Economic Stimulus Package V4

Discussion of ARRA privacy and security requirements and impacts

Published in: Health & Medicine, Technology
1. The American Recovery and Reinvestment Act (ARRA) of 2009: Privacy and Security Provisions and Impacts
Lisa A. Gallagher, BSEE, CISM, CPHIMS, Senior Director, Privacy and Security, HIMSS
Dixie B. Baker, Ph.D., FHIMSS, Senior Vice President, Chief Technology Officer, Health Solutions, SAIC
2. Introduction and Background
• On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA), designated as H.R. 1.
• ARRA is a law, not a regulation: some provisions are directly effective, others require interpretation, regulation, and guidance
• Best to familiarize your organization with the new law now and assess its potential impact
• Meanwhile, take advantage of the opportunity to provide input:
  ◦ Track regulatory activity
  ◦ Express your views and concerns to the Department of Health and Human Services (HHS)
• Today’s presentation is based on what we know today; watch www.himss.org/EconomicStimulus for up-to-the-minute information
3. Fast Forward from HIPAA: Greater Threat, Bigger Target (1)
• Electronic administrative transactions are now standard practice
• Electronic Health Records (EHRs) have been widely adopted by large health systems and are now penetrating into private practices
• Health Information Exchanges (HIEs) are springing up throughout the country, facilitating EHR sharing, e-prescribing, public health surveillance, and other shared services
• Personal Health Records (PHRs) and health record banks have emerged – until now, completely outside the reach of the Health Insurance Portability and Accountability Act (HIPAA)
4. Fast Forward from HIPAA: Greater Threat, Bigger Target (2)
• Security risks are ubiquitous, and increasingly nefarious
  ◦ Virtually everyone is targeted by spyware on a daily basis, and many have been victimized by identity theft
  ◦ Both techno-savvy and not-so-savvy consumers now recognize that the use of computers introduces new risks to their health information and their personal privacy
• U.S. has experienced terrorist and bioterrorist attacks, and natural disasters requiring rapid medical containment and response
• Virtually no one has been penalized for HIPAA violations
5. What New Provisions Attempt to Do
• Encourage – and indeed enable – the realization of a National Health Information Network (NHIN) to improve the efficiency and quality of the U.S. healthcare system, and the health and safety of our people
• Broaden the scope of applicability of the HIPAA Privacy and Security Rules to encompass many large entities that handle large amounts of sensitive health information but were previously excluded
• Provide transparency for breach victims
• Strengthen enforcement and sanctions
• Strengthen patients’ privacy rights
6. Business Associates (BAs): Before and After
• Pre-ARRA
  ◦ BAs were outside direct HHS regulation, oversight and penalties
    ▪ Requirements contained only in contracts with covered entities (CEs)
  ◦ Health Information Exchanges (HIEs, including RHIOs, ePrescribing networks, etc.) not involved in HIPAA transactions were excluded
• Post-ARRA
  ◦ BAs – including HIEs – must implement the same HIPAA administrative, physical, and technical security controls as CEs
  ◦ BAs are subject to the same penalties as covered entities
ARRA = American Recovery and Reinvestment Act; RHIOs = Regional Health Information Organizations
7. Business Associates (BAs): Impacts (1)
• Significantly enhances the security of protected health information (PHI) and the privacy of patients!
• Exposes technology vendors, practice management companies, transcription services, billing services, attorneys, accountants and many other types of BAs – including HIEs – to direct regulation, and civil and criminal penalties under HIPAA
  ◦ Increases risk to entities previously outside HIPAA or obligated only by contract
  ◦ Decreases risk to covered entities by increasing assurance of compliance
  ◦ Risk translates into cost
HIEs = Health Information Exchanges
8. Business Associates (BAs): Impacts (2)
• Some existing BA agreements may need to be modified
• BA agreements will need to be negotiated among covered entities participating in HIEs
• BAs will need to strengthen their security to assure compliance
• Annual guidance to be provided by HHS and aimed at BAs should benefit both covered entities and BAs
• Directive for HHS and FTC to study potential expansion of HIPAA to other organizations should be interpreted as a wake-up call for companies that are neither covered entities nor BAs
HIEs = Health Information Exchanges; HHS = Health and Human Services; FTC = Federal Trade Commission
9. Breach Notification: Before and After
• Pre-ARRA
  ◦ HIPAA required covered entities to mitigate potentially harmful effects of improper disclosures, but it did not expressly mandate notification
  ◦ Encryption type or standard unspecified
  ◦ No legal definitions of Electronic Health Record (EHR) and Personal Health Record (PHR)
  ◦ PHR vendors, information providers, and marketers were outside the scope of HIPAA
ARRA = American Recovery and Reinvestment Act
10. Breach Notification: Before and After
• Post-ARRA
  ◦ We finally have legal definitions of Electronic Health Record (EHR) and Personal Health Record (PHR)!
    ▪ EHR: an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff
    ▪ PHR: an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual
ARRA = American Recovery and Reinvestment Act
11. Breach Notification: Before and After
• Post-ARRA (cont.)
  ◦ Notification is triggered by a breach of “unsecured” PHI: PHI not protected by a technology or methodology specified by the HHS Secretary in guidance (or, absent that guidance, one developed or endorsed by an ANSI-accredited Standards Development Organization (SDO))
  ◦ Covered entities must notify promptly (without unreasonable delay, and in no case later than 60 days after discovery)
    ▪ Individuals affected by the breach
    ▪ If 500 or more individuals are affected, HHS immediately, and prominent media outlets where more than 500 residents of a state are affected; smaller breaches are logged and reported to HHS annually
ARRA = American Recovery and Reinvestment Act; HHS = Health and Human Services
12. Breach Notification: Before and After
• Post-ARRA (cont.)
  ◦ Comparable requirement imposed on “PHR-entities” – including vendors, information providers, and marketers of products and services – except that they must report to the Federal Trade Commission (FTC) instead of HHS
  ◦ BAs (remember – this includes HIEs) must notify the covered entity
ARRA = American Recovery and Reinvestment Act; PHR = Personal Health Record; BAs = Business Associates; HIEs = Health Information Exchanges
13. Breach Notification: Impacts (1)
• We have definitions, but many questions remain…
  ◦ An Electronic Health Record (EHR) is created by an “authorized health care clinician or staff” member, who need not belong to a “covered entity”; so a health record created by an insurance company is not an EHR, nor is a record that is created by a clinician but never consulted
  ◦ Where do the Personal Health Record (PHR) scope boundaries lie? Is a gym’s record of exercise, weight, diet, etc. a PHR?
  ◦ How is the primary purpose of a PHR determined? If a vendor provides a PHR for the business purpose of selling advertising, does that take the record outside the scope?
14. Breach Notification: Impacts (2)
• For covered entities, increases cost and risk of adverse publicity
  ◦ CEs likely to contractually pass on breach notification requirement to BAs – along with inherited cost and risk
  ◦ For HIEs, may not be clear who is “at fault” – especially within the allowed 60 days
• New (likely unanticipated) cost and risk for “PHR-related entities” – including vendors, information providers, and marketers of products and services
  ◦ Currently in denial
  ◦ Ultimately will need to revisit business models to deal with unanticipated regulation and heightened scrutiny from the FTC
CEs = Covered Entities; BAs = Business Associates; HIEs = Health Information Exchanges; PHR = Personal Health Record; FTC = Federal Trade Commission
15. Breach Notification: Impacts (3)
• Overlap with many state notification laws will require careful analysis in developing security breach notification action plans
• Other organizations should carefully monitor the future extension of HIPAA to a wider range of industry participants
16. Restrictions on Use and Disclosure of PHI: Before and After
• Pre-ARRA
  ◦ No restrictions on payment for PHI within HIPAA allowed exceptions
  ◦ Many “marketing” communications were considered “operations” under HIPAA and therefore did not require authorization
  ◦ “Minimum necessary” is determined by the CE
ARRA = American Recovery and Reinvestment Act; CEs = Covered Entities; PHI = Protected Health Information
17. Restrictions on Use and Disclosure of PHI: Before and After
• Post-ARRA
  ◦ CE may not receive payment for PHI without the individual’s authorization, except for disclosures for limited purposes such as public health, treatment or research
    ▪ Payment for research disclosures may not exceed the cost of preparing and transmitting the data
  ◦ Marketing exceptions no longer permitted without individual’s authorization if the CE receives payment from another party
ARRA = American Recovery and Reinvestment Act; CEs = Covered Entities; PHI = Protected Health Information
18. Restrictions on Use and Disclosure of PHI: Before and After
• Post-ARRA (cont.)
  ◦ If sufficient for the intended purpose, CEs must use or disclose only a “limited data set” that excludes names, street addresses, social security numbers and other identifiers but is not fully “de-identified”
    ▪ HHS to issue regulations providing guidance on “minimum necessary” within 18 months
PHI = Protected Health Information; ARRA = American Recovery and Reinvestment Act; CEs = Covered Entities; HHS = Health and Human Services
19. Restrictions on Use and Disclosure of PHI: Impacts
• Significantly stronger protection of PHI against commercial exploitation!
• Eliminates a source of revenue for covered entities – will need to revise business models
• Eliminates a marketing channel for companies offering medical products and services
• CEs may need to modify existing data sharing arrangements that are no longer permissible
PHI = Protected Health Information; CEs = Covered Entities
20. Patient Rights: Before and After
• Pre-ARRA
  ◦ If patient requests that information not be shared with health plan, entity must process the request, but is not obligated to honor it
  ◦ Patient has right to inspect and copy PHI
  ◦ Disclosures for treatment, payment and healthcare operations (TPO) are exempt from HIPAA’s Accounting of Disclosures requirement
  ◦ CE must include in any fundraising materials it sends to individuals a description of how to opt out of receiving any further fundraising communications, and must make reasonable efforts to comply with opt-out requests
ARRA = American Recovery and Reinvestment Act; CEs = Covered Entities; PHI = Protected Health Information
21. Patient Rights: Before and After
• Post-ARRA
  ◦ If patient requests that information not be shared with health plan, and pays the full bill out of pocket, CE must honor the request
  ◦ CEs that maintain EHRs must provide copies in electronic form, and at the individual’s request, must transmit copies to named third parties
  ◦ CEs that maintain EHRs must, at an individual’s request, provide an accounting of all PHI disclosures from that system, including for treatment, payment and healthcare operations (TPO), during the prior three years
  ◦ Fundraising materials must provide a “clear and conspicuous” opportunity to opt out, and the choice to opt out must be treated as a “revocation of authorization”
ARRA = American Recovery and Reinvestment Act; CEs = Covered Entities; EHRs = Electronic Health Records
22. Patient Rights: Impacts (1)
• Strengthens patient privacy and accountability rights, and right to anonymous care
• Withholding health information from health plans presents significant implementation challenges
  ◦ Does it refer to a visit, an encounter, a procedure? If a withheld procedure results in an adverse reaction that requires follow-on treatment, is that a separate instance? What if the patient wants the follow-on treatment billed to insurance?
  ◦ Will require changes to both administrative and clinical systems
  ◦ How is the withheld information reflected in a longitudinal record?
23. Patient Rights: Impacts (2)
• Covered entities (CEs) may charge labor costs for providing an electronic copy of the record – likely to be an improvement over charges for paper copies
• Requires CE to account for its own disclosures – and provides options for accounting for PHI disclosures from systems operated by BAs
  ◦ Each BA agreement must address the expectation regarding accounting for disclosures
PHI = Protected Health Information; BAs = Business Associates
24. Enhanced Enforcement and Penalties: Before and After
• Pre-ARRA
  ◦ Department of Justice (DOJ) interpretation exempted individuals from civil and criminal prosecution – only “Covered Entities” could be prosecuted
  ◦ HHS could not impose a civil penalty on anyone subject to a criminal offense – even if the DOJ did not prosecute
ARRA = American Recovery and Reinvestment Act; HHS = Health and Human Services
25. Enhanced Enforcement and Penalties: Before and After
• Post-ARRA
  ◦ Any person who obtains PHI without authorization may be prosecuted
  ◦ HHS cannot impose a civil penalty on anyone who is convicted of a criminal offense (but may where the DOJ does not prosecute)
  ◦ Incorporates the notion of “willful neglect” – for which HHS must impose a penalty
  ◦ New tiered civil penalties that consider degree of knowledge and culpability
  ◦ State Attorneys General may bring civil actions on behalf of residents damaged by HIPAA violations
  ◦ HHS Secretary required to perform periodic compliance audits
ARRA = American Recovery and Reinvestment Act; PHI = Protected Health Information; HHS = Health and Human Services
26. Enhanced Enforcement and Penalties: Impacts
• Strengthened penalties and enforcement mechanisms should increase assurance that individual privacy will be protected
• Changes send HHS a clear message that Congress is unhappy with the current state of virtual non-enforcement – sure to see changes
• Individual violators likely to be singled out
• Heightened enforcement increases risk to CEs and BAs – they will need to implement stronger enforcement within their organizations, increasing both cost and assurance of compliance
HHS = Health and Human Services; CEs = Covered Entities; BAs = Business Associates
27. Resources
• “One-stop Shop” on the ARRA: himss.org/EconomicStimulus
• Summary: himss.org/content/files/HIMSSSummaryOfARRA.pdf
• Analysis: himss.org/EconomicStimulus
• FAQs: himss.org/EconomicStimulus/docs/HIMSS_FAQs_ARRA.pdf
• HIMSS09 Sessions on ARRA: himssconference.org/education/ESPSessions.aspx
• HIMSS P&S Toolkit: http://www.himss.org/ASP/privacySecurityTree.asp?faid=78&tid=4