
CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.


1 CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President; Lizeth Flores, RHIT, Consultant. Anderson Health Information Systems, Inc., 940 W. 17th Street, Suite B, Santa Ana, CA 92706

2 Objectives The participants will identify the following and what it means to you and your staff: 1. HiTech Final Rule – key points 2. Determining risks from a risk assessment in your organization 3. Policies and procedures, privacy and security – update 4. Steps to protect your organization 5. Security: who establishes access to records, and at what level? 6. Role of the Office of Civil Rights 7. What you should do to meet the HiTech requirements 8. Introduction to 'Meaningful Use'

3 Applicability Breach notification applies to HIPAA covered entities and BAs that: access, maintain, modify, record, store, use, hold, or disclose unsecured PHI

4 General Reg. Act Requires HIPAA – Covered entities (CEs) provide notification to affected individuals of a breach of unsecured PHI. CEs provide notification to the media of breaches in some situations!!!!

5 Unsecured PHI – Breach by BA BA = notify the CE of the breach. BA = agreement to include notification and indemnification, and will meet requirements. HHS posts a list of CEs with a breach of unsecured PHI

6 Exceptions CE & BA that implement the specified technologies and methodologies with respect to safeguarding PHI: CE & BA NOT required to provide notifications in the event of a breach of PHI.

7 Exceptions -2 CE & BA not required to provide notification in the event of a breach of PHI IF the PHI is safeguarded using technologies and methods not considered “unsecured” (Reference: Federal Register Vol. 74, No. 162, Pages 42740-42741 (8/24/09)) http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2009_register&docid=DOCID:fr24au09-10.pdf

8 Applicability New Subpart D to Part 164 – Title 45 – Code of Federal Regulations

9 Breaches Effective NOW – BA as of Feb 2010. All should begin sanctions – Feb 2010. Document efforts to meet compliance!!! NOW, if not before.

10 Breach Notification Applies To 1. Business Associate Agreements 2. SB 541, 337 – California 3. Penalties

11 Vendors of a PHR On occasion are a BA or a CE. Notification made on behalf of the CE may, in part, satisfy the reporting requirements

12 Requirements Breach discovery (unsecured PHI): the CE notifies each individual whose UNSECURED PHI has been, or is believed to have been, accessed, acquired, USED or disclosed as a result of the breach. 45 CFR 164.404

13 Breach Discovered Discovered = incident becomes KNOWN – not when the CE or BA concludes its analysis that a breach occurred

14 Breach Treated As Discovered 1st day the breach is known to the CE, OR would have been known to the CE by exercising reasonable diligence (45 CFR 164.404)

15 Breach “Discovered” When the clock starts = notifications = in no case later than 60 calendar days. BA discovers = breach = report to CE >> clock starts re: notification

16 CE Ensure BA contracts = language re: BA notification and requirements

17 In-Service CE & BA staff are trained (all staff trained and aware of the IMPORTANCE of timely reporting of privacy and security incidents)

18 Exceptions Unintentional breach by a staff member or person acting for the CE or BA. Acquisition made = good faith – within scope of authority – NO further use or disclosure

19 Exceptions – Example #1 – Unintentional Physical Therapist reviews a record and realizes it is not the correct resident (not one within the scope of the contract of who they should be treating).

20 Exceptions – Example #2 – Inadvertent Disclosure Person authorized to access PHI for the CE or BA discloses PHI to another person authorized to access PHI at the CE or BA. PHI = no further use or disclosure

21 Exceptions – Example #3 – Inadvertent Disclosure Director of Nursing receives an email from the hospital not intended for her – re: PHI – email referred to the correct person and deleted

22 Exceptions – Not Reasonably Able to Retain – Example #4 Unauthorized person to whom the disclosure was made is not reasonably able to retain such information. PHI given to an “unauthorized” person – wrong resident – exchanged right away for the correct information.

23 Exception – Proof is On “U” CE or BA has the burden of proof to show = no breach = why breach notice is not required. Document why notice is not required – the use or disclosure falls under an exception.

24 Limited Data Set & De-ID Information CE/BA creates limited data sets & de-identified PHI through redaction, if removal of identifiers results in information that meets the criteria of 45 CFR 164.514(e)(2) or 164.514(b) (H.O. #1). Exception – redacted PHI may not require notification – it cannot be identified to a resident.

25 Limited Data Set & De-ID Information -3 Loss/Theft of redacted information = does not require notification under the Rules, because the information is not PHI – i.e., de-identified information – OR the redacted info does not compromise security & privacy = no breach

26 Limited Data Set Created by removing direct identifiers from PHI. Include in the risk assessment

27 HHS = Exception Statement The narrow exception would not apply if, for example, the information contains zip code information, or birthdates and zip code information. Re: ID – is there a risk of re-identification that poses a significant risk of harm to the individual?

28 Responsibility CE is not responsible for a breach by a 3rd party unless = role as an agent of the CE or BA

29 3rd Party Responsibility Receives BA- or CE-provided info as a 3rd party. Breached = 3rd party used/disclosed not permissibly. Determine if privacy & security compromised. Responsible for complying with the Rule http://frwebgate2.access.gpo.gov/cgi-bin/TEXTgate.cgi?WAISdocID=oHkL0Q/0/1/0&WAISaction=retrieve

30 Limited Data Sets – Burden of Proof PHI = no zip code or birthdate = lost information did not include identifiers

31 Risk Assessment of the Breach Establish breach = violates the Privacy Rule. CE = ?? whether the violation compromises the security/privacy of PHI

32 Risk Assessment – Security / Privacy Compromise of PHI: significant risk of $$ (financial) or reputational harm to the person

33 Breach – Risk Assessment Steps Who impermissibly used the information, or to whom the information was impermissibly disclosed. Obtaining the recipient’s assurances that the information will not be further used or disclosed. Steps to eliminate or reduce the risk of harm to less than “significant risk”

34 Breach – Risk Assessment Steps -2 If the security & privacy of the information has not been compromised, no breach. Impermissibly disclosed PHI returned prior to being accessed – may not be a breach. CE & BA should also consider the type & amount of PHI involved in the breach. If the PHI does not pose a significant risk of financial, reputational, or other harm, the violation is not a breach.

35 Risk Assessment Documentation CEs & BAs demonstrate in writing that no breach has occurred because it did not pose a significant risk of harm. CEs & BAs document risk assessments. If the PHI is a limited data set that does not include zip codes or dates of birth, keep documentation to demonstrate that the lost information did not include these identifiers.

36 Notification Content No later than 60 days following the discovery of a breach, notification must be made to the individual: a brief description of what happened, the date it happened, and when it was discovered (if known); a description of the types of unsecured PHI involved in the breach (name, date of birth, diagnosis); steps the impacted persons should take to protect themselves from potential harm (check credit reports in cases of financial information being breached)

37 Notification Content -2 No later than 60 days… (con’t.) Description of what the covered entity is doing to investigate & mitigate harm and protect against future breaches. Contact procedures for the person to ask questions or seek additional information. Written in plain language (45 CFR § 164.404(c))

38 Notification Requirements Written notice to the individual is required (substitute notice if contact information is insufficient or out of date). Breach notice must be made: to the individual in written form by first-class mail at their last known address, or by electronic mail provided the individual agrees. If the individual affected by a breach is a minor, or otherwise lacks legal capacity due to a physical or mental condition, notice goes to the personal representative of the individual

39 Notification Requirements -2 Written notices (con’t) If the individual is deceased, notice must be sent to the last known address of the next of kin or personal representative. Notice to the next of kin or personal representative is only required if the covered entity knows that the individual is deceased and has the address of the next of kin or personal representative

40 Substitute Notices If the CE does not have sufficient contact information, or if notices are returned as undelivered, the CE must provide substitute notice for the unreachable individuals. For decedents, a CE is not required to provide substitute notice if it does not have contact information.

41 Substitute Notices -2 Fewer than 10 individuals for whom the covered entity has insufficient or out-of-date contact information to provide the written notice: provide substitute notice to such individuals through an alternative form of written notice, telephone, or other means.

42 Substitute Notices -3 Posting a notice on the web site of the CE or at another location. The posting should not disclose any information which would identify an individual

43 Substitute Notices -4 If the CE has insufficient or out-of-date contact information for 10 or more individuals, the rule requires the CE to provide substitute notice: a conspicuous posting for a period of 90 days (the notification must include a toll-free phone number, active for 90 days), or a major print or broadcast media notice in the geographic areas where the individuals affected by the breach likely reside.

44 Urgent Situations Notice by telephone or other means may be made, in addition to written notice, in cases deemed by the CE to require immediate notification because of possible imminent misuse of unsecured PHI. Such notice is in addition to, and not in lieu of, direct written notice.

45 Notification to the Media Notice to media outlets serving the State or jurisdiction, following a breach of unsecured PHI involving 500 or more residents of the State or jurisdiction. A supplement to, not a substitute for, individual notices. The media must be notified within 60 days of the discovery of the breach of unsecured PHI.

46 Notification to the Media -2 The notice must include: a brief description of what happened, including the date it happened and when it was discovered (if known); a description of the types of unsecured PHI involved in the breach (name, date of birth, diagnosis); steps the impacted persons should take to protect themselves from potential harm (check credit reports in cases of financial information being breached)

47 Notification to the Media -3 The notice must include (con’t): a description of what the covered entity is doing to investigate & mitigate harm and protect against future breaches; contact procedures for questions or to seek additional information (toll-free telephone number, an email address, a website, or postal address) (45 CFR § 164.404(c))

48 Notification to the Media -4 Example: a breach of 600 individuals, of whom 200 reside in California and 400 reside in Nevada, did not affect 500 or more residents of any one State. Notification to the media is not required. Notifications to both California & Nevada still apply.

49 Notification to the Secretary of HHS Breaches of unsecured PHI involving fewer than 500 individuals: the CE maintains a log of such breaches and annually submits the log to the Office of Civil Rights (OCR) documenting the breaches. Breaches involving 500 or more people: the CE is required to notify the OCR immediately.

50 HITECH Act Who enforces for failure to notify, or when notification is provided in an untimely manner? Department of Health and Human Services – HIPAA covered entities and their business associates.

51 HITECH Act -2 Subpart D – Breach. Untimely notification – enforces failure to notify timely – Attorney General. Untimely notification – Federal Trade Commission. Office of Civil Rights – notification

52 Notification by a Business Associate (in review) A breach shall be treated as discovered by a BA on the first day on which such breach is known to the BA, or would have been known by exercising reasonable diligence.

53 Notification by a Business Associate (in review) -2 The BA is required to: notify the CE without unreasonable delay, and in no case later than 60 days following the discovery of the breach, so that the CE can notify affected individuals. Provide the identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached, or other available information that the CE is required to include in the notification to the individual.

54 Law Enforcement Delay If a law enforcement official determines that a notification notice would impede a criminal investigation, the CE or BA must temporarily delay notification.

55 Law Enforcement Delay -2 Written request – law enforcement provides a written statement that: delay is necessary; notification would impede a criminal investigation or cause damage to national security; and specifies the time for which a delay is required

56 Law Enforcement Delay -3 Oral request – the law enforcement official states orally that notification would impede a criminal investigation or cause damage to national security. The CE or BA is required to document the statement and the identity of the official

57 Personal Health Records (PHRs) The Federal Trade Commission (FTC) imposes similar breach notification requirements upon vendors of PHRs and third-party service providers for a breach of security of unsecured PHR identifiable health information

58 Personal Health Records (PHRs) -2 An entity provides PHRs to customers of a HIPAA CE through a BA, and also provides PHRs directly to the public. If a breach of its records occurs, in certain cases described in its rule the FTC will deem compliance. It may be appropriate for the vendor to provide the same breach notice.

59 HITECH Flow Chart See H.O. #2

60 HITECH Flow Chart -2

61 HITECH Flow Chart -3

62 HITECH Flow Chart -4

63 Notice To Individuals Must contain a description of what happened and the unsecured PHI involved, steps for individuals to protect themselves, a description of the covered entity’s efforts to investigate, mitigate and prevent further breaches, and contact information.

64 HIPAA – Retention of Disclosures The HIPAA requirement for a six-year accounting of disclosures still applies to non-EHR disclosures.

65 Accounting Of Disclosures Under HITECH, covered entities and business associates are required to maintain an accounting of disclosures made through an EHR, including disclosures made for treatment, payment and health care operations. Information is limited to three years of disclosure information rather than the current 6-year requirement under HIPAA.

66 HIPAA Civil Penalties Under New HITECH Provisions Effective November 30, 2009

67 BA Agreement Update the business associate agreement policy to include the new HITECH requirements. Covered entities must update all business associate agreements and ensure that they include the HITECH requirements

68 California – Breach PHI – incl. medical information (1798.29(e)(4) and 1798.29(e)(5)). Notify of a breach of computerized data containing PHI (1798.29(a)). PHI protection (1798.81.5). Proper disposal and destruction of records containing PHI (1798.81). http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.25-1798.29

69 California CE Required to report unlawful or unauthorized access, use or disclosure of a patient’s medical information within 5 working days to comply with SB 541 / AB 337, which has been in effect since January 2009. (See H.O. #3.)

70 Penalties SB 541 / AB 337 – failure to report within 5 working days: $100 per day for each day that the unlawful or unauthorized access, use or disclosure is not reported, up to a maximum of $250,000

71 HITECH/CALIFORNIA – Risk Analysis & Implementation Analyze possible areas of risk. Guidance on documentation of investigation and notification of breaches. Breach response policies and procedures. Breach response – process. Analysis of where you stand with security?? encryption?? Exposure (YOU) and (BA)?? See checklist (H.O. #4)

72 California Privacy and Security & More!! There is more in California: SB 1386 – security breaches = encryption; AB 1950 – protection of personal data; AB 1298 – encrypted medical hx., etc.; AB 211 – fines; SB 541 / AB 337 – breaches

73 Security/Access Control Does your current E.H.R. have a grid of security and access controls if you ask for it? Is your data destruction and manual destruction of records secure? How do you know? Who is responsible?

74 Liability ??? Let's review!! There are no true absolute tools for PHI breach, but there may be tools you can develop for yourself that match your system, i.e., access control logs/HIPAA logs in some companies, sign on/off logs, etc. Job duties vs. the assigned data screens

75 Liability -2 What kind of insurance do you have? What will it offer for mitigation if this does happen and there is a breach? Theft of identity???? is a potential – so how will you cover that?

76 Liability -3 Breach notifications $$. Cost of monitoring services/contract or employees $$. Legal costs, possibly $$. Call center $$. Identity theft insurance for breach notice. ??? Other costs – administrative – staff??

77 What Is Next With HIPAA? What is next with HIPAA 5010? ARRA/HITECH’s HIPAA “II”. Revised guidance. Electronic Health Record requirements, interoperability. Meaningful Use

78 Certification of E.H.R. (billing, too)! http://healthit.hhs.gov/certification Find out if your electronic record (clinical or billing) is certified! Have they applied? Will they apply?? When??

79 There is More!! Is your organization ready for what is in our future? More requirements coming on breaches, electronic record monitoring policies and procedures, assurances of security and privacy, ongoing assessment of your risk. 5010, ICD-10, more ARRA!!

80 Recap Make your TO DO LIST

81 Resources AHIS – prior presentations; AHIMA; Federal Register; California Office of Health Information Integrity.

82 Evaluation Rhonda Anderson, RHIA, rhonda@ahis.net; Lizeth Flores, RHIT, lizeth@ahis.net. Anderson Health Information Systems, Inc., 940 W. 17th Street, Suite B, Santa Ana, CA 92706, 714-558-3887

