1. HITECH and HIPAA Presented by Rhonda Anderson, RHIA Anderson Health Information Systems, Inc office@ahis.netoffice@ahis.net 714 -558 - 3887

2. HITECH & HIPAA ACCESS HITECH HIPAA SB 541 BREACHES Privacy and Security

3. Agenda 1. What is HITECH 2. Breach Reporting 3. Business Associate Agreements 4. SB 541 – California 5. Penalties

4. Part of the American Recovery and Reinvestment Act of 2009 Applies the HIPAA privacy and security rules and their penalties to HIPAA business associates Creates a new breach reporting requirement for HIPPA CEs and BAs Effective Date February 2009 Part of the American Recovery and Reinvestment Act of 2009 Applies the HIPAA privacy and security rules and their penalties to HIPAA business associates Creates a new breach reporting requirement for HIPPA CEs and BAs Effective Date February 2009 California legislature that enforces reporting requirements for unlawful or unauthorized access, use or disclosure of a patient’s medical information Reporting requirement within 5 days of discovery Effective Date 2009 California legislature that enforces reporting requirements for unlawful or unauthorized access, use or disclosure of a patient’s medical information Reporting requirement within 5 days of discovery Effective Date 2009 Health Insurance Portability and Accountability Act Guidance for Privacy and Security of protected health information 45CFR 160 -164 Effective Date 2003 Health Insurance Portability and Accountability Act Guidance for Privacy and Security of protected health information 45CFR 160 -164 Effective Date 2003 HIPAA SB 541 HITECH ACT

5. HITECH Vocabulary Breach – the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information Unsecured PHI – PHI that is not secured through the use of a technology or methodology that renders PHI “unusable, unreadable, or indecipherable to unauthorized individuals. Acceptable methodologies – Encryption as specified in the HIPAA security rule Shredding or destroying of non-electronic PHI

6. HITECH Reporting Requirements Notification to each individual whose unsecured PHI has been or is reasonably believed by the CE to have been accessed, acquired or disclosed as a result of such breach without reasonable delay no later than 60 days of discovery of the breach by the CE or BA Notice must be made by first-class mail or email if specified by an individual.

7. If there are more than 10 affected individuals, the entity must do a conspicuous web site posting or notice in major print or broadcast media If there are more than 500 individuals all residents of the same State or jurisdiction the entity must provide immediate notice to HHS and notice to the media

8. Business associates must adhere to the same reporting timeline but are not required to provide notice of breach to the individual but instead notify the covered entity of a breach along with identification of the each affected individual The Covered Entity is then responsible for notifying each affected individual The clock starts for the CE when the BA reports the breach

9. Covered entities and Business associates are required to keep a log of breaches and submit it within 60 days after the end of the year unless immediate notification is required such as in the case of more than 500 affected individuals Documentation should also be maintained for suspected breaches that after investigation are deemed as not constituting a Breach under the HITECH requirements

10. The notice to individuals must contain a description of what happened and the unsecured PHI involved, steps for individuals to protect themselves, a description of the covered entity’s efforts to investigate, mitigate and prevent further breaches and contact information.

11. The HIPAA requirement for a six year accounting of disclosures still applies to non EHR disclosures.

12. Under HITECH covered entities and business associates are required to maintain an accounting of disclosures made through HER including disclosures made for treatment, payment and health care operations. Information is limited to three years of disclosure information rather than the current 6 year requirement under HIPAA

13. BA Agreements AHIS has updated the business associate agreement policy to include the new HITECH requirements Covered entities must update all business associate agreements and ensure that they include HITECH requirements

14. No Safe Harbor California covered entities are still required to report unlawful or unauthorized access, use or disclosure of a patient’s medical information within 5 days to comply with SB 541 – which has been in effect since January 2009

15. Penalties SB-541 – failure to report within 5 days $100 per day for each day that the unlawful or unauthorized access, use or disclosure is not reported up to a maximum of $250,000.

16. HIPPA civil penalties under new HITECH provisions Effective November 30, 2009 Violation CategoryEach Violation All such violations of an identical provision in a calendar year Did not know$100-50,000$1,500,000 Reasonable Cause$1,000-50,0001,500,000 Willful neglect corrected within 30 days $10,000-50,0001,500,000 Willful neglect - not corrected $50,0001,500,000

17. Risk analysis and implementation AHIS will help you analyze possible areas of risk Provide you with guidance on documentation of investigation and notification of breaches

18. AHIS as your partner Implementation Plan Risk Analysis Policy and Procedure Current system review Action as needed