2010 Hipaa Rules 011310

HIPAA Privacy and Security
New HITECH Act Requirements for 2010

Jan 13, 2010 | 1:00-2:15 pm Central

© 2009 Open Health IT Exchange. All rights reserved. | 011310 | Slide 1 of 29

Speakers

• Colleen Sauter, Moderator
Administrator, OHITX

• Grant Peterson, J.D.
DGPeterson, LLC
HIPAA Privacy and Security Consulting


Grant Peterson, J.D.

• Grant provides personal compliance consulting to healthcare organizations, with services
including compliance strategies, HIPAA audits and Privacy Officer outsourcing to meet short and
long-term needs.

• In 2001, he developed a Web-based compliance program to deliver HIPAA training and tools in
versions designed specifically for medical clinics, long-term care facilities and business associates.

• Grant has more than 25 years of experience creating and managing several professional service
firms specializing in the design, development and integration of regulatory and technology-based
programs for insurance, banking and healthcare.

• Grant holds a B.S. degree in Public Administration from Minnesota State University, and a Juris
Doctor (J.D.) law degree from Hamline University School of Law.


Agenda

• Welcome

• Program Notes

• HITECH Act
– New Privacy & Security Requirements

– Comments on delayed FTC Red Flags Rule

• Resources

• Q&A


HIPAA Overview

HIPAA History and Timeline

HIPAA Privacy Rule April 2003

HIPAA Security Rule April 2005

HIPSA (Senate Bill) July 2007

HITECH Act February 2009


HITECH Act – H. R. 1-146

Part 1 - Improved Privacy and Security Provision

13401 Application of Security Provisions and Penalties to Business
Associates + HHS Annual Guidance

13402 Notification in the Case of Breach

13403 Education on Health Information Privacy

13404 Application of Privacy Provisions to Business Associates of
Covered Entities

13405 Restrictions on Certain Disclosures and Sales of Health
Information, Accounting of Certain PHI Disclosures, Access of
Certain Information in Electronic Format


HITECH Act – H. R. 1-146 cont.

Part 1 cont. - Improved Privacy and Security Provision

13406 Conditions on Certain Contacts as Part of Health Care
Operations

13407 Temporary Breach Notification for Vendors of PHR and other
Non-HIPAA Covered Entities

13408 Business Associate Contracts Required for Certain Entities

13409 Clarification of Application of Wrongful Disclosures Criminal
Penalties

13410 Improved Enforcement

13411 Audits


Business Associates – Section 13401

Application of Security Provisions and Penalties to
Business Associates + HHS Annual Guidance
• §164.308 Administrative Safeguards (Security Rule)

• §164.310 Physical Safeguards (Security Rule)

• §164.312 Technical safeguards (Security Rule)

• § 164.316 Policies and Procedures and Documentation Requirements (Security Rule)
RESOURCE/ HIPAA Administrative Simplification

• Application of Civil and Criminal Penalties, Sections 1176 and 1177 of the Social Security Act
RESOURCE/ Application of Civil and Criminal Penalties

• HHS Annual Guidance on Most Effective and Appropriate Technical Safeguards in Carrying Out
the Above


Data Breach Notification – Section 13402

Definition of Breach
• Is defined in the Act as ‘‘the unauthorized acquisition, access, use, or disclosure of
protected health information (PHI) which compromises the security or privacy of such
information, except where an unauthorized person to whom such information is
disclosed would not reasonably have been able to retain such information.’’

• Exceptions include: The unauthorized acquisition, access, or use of PHI is
unintentional or if such acquisition, access, or use was made in good faith and such
information is not further acquired, accessed, used, or disclosed.

• The risk of harm standard requires that a Covered Entity undertake
some form of risk assessment in the event of a breach, and based
upon the assessment, determine in good faith whether it is necessary
to notify the individual of the breach.
RESOURCE/ HIPAA Breach Notification


Breach Notification – Section 13402 cont.

Breach of “Unsecured” Protected Health Information

• Section 13402(h) of the Act defines ‘‘unsecured protected health information’’ to
mean protected health information that is not secured through the use of a
technology or methodology specified by the Secretary in guidance.

• According to HHS, the specified technologies and methodologies “create the
functional equivalent of a safe harbor.”

• HHS explains what is secured through the use of a technology or methodology...
“In consultation with information security experts at NIST, we have identified two
methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized
individuals:

1. encryption
2. destruction



Following the discovery of a breach of unsecured PHI

• A covered entity must notify each individual whose unsecured PHI has been, or is
reasonably believed to have been, inappropriately accessed, acquired, or disclosed in
the breach [section 13402(a)]

• Additionally, following the discovery of a breach by a business associate, the business
associate must notify the covered entity of the breach and identify for the covered
entity the individuals whose unsecured PHI has been, or is reasonably believed to have
been, breached [section 13402(b)]

• The Act requires the notifications to be made without unreasonable delay but in no
case later than 60 calendar days after discovery of the breach



Notice Following the discovery of a breach
• The notice shall be made in writing, except under circumstances where the Covered
Entity does not have the correct contact information for the affected individual, or
where there is particular urgency to the notification. The notice to affected
individuals must contain the following 5 elements:

1. A brief description of what occurred with respect to the breach, including, to
the extent known, the date of the breach and the date on which the breach was
discovered;
2. A description of the types of unsecured PHI that were disclosed during the
breach;
3. A description of the steps the affected individual should take in order to
protect himself or herself from potential harm caused by the breach;
4. A description of what the Covered Entity is doing to investigate and mitigate
the breach and to prevent future breaches; and
5. Instructions for the individual to contact the Covered Entity


Education – Section 13403

Education on Health Information Privacy

• Regional Office Privacy Advisors and Education Initiative

• Guidance and Education to covered entities, business associates and
individuals on rights and responsibilities related to federal privacy and
security requirements for protected health information


Business Associate – Section 13404

Application of Privacy Provisions to Business
Associates of Covered Entities
• Section 13404 of the Act requires HIPAA business associates to comply with 45 CFR
§ 164.504(e), which sets forth the privacy terms required in HIPAA business associate
agreements. While these contract obligations have always been enforceable by
covered entities, they are now enforceable by the government through HIPAA.
Business associates also are required to comply with the additional privacy
requirements imposed by the Act described below.

• Business associates must take reasonable steps to cure a breach of, or terminate, a
Business Associate Agreement if it becomes aware of a pattern of activity or practice
by a covered entity that violates the agreement. If a business associate
fails to take reasonable steps to cure the breach, terminate the
agreement, or report the problem to HHS, then the business associate
may be liable for civil and/or criminal penalties under the Act.
RESOURCE/ Sample Business Associate Agreement (BAA)


Restrictions, Accounting, Access – Section 13405

Restrictions on Certain Disclosures and Sales of Health
Information, Accounting of Certain PHI Disclosures,
Access of Certain Information in Electronic Format

• 13405(a) A covered entity must comply with the requested restriction if the disclosure
would be to a health plan for purposes of carrying out payment or health care
operations—but not for treatment; and the PHI pertains solely to a health care item or
service for which the health care provider involved has been fully paid by the patient.

• 13405(b) Disclosures limited to the Limited Data Set or Minimum Necessary. The Act
requires the Covered Entity to make the determination of Minimum Necessary, rather
than relying on others.

• Section 13405(c) of the Act provides that disclosures made through an EHR for
treatment, payment and health care operations purposes must be included in the
accounting, but information is limited to three years of disclosure information (rather
than six).


Restrictions, Accounting, Access – Section 13405 cont.

Restrictions on Certain Disclosures and Sales of Health
Information, Accounting of Certain PHI Disclosures,
Access of Certain Information in Electronic Format
• Section 13405(d) of the Act now prohibits indirect and direct remuneration for a
disclosure of PHI without the individual’s authorization. The authorization document
must also explain whether PHI can be further exchanged for remuneration by the
downstream entity receiving the PHI. The statute contains several exceptions where a
covered entity is still permitted to receive remuneration for disclosures, such as public
health, research, treatment, sale or merger of a CE, to a business associate for work
functions, to an individual who requests copies of their PHI etc.

• Section 13405(e) In the case that the CE uses or maintains an EHR, individuals have
the right to obtain a copy in electronic format.


Marketing – Section 13406

Conditions on Certain Contacts as Part of Health
Care Operations

• Section 13406(a), communications which are deemed part of health care operations
and excluded from the definition of marketing as contained in 164.501(1)(i), (ii) or (iii)
are now limited to those communications for which the covered entity has not been
paid directly or indirectly, unless the communication involves a drug or biologic
currently being prescribed. Otherwise, an authorization from the individual is needed.

• Section 13406(b) All fund-raising communications must provide for the opportunity to
opt-out of receiving further communications.


Temporary Breach Notification – Section 13407

Temporary Breach Notification Requirement for Vendors of Personal
Health Records and Other Non-HIPAA Covered Entities

• The HITECH Act includes two sets of new breach notification requirements. Section
13402 (previously discussed) of the HITECH Act requires HIPAA covered entities to
notify individuals if there has been a breach involving their “unsecured PHI.” Section
13407 of the HITECH Act includes breach notification requirements for vendors of
personal health records (PHR) and related entities that are not subject to the HIPAA
requirements and therefore not covered by the Section 13402 requirements.

• Federal Trade Commission, Health Breach Notification Rule, 16 CFR Part 318 was
created pursuant to HITECH Act Section 13407(g). The rule requires vendors of
personal health records and related entities to notify consumers when
the security of their individually identifiable health information has
been breached. The rule is effective September 24, 2009.
Full compliance is required by February 22, 2010.
RESOURCE/ HIPAA Breach Notification


Business Associate Contracts – Section 13408

Business Associate Contracts Required for Certain Entities

• Section 13408 of the Act identifies additional entities that are to be considered
business associates and with whom covered entities must have written agreements (or
other arrangement). These are organizations that transmit protected health
information to the covered entity (or its business associates), such a Health
Information Exchange Organization, a Regional Health Information Organization, an
E-prescribing Gateway, or each vendor that contracts with a Covered Entity to offer a
Personal Health Record as part of its EHR, is required to enter into a written contract
and shall be treated as a business associate.


Wrongful Disclosures – Section 13409

Clarification of Application of Wrongful Disclosures
Criminal Penalties
• Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the
end the following new sentence: “For purposes of the previous sentence, a person (including
an employee or other individual) shall be considered to have obtained or disclosed
individually identifiable health information in violation of this part if the information is
maintained by a covered entity (as defined in the HIPAA privacy regulation described in
section 1180(b)(3)) and the individual obtained or disclosed such information without
authorization.” This provision clarifies that an individual does not need to be a HIPAA covered
entity to be subject to the criminal penalties in 42 U.S.C. § 1320d-6(a).

• The base penalty is a $50,000 fine, imprisonment for not more than one year, or both. For
offenses committed under false pretenses, the fine is not more than $100,000, imprisonment
for not more than five years, or both. And if the offense is committed with the intent to sell,
transfer, or use individually identifiable health information for commercial advantage,
personal gain, or malicious harm, the fine is not more than $250,000, imprisonment for not
more than 10 years, or both.


Improved Enforcement – Section 13410

Improved Enforcement
• Section 13410 makes a variety of changes to the civil penalty provisions. First, the Act
adds that noncompliance for willful neglect requires HHS to formally investigate a
complaint and to impose a civil penalty. HHS is required to implement regulations,
and these statutory amendments will be effective in 24 months.

• The section also requires civil penalties collected for privacy or security violations to
go to the HHS Office for Civil Rights to fund enforcement. The Government
Accountability Office is also directed to issue a report on sharing a percentage of
these penalties with individuals who are harmed, and HHS is directed to issue
regulations within three years.

• States Attorney General may bring a civil action to enjoin privacy or security
violations or obtain damages on behalf of state residents for such violations.


Improved Enforcement – Section 13410 cont.

Enhanced Enforcement Options and Increased
Penalties for Non-Compliance
• The Act also increases the amount of civil penalties from the present $100 per violation (up to $25,000 per
identical violation), to the following tiered civil penalties:

1. If the person did not know (and by exercising reasonable diligence would not have known) that such
person violated a provision, the civil penalty is between $100 - $50,000 for each violation, up to a total
of $25,000-$1,500,000 for all violations of an identical requirement;

2. If the violation was due to reasonable cause and not to willful neglect, the civil penalty is between
$1,000 - $50,000 for each violation, up to a total of $100,000-$1,500,000 for all violations of an
identical requirement;

3. If the violation was due to willful neglect, the civil penalty is between $10,000 - $50,000 for each
violation, up to a total of $250,000-$1,500,000 for all violations of an identical requirement if the
violation was corrected during the 30 day period beginning on the first date the person liable for the
penalty knew, or by exercising reasonable diligence would have known, that the failure to comply
occurred.

4. If the violation is not corrected within 30 days, the penalties increase to $50,000 for each violation, up
to a total of $1,500,000 for all violations of an identical requirement.


Audits – Section 13411 cont.

Audits

• Section 13411 requires the Secretary of HHS to conduct periodic audits to
ensure that covered entities and business associates are in compliance with
HIPAA Covered entities and business associates should prepare for audits to
begin no later than February 17, 2010 for all HIPAA requirements.


FTC Red Flags Rule

Red Flag Rule
• The Identity Theft Red Flags Rule was promulgated under the Fair and Accurate Credit Transactions
Act, in which Congress directed the Commission and other agencies to develop regulations requiring
“creditors” and “financial institutions” to address the risk of identity theft.

• Health care providers who periodically allow patients to pay for medical services over time through a
series of payments should have written policies that identify the “red flags” or indicators of possible
identity theft they may come across in the course of business, establish procedures to detect those red
flags and to respond appropriately to mitigate and prevent harm, and develop procedures for training
staff and keeping applicable policies current. Health care providers should also have procedures in
place to ensure that their vendors are in compliance with the Red Flag Rules and amend existing
business associate agreements or asking for copies of the vendors’ Red Flag policies.

• The Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until
June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC
RESOURCE/ Red Flag Rule


HIPAA Privacy and Security Assessment

Framework for Managing Risk

• PHI, ePHI, Patient, Organization, Vendors
• Methodical, repeatable, risk-based approach to implementing effective risk
management
• Life cycle that facilitates continuous monitoring and improvement
• Purpose and scope
• Applicability
• Audience
• How and why to use assessment
RESOURCES/ CMS Security Audit


Next Steps
Task Completed
Amend Business Associate Agreements:
•New Obligations
•Red Flags Rule

Create Policies & Procedures to Address Notification of Breach

Create Policies & Procedures to Address:
•Disclosures and Sales of Health Information
•Accounting of PHI
•Disclosures and Access of Certain Information in Electronic Format
Amend Marketing Policies & Procedures, Review Communications, Need for
Authorization and Fund Raising Opt-Out

Review Health Breach Notification, Create Policies & Procedures as Required

Create Policy & Procedures on Wrongful Disclosures

Develop Training & Awareness Campaign to Address HITECH Act

Consider Framework to Manage HIPAA Compliance

RESOURCES/ Standards Checklist and 2010 New Guidelines


Q&A


Thank You!

For more information on OHITX or today’s session, please contact
Colleen Sauter csauter@ohitx.org.

To access the resource section, please click here:


Disclaimer

This Webinar IS NOT Legal Advice

• These materials should not be considered as, or as a substitute for, legal advice and they
are not intended to, nor do they create an attorney-client relationship. Because the
materials included here are general, they may not apply to a particular individual legal
or factual circumstance.

• The reader should not take, or refrain from taking, any action based on the information
contained herein without first obtaining professional counsel.

• The views expressed herein do not necessarily reflect the views of OHITX


2010 Hipaa Rules 011310

More Related Content

What's hot

Viewers also liked

Similar to 2010 Hipaa Rules 011310

More from GuardEra Access Solutions, Inc.

2010 Hipaa Rules 011310