Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included in the American Recovery and Reinvestment Act of 2009 The following government websites provide detailed information on the above Acts.

Increased Enforcement State Attorney General –May bring civil action on behalf of state residents. CA Office of Health Information Integrity –Oversees health care providers –Responds to filed complaints and referrals from CPDH or CA Attorney General –Imposes administrative penalties on individuals California Department of Public Health –Oversees health care facilities –Responds to notifications of violations reported by health care facilities –Imposes administrative penalties on facilities

Increased Penalties Health care professionals – Penalties can be as high as $2,500-$250,000 Health care facilities – Penalties can be as high as $25,000-$250,000 Penalties assessed for willful neglect and uncorrected violations can be as high as $1,500,000 Health care facilities can be fined $100/day for not reporting violations to the CDPH after 5 days of discovery.

Assessment of Penalties by CDPH Factors History of compliance – Can the facility show they have the policies in place to prevent breaches or violations? Ability to detect violations – Does the facility perform regular audits to test their policy? Efforts to correct and prevent future violations – Has the facility responded to violations by implementing new policies or putting protections in place? Other factors considered outside of the facility’s control.

Accounting of Disclosures Must be able to track any disclosure of a patient’s medical information. Information must be made available upon the patient’s request. With regards to EHR, legislators expect providers to know at all times who has accessed data and when they accessed it. All disclosures for the last 3 years should be available.

Business Associates Direct responsibility and liability for HIPAA violations Subject to the same civil and criminal penalties It is the responsibility of the business associate to notify the health care provider. The healthcare provider is responsible for notifying the patient. Business associate agreements should be revised to reflect these changes.

Breach Notification (to the individual) Covered entities must notify affected individuals. Notification must be made within 60 days of recovery If 10+ parties are unreachable, notification must be listed publicly If more than 500 are affected notice must be provided via major media outlets. HHS must be notified immediately. All breaches must be reported annually to HHS.

Reporting Requirements for Licensed Health Facilities Includes unauthorized access to, or use or disclosure of patient’s medical information Notify affected patient Notify CDPH within 5 days of detection –Administrative penalties may be reduced or waived if the facility can show they had the necessary measures in place to prevent and detect violations by individual employees. –Facility will be fined $100/day for non-reporting after 5 days. –Detected by the facility has been defined as; a manager, supervisor, compliance officer, privacy officer or someone in a responsible position has knowledge of events constituting a breach.

Recommendations Pouch Services Audit of disclosures - Box/file tracking by barcode label shows who requested what and when. Monthly shred consoles or bins – protects PHI from unauthorized access prior to certified destruction. Professional Records Management Company –Shares burden and liability or protecting patient health information. –Partnering with a RIM professional shows you are taking adequate security measures to protect information. Will likely factor into assessment of penalties.