Becoming HITECH - 9/2009



Migration from HIPAA to HITECH


    1. Becoming HITECH
       Review of the HITECH Act and its role in a holistic approach to compliance
       September 30, 2009

    2. Agenda
       • About Us
       • Obligations of Healthcare Providers
       • Review of HIPAA and Red Flags Rule Objectives
       • Discussion on HITECH
         – Objectives and Requirements
         – Placement in ARRA
         – Funding Opportunities
       • Rethinking your Patient Privacy, Security, and Protection Strategy

    3. About Us
       Scott A. Rogerson, CISA, CAPM
       The Hill Group, Inc.

    4. About Us
       • Management consulting firm
       • Founded in 1953
       • Headquartered in Pittsburgh, PA
       • Affiliated with several consulting firms across the United States

    5. Our Services
       • Strategy
       • Operations and Process Improvement
       • Performance and Diagnostic Measurement
       • Organizational Development
       • Workforce and Economic Development Strategy

    6. Our Clients Include
       Health Care Providers and Associations

    7. Obligations of Healthcare Providers
       Privacy, Security, Protection
    8. Security and Protection Obligations
       Healthcare providers are obligated to secure all data accepted from patients for treatment or other health care operations and to ensure that the privacy of that information is upheld.
       • These obligations include ensuring the following:
         – Completeness
         – Accuracy
         – Confidentiality
         – Protection
       • Additional areas of data management not addressed are:
         – Availability
         – Reliability

    9. HIPAA Purpose
       • Purpose: Require the implementation of administrative, technical, and physical safeguards to:
         – Ensure data integrity and confidentiality
         – Protect against reasonably anticipated
           • Threats or hazards to the security or integrity of data
           • Unauthorized use or disclosure

    10. HIPAA Requirements
       • Privacy policies and procedures
       • Privacy notice
       • Privacy official
       • Workforce training and enforcement
       • Mitigation process
       • Complaint process
       • Implement safeguards
         – Administrative
         – Technical
         – Physical
       • Retain policies, procedures, and notices for six years

    11. Red Flags Purpose and Requirements
       • Purpose: Preventing an individual with unauthorized data from obtaining unauthorized services
       • Four Elements of Compliance for the Red Flags Rule:
         1. Identify Red Flags for covered accounts and incorporate those red flags into the Program
         2. Detect Red Flags that have been incorporated into the Program
         3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft
         4. Update the Program at least annually to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft
       • Compliance Date: November 1, 2009
    12. Discussion on HITECH

    13. HITECH Overview
       • Health Information Technology for Economic and Clinical Health Act
         – Title XIII and Title IV of Division B of the American Recovery and Reinvestment Act of 2009
       • Objective: “Utilization of an electronic health record for each person in the United States by 2014”
         – Requirements for Achievement:
           • Confidence in Systems
           • Confidence in Organizations
           • Funding for Implementation
       • Effective Date: September 23, 2009, but enforcement will be delayed until February 22, 2010

    14. HITECH: Supplements to HIPAA
       • Extension of “covered entity” requirements to the “business associate”
       • State Attorney General Enforcement
       • Establishes breach notification requirements
       • Breach – “Unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information”

    15. HITECH: Identifying a Breach
       • Perform Risk Assessment to:
         – Define the “harm threshold”
         – Determine if breach falls into one of the seven exception criteria
           • Disclosure to the Individual
           • Disclosure for Treatment, Payment and Health Care Operations (TPO)
           • Opportunity to Agree or Object
           • “Incident to”
           • Limited Data Set / De-identified Data
           • Has Authorization
           • Public Policy (Legal Requirement, Law Enforcement, etc.)
    16. HITECH: Breach Requirements
       • HITECH requires that notification be communicated within 60 days from the day the breach is:
         – Known by someone in the organization (other than the person committing the breach)
         – By exercising reasonable diligence would have been known
         – Must provide notification without “unreasonable delay”
       • Business Associate (BA) Notification Requirement
         – Notify affected covered entity/entities of breach
         – The covered entity is then required to notify individuals (unless contract states otherwise)
           • If BA is agent of covered entity – Must notify individuals within 60 days of BA discovery
           • If BA is independent contractor – Must notify individuals within 60 days of being notified

    17. HITECH: Required Notification
       • The required notification activities depend upon:
         – Number of individuals impacted
         – Location in which the individuals reside
       • The breach notification must include the following in “plain language”:
         – Brief description of what happened
         – Types of information involved
         – Steps affected individuals should take to protect themselves
         – Definition of the steps the covered entity is taking to mitigate harm to individuals
         – Contact procedures for individuals with additional questions

    18. HITECH: Notification Req.
       [Flowchart: Start → Identify Breach → Notify Individual → Notify Public → End, within 60 Days]
       • Identify Breach: Once a potential breach has been identified, perform a risk assessment to determine if the “harm threshold” indicates a breach occurred.
       • Notify Individual: Notify the individuals affected by the breach using a written notice, including appropriate information. If individual(s) cannot be reached, follow the substitute notice procedure.
       • Notify Public: Determine if a need exists to notify major media outlets, the HHS Secretary, and/or credit reporting agencies of the breach.
       Refer to Decision Tree for Additional Detail
    19. HITECH: Incentives for EHR
       • Title IV – Medicare and Medicaid Health Information Technology; Miscellaneous Medicare Provisions of the ARRA includes the following provisions:
         – Additional funding for eligible professionals adopting EHR prior to 2014
         – Penalties for professionals not adopting by 2014
       • “Meaningful Use” Requirement for Adoption
         – Connected in a manner that provides for electronic exchange of health information
         – Provider is able to generate and submit measurements of EHR use in their practice
       • A “significant hardship” exemption exists

    20. HITECH: The “Carrot” and the “Stick”
       Incentive payment (or penalty) by first year of Meaningful Use (MU Year) and payment year:

       MU Year | 2011    | 2012    | 2013    | 2014    | 2015    | 2016    | 2017 | 2018 | 2019 | Total
       2011    | $18,000 | $12,000 | $8,000  | $4,000  | $2,000  |         |      |      |      | $44,000
       2012    |         | $18,000 | $12,000 | $8,000  | $4,000  | $2,000  |      |      |      | $44,000
       2013    |         |         | $15,000 | $12,000 | $8,000  | $4,000  |      |      |      | $39,000
       2014    |         |         |         | $12,000 | $8,000  | $4,000  |      |      |      | $24,000
       2015    | None (no incentive payment)           | -1%     | -2%     | -3%  | -4%  | -5%  | ??
    21. Rethinking your Patient Privacy, Security, and Protection Strategy

    22. Risk Assessment Process
       • HIPAA, Red Flags, and HITECH require the performance of a risk assessment to determine the necessary safeguards
       • When performing this assessment, the following should be considered for each risk area:
         – Likelihood
         – Impact
         – Effectiveness
           • Prevention
           • Detection
           • Mitigation

    23. Risk Assessment Areas
       • Areas to Consider:
         – Current Policies / Procedures
           • Design Effectiveness
           • Operating Effectiveness
         – Application Risks
           • Role-based Access
           • Application Controls
         – Data Assessment (Create, Transmit, Store, Dispose)
           • Creation
           • Storage (primary and secondary)
           • Transmission
           • Disposal
         – Organization
         – External Risks
           • Environmental Risks (Flood, Power Failure)
           • Liability
         – Business Associate/Vendor Agreements
    24. Remediation Efforts
       • No policy, procedure, or application should be implemented solely for regulatory purposes
       • People and Process are still the critical components of an efficient, effective, and compliant organization
         – The individuals who own the information may be your most effective (and least costly) detective control
       • Physical / Technical safeguards should be integrated into the processes utilizing the technology to increase efficiency, reliability, and utilization of the information
       • Compliance practices should be customized to the organization
    25. Discussion and Q&A

    26. Thank You
       If you have any additional questions, please feel free to contact me:
       Scott A. Rogerson, CISA, CAPM
       412-722-1111
       The Hill Group, Inc.
       2 East Main Street, Carnegie, PA 15106-2456 USA