2. OBJECTIVES
• Overview of HITECH
• Changes to HIPAA under HITECH
• Business Associates & Effects on BAA
• The Breach Notification Rule
3. DISCLAIMER
(NOT SO FINE PRINT)
The information contained in this session is not
intended to serve as legal advice nor should it
substitute for legal counsel. The material in this
presentation is designed to provide information. The
presentation is not exhaustive, and attendees are
encouraged to seek additional detailed legal guidance
to supplement the information contained herein.
4. HIPAA AND HITECH AT A GLANCE
Health Insurance Portability and Accountability Act (HIPAA)
• Insurance Reform [Portability]
• Administrative Simplification [Accountability]
  • Privacy Rule, compliance date: 4/14/2003
  • Security Rule, compliance date: 4/20/2005
• Fraud and Abuse [Accountability]
Health Information Technology for Economic and Clinical Health Act (HITECH), 9/18/2009
• Enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA)
5. HITECH ACT (ARRA)
How did it change HIPAA? HIPAA is no longer a paper tiger.
• Increased penalties for HIPAA violations (tiered civil monetary penalties)
• Required audits and investigations
• Increased enforcement and oversight activities
• State Attorneys General now have enforcement authority and may sue for damages and injunctive relief
• Expanded breach notification requirements
6. HITECH ACT PHASES (ARRA)
Health Information Technology for Economic and Clinical Health
REQUIREMENT                         COMPLIANCE DATE
1. Business Associates              February 2010
2. Breach Notification              September 2009
3. Self-Payment Disclosures         February 2010
4. Minimum Necessary                August 2010
5. Accounting of Disclosures        January 2011 / 2014
7. WHO IS A BUSINESS ASSOCIATE?
• If an entity that is not a covered entity performs a function or service "ON YOUR BEHALF" that involves PHI, and that function is not treatment, you need a business associate agreement (BAA) with it.
• Applies to payment and health care operations functions.
Examples of Business Associates.
• A third party administrator that assists a health plan with claims processing.
• A CPA firm whose accounting services to a health care provider involve access to protected health information.
• An attorney whose legal services to a health plan involve access to protected health information.
• A consultant that performs utilization reviews for a hospital.
• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf
of a health care provider and forwards the processed transaction to a payer.
• An independent medical transcriptionist that provides transcription services to a physician.
• A pharmacy benefits manager that manages a health plan’s pharmacist network.
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html
8. BUSINESS ASSOCIATES
PRIVACY RULE IMPACT
• Under Section 13404, a business associate may only use or
disclose PHI in a manner that complies with 45 C.F.R. §
164.504(e) (which describes the requirements for business
associate agreements)
• Thus, business associates will now be regulated directly
through a statutory requirement rather than indirectly through a
contract. Business associates also must comply with the
applicable provisions of the HITECH Act.
• Business associates will be subject to civil and criminal
penalties if they violate these provisions.
9. BUSINESS ASSOCIATES
SECURITY RULE IMPACT
Under Section 13401, business associates will be required to
comply with provisions of the HITECH Act, and with the
following provisions of the Security Rule:
• § 164.308 (Administrative Safeguards);
• § 164.310 (Physical Safeguards);
• § 164.312 (Technical Safeguards);
• § 164.316 (Policies and Procedures and Documentation Requirements).
10. BREACH
• Notification is required upon "discovery" of a "breach" of
"unsecured PHI".
• "Breach" is defined as the unauthorized acquisition, access,
use or disclosure of unsecured Protected Health Information
(PHI) which compromises the security or privacy of such
information.
• "Compromises" means creates a "significant risk of
financial, reputational or other harm to the individual".
• Requires a risk assessment: a fact-specific, documented analysis
(consider the nature of the information, who received it, and any
mitigation) to determine whether a significant risk of harm exists.
• Caveat: this "significant risk of harm" standard comes from the
August 2009 interim final rule. The HIPAA Omnibus Final Rule
(January 2013) replaced it: an impermissible use or disclosure is
presumed to be a breach unless a risk assessment on four required
factors shows a low probability that the PHI has been compromised.
11. FEDERAL BREACH NOTIFICATION LAW – EFFECTIVE SEPTEMBER 2009
• Applies to "unsecured PHI" in any form, paper or electronic: PHI
that has not been rendered unusable, unreadable or indecipherable
to unauthorized persons through encryption or destruction per HHS
guidance. Properly encrypted data is outside the rule; unencrypted
data is not.
• Fewer than 500 individuals affected: log the breach and report it
to HHS annually (within 60 days after the end of the calendar year).
• 500 or more individuals affected: notify HHS without unreasonable
delay and no later than 60 days after discovery.
• 500 or more residents of a state or jurisdiction affected: notify
prominent media outlets serving that area.
• Breaches affecting 500 or more individuals are listed on a public
HHS website.
• Individual notification to affected patients, in plain language,
without unreasonable delay and no later than 60 days after discovery.
• Criminal penalties may apply to an individual, including an employee
of a covered entity.
12. CIVIL MONETARY PENALTIES – HITECH
Old rule: maximum civil penalty of $100 per violation, up to $25,000 per year for multiple
violations of the same requirement.
New rule: tiered civil penalty structure, scaled to the violator's level of culpability:
• Did not know (and would not have known even with reasonable diligence): $100 to
$50,000 per violation.
• Reasonable cause and not willful neglect: $1,000 to $50,000 per violation.
• Willful neglect, corrected within 30 days: $10,000 to $50,000 per violation.
• Willful neglect, not corrected within 30 days: $50,000 per violation.
The HITECH statute lists annual caps of $25,000, $100,000, $250,000 and $1,500,000 for the
four tiers, but HHS's enforcement rule applies the $1,500,000 cap per calendar year for multiple
violations of the same requirement to every tier. The practical exposure at any tier is therefore
up to $50,000 per violation and $1.5 million per year.
13. TYPE OF BREACHES AFFECTING 500 OR MORE INDIVIDUALS ACROSS USA
DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS)
Share of reported breaches by type (pie chart on the original slide):
• Theft: 52%
• Unauthorized Access/Disclosure: 19%
• Loss: 13%
• Hacking/IT Incident: 6%
• Improper Disposal: 5%
• Theft and Unauthorized Access/Disclosure: 3%
• Theft and Loss: 2%
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
(As of July 3rd 2012)
14. TYPE OF BREACHES IN TEXAS
DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS)
Share of reported breaches by type (pie chart on the original slide):
• Theft: 64%
• Unauthorized Access/Disclosure: 8%
• Improper Disposal: 8%
• Theft/Loss: 8%
• Hacking/IT Incident: 6%
• Loss and Improper Disposal: 3%
• Unknown: 3%
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
(As of July 3rd 2012)
15. LOCATION OF BREACHES ACROSS USA
DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS)
Share of reported breaches by location of the PHI (pie chart on the original slide):
• Laptop: 27%
• Paper: 27%
• Other Portable Electronic Device: 15%
• Computer: 15%
• Network Server: 10%
• Other: 6%
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
(As of July 3rd 2012)
16. LOCATION OF BREACHES IN TEXAS
DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS)
Share of reported breaches by location of the PHI (pie chart on the original slide):
• Laptop: 30%
• Network Server: 16%
• Other Portable Electronic Device: 16%
• Paper: 16%
• Computer: 11%
• Electronic Medical Record: 3%
• E-mail: 3%
• Other: 3%
• Other (X-ray films): 3%
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
(As of July 3rd 2012)
17. CASE STUDY 1- ALASKA DEPARTMENT OF
HEALTH AND SOCIAL SERVICES (DHSS)
• June 2012: Alaska DHSS settles HIPAA Security Rule case for $1,700,000.
• A portable electronic storage device (USB hard drive) possibly
containing ePHI was stolen from the vehicle of a DHSS employee.
• HHS concluded that the Alaska Medicaid office did not have sufficient
policies and procedures in place to protect patient information.
• The state health department had NOT completed a risk analysis for
patient data.
• Had NOT completed security training for its workforce.
• Had NOT implemented device and media controls or addressed device
and media encryption. Encryption is an addressable Security Rule
specification: a covered entity must implement it, or document why it
is not reasonable and appropriate and what equivalent measure it adopted
instead. Doing neither is what HHS cited here.
http://www.hhs.gov/news/press/2012pres/06/20120626a.html
18. CASE STUDY 2- PHOENIX CARDIAC SURGERY
(5 PHYSICIAN PRACTICE)
• April 2012: Phoenix Cardiac Surgery settles with HHS for $100,000.
• The practice posted clinical and surgical appointments for its patients, containing PHI,
on an Internet-based calendar that was publicly accessible.
• HHS investigation also revealed the following issues:
• Phoenix Cardiac Surgery failed to implement adequate policies and
procedures to appropriately safeguard patient information;
• Phoenix Cardiac Surgery failed to document that it trained any employees
on its policies and procedures on the Privacy and Security Rules;
• Phoenix Cardiac Surgery failed to identify a security official and conduct a
risk analysis; and
• Phoenix Cardiac Surgery failed to obtain business associate agreements
with Internet-based email and calendar services where the provision of the
service included storage of and access to its ePHI.
http://www.hhs.gov/news/press/2012pres/04/20120417a.html
19. CASE STUDY 3 - CRIMINAL PROCEEDINGS
• "Seattle Man Pleads Guilty in First Ever Conviction for HIPAA
Rules Violation," August 19, 2004.
• Richard Gibson, an employee at the Seattle Cancer Care
Alliance, obtained a cancer patient's name, date of birth and SSN and
opened credit cards in the patient's name.
• Charged about $9,000 for jewelry, home improvements, etc.
• Sentenced to 16 months in prison.
20. WHAT CAN WE LEARN?
• You won’t escape the notice of the HHS just because
you are a small practice. Every practice, hospital, facility,
healthcare entity and anyone that has access to Protected
Health Information (PHI) must be compliant with the HIPAA
Privacy and Security Rules.
• Patients are paying attention and want their information
protected! Patients will not hesitate to report a practice if
they feel their privacy is being breached. Let your patients
know that you take their privacy seriously and what you are
doing in your entity to protect their privacy.
http://www.managemypractice.com/what-can-we-learn-about-hipaa-from-phoenix-cardiac-surgery/
21. WHAT CAN WE LEARN (CONTINUED)?
• Physicians are not exempt from responsibility. Physicians may
prefer not to use the hospital or practice network email and may
instead use a personal Gmail, Yahoo, Hotmail or AOL account for
office business. It is easy to slip into using personal email to
hand off patients, discuss appointments and ask for refill approvals.
Non-secured email services are NOT the right way to send any
patient information.
• Understand your technology. This is why the risk assessment is so
important – you must identify any process or technology you are
currently using that has the potential for PHI to be accessed
inappropriately. Understand and mitigate your risk!
http://www.managemypractice.com/what-can-we-learn-about-hipaa-from-phoenix-cardiac-surgery/
22. WHAT CAN YOU DO?
SHORT HITECH-HIPAA CHECKLIST :
Put together a breach notification policy.
HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is required by law to
be performed by every Covered Entity and Business Associate.
Find all your existing business associate agreements and update them.
Educate your staff about HITECH and document the trainings.
Encrypt if you can, or at least where you can.
Monitor DHHS activities for the publication of additional guidance and
proposed regulations.
This is also a good time to review all your HIPAA policies and re-educate your
staff. The rules have changed, and the risks are much, much higher.
23. RESOURCES
• Risk Assessment Basics from HIMSS
www.himss.org/asp/ContentRedirector.asp?ContentID=76250
• Tools and methods available for risk analysis and risk management
http://www.hhs.gov/ocr/hipaa
• 45 CFR Parts 160 and 164, Breach Notification for Unsecured Protected
Health Information; Interim Final Rule, Health and Human Services (HHS),
August 2009
http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
• HIPAA information webpage
http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
• Compliance and Enforcement Case Examples
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html