American Recovery and Reinvestment Act of 2009Presentation Transcript
American Recovery and Reinvestment Act of 2009 Changes to HIPAA and the Impact to YOU
American Recovery and Reinvestment Act of 2009 (ARRA)
The goal: to stimulate the US economy, but impacts go beyond economic/financial arenas
Privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are expanded:
HIPAA regulations apply to business associates
Breach notification requirements
Regional privacy advisors and education campaign
To make members of the UAB/UABHS workforce aware of new HIPAA regulations or changes in current HIPAA regulations with regard to the following:
Breach and Breach Notification
Business Associate Agreements
First Federal Definition of Breach
The unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the information
Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity
Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity to another person authorized to access protected health information at the covered entity
Unauthorized disclosures in which an unauthorized person to whom protected health information is disclosed would not reasonably have been able to retain the information
What constitutes a breach?
A breach could result from
Failing to log off when leaving a workstation
Unauthorized access to PHI
Sharing confidential information, including passwords
Having patient-related conversations in public settings
Improper disposal of confidential materials in any form
Copying or removing PHI/ePHI from the appropriate area
Greed or malicious intent
Bill, a billing employee, receives and opens an email containing PHI which a nurse, Nancy, mistakenly sent to Bill. Bill notices that he is not the intended recipient, alerts Nancy to the misdirected email, and deletes it. Bill unintentionally accessed PHI that he was not authorized to access. However, he opened the email within the scope of his job for the covered entity. He did not further use or disclose the PHI. Was this a breach of PHI?
And the answer is…
No. This was not a breach of PHI as long as Bill did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.
Rhonda is a receptionist for a covered entity, and, due to her work responsibilities, she is not authorized to access PHI. Rhonda decides to look through patient files to learn about a friend’s last visit to the doctor. Does Rhonda’s action constitute a breach?
The answer is…
Yes. Rhonda accessed PHI without a work-related need to know. This access was not unintentional, done in good faith, or within the scope of her job for the covered entity.
How about this? How about this?
If it is determined that a breach of PHI occurred, then the covered entity must notify the affected individual (or next of kin) as soon as possible but not later than 60 days from discovering the breach.
First class letter (or email if appropriate) detailing the breach
Add to breach log maintained and submitted annually to the Department of Health and Human Services to be posted on their website
If more than 500 individuals are affected additional requirements include
Immediate notification of the Department of Health and Human Services to post on their website
Notify major media outlets in covered entity area
Post on covered entity website home page for 90 days
September 23, 2009: Breach notification regulations take effect
February 22, 2010: Department of Health and Human Services (HHS) begins enforcement of the rule.
Breach Notification Process at UAB/UABHS
The UAB/UABHS Privacy Office is responsible for overseeing and/or managing the breach investigation and notification processes.
Privacy Complaints and Suspected Breach Response Procedures
The Covered Entity’s Entity Privacy Coordinator (EPC) will notify Privacy Officer (PO) and lead the preliminary investigation.
EPCs will provide PO with all necessary documentation.
Breach Notification Procedures
PO will notify appropriate UAB/UABHS officials.
PO and Legal, with UAB HIPAA Security Officer, will determine risks and actions to be taken.
EPC and the Covered Entity will notify patients as directed by PO and Legal.
Breach Notification Process at UAB/UABHS
Step by step procedures provided to EPCs
Although each breach will be considered on a case-by-case basis, templates for notification letters and media press releases available
Assistance for posting to UAB/UABHS website provided
Procedure for establishing a toll-free call-in number for affected individuals available
Credit monitoring services may be offered to impacted individuals.
Department in which breach occurs will be responsible for cost of patient notification, credit monitoring and other associated costs.
ARRA provides that the HIPAA criminal and civil fines and penalties can be enforced against INDIVIDUALS as well as covered entities who obtain or disclose PHI without authorization.
State attorneys general can pursue civil cases against INDIVIDUALS who violate the HIPAA privacy and security regulations.
Four tiers of civil monetary penalties available to HHS:
Civil monetary penalties include fines from $100 per violation up to $1.5 million for a series of identical violations during a calendar year
Criminal penalties for “wrongful disclosure” continue which include both large fines of $50,000 to $250,000 and up to 10 years in prison
A Breach has Many Risks
Risks to Individual whose PHI is compromised:
Embarrassment, misuse of personal data, victim of fraud or scams, identity theft
Risks to Employee:
Loss of data, time, funding, reputation; embarrassment; disciplinary action up to and including termination; fines; penalties; prosecution
Risks to the Institution:
Loss of information and equipment, trust of constituencies, reputation, future grant awards; negative publicity; penalties; fines; litigation
Risks to Research:
Loss of data or data integrity, funding in jeopardy
Any Good News?
ARRA further identified the information to which the breach notification provisions apply. It defined “unsecured protected health information” as PHI that is not secured through the use of a technology or methodology that renders it unusable, unreadable, or indecipherable and that is developed or endorse by the American National Standards Institute.
Therefore, for breaches involving the misuse, loss, or inappropriate disclosure of paper or electronic data, there are some “home free” methods under which the loss would indicate no harm done:
Paper=secured by use of crosscut shredder (destroyed)
Electronic data=encrypted data files and/or transmissions
A Coordinated Effort
When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together
Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding.
Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must be cleaned or sanitized before reallocating or destroying.
“ Sanitize” means to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media.
If media are to be destroyed, then once they are sanitized, place them in specially marked secure containers for destruction.
NOTES: Deleting a file does not actually remove the data from the media.
Formatting does not constitute sanitizing the media.
Contact your information systems representative for assistance with sanitization and destruction methods.
Store sensitive and confidential information securely in a directory on a secure network file server. Information stored on the hard drive (C: drive) of a computer or portable computing device (PCD) can be lost or compromised. PCDs include handheld, notebook, and laptop computers, personal digital assistants (PDAs), and portable memory devices such as flash disks, thumb drives, jump drives, etc.
Use of PCDs for ePHI must be approved by senior management.
PCDs must be inventoried and maintain appropriate security protection. PCDs used for PHI must be encrypted. Ask your information systems representative for help securing PCDs.
If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please let someone know immediately. It is much better to investigate and discover no breach than to wait and later discover that something DID happen. The 60-day clock of notifying affected individuals begins when the breach SHOULD have been discovered.
Continue to be mindful of HIPAA privacy and security regulations, and practice the provisions of the UAB/UABHS privacy and security core standards. Additionally, the basic HIPAA training is always available for review on the UAB/UABHS HIPAA website at http://www.hipaa.uab.edu/pdffiles/UABHS_HIPAA_training_08_2009.pdf
Refer to the UAB/UABHS Information Security Handbook at www.hipaa.uab.edu/pdffiles/Information_Security_Handbook_03_2009.pdf
Business Associate Agreements (BAAs)
Review: A BAA is required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which will involve the use or disclosure of the covered entity’s PHI.
Make sure your department has BAAs for vendors that access our PHI.
The UAB/UABHS BAA is being revised and will be available for use beginning October 1, 2009.
At this time, current BAAs will not have to be replaced with the new format; however, that could change depending upon additional guidance from the Department of Health and Human Services.
Biggest change: Entities must maintain a list of all active BAAs and copies of the fully executed BAAs.
The American Recovery and Reinvestment Act of 2009 (ARRA) brought with it major impacts to the HIPAA privacy and security regulations. These changes do not occur over a period of several years as was experienced with the enforcement of HIPAA.
This update provides the most immediate changes to HIPAA compliance.
Additional guidance is expected from the Department of Health and Human Services.
Other meetings, announcements, trainings, and awareness activities are most probable.