1
HITECH’s Impact on Research
August 18, 2009
2
HITECH Act (1)
- Health Information Technology for Economic and Clinical Health Act
- Part of American Recovery and Reinvestment Act of 2009 (Stimulus Bill)
- Creates new federal Health and Human Services (HHS) Office
  - Office of the National Coordinator for Health Information Technology (ONC)
3
HITECH Act (2)
- ONC to manage/allocate $20 billion in support of Health Information Technology (HIT) projects
  - investment in HIT infrastructure to facilitate a nationwide HI network
  - standards development
  - incentives through Medicare & Medicaid reimbursement for using EHR technology
- Additional HIPAA Privacy and Security rules
4
New Rules
- Largest impact in clinical care arena
- Three provisions affect research
  - Notification of breaches
  - Sale of PHI
  - Audits
5
Notification of Breaches (1)
- Notifications required when unsecured PHI is part of a security breach
- HHS has issued draft guidance on how to ‘secure’ PHI
  - Only two acceptable methods, but are requesting feedback on additional security parameters
    - Encryption
      - Data at rest (consistent with Nat. Inst. of Standards & Technology Pub. # )
      - Data in motion (comply with requirements of Fed. Info. Processing Standards 140-2)
    - Destruction
- ‘breach’ broadly defined to include unauthorized acquisition, access, use or disclosure of PHI that compromises its security, privacy or integrity; excludes inadvertent disclosure when information is not further acquired, accessed, used or disclosed
6
Notification of Breaches (2)
- Must notify subject without unreasonable delay; at least within 60 days after discovery of breach
  - A brief description of what happened
  - PHI involved in the breach
  - Steps the individual should take to protect him/herself
  - What you are doing to investigate the breach, to mitigate losses and to prevent further breaches
  - Contact information (a toll free #, address, website or postal address)
7
Notification of Breaches (3)
- Must notify prominent media outlets if breach affects 500 or more individuals
- Must notify Health and Human Services
  - immediate notification if 500 or more subjects affected by the breach; posted on HHS website
  - smaller breaches reported annually
- Effective 30 days following issuance of HHS regulations—approximately September 15, 2009
8
Sale of PHI
- Requires patient authorization
- Exception for research
  - As long as the price charged is limited to data preparation and transmittal costs
  - Awaiting guidance on what can be considered a ‘preparation’ cost
9
Audits
- Secretary of HHS to conduct periodic audits of CEs to ensure compliance
  - Not a current requirement of HIPAA Privacy/Security Rules
- Criminal and civil penalties
  - Not new
- What is new
  - Apply to individual employees as well as organization
  - Civil penalties substantially increased
    - Was $100/violation up to $25K/year for same violation
    - Now range of $100 to $50K/violation up to $25K to $1.5M/year
    - Range based on level of culpability
  - Penalties collected used to fund enforcement efforts
  - Patients to receive a portion of the penalties