HIPAA Update: So what’s new with HIPAA?? And, what does it have to do with you? Ellen Cannon, WV DHHR HIPAA Privacy Officer WV Attorney General’s Office.
Presentation transcript:

HIPAA Update: So what’s new with HIPAA?? And, what does it have to do with you? Ellen Cannon, WV DHHR HIPAA Privacy Officer WV Attorney General’s Office Consumer Protection Division

Show me the money!
- $2B to ONC
- $17.2B for EHR incentives through Medicare/Medicaid
- $4.7B for the National Telecommunications and Information Administration's Broadband Technology Opportunities Program
- $2.5B for USDA's Distance Learning, Telemedicine and Broadband Program

Even More Money!
- $1.5B for health centers from HRSA
- $1.1B for comparative effectiveness research within AHRQ, NIH and HHS
- $85M for Health IT within the Indian Health Service
- $500M for SSA
- $50M for IT within the VA

New HIPAA Provisions
- Major impact on HIPAA Business Associates
- New breach notification requirements
- Greater patient and consumer rights
- More aggressive enforcement
Note: most provisions effective February 2010

When you leave here, will you know all of the new HIPAA requirements? NO! Do you have 5 hours??
- HHS is still in the interpretive process
- Guidance and regs are forthcoming

New HIPAA Business Associate Requirements
- Feds have increased control over BAs (vendors to HIPAA covered entities, such as a billing company)
- Civil and criminal penalties now apply directly
- Makes certain HIPAA privacy and security regs apply directly to BAs
- Makes clear that PHR and HIE vendors are BAs
- Requires a BA to notify the covered entity of a breach without unreasonable delay, but no later than 60 days

New Breach Notification Requirements for Covered Entities and PHRs
- Must notify impacted individuals without unreasonable delay, but no later than 60 days
- If more than 500 individuals are impacted, the Secretary of HHS and the media must be given notice. If fewer than 500, annual reports must be made to HHS
- HHS will "out" those involved in breaches affecting more than 500 individuals on a website and will notify Congress
- New breach notification requirements for PHRs

New Consumer Rights
- Covered entities, such as a primary care center, hospital, physician or health plan, will need to be able to restrict disclosure of health information for payment or operations if a consumer requests the restriction and pays out of pocket.
- For many medical care providers this one may be difficult. Coding may be needed to prevent billing information from going to insurance plans.

New Consumer Rights Cont'd
- For covered entities that have an EHR, they, or their vendor, will need to respond to a consumer's request for an accounting of all disclosures for TPO for the 3 years prior.
- For entities with an EHR prior to January 2009, this applies to disclosures after January
- Regulations interpret EHRs to be more than physician records.

New Consumer Rights Cont'd
- For covered entities that have an EHR, they will also have to provide an individual with a copy of their health information in electronic format, upon request.
- OCR will develop national and regional initiatives to support consumer education around privacy and security requirements and uses of health information.

New Requirements
- Prohibits a covered entity or business associate from receiving remuneration in exchange for PHI without individual authorization. Exceptions: public health, research, treatment, sale of a business, BA activities, individual access, etc.
- New restrictions around marketing and fundraising. Targets communications paid for by third parties, such as drug companies.
- OCR will issue new guidance regarding limitation of uses, disclosures and requests for PHI to a limited data set or, if necessary, to the minimum necessary information. Existing exceptions remain in force.

Enforcement Changes
- Individuals can be prosecuted for criminal violations
- Creates 4 tiers of violations, ranging from cases where the individual did not know of the violation to willful neglect that is not corrected
- Penalties range from $100 to $50K+ per violation, with an annual limit of $1.5M
- State AGs can now bring suit
- HHS will develop a process to share money penalties or settlements with harmed individuals
- Periodic audits of covered entities and BAs by HHS

Covered Entities Should Develop an Action Plan
- Conduct a self-assessment against the new requirements
- Update the risk assessment
- Update policies and procedures; revise breach reporting and notification procedures
- Evaluate the impact of HHS guidance re encryption, etc., and determine how PHI will be secured
- Update business associate agreements
- Conduct staff training

Enforcement Changes
- Four categories of violations, with increasing levels of culpability;
- Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
- A maximum penalty amount of $1.5 million for all violations of an identical provision.
- Striking the previous bar on the imposition of penalties if the covered entity did not know, and with the exercise of reasonable diligence would not have known, of the violation (such violations are now punishable under the lowest tier of penalties); and
- Prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.
All of the above effective on February 18, 2009

Civil Monetary Penalties
The CMPs are significantly increased:
- From $100 for each violation to $1,000 per violation for a violation due to "reasonable cause and not to willful neglect" (with a maximum penalty of $100,000);
- $10,000 for each violation that was due to willful neglect and is corrected (subject to a $250,000 maximum penalty); and
- $50,000 for each violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year).

HITECH Act Rulemaking and Implementation Update 3/15/10
OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

HITECH Act Rulemaking and Implementation Update 3/15/10 (Cont.)
However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

Breach Notification Rules have been published
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
OCR Breach Notification web site: ive/breachnotificationrule/index.html

Breach Does Not Mean
- any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed by any person;
- or any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, where any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person;
- or a disclosure where the covered entity or business associate has a good faith belief that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information.

Unsecured Protected Health Information
Covered entities and business associates must only provide the required notification if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.

Guidance: Unsecured Protected Health Information and Guidance
This guidance was issued in April: nistrative/breachnotificationrule/brguidance.html

Use Encryption
- Data in Transit: use the encryption program.
- Data at Rest: use whole drive encryption.
- Data at Rest: use encryption for CDs, DVDs, and jump or thumb drives.
You need to be aware of data use and manage the security of the data. Consider the cost of notification against the purchase price of security.

CLIA Program and HIPAA Privacy Rule; Patients' Access to Test Reports
- NPRM open for comment until no later than 5 p.m. on November 14,
- HITECH created a Federal advisory committee known as the Health Information Technology (HIT) Policy Committee, which can look at barriers to implementing an interoperable, nationwide health information infrastructure.
- The committee recommended that the CLIA exemption from provision of information to the patient is a barrier to the exchange of data and should be taken down.
- Amends CLIA regulations to specify that, upon a patient's request, the laboratory may provide access to completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient.
- Removes an exemption from HIPAA so that CLIA labs that are HIPAA covered entities must comply with HIPAA.

Ellen Cannon, HIPAA Privacy Officer
Phone
FAX
WV DHHR, State Capitol Complex, Bldg 3, Room 215, Charleston, WV
Original presentation prepared by Sallie Milam, JD, CIPP/G, and Samantha Stamper