HIPAA Goes HITECH

Explore the changes to the HIPAA privacy and security rules as a result of the American Reinvestment and Recovery Act.

1. Content Covered: Expansion of Security and Privacy Rules
2. Privacy & Security Division
3. The American Recovery and Reinvestment Act of 2009, commonly known as the “Stimulus Bill,” was signed into law by President Obama on February 17, 2009.
   • $787 billion economic package
   • $24.3 million dedicated to Privacy & Security
5. The Bill strengthens federal privacy and security law to protect identifiable health information from misuse through:
   • Expansion of the Security & Privacy Rules
   • New requirements to notify patients when a breach occurs
   • Increased enforcement and penalties
6. Protected health information is information about the patient, their health, and the healthcare services they receive. Examples:
   • Why the patient was admitted
   • Patient’s history of mental illness
   • Patient’s physical health
   • Patient’s name, address or date of birth
   • Patient’s diet plan indicating diabetic restrictions
7. A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, Springhill.
8. The new law extends HIPAA privacy and security requirements to cover our business associates.
   • Pre-ARRA rule: business associates were not directly subject to the HIPAA privacy and security rules.
   • Now the HIPAA obligations that govern administrative, physical and technical safeguards, and that require security policies and procedures, apply directly to our business associates.
9. In effect, business associates are now subject to the same requirements for protected health information data security as Springhill, along with the same penalties for noncompliance.
10. Expanded Obligations: Springhill must amend its business associate agreements to incorporate the expanded privacy and security rule obligations.
11. The monetary penalties for violations of HIPAA have also increased, and a percentage of the penalties collected will be distributed to the individuals harmed by the violations.
12. Authority for the administration and enforcement of the HIPAA Security Rule, previously delegated to the Centers for Medicare and Medicaid Services, now belongs to the Office for Civil Rights.
13. The Act gives individuals the right to obtain their PHI in an electronic format (i.e., ePHI). An individual can also designate a third party as the recipient of the ePHI.
14. If an individual requests that a covered entity restrict the disclosure of PHI, the covered entity must comply with the requested restriction if the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
    Previously, HIPAA allowed covered entities to decline a patient’s request to restrict disclosure of information related to self-pay services. Now, however, if a patient pays for a procedure or test rather than filing an insurance claim, they have the right to restrict disclosure of any information related to those services.
15. Patients can request an accounting of disclosures (AOD) that includes a full accounting of PHI disclosures, including those for treatment, payment and healthcare operations.
    The accounting can go back 3 years. The effective date depends on the date the EHR was acquired. We must now include treatment, payment and healthcare operations in the AOD.
16. Covered entities and business associates must limit their uses, disclosures or requests for PHI to a “limited data set,” if practicable, or, if needed, to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
    To comply with this requirement, covered entities and business associates must educate their workforce members about the new minimum necessary and limited data set standards.
17. Minimum penalties:
    • Tier A, “Did not know”: $100
    • Tier B, “Reasonable cause”: $1,000
    • Tier C, “Willful neglect”: $10,000
    • Tier D, “Uncorrected violation”: $50,000
    Maximum penalties:
    • Tier A: $25,000
    • Tier B: $100,000
    • Tier C: $250,000
    • Tier D: $1,500,000
18. “Breach” generally means the unauthorized acquisition, access, use or disclosure of protected health information that compromises the privacy or security of that information.
19. Springhill must provide notice via first class mail to the affected person within 60 days of a breach. Among other things, the notice must include:
    • A description of what happened and the date of the breach
    • A description of the information involved in the breach
    • The steps the person should take to protect himself
    • A description of the covered entity’s investigation and mitigation efforts
20. In any case in which 500 or more persons are affected by a breach, Springhill must provide notice to major local media outlets. Breaches affecting fewer than 500 persons must be reported annually to the Department of Health and Human Services.
21. August 2009: Breach notification provisions and PHI breach notification
    February 2010: Business associates and marketing; employees of covered entities may have independent criminal liability
    August 2010: Minimum necessary and prohibition on sale of electronic health records/PHRs
    January 2011: Accounting for disclosures
    February 2011: Enforcement for “willful neglect”
22. The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements.
23. Health Information Technology: American Recovery and Reinvestment Act (Recovery Act) Implementation Plan, Office of the National Coordinator for Health Information Technology, Funding Table
    Total Appropriated (Dollars in Millions):
    • Privacy and Security*: $24.285
    • National Institute of Standards and Technology (NIST): 20.000
    • Regional HIT Exchange: 300.000
    • Unspecified: 1,655.715
    • Total, Health Information Technology: $2,000.000
    *Note: This dollar figure, $24,285,000, includes an estimated $9.5 million for audits by the Office for Civil Rights and the Centers for Medicare & Medicaid Services.
24. Springhill is responsible for reporting a breach in a timely manner, and you can help. If you suspect a breach has occurred, immediately alert the Privacy Officer or call the anonymous compliance hotline.