Arkansas Healthcare Association of Access Managers 2009 Fall Meeting November 19, 2009.


TOPICS HIPAA Revisions Security Breach & Red Flags Rule EMTALA

HIPAA The American Recovery and Reinvestment Act of 2009 contained several revisions to the HIPAA regulations. Some of these revisions became effective in 2009, and others will be implemented over the next few years.

HIPAA REVISIONS PENALTIES (effective now)

HIPAA Penalties The revisions clarify that criminal penalties will also be extended to employees of Covered Entities. Civil money penalties have been increased and will be tiered based on the type of violation. Monies received from penalties or settlements will be transferred to the Office for Civil Rights, and by 2012, individuals who are harmed by HIPAA violations will be able to receive a percentage of these monies as damages.

HIPAA Penalties Unknowing violations: $100 to $50,000 per violation, up to a maximum of $1,500,000 per year. Violations due to reasonable cause: $1,000 to $50,000 per violation, up to a maximum of $1,500,000 per year. Violations due to willful neglect (if the violation is corrected): $10,000 to $50,000 per violation, up to a maximum of $1,500,000 per year. Violations due to willful neglect (that are not corrected): at least $50,000 per violation, up to a maximum of $1.5 million per year. Note, the limits refer to “violations of an identical requirement or prohibition.” So, if there is more than one type of violation, penalties may be dramatically increased.

HIPAA REVISIONS BREACH NOTIFICATION REQUIREMENTS (effective now)

Breach Notification Requirements Covered Entities are now required to notify affected individuals of a Breach of unsecured PHI.

Breach Notification Requirements A “Breach” means a use or disclosure of PHI in a manner not allowed under the HIPAA regulations that poses a significant risk of financial, reputational or other harm to the affected individuals. “Unsecured PHI” is PHI that has not been encrypted, destroyed or otherwise made unreadable to unauthorized individuals.

Breach Notification Requirements If a HIPAA violation occurs, a “risk assessment” must be performed to determine whether the violation was also a Breach (whether the impermissible use or disclosure results in a serious risk of harm).

Breach Notification Requirements Risk assessments should be fact specific and must be documented. Documentation must be kept for 6 years and must include whether the incident was determined to be a Breach and the reason for the determination.

Breach Notification Requirements Exceptions to Breach: 1. Unintentional use or disclosure by an employee acting within the scope of employment if no additional use or disclosure occurs. 2. Inadvertent disclosure from one authorized person to another authorized person at the Covered Entity. 3. Unauthorized disclosure if the person who received the disclosure couldn’t reasonably be expected to keep or remember the information.

Breach Notification Requirements If a Breach has occurred, steps must be taken to reduce harmful effects of the Breach. Examples include: notifying law enforcement; contacting affected individuals; updating security, changing pass codes, etc.

Breach Notification Requirements Risk assessments and actions to mitigate must be taken in a timely manner. A Breach is “discovered” when the incident is discovered, not when there is a determination that the incident was a Breach. Notice must be provided as soon as reasonably possible, within a maximum of 60 days – unless law enforcement requests a delay.

Breach Notification Requirements Notice to Individuals: 1. Written notice, in clear language; 2. Description of the incident; 3. Description of the information involved; 4. Description of the investigation and what is being done to mitigate harm; 5. Steps individuals should take to protect themselves; 6. Contact procedures for obtaining additional information.

Breach Notification Requirements Notice to Individuals: Must be sent by first-class mail. Substitute notice may be provided if contact information is out-of-date (website, newspapers, radio or TV). Notice on the website must be posted for 90 days.

Breach Notification Requirements Notice to the Media: If a Breach involves more than 500 residents of a state or jurisdiction (city or county), notice to the media must be provided in addition to individual notice.

Breach Notification Requirements Notice to the Secretary of HHS: If a Breach involves 500 or more individuals (regardless of where they are located), the Secretary of HHS must be notified at the same time and in the same manner as individuals. If a Breach involves fewer than 500 individuals, a log of the Breach must be maintained. This log must be submitted to the Secretary annually.

Breach Notification Requirements All members of the Covered Entity’s workforce (employees, medical staff, students, contractors, etc.) must be trained on identifying and reporting possible Breaches. Policies for identifying and responding to Breaches must be established, and these policies must provide for sanctions if individuals fail to comply.

New HIPAA Provisions ACCOUNTING for Disclosures (coming soon)

Accounting for Disclosures If Covered Entities use electronic health records, they will soon have to begin accounting for disclosures for treatment, payment and health care operations. Individuals have a right to receive an accounting of these disclosures for three years. A reasonable fee may be imposed when an individual requests an accounting of these types of disclosures, but it cannot exceed the entity’s labor cost in responding to the request.

Accounting for Disclosures Covered Entities with electronic health records as of January 1, 2009, must comply on and after January 1, Covered Entities that begin using electronic health records after January 1, 2009 must comply on the later of January 1, 2011 or the date they acquire the electronic health record.

HIPAA Preview of Coming Attractions: Penalties will apply to Business Associates in the same manner as they apply to Covered Entities. Covered Entities will be required to comply with requests not to disclose PHI for treatment, payment or healthcare operations if the PHI pertains solely to health care paid in full by the individual, out-of-pocket. Disclosures must be limited to the limited data set or “minimum necessary” to accomplish the purpose of the disclosure. There will be new marketing restrictions, and individuals will have to be given the opportunity to opt out of fundraising activities.

HIPAA Preview of Coming Attractions: DHHS will establish a method for individuals who are harmed by HIPAA violations to receive a percent of civil money penalties collected. State Attorneys General will be able to sue Covered Entities for HIPAA violations on behalf of state residents. The OIG will begin performing random audits to make sure that Covered Entities and Business Associates are in compliance with HIPAA.

HIPAA Preparing for Change: Update HIPAA Policies; Update Business Associate Agreements; Revise Notices of Privacy Practices; Re-train Employees.

Questions about HIPAA?

SECURITY BREACH

SECURITY BREACH A security breach, under Arkansas law, is unauthorized acquisition of data that compromises the security, confidentiality or integrity of personal information, such as a patient’s medical record or account information. The good faith acquisition of personal information by an employee for the legitimate purposes of the business is not a security breach so long as the information is not otherwise used or subject to further unauthorized disclosure.

SECURITY BREACH “Personal information” means an individual's first name or first initial and his or her last name in combination with any of the following: a. Social security number; b. Driver's license or Arkansas identification number; c. Account number, credit card number, or debit card number and any security code, or password; and d. Medical information. “Records” means any material that contains sensitive personal information in electronic form. “Records” does not include any publicly available directories containing information an individual has voluntarily consented to have publicly listed, such as name, address, or phone number.

SECURITY BREACH Arkansas requires businesses that maintain “personal information” (account information, medical information, etc.) about Arkansas residents to implement and maintain reasonable security procedures and practices appropriate to protect this information from unauthorized access, destruction, use, modification or disclosure.

SECURITY BREACH Arkansas also requires businesses to disclose security breaches to the affected individuals. The disclosure must be made “without unreasonable delay.” Notification may be delayed only if a law enforcement agency determines that notification will impede a criminal investigation.

Federal Law – Red Flags Rule Requires “Creditors” to implement an identity theft prevention program. Creditor has been broadly defined to include anyone that regularly grants the right to defer payment of a debt – this includes the majority of hospitals and physician practices.

Federal Law – Red Flags Rule The Red Flags Rule requires: (i) written policies to address the protection and security of personal information of customers; (ii) routine audits to monitor for and identify unauthorized access; (iii) methods for notifying individuals and mitigating damages if identity theft occurs; and (iv) periodic review and revision of policies, if necessary.

Red Flags Rule DEFINITIONS: “Covered Account” - (i) an account that involves multiple payments or transactions, including one or more deferred payments; or (ii) an account that has a reasonably foreseeable risk of identity theft to customers or to the safety and soundness of the institution. “Identity Theft” - fraud that involves stealing money or receiving benefits by using another person’s identity. “Red Flag” – a pattern, practice or specific activity that indicates possible existence of identity theft.

Red Flags Rule Compliance: Perform a risk assessment to identify accounts that have a high risk of use in identity theft (“Covered Accounts”). Any patient account or payment plan that involves multiple payments would likely be a Covered Account. For healthcare providers this will include all patient accounts.

Red Flags Rule Compliance: Develop policies and procedures to address the protection and security of personal information of customers; Perform routine audits to monitor for and identify unauthorized access; and Notify individuals and mitigate damages if a security breach occurs.

Red Flags Rule Four Main Requirements: Identify red flags; Detect red flags; Respond to red flags; Update the program as needed.

Red Flags Rule Examples of Red Flags: Suspicious or altered documents. Identification cards that are inconsistent with the person’s appearance. Failure or refusal to provide identifying information. Inability to verify insurance information. Notice from a patient of possible identity theft. Routine audit reveals unauthorized account access.

Red Flags Rule Examples of Red Flags: Medical information provided by the patient differs from that in the medical record. Family members or friends reveal suspicious information to staff members, such as calling the patient by a different name. Reports from patients that they received bills for services that were not received.

Red Flags Rule Detect Relevant Red Flags: Once relevant Red Flags have been identified, procedures must be adopted to detect Red Flags so appropriate responses may be implemented.

Red Flags Rule Detect Relevant Red Flags: All appropriate employees must be educated on identifying relevant Red Flags and notifying the appropriate individual any time a Red Flag is detected.

Red Flags Rule Detect Relevant Red Flags: Measures to detect Red Flags should be based on the risk assessment. Examples include: Collecting identifying information each time a new account is opened; Viewing a photo ID or insurance card; Comparing patient information with information already contained in existing records.

Red Flags Rule Detect Relevant Red Flags: For providers who do not deal directly with patients, an alternate method of verifying the patient’s identity should be used. This might include contacting patients, patient representatives, and/or insurance companies to confirm validity of information received, or requesting copies of identifying information used by the patient referral source.

Red Flags Rule Detect Relevant Red Flags: Any time a Red Flag is detected: * The event should be documented; * The appropriate individual should be notified; and * An investigation should be conducted.

Red Flags Rule Response to Red Flags: The response to Red Flags should be based on the results of the investigation. Responses should be geared toward mitigation of harmful effects.

Red Flags Rule Response Examples: Contact the patient; Notify law enforcement; Correct the medical record; Correct the account; Change passwords or security codes; Update computer security; Determine no action is necessary.

Red Flags Rule Response: If an investigation leads to a reasonable belief that identity theft has occurred, affected individuals should be provided with information regarding: * The scope of the breach; * The information accessed; * How the information was used (if known); and * Actions taken to remedy the situation.

Red Flags Rule Documentation: All incidents of actual or suspected identity theft must be documented. This documentation must be maintained for 5 years after the account is closed or becomes dormant.

Red Flags Rule Documentation should include: Identifying information about the individual; A description of any document relied on to verify identity; A description of any additional measures used to verify identity; and A description of the discrepancies discovered.

Red Flags Rule Updates -- Periodic risk assessments must be performed and policies updated in response to: New accounts; Changes in business practices; Experiences with identity theft; Changes in methods to detect, prevent and mitigate identity theft; or Changes in identity theft experienced by the industry.

Red Flags Rule Compliance Reports: Periodic compliance reports must be provided to the governing body. These reports must detail the effectiveness of the policy, recommendations for policy revisions, any incidents of identity theft and the actions taken in response.

QUESTIONS about RED FLAGS?

EMTALA

3 Primary Requirements: Medical Screening Exam (MSE); Necessary Stabilizing Treatment; Appropriate Transfer.

MSE Must perform on anyone who “Comes to the Emergency Department” and requests examination or treatment of a medical condition in order to determine whether an emergency exists. The MSE must be appropriate for the patient’s symptoms, within the hospital’s capabilities.

EMTALA “Comes to the Emergency Department” means: Presents at the hospital’s dedicated ED and requests an exam or treatment; Presents on hospital property, other than the ED, and requests exam or treatment for what may be an emergency; Is in an ambulance owned and operated by the hospital for exam and treatment, but is not on hospital grounds; or Is in a non-hospital-owned ambulance on hospital property for exam and treatment of a medical condition.

NO DELAY IN TREATMENT An MSE (and necessary stabilizing treatment) may not be delayed to inquire about method of payment or insurance status.

NO DELAY IN TREATMENT Insurance authorization may not be done until after appropriate screening and necessary stabilizing treatment are provided.

NO DELAY IN TREATMENT Registration procedures may be followed so long as they do not delay medical screening or treatment. The registration process may not discourage individuals from remaining for further evaluation.

NO DELAY IN TREATMENT CMS has indicated that any procedures, signs, etc., that induce an individual to leave the ED before they receive an MSE place the hospital at risk of an EMTALA violation.

NO DELAY IN TREATMENT If ED patients who do not have emergencies are expected to pay for services at the time of treatment, such financial discussions should not occur until after the patient has received an MSE and it has been determined that no emergency condition exists.

NO DELAY IN TREATMENT A hospital was recently fined for violating EMTALA because a patient with chest pain left the ED without treatment after he read a sign which stated payment for non-emergency conditions was expected at the time of service.

What is an MSE? Determines whether or not an emergency medical condition exists. More than initial screening or triage. “The process required to reach, with reasonable clinical confidence, the point at which it can be determined whether a medical emergency does or does not exist.” Can be brief and simple or very complex, depending on the patient.

What is an Emergency Medical Condition? A medical condition with acute symptoms of sufficient severity (including severe pain) that absence of immediate medical attention could reasonably be expected to result in: Serious risk to an individual’s health; Serious impairment to bodily functions; or Serious dysfunction of an organ or body part

MSE If an individual Comes to the Emergency Department and requests an exam or treatment, and the nature of the request makes it clear that the medical condition is not an emergency, the hospital must only perform a screening that is appropriate for the patient to determine an emergency medical condition does not exist.

Who May Conduct an MSE? A person who is determined qualified by Hospital bylaws or rules and regulations to provide emergency care, & who can provide any necessary stabilizing treatment or an appropriate transfer, if an emergency medical condition exists.

EMTALA Under Arkansas Law: ONLY A PHYSICIAN CAN DETERMINE IF AN EMERGENCY MEDICAL CONDITION EXISTS

STABILIZING TREATMENT If any individual is determined to have an emergency medical condition, the Hospital must either: Stabilize the medical condition (within its capabilities); OR Transfer the individual to another facility in accordance with the regulations.

EMTALA A hospital’s EMTALA obligation ends when a physician has made a decision that: No emergency exists; That an emergency exists which requires transfer to another facility, or the patient requests transfer to another facility; or That an emergency exists and the patient is admitted to the hospital for further stabilizing treatment.

ON-CALL PHYSICIAN If the emergency department physician determines an on-call specialist physician’s services are necessary, and the on-call physician is notified and fails or refuses to appear within a reasonable time and transfer is ordered, both the hospital & the on-call physician are at risk for violating EMTALA.

PENALTIES Penalties for EMTALA violations include fines of up to $50,000 per violation, and termination from the Medicare and Medicaid programs.

Friday, Eldredge & Clark, LLP Jennifer Smith (501) Lynda Johnson (501)