Impact of HITECH Act on HIPAA and the Interface with New Hampshire Privacy Law
Cinde Warmington, Shaheen & Gordon, P.A., 107 Storrs Street, P.O. Box 2703, Concord, NH



Understanding HITECH
This presentation is for informational purposes only. It does not constitute legal advice. You should seek the advice of counsel if you need legal assistance.

HITECH
The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009. It contains provisions affecting HIPAA, including breach notification requirements. The interim final rule on breach notification was published in the Federal Register on August 24, 2009 and became effective September 23, 2009. Sanctions will not be imposed for failure to comply with the notification requirements for breaches discovered before February 22, 2010.

Breach Notification Requirements
Prior to HITECH, there was no affirmative duty under HIPAA to notify an individual that protected health information (PHI) had been breached, unless the breach involved "personal information" as defined under NH law and notification was required under RSA 359-C:20.
- HIPAA does include a duty to mitigate harm (which may require notification of the individual); and
- HIPAA does include a duty to keep an accounting of certain disclosures, which individuals can request;
- but there was no explicit duty to notify individuals of a breach.

Breach Notification Requirements
HITECH imposes an affirmative duty to notify each individual whose "unsecured PHI" is breached:
"A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of a breach." 45 CFR §

What is a breach?
"Breach" means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under HIPAA which compromises the security or privacy of the PHI. "Compromises the security or privacy of the PHI" means poses a significant risk of financial, reputational, or other harm to the individual. 45 CFR § (1)(i)

What is "unsecured" protected health information?
PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance issued by the Secretary of DHHS. 45 CFR §
Approved technologies/methodologies:
- Encryption
- Destruction

Encryption
Encryption means "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." 45 CFR §
The safe harbor also requires that the confidential process or key has not been breached: if the key (or the passphrase, token or device that unlocks it) was lost or exposed together with the data, the PHI is not "secured" and the breach analysis proceeds as it would for unencrypted data.

Encryption
Valid encryption processes for "data at rest" are those set forth in the NIST Special Publication referenced in the DHHS guidance. Valid encryption processes for "data in motion" must comply with Federal Information Processing Standard 140-2 (FIPS 140-2). In practice, FIPS 140-2 is a validation standard for the cryptographic module, not a protocol, so a compliant deployment pairs a validated module with a current transport configuration (for example TLS or IPsec) as described in the NIST publications the guidance cites.

Valid Destruction Processes
- Paper, film or other hard-copy media must be shredded or destroyed in such a way that the PHI cannot be read or otherwise reconstructed.
- Electronic media must be cleared, purged or destroyed, consistent with the NIST Special Publication on media sanitization referenced in the DHHS guidance, so that the PHI cannot be retrieved. Deleting files or reformatting a drive does not clear or purge the media.

Is there a breach?
If the PHI is encrypted or destroyed through a means specified in DHHS guidance, disclosure of the PHI will not result in a breach, and therefore no notification is required.

Is there a breach?
Does the improper acquisition, access, use or disclosure compromise the security or privacy of the PHI? In other words, does it pose a significant risk of financial, reputational or other harm to the individual? The covered entity (or business associate) must perform a risk assessment.

Factors to be considered in performing the risk assessment
- Who used the PHI?
- Who received the PHI? Was the disclosure to another covered entity?
- Is there evidence that the information was actually accessed?
- What was the nature of the information disclosed?
- Was the covered entity able to take immediate steps to mitigate the harm?

Examples from the preamble to the Interim Final Rule
- If the disclosure was to another covered entity, there may be less risk of harm to the individual.
- If a lost or stolen laptop is returned and testing (forensic examination) shows the PHI was not accessed, the risk of harm is lessened.
- If the PHI included only limited information not likely to cause harm (e.g., the patient's name and the name of the hospital where the patient was treated), the risk of harm is lessened.
- If the covered entity obtains immediate assurances from the recipient that the PHI will not be further disclosed and will be destroyed, the risk of harm may be lessened.

Risk Assessment
- Each risk assessment will be individual and fact-specific.
- The covered entity or business associate must document the risk assessment and the factors considered to support its conclusions.
- The burden of proof is on the covered entity or business associate to show that no breach has occurred.
- If there is no significant risk of harm, no breach notification is required.

Breach Notification Requirements: Timeliness
- If the covered entity determines there is a breach, each individual must be notified without unreasonable delay, but no later than sixty (60) days after discovery.
- If a business associate determines there is a breach, it must notify the covered entity.

Breach Notification Requirements: When is the breach discovered?
On the first day the covered entity or business associate knows of the breach, or would have known of it had it exercised reasonable diligence. The 60-day clock runs from that day, not from the day the investigation concludes.

Breach Notification Requirements: Content
The covered entity's written notification of the breach must include:
- a brief description of what happened;
- the date of the breach and the date of discovery of the breach, if known;
- a description of the information disclosed;
- any steps individuals should take to protect themselves;
- a brief description of what the covered entity is doing to investigate the breach, mitigate any harm and prevent future breaches; and
- a toll-free number, e-mail address, website or postal address where individuals can obtain additional information.

Plain Language
The notice must be written in plain language:
- Reasonable steps must be taken to ensure meaningful access for individuals with limited English proficiency (translation may be required).
- Effective communication with individuals with disabilities must be ensured (the notice may have to be provided in Braille, large print or audio).

Methods of Notification
Written notice must be:
- by first-class mail to the last known address, or by e-mail if the individual has agreed to electronic notice*;
- to the next of kin or personal representative if the individual is deceased and that address is known.
*Covered entities may want to start obtaining this consent at the time of patient registration.

Substitute Notice
If contact information is insufficient or out-of-date, substitute notice must be provided. Substitute notice is not required if the person is deceased and there is insufficient contact information for the next of kin or personal representative.

Substitute Notice
If there is insufficient or out-of-date contact information for fewer than 10 individuals, substitute notice can be provided by an alternative form of written notice, by telephone or by other means.

Substitute Notice: From a practical perspective, what does this mean?
- If the covered entity does not have a valid street address but does have an e-mail address, the e-mail address can be used, without the individual's consent.
- If the covered entity has a phone number but neither an e-mail nor a street address, the individual can be notified by telephone.
- It may not be immediately clear whether there are more or fewer than ten individuals with insufficient contact information (returned mail may be the first indication that the information is out-of-date).

Substitute Notice
If there is insufficient or out-of-date contact information for 10 or more individuals, substitute notice shall be either:
- a conspicuous posting for 90 days on the home page of the covered entity's website; or
- a conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals are likely to reside.
Either form must include a toll-free number where an individual can learn whether his or her information may have been breached.

Substitute Notice: Practical concerns regarding the cost of providing notice with a toll-free number
Since the public notice will not identify the 10 or more affected individuals, it may prompt a deluge of calls from unaffected individuals, at substantial cost to the covered entity. DHHS notes that the toll-free number is statutorily required, but suggests that the notice can also include another means by which a person can determine whether he or she is affected by the breach.

Notice in Urgent Situations
In addition to written notice, the covered entity may provide notice by telephone if the situation is urgent because of possible imminent misuse of the PHI.

Breaches Involving More Than 500 Residents
For breaches involving more than 500 residents of a State or jurisdiction:
- The covered entity must notify prominent media outlets in that State or jurisdiction.
- Notice must be given without unreasonable delay, but no later than sixty (60) days after discovery of the breach.
- The notification must include the same information that is given to the individuals (but would not identify the individuals).
- The notice would most likely take the form of a press release.

Notification to the Secretary of DHHS
- For breaches involving 500 or more individuals, the covered entity must notify DHHS at the same time the individuals are notified.
- For breaches involving fewer than 500 individuals, the covered entity must maintain a log of breaches and submit it annually to the Secretary, within 60 days after the end of the calendar year.

Administration
- The covered entity must train its workforce.
- The covered entity must have appropriate sanctions for workforce members who fail to comply with its privacy policies.
- The covered entity must update its policies and procedures.
- The covered entity must revise its Business Associate Agreements.

Notification by Business Associate
- The business associate must notify the covered entity of a breach without unreasonable delay, but no later than sixty (60) days after discovery.
- The notification shall include the identification of each individual whose PHI has been breached.
- The business associate must provide the covered entity with any additional information needed for the notice described above, either at the time of notification or promptly thereafter as the information becomes available.

NH State Law: RSA 359-C:20
Requires notification of individuals in the event of a security breach of computerized personal information if there is a determination that misuse of the information has occurred or is likely to occur, or if such a determination cannot be made. Health care providers must also notify the Attorney General's office.

NH State Law: RSA 359-C:20
"Personal information" is more limited than PHI. It means an individual's first name or initial and last name in combination with any of the following data elements, when either the name or the data element is not encrypted:
- Social Security number;
- driver's license number or other government identification number; or
- account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the individual's financial account.

NH State Law: RSA 359-C:20 Notification Requirements
- Written notice;
- Electronic notice (if that is the primary means of communication with the individual); or
- Telephonic notice (a log must be kept).
HIPAA, by contrast, requires written notification.

NH State Law: RSA 359-C:20 Substitute Notice
If the cost of providing notice would exceed $5,000*, or the affected class of individuals exceeds 1,000*, or there is insufficient contact information to provide notice, then substitute notice can be given via:
o e-mail;
o conspicuous posting on the website; or
o notification to major statewide media.
*Where HIPAA also applies, its breach notification requirements will preempt these thresholds.

NH State Law: RSA 359-C:20 Notice Contents*
- General description of the incident;
- Approximate date of the breach;
- Type of information involved; and
- Telephone contact information that the affected person can call.
*The notice will also need to comply with the HIPAA requirements.
If more than 1,000 persons are affected, all consumer reporting agencies must also be notified without unreasonable delay (but this notice is not required to include the names of the affected persons).

HIPAA/State Law Interface
See the decision matrix attached as a PDF document.
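The attached decision matrix is not reproduced on this page. What follows is an added example (it is not the firm's matrix and not part of the original presentation) that encodes the federal thresholds and deadlines from the preceding slides, together with the RSA 359-C:20 conditions, into one function, so that the interaction between the two regimes can be checked for a given set of breach facts. It implements the harm standard exactly as stated on these slides (the 2009 interim final rule; the 2013 Omnibus Rule later replaced it with a presumption of breach). The field names, the constructed sample breaches, and the simplification that a single "encrypted" flag satisfies both the DHHS guidance and the NH statute's encryption exception are the editor's assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and deadlines as stated on the slides (interim final rule, 2009; RSA 359-C:20).
NOTICE_DAYS = 60                   # individual, media and BA-to-CE notice: no later than 60 days after discovery
SUBSTITUTE_SPLIT = 10              # fewer than 10 bad addresses -> alternative written/phone notice
MEDIA_THRESHOLD = 500              # MORE than 500 residents of one State -> prominent media outlets
HHS_IMMEDIATE_THRESHOLD = 500      # 500 OR MORE individuals -> DHHS at the same time as the individuals
NH_CREDIT_AGENCY_THRESHOLD = 1000  # more than 1,000 affected -> NH consumer reporting agency notice

# Data elements that, combined with a name, make a record NH "personal information".
NH_PERSONAL_DATA = {"ssn", "drivers_license", "government_id", "financial_account_with_access_code"}


@dataclass
class Breach:
    discovered: date                       # first day known, or should have been known with reasonable diligence
    individuals_by_state: dict             # e.g. {"NH": 1200, "ME": 15}
    data_elements: set                     # e.g. {"name", "ssn", "diagnosis"}
    encrypted: bool                        # encrypted per the DHHS guidance (assumption: same flag serves RSA 359-C:20)
    key_compromised: bool = False          # safe harbor is lost if the key or confidential process was breached too
    significant_risk_of_harm: bool = True  # conclusion of the documented risk assessment
    nh_misuse_ruled_out: bool = False      # NH notice is due unless misuse is affirmatively determined unlikely
    bad_contact_info: int = 0              # individuals with insufficient or out-of-date contact details
    nh_health_care_provider: bool = False


def is_secured(b: Breach) -> bool:
    """HITECH safe harbor: encrypted per guidance AND the confidential process/key was not breached."""
    return b.encrypted and not b.key_compromised


def is_nh_personal_information(b: Breach) -> bool:
    """RSA 359-C:20 reaches only name + SSN/DL/government ID/financial account, and only if unencrypted."""
    return "name" in b.data_elements and bool(b.data_elements & NH_PERSONAL_DATA) and not is_secured(b)


def notification_plan(b: Breach) -> dict:
    """Return the notification obligations for one breach as flags, a deadline and a list of actions."""
    total = sum(b.individuals_by_state.values())
    deadline = b.discovered + timedelta(days=NOTICE_DAYS)
    plan = {"hipaa_breach": False, "nh_notice": False, "deadline": deadline, "actions": []}
    act = plan["actions"].append

    # --- Federal analysis (HITECH breach notification rule as summarised on the slides) ---
    if is_secured(b):
        act("No HIPAA breach: PHI was secured per DHHS guidance; document the safe-harbor determination.")
    elif not b.significant_risk_of_harm:
        act("No HIPAA breach under the harm standard; retain the documented risk assessment (burden of proof is on the CE/BA).")
    else:
        plan["hipaa_breach"] = True
        act(f"Written first-class-mail notice to each of {total} individuals by {deadline.isoformat()} (without unreasonable delay).")
        if 0 < b.bad_contact_info < SUBSTITUTE_SPLIT:
            act(f"Substitute notice for {b.bad_contact_info} individuals: alternative written notice, telephone or other means.")
        elif b.bad_contact_info >= SUBSTITUTE_SPLIT:
            act(f"Substitute notice for {b.bad_contact_info} individuals: 90-day conspicuous home-page posting "
                "or major print/broadcast media, with a toll-free number.")
        for state, n in b.individuals_by_state.items():
            if n > MEDIA_THRESHOLD:
                act(f"Notify prominent media outlets in {state} ({n} residents) by {deadline.isoformat()}.")
        if total >= HHS_IMMEDIATE_THRESHOLD:
            act("Notify the Secretary of DHHS at the same time as the individuals.")
        else:
            act("Record in the breach log; submit to DHHS within 60 days after the end of the calendar year.")

    # --- New Hampshire RSA 359-C:20 (evaluated independently of the HIPAA outcome) ---
    if is_nh_personal_information(b) and not b.nh_misuse_ruled_out:
        plan["nh_notice"] = True
        act("RSA 359-C:20 notice also required; where HIPAA notice is also due, HIPAA's content and method requirements control.")
        if b.nh_health_care_provider:
            act("Notify the NH Attorney General's office.")
        if total > NH_CREDIT_AGENCY_THRESHOLD:
            act("Notify all consumer reporting agencies without unreasonable delay (names of affected persons not required).")
    return plan


# Constructed sample breaches (not real incidents), all discovered 1 March 2010.
SAMPLE_BREACHES = {
    "encrypted_laptop": Breach(date(2010, 3, 1), {"NH": 300}, {"name", "ssn", "diagnosis"}, encrypted=True),
    "small_spreadsheet": Breach(date(2010, 3, 1), {"NH": 40}, {"name", "ssn"}, encrypted=False,
                                bad_contact_info=3, nh_health_care_provider=True),
    "large_export": Breach(date(2010, 3, 1), {"NH": 1200, "ME": 15}, {"name", "ssn"}, encrypted=False,
                           bad_contact_info=30),
    "low_harm_but_nh": Breach(date(2010, 3, 1), {"NH": 5}, {"name", "ssn"}, encrypted=False,
                              significant_risk_of_harm=False),
}

if __name__ == "__main__":
    for name, breach in SAMPLE_BREACHES.items():
        print(f"== {name} ==")
        for line in notification_plan(breach)["actions"]:
            print("  -", line)
```

The fourth sample is the case the interface matters most for: the covered entity's risk assessment finds no significant risk of harm, so no HIPAA notice is due, yet because the record contains a name plus Social Security number and misuse cannot be ruled out, RSA 359-C:20 still requires notice. Conversely, the encrypted-laptop sample falls outside both regimes, but only while the key remains uncompromised; flipping `key_compromised` brings the full federal and state analysis back into play.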

Accounting for Disclosures
A new requirement to account for disclosures made for treatment, payment and health care operations applies to covered entities using an electronic health record (EHR).
Effective dates:
- By 1/1/2014 for EHRs acquired as of 1/1/2009.
- By the later of 1/1/2011 or the date the EHR is acquired, for EHRs acquired after 1/1/2009.
Individuals are entitled to receive an accounting of such disclosures for a period of three years. This accounting is of "disclosures", not "uses"; it is not the same as an audit trail.

"Minimum Necessary"
Covered entities must limit disclosures of PHI to a limited data set, rather than to the minimum necessary, to the extent practicable; this requirement will sunset when guidance concerning "minimum necessary" is issued. The Secretary shall issue guidelines on what constitutes "minimum necessary" by August 10, 2010.

Requested Restrictions
Currently, an individual can request restrictions on the use and disclosure of PHI, but the covered entity does not have to agree to such requests. Under HITECH, a covered entity must comply with a request if:
- the disclosure is to a health plan for payment or health care operations; and
- the PHI pertains to an item or service for which the health care provider has been paid out-of-pocket in full.
Effective February 2010.

Access to Information in an EHR
- An individual has a right to receive information stored in an EHR in an electronic format.
- If directed by the individual, the covered entity must transmit a copy to a person designated by the individual.
- The charge cannot exceed the labor cost of responding to the request.
Effective February 2010.

Marketing and Fundraising: HIPAA Changes (Effective 2/2010)
- If remuneration is received, an authorization is required, except in very limited circumstances.
- Marketing communications are not treated as health care operations, except for communications about treatment, case management, care coordination, alternative therapies, providers or care settings, or descriptions of the covered entity's own services.
- Fundraising communications will need to include a clear and conspicuous opportunity to opt out.

Marketing Changes: NH State Law (Effective 1/1/2010)
Under HB, "marketing" means:
(1) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made by the individual's health care provider:
o for treatment of the individual;
o for case management or care coordination for the individual;
o to direct or recommend alternative treatments, therapies, health care providers or settings of care; or
o for treatment-related reminders or health promotion activities by health care providers.
(2) An arrangement whereby the health care provider discloses PHI in exchange for payment so that a third party can make a marketing communication about its own products or services.
An authorization is required for any use or disclosure of PHI for marketing. To the extent State law is contrary to HIPAA and more protective of privacy, the State law is not preempted and continues to apply.

Fundraising: NH Law
Fundraising communications must include a clear and conspicuous opportunity to opt out of receiving such communications. Notice must be provided:
o 60 days prior to any fundraising communication; or
o in the Notice of Privacy Practices, if that notice is given prior to any fundraising communication;
o in any subsequent fundraising communication.
Once a person opts out, the opt-out is treated as a revocation of an authorization.

Marketing and Fundraising: NH Law Enforcement
An aggrieved individual may bring a civil action under RSA 332-I:4 or 332-I:5 and, if successful, shall be awarded special or general damages of not less than $1,000 for each violation, plus costs and reasonable legal fees. The interface between State and federal law is still to be determined.

Prohibition on the Sale of EHR/PHI
HITECH prohibits a covered entity from receiving direct or indirect remuneration in exchange for PHI unless the individual provides a valid authorization.
Exceptions:
o public health activities;
o research (where the price reflects the cost of preparing and transmitting the data);
o treatment of the individual;
o health care operations associated with the sale, merger or consolidation of the covered entity;
o payment by the covered entity for the services of a business associate; and
o providing the individual with a copy of his or her record.

Prohibition on the Sale of EHR/PHI
The Secretary is to promulgate regulations not later than 18 months after enactment. The prohibition becomes effective 6 months after the regulations are promulgated.

Business Associates
- The breach notification requirements apply.
- Security Rule sections 45 CFR §§ 164.308, 164.310, 164.312 and 164.316 (administrative, physical and technical safeguards, and policies, procedures and documentation) apply directly.
- The HIPAA provisions governing use and disclosure of PHI apply to business associates.
- Civil and criminal penalties now apply to business associates.
- Business associates will need to maintain an accounting of any disclosures from an EHR.

HIPAA Enforcement and Penalties: Categories of Violations and Respective Penalty Amounts Available

  Violation category (Section 1176(a)(1))     Each violation         All such violations of an identical provision in a calendar year
  (A) Did not know                            $100 - $50,000         $1,500,000
  (B) Reasonable cause                        $1,000 - $50,000       $1,500,000
  (C)(i) Willful neglect - corrected          $10,000 - $50,000      $1,500,000
  (C)(ii) Willful neglect - not corrected     $50,000                $1,500,000

HIPAA Enforcement and Penalties: Definitions
- "Reasonable cause" means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the [HIPAA] provision violated.
- "Reasonable diligence" means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
- "Willful neglect" means conscious, intentional failure or reckless indifference to the obligation to comply with the [HIPAA] provision violated.

HIPAA Enforcement and Penalties
- HITECH imposes a minimum penalty amount in each category.
- Previously, a covered entity had an affirmative defense if it did not know, and reasonably would not have known, of the violation; HITECH removes this affirmative defense.
- However, if the violation is not due to willful neglect and is corrected within 30 days of discovery (or of the date the covered entity should have known of it by exercising reasonable diligence), this is an affirmative defense.

HIPAA Enforcement and Penalties
- The Secretary retains discretion to limit or waive penalties in cases due to reasonable cause and not willful neglect.
- No later than 3 years after enactment, the Secretary shall establish a methodology under which an individual harmed by a violation may receive a percentage of the penalties collected.

Enforcement by State Attorneys General
State Attorneys General may bring a civil action on behalf of residents of the State who have been, or are threatened with being, adversely affected by any person violating the statute:
o the State may seek equitable injunctive relief;
o damages are calculated by multiplying $100 by the number of violations;
o the total amount of damages for identical violations in a calendar year is capped at $25,000; and
o the State may seek payment of attorney fees.