CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.

Presentation transcript:

CAHF 2010 HIPAA II and HITECH “Your Plan”
Rhonda Anderson, RHIA, President
Lizeth Flores, RHIT, Consultant
Anderson Health Information Systems, Inc., 940 W. 17th Street, Suite B, Santa Ana, CA 92706

Objectives
The participants will identify the following and what it means to you and your staff:
1. HITECH Final Rule: key points
2. Determining risks from a risk assessment in your organization
3. Policies and procedures, privacy and security: update
4. Steps to protect your organization
5. Security: who establishes access to records, and at what level?
6. Role of the Office for Civil Rights
7. What you should do to meet the HITECH requirements
8. Introduction to 'Meaningful Use'

Applicability
Breach notification applies to HIPAA covered entities and business associates (BAs) that access, maintain, modify, record, store, use, hold, or disclose secured PHI.

General Regulation
The Act requires that HIPAA covered entities (CEs) provide notification to affected individuals of a breach of unsecured PHI, and that CEs provide notification to the media of breaches in some situations!

Unsecured PHI – Breach by a BA
- The BA must notify the CE of the breach.
- The BA agreement must include notification and indemnification terms and a commitment to meet the requirements.
- HHS posts a list of CEs with breaches of unsecured PHI.

Exceptions
CEs and BAs that implement the specified technologies and methodologies with respect to safeguarding PHI are NOT required to provide notifications in the event of a breach of PHI.

Exceptions -2
CEs and BAs are not required to provide notification in the event of a breach of PHI IF the PHI is safeguarded using technologies and methods that render it not “unsecured” (reference: Federal Register Vol. 74, No. 162 (8/24/09), http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2009_register&docid=DOCID:fr24au09-10.pdf).

Applicability
New Subpart D to Part 164, Title 45, Code of Federal Regulations.

Breaches
Effective NOW; for BAs as of February 2010. All should begin sanctions as of February. Document efforts to meet compliance NOW, if not before!

Breach Notification Applies To
1. Business Associate Agreements
2. SB 541, 337 – California
3. Penalties

Vendors of a PHR
On occasion a PHR vendor is a BA or a CE. Notification made on behalf of the CE may, in part, satisfy the reporting requirements.

Requirements
On discovery of a breach of unsecured PHI, the CE notifies each individual whose unsecured PHI has been, or is believed to have been, accessed, acquired, used, or disclosed in the breach (45 CFR).

Breach Discovered
Discovered = the incident becomes KNOWN, not when the CE or BA concludes its analysis that a breach occurred.

Breach Treated As Discovered
On the first day the breach is known to the CE, OR would have been known by exercising reasonable diligence (45 CFR).

Breach “Discovered”
- When the clock starts: notifications in no case later than 60 calendar days.
- When a BA discovers a breach, it reports to the CE, and the clock starts for notification.

CE Ensures BA Contracts
BA contracts must include language regarding BA notification and requirements.

In-Service
CE and BA staff are trained: all staff trained and aware of the IMPORTANCE of timely reporting of privacy and security incidents.

Exceptions
Unintentional breach by a staff member or person acting for the CE or BA: the acquisition was made in good faith, within the scope of authority, with NO further use or disclosure.

Exceptions – Example #1 – Unintentional
A physical therapist reviews a record and realizes it is not the correct resident; the review was within the scope of the contract covering who they should be treating.

Exceptions – Example #2 – Inadvertent Disclosure
A person authorized to access PHI at a CE or BA discloses PHI to another person at the CE or BA; the PHI is not further used or disclosed.

Exceptions – Example #3 – Inadvertent Disclosure
The Director of Nursing receives an e-mail from a hospital, not intended for her, containing PHI; it is referred to the correct person and deleted.

Exceptions – Not Reasonably Able to Retain – Example #4
The unauthorized person to whom the disclosure was made is not reasonably able to retain the information: PHI given to an “unauthorized” person (wrong resident) is exchanged right away for the correct information.

Exception – Proof is On “U”
The CE or BA has the burden of proof to show that there was no breach, and why breach notice is not required. Document why the impermissible use or disclosure falls under an exception.

Limited Data Set & De-ID Information
CEs and BAs create limited data sets and de-identified PHI through redaction, if removal of identifiers results in information meeting the criteria of 45 CFR (e)(2) or (b) (H.O. #1). Exception: redacted PHI may not require notification because it cannot be identified to a resident.

Limited Data Set & De-ID Information -3
Loss or theft of redacted information does not require notification under the Rules, because the information is not PHI (i.e., it is de-identified), OR because redacted information does not compromise security and privacy, so there is no breach.

Limited Data Set
Created by removing direct identifiers from PHI. Include it in the risk assessment.

HHS Exception Statement
The narrow exception would not apply if, for example, the information contains zip codes, or contains birthdates and zip codes. Regarding identification: is there a risk of re-identification that poses a significant risk of harm to the individual?

Responsibility
The CE is not responsible for a breach by a third party unless the third party's role is as an agent of the CE or BA.

3rd Party Responsibility
- A 3rd party receives information provided by a BA or CE.
- Breach: the 3rd party used or disclosed it in a manner that is not permissible.
- Determine whether privacy and security were compromised.
- The 3rd party is responsible for complying with the Rule.
http://frwebgate2.access.gpo.gov/cgi-bin/TEXTgate.cgi?WAISdocID=oHkL0Q/0/1/0&WAISaction=retrieve

Limited Data Sets – Burden of Proof
PHI with no zip code or birthdate: show that the lost information did not include identifiers.

Risk Assessment of the Breach
Establish that the breach violates the Privacy Rule. The CE determines whether the violation compromises the security or privacy of the PHI.

Risk Assessment – Security / Privacy Compromise
PHI is compromised when there is a significant risk of financial or reputational harm to the person.

Breach – Risk Assessment Steps
- Who impermissibly used the information, or to whom it was impermissibly disclosed.
- Obtaining the recipient’s assurances that the information will not be further used or disclosed.
- Steps to eliminate or reduce the risk of harm to less than a “significant risk”.

Breach – Risk Assessment Steps -2
- If the security and privacy of the information has not been compromised, there is no breach.
- Impermissibly disclosed PHI that is returned prior to being accessed may not be a breach.
- CEs and BAs should also consider the type and amount of PHI involved in the breach. If the PHI does not pose a significant risk of financial, reputational, or other harm, the violation is not a breach.

Risk Assessment Documentation
- CEs and BAs demonstrate in writing that no breach has occurred because it did not pose a significant risk of harm.
- CEs and BAs document risk assessments.
- If the PHI is a limited data set that does not include zip codes or dates of birth, keep documentation demonstrating that the lost information did not include these identifiers.

Notification Content
No later than 60 days following the discovery of a breach, notification must be made to the individual, including:
- A brief description of what happened, the date it happened, and when it was discovered (if known);
- A description of the types of unsecured PHI involved in the breach (name, date of birth, diagnosis);
- Steps the impacted persons should take to protect themselves from potential harm (e.g., check credit reports in cases where financial information was breached).

Notification Content -2
No later than 60 days… (con’t.):
- A description of what the covered entity is doing to investigate, mitigate harm, and protect against future breaches;
- Contact procedures for the person to ask questions or seek additional information;
- Written in plain language (45 CFR § (c)).

Notification Requirements
Written notices to the individual are required, including when contact information is insufficient or out of date. Breach notice must be made:
- To the individual in written form by first-class mail at their last known address, or by electronic mail, provided the individual agrees.
- If the individual affected by a breach is a minor or otherwise lacks legal capacity due to a physical or mental condition, notice goes to the personal representative of the individual.

Notification Requirements -2
Written notices (con’t):
- If the individual is deceased, notice must be sent to the last known address of the next of kin or personal representative.
- Notice to the next of kin or personal representative is only required if the covered entity knows that the individual is deceased and has the address of the next of kin or personal representative.

Substitute Notices
If the CE does not have sufficient contact information, or if notices are returned as undelivered, the CE must provide substitute notice for the unreachable individuals. For decedents, a CE is not required to provide substitute notice if it does not have contact information.

Substitute Notices -2
Fewer than 10 individuals for whom the covered entity has insufficient or out-of-date contact information to provide the written notice: provide substitute notice to such individuals through an alternative form of written notice, telephone, or other means.

Substitute Notices -3
Posting a notice on the web site of the CE or at another location. The posting should not disclose any information which would identify an individual.

Substitute Notices -4
If the CE has insufficient or out-of-date contact information for 10 or more individuals, the rule requires the CE to provide substitute notice by:
- A conspicuous posting for a period of 90 days. The notification must include a toll-free phone number, active for 90 days.
- A major print or broadcast media notice in the geographic areas where the individuals affected by the breach likely reside.

Urgent Situations
Notice by telephone or other means may be made, in addition to written notice, in cases deemed by the CE to require immediate notification because of possible imminent misuse of unsecured PHI. Such notice is in addition to, and not in lieu of, direct written notice.

Notification to the Media
Notice to media outlets serving the State or jurisdiction is required following a breach of unsecured PHI involving 500 or more residents of the State or jurisdiction. This supplements, and does not substitute for, individual notices. The media must be notified within 60 days of the discovery of the breach of unsecured PHI.

Notification to the Media -2
The notice must include:
- A brief description of what happened, including the date it happened and when it was discovered (if known);
- A description of the types of unsecured PHI involved in the breach (name, date of birth, diagnosis);
- Steps the impacted persons should take to protect themselves from potential harm (check credit reports in cases where financial information was breached).

Notification to the Media -3
The notice must include (con’t):
- A description of what the covered entity is doing to investigate, mitigate harm, and protect against future breaches;
- Contact procedures for questions or to seek additional information (a toll-free telephone number, an e-mail address, a website, or a postal address) (45 CFR § (c)).

Notification to the Media -4
Example: a breach in another state affecting 600 individuals, of whom 200 reside in California and 400 reside in Nevada, did not affect 500 or more residents of any one State. Notification to the media is not required. Notifications to both California and Nevada still apply.

Notification to the Secretary of HHS
For breaches of unsecured PHI involving fewer than 500 individuals, the CE maintains a log of such breaches and annually submits the log to the Office for Civil Rights (OCR) documenting the breaches. For breaches involving 500 or more people, the CE is required to notify the OCR immediately.
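The thresholds in the preceding slides (the 60-day clock from discovery, the 500-resident-per-State media threshold, the 500-individual HHS threshold, and the fewer-than-10 / 10-or-more substitute-notice split) are easy to misapply when a breach spans States. The following is an added worked example, not code from the presentation or from AHIS: it encodes those thresholds as a small checker and runs it on the slides' own California/Nevada case. The discovery date, the resident counts, the number of unreachable individuals and the output wording are constructed for illustration, and the 45 CFR section numbers are not reproduced.

```python
"""Breach-notification obligation checker built from the thresholds stated in
the slides. Added illustration, not part of the presentation; all inputs below
are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60          # individual and media notice: no later than 60 calendar days after discovery
MEDIA_THRESHOLD_PER_STATE = 500  # media notice when 500+ residents of one State/jurisdiction are affected
HHS_IMMEDIATE_THRESHOLD = 500    # 500+ individuals: notify OCR immediately; fewer: log and submit annually
SUBSTITUTE_SMALL_GROUP = 10      # fewer than 10 unreachable: alternative written notice, phone or other means
POSTING_DAYS = 90                # 10 or more unreachable: conspicuous posting and toll-free number for 90 days


@dataclass
class Breach:
    discovered: date                     # the day the incident became KNOWN (the clock starts here)
    residents_by_state: dict             # affected residents per State, e.g. {"CA": 200, "NV": 400}
    unreachable: int = 0                 # individuals with insufficient or out-of-date contact information
    law_enforcement_delay: bool = False  # documented statement that notice would impede an investigation


def affected_total(b: Breach) -> int:
    return sum(b.residents_by_state.values())


def notice_deadline(b: Breach) -> date:
    """Last day for individual (and, where required, media) notice."""
    return b.discovered + timedelta(days=NOTICE_WINDOW_DAYS)


def media_notice_states(b: Breach) -> list:
    """States/jurisdictions where 500+ residents are affected, so media notice is required."""
    return sorted(s for s, n in b.residents_by_state.items() if n >= MEDIA_THRESHOLD_PER_STATE)


def hhs_notice(b: Breach) -> str:
    return "immediate" if affected_total(b) >= HHS_IMMEDIATE_THRESHOLD else "annual log"


def substitute_notice(b: Breach) -> str:
    if b.unreachable == 0:
        return "none"
    if b.unreachable < SUBSTITUTE_SMALL_GROUP:
        return "alternative written notice, telephone or other means"
    return (f"conspicuous web posting or major media notice for {POSTING_DAYS} days, "
            f"with a toll-free number active {POSTING_DAYS} days")


def obligations(b: Breach) -> dict:
    """Summarise every notification the slides require for this breach."""
    return {
        "individual_notice_to": affected_total(b),
        "deadline": notice_deadline(b).isoformat(),
        "media_notice_states": media_notice_states(b),
        "hhs": hhs_notice(b),
        "substitute_notice": substitute_notice(b),
        "delayed_for_law_enforcement": b.law_enforcement_delay,
    }


if __name__ == "__main__":
    # The slides' own case: 600 individuals, 200 in California and 400 in Nevada
    # (discovery date and the 3 unreachable individuals are constructed).
    example = Breach(date(2010, 1, 15), {"CA": 200, "NV": 400}, unreachable=3)
    for key, value in obligations(example).items():
        print(f"{key}: {value}")
```

Note what the per-State rule produces for the slides' case: no State reaches 500, so the media notice is not required, yet the total of 600 still crosses the HHS threshold and triggers an immediate OCR notice, and every one of the 600 individuals is owed written notice by the deadline. A law-enforcement delay is recorded as a flag rather than pushing the deadline, because the slides say only that notification is delayed for the period the official specifies.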

HITECH Act
Who enforces for failure to notify, or when notification is provided in an untimely manner? The Department of Health and Human Services, for HIPAA covered entities and their business associates.

HITECH Act -2
Subpart D – Breach
- Untimely notification and failure to notify timely: enforced by the Attorney General.
- Untimely notification: Federal Trade Commission.
- Notification: Office for Civil Rights.

Notification by a Business Associate (in review)
A breach shall be treated as discovered by a BA on the first day on which the breach is known to the BA, or would have been known by exercising reasonable diligence.

Notification by a Business Associate (in review) -2
The BA is required to:
- Notify the CE without unreasonable delay, and in no case later than 60 days following the discovery of the breach, so that the CE can notify affected individuals.
- Provide the identity of each individual whose unsecured PHI has been or is reasonably believed to have been breached, and any other available information that the CE is required to include in the notification to the individual.

Law Enforcement Delay
If a law enforcement official determines that notification would impede a criminal investigation, the CE or BA must temporarily delay notification.

Law Enforcement Delay -2
Written request: law enforcement provides a written statement that:
- The delay is necessary;
- Notification would impede a criminal investigation or cause damage to national security;
- Specifies the time for which a delay is required.

Law Enforcement Delay -3
Oral request: the law enforcement official states orally that notification would impede a criminal investigation or cause damage to national security. The CE or BA is required to document the statement and the identity of the official.

Personal Health Records (PHRs)
The Federal Trade Commission (FTC) imposes similar breach notification requirements upon vendors of PHRs and third-party service providers for a breach of security of unsecured PHR identifiable health information.

Personal Health Records (PHRs) -2
An entity may provide PHRs to customers of a HIPAA CE through a BA, or provide PHRs directly to the public. If a breach of its records occurs, in certain cases described in its rule the FTC will deem compliance; it may be appropriate for the vendor to provide the same breach notice.

HITECH Flow Chart
See H.O. #2. (The flow chart itself is not reproduced in this transcript.)

Notice To Individuals
Must contain a description of what happened and the unsecured PHI involved, steps for individuals to protect themselves, a description of the covered entity’s efforts to investigate, mitigate, and prevent further breaches, and contact information.

HIPAA – Retention of Disclosures
The HIPAA requirement for a six-year accounting of disclosures still applies to non-EHR disclosures.

Accounting Of Disclosures
Under HITECH, covered entities and business associates are required to maintain an accounting of disclosures made through an EHR, including disclosures made for treatment, payment, and health care operations. The information is limited to three years of disclosure information, rather than the current six-year requirement under HIPAA.

HIPAA Civil Penalties Under New HITECH Provisions
Effective November 30,

BA Agreement
Update the business associate agreement policy to include the new HITECH requirements. Covered entities must update all business associate agreements and ensure that they include the HITECH requirements.

California – Breach
- PHI, including medical information (sections (e)(4) and (e)(5)).
- Notify of a breach of computerized data containing PHI (section (a)).
- PHI protection: proper disposal and destruction of records containing PHI.
(See http:// bin/displaycode?section=civ&group= &file= )

California
CEs are required to report unlawful or unauthorized access, use, or disclosure of a patient’s medical information within 5 working days, to comply with SB 541 / 337, which has been in effect since January (see H.O. #3).

Penalties
SB 541 / AB 337: failure to report within 5 working days is $100 per day for each day that the unlawful or unauthorized access, use, or disclosure is not reported, up to a maximum of $250,000.

HITECH/CALIFORNIA – Risk Analysis & Implementation
- Analyze possible areas of risk.
- Guidance on documentation of investigation and notification of breaches.
- Breach response policies and procedures.
- Breach response process.
- Analysis of where you stand with security? Encryption?
- Exposure (YOU) and (BA)?
See checklist (H.O. #4).

California Privacy and Security & More!!
There is more in California:
- SB 1386 – Security breaches = encryption
- AB 1950 – Protection of personal data
- AB 1298 – Encrypted medical history, etc.
- AB 211 – Fines
- SB – Breaches

Security/Access Control
- Does your current E.H.R. have a grid of security and access controls, if you ask for it?
- Is your data destruction and manual destruction of records secure? How do you know? Who is responsible?

Liability ??? Let's review!!
There are no true absolute tools for PHI breach, but there may be tools you can develop for yourself that match your system, i.e., access control logs/HIPAA logs in some companies, sign-on/off logs, etc. Compare job duties vs. the assigned data screens.
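The slide above leaves "job duties vs. the assigned data screens" as a suggestion. The following is an added example, not code from the presentation or from AHIS, of the kind of self-built tool it describes: an audit that reads EHR access-log lines and flags every access to a screen outside the user's job role, plus accesses by users with no role on file. The log format, the user IDs, the roles and the screen names are all constructed assumptions; a real E.H.R.'s access-control grid would supply the role-to-screen mapping.

```python
"""Audit EHR access-log entries against the data screens each job role is assigned.
Added illustration, not part of the presentation; log format, users, roles and
screens are constructed."""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Assumed reduction of an E.H.R. access-control grid: role -> screens the role may open.
ROLE_SCREENS = {
    "physical_therapist": {"therapy_notes", "demographics"},
    "billing_clerk": {"demographics", "billing"},
    "director_of_nursing": {"demographics", "therapy_notes", "nursing_notes", "mar"},
}

# Assumed HR/identity feed: user ID -> job role. Users not listed have no duties on file.
USER_ROLES = {"pt01": "physical_therapist", "bc07": "billing_clerk", "don1": "director_of_nursing"}

# Constructed sample access log (CSV); one line per screen opened.
SAMPLE_LOG = """timestamp,user,resident_id,screen,action
2010-03-01T08:02:11,pt01,R-1042,therapy_notes,view
2010-03-01T08:05:40,pt01,R-1042,demographics,view
2010-03-01T09:12:03,bc07,R-1042,billing,view
2010-03-01T09:14:27,bc07,R-1042,nursing_notes,view
2010-03-01T10:30:00,don1,R-2210,mar,view
2010-03-01T11:45:19,tmp9,R-2210,nursing_notes,export
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    resident_id: str
    screen: str
    reason: str


def parse_access_log(text: str) -> list:
    """Parse the CSV log into one dict per row (header row supplies the keys)."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_access(rows, role_screens=ROLE_SCREENS, user_roles=USER_ROLES) -> list:
    """Return one Finding per access that falls outside the user's job duties."""
    findings = []
    for row in rows:
        role = user_roles.get(row["user"])
        if role is None:
            # An account with no job role on file should never be opening resident screens.
            findings.append(Finding(row["timestamp"], row["user"], row["resident_id"],
                                    row["screen"], "no job role on file for user"))
            continue
        if row["screen"] not in role_screens[role]:
            findings.append(Finding(row["timestamp"], row["user"], row["resident_id"],
                                    row["screen"], f"screen outside {role} duties"))
    return findings


def findings_by_user(findings) -> dict:
    """Count findings per user, so the reviewer sees who needs follow-up first."""
    return dict(Counter(f.user for f in findings))


if __name__ == "__main__":
    for f in audit_access(parse_access_log(SAMPLE_LOG)):
        print(f"{f.timestamp} {f.user} {f.resident_id} {f.screen}: {f.reason}")
```

Run as-is, the audit flags the billing clerk opening a nursing-notes screen and the unlisted account exporting nursing notes; the therapist's and director's accesses fall within their assigned screens and are not reported. Each finding keeps the timestamp, user and resident so it can be filed as documentation of the review the slides ask for.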

Liability -2
What kind of insurance do you have? What will it offer for mitigation if a breach does happen? Identity theft is a potential outcome, so how will you cover that?

Liability -3
- Breach notifications $$
- Cost of monitoring services, contract or employees $$
- Legal costs, possibly $$
- Call center $$
- Identity theft insurance for breach notice
- Other costs? Administrative? Staff?

What Is Next With HIPAA?
- What is next with HIPAA 5010?
- ARRA/HITECH’s HIPAA “II”
- Revised guidance
- Electronic Health Record: requirements, interoperability
- Meaningful Use

Certification of E.H.R. (billing, too)!
Find out if your electronic record (clinical or billing) is certified! Have they applied? Will they apply? When?

There is More!!
Is your organization ready for what is in our future? More requirements are coming on breaches, electronic record monitoring policies and procedures, assurances of security and privacy, and ongoing assessment of your risk. 5010, ICD-10, more ARRA!!

Recap
Make your TO DO LIST.

Resources
- AHIS – prior presentations
- AHIMA
- Federal Register
- California Office of Health Information Integrity

Evaluation
Rhonda Anderson, RHIA
Lizeth Flores, RHIT
Anderson Health Information Systems, Inc., 940 W. 17th Street, Suite B, Santa Ana, CA