
      • Store sensitive and confidential information securely in a directory on a secure network file server. Information stored on the hard drive (C: drive) of a computer or portable computing device (PCD) can be lost or compromised. PCDs include handheld, notebook, and laptop computers, personal digital assistants (PDAs), and portable memory devices such as flash disks, thumb drives, jump drives, etc.
      • Use of PCDs for ePHI must be approved by senior management.
      • PCDs must be inventoried and maintain appropriate security protection. PCDs used for PHI must be encrypted. Ask your information systems representative for help securing PCDs.
    • Your Responsibility
      • If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please let someone know immediately. It is much better to investigate and discover no breach than to wait and later discover that something DID happen. The 60-day clock of notifying affected individuals begins when the breach SHOULD have been discovered.
      • Continue to be mindful of HIPAA privacy and security regulations, and practice the provisions of the UAB/UABHS privacy and security core standards. Additionally, the basic HIPAA training is always available for review on the UAB/UABHS HIPAA website at http://www.hipaa.uab.edu/pdffiles/UABHS_HIPAA_training_08_2009.pdf
      • Refer to the UAB/UABHS Information Security Handbook at www.hipaa.uab.edu/pdffiles/Information_Security_Handbook_03_2009.pdf
    • Business Associate Agreements (BAAs)
      • Review: A BAA is required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which will involve the use or disclosure of the covered entity’s PHI.
      • Make sure your department has BAAs for vendors that access our PHI.
      • The UAB/UABHS BAA is being revised and will be available for use beginning October 1, 2009.
      • At this time, current BAAs will not have to be replaced with the new format; however, that could change depending upon additional guidance from the Department of Health and Human Services.
      • Biggest change: Entities must maintain a list of all active BAAs and copies of the fully executed BAAs.
    • Additional Communications
      • The American Recovery and Reinvestment Act of 2009 (ARRA) brought with it major impacts to the HIPAA privacy and security regulations. These changes do not occur over a period of several years as was experienced with the enforcement of HIPAA.
      • This update provides the most immediate changes to HIPAA compliance.
      • Additional guidance is expected from the Department of Health and Human Services.
      • Other meetings, announcements, trainings, and awareness activities are most probable.
      • So, until next time…
      • Thank you!