CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc.


Post on 13-Jan-2016


Page 1: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940

CAHF 2010 HIPAA II and HITECH

“Your Plan”

Rhonda Anderson, RHIA, President

Lizeth Flores, RHIT, Consultant

Anderson Health Information Systems, Inc.

940 W. 17th Street, Suite B

Santa Ana, CA 92706

Page 2: Objectives

• The participants will identify the following and what it means to you and your staff:

1. HITECH Final Rule - key points
2. Determining risks from a risk assessment in your organization
3. Policies and procedures, privacy and security - update
4. Steps to protect your organization
5. Security: who establishes access to records and at what level?
6. Role of the Office of Civil Rights
7. What you should do to meet the HITECH requirements
8. Introduction to 'Meaningful Use'

Page 3: Applicability

• Breach notification applies to HIPAA covered entities and BAs that:

• Access

• Maintain, modify, record, store, use, hold, or disclose secured PHI

Page 4: General Reg. Act Requires

• HIPAA – covered entities (CEs) provide notification to affected individuals of a breach of unsecured PHI

• CEs provide notification to the media of breaches in some situations!!!!

Page 5: Unsecured PHI – Breach by BA

• BA = notify the CE of the breach

• BA agreement to include notification and indemnification, and the BA will meet the requirements

• HHS posts a list of CEs with breaches of unsecured PHI

Page 6: Exceptions

• CEs & BAs that implement the specified technologies and methodologies with respect to safeguarding PHI

• are NOT required to provide notification in the event of a breach of that PHI.

Page 7: Exceptions -2

• CEs & BAs are not required to provide notification in the event of a breach of PHI IF the PHI was safeguarded using technologies and methods not considered “unsecured” (Reference: Federal Register Vol. 74, No. 162, pages 42740-42741 (8/24/09))

• http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2009_register&docid=DOCID:fr24au09-10.pdf

Page 8: Applicability

• New Subpart D to Part 164 – Title 45 – Code of Federal Regulations

Page 9: Breaches Effective

• NOW – BAs as of Feb 2010

• All should begin sanctions -- Feb 2010.

• Document efforts to meet compliance!!! NOW if not before.

Page 10: Breach Notification Applies To

1. Business Associate Agreements

2. SB 541, 337 – California

3. Penalties

Page 11: Vendors of a PHR

• On occasion are a BA or a CE

• Notification made on behalf of the CE may, in part, satisfy the reporting requirements

Page 12: Requirements

• On discovery of a breach of unsecured PHI, the CE notifies:

• Each individual whose UNSECURED PHI has been, or is believed to have been, accessed, acquired, USED, or disclosed as a result of the breach (45 CFR 164.404)

Page 13: Breach Discovered

• Discovered = the incident becomes KNOWN – not when the CE or BA concludes its analysis that a breach occurred

Page 14: Breach Treated As Discovered

• 1st day the breach is known to the CE

OR

• 1st day it would have been known to the CE exercising reasonable diligence (45 CFR 164.404)

Page 15: Breach “Discovered”

• When the clock starts = notifications = in no case later than 60 calendar days

• BA discovers a breach = report to the CE >> clock starts re: notification

Page 16: CE Ensure

• BA contracts = language re: BA notification and requirements

Page 17: In-Service

• CE & BA staff are trained (all staff trained and aware of the IMPORTANCE of timely reporting of privacy and security incidents)

Page 18: Exceptions

• Unintentional breach by a staff member or person acting for the CE or BA

• Acquisition made in good faith – within the scope of authority – NO further use or disclosure

Page 19: Exceptions – Example #1 - Unintentional

• A physical therapist reviews a record and realizes it is not the correct resident, i.e., not the resident they should be treating within the scope of their contract.

Page 20: Exceptions – Example #2 – Inadvertent Disclosure

• A person authorized to access PHI for the CE or BA discloses PHI to another person at the CE or BA. The PHI = no further use or disclosure.

Page 21: Exceptions – Example #3 – Inadvertent Disclosure

• The Director of Nursing receives an email from a hospital not intended for her – re: PHI – the email is referred to the correct person and deleted

Page 22: Exceptions – Not Reasonably Able to Retain – Example #4

• The unauthorized person to whom the disclosure was made is not reasonably able to retain such information.

• PHI given to an “unauthorized” person – wrong resident – exchanged right away for the correct information.

Page 23: Exception – Proof is On “U”

• The CE or BA has the burden of proof to show that there was no breach, i.e., why breach notice is not required.

• Document why the (not allowed) use or disclosure falls under an exception.

Page 24: Limited Data Set & De-ID Information

• CE/BA – created limited data sets & de-identified PHI through redaction, if removal of identifiers results in information meeting the criteria of 45 CFR 164.514(e)(2) or 164.514(b) (H.O. #1)

• Exception – redacted PHI may not require notification – it cannot be identified to a resident

Page 25: Limited Data Set & De-ID Information -3

• Loss/theft – redacted information

• Loss/theft = does not require notification under the Rules – because the information is not PHI – i.e. de-identified information

OR

• Redacted info does not compromise security & privacy = no breach

Page 26: Limited Data Set

• Created by removing direct identifiers from PHI

• Include in the risk assessment

Page 27: HHS = Exception Statement

• The narrow exception would not apply if, for example, the information contains zip code information, or contains birthdates and zip code information

• ? Re: ID – is there a risk of re-identification that poses a significant risk of harm to the individual?

Page 28: Responsibility

• The CE is not responsible for a breach by a 3rd party unless that party is acting in the role of an agent of the CE or BA

Page 29: 3rd Party Responsibility

• Receives info provided by a BA or CE to the 3rd party

• Breached = 3rd party

• Used/disclosed in a manner not permissible

• Determine if privacy & security were compromised

• Responsible for complying with the Rule

• http://frwebgate2.access.gpo.gov/cgi-bin/TEXTgate.cgi?WAISdocID=oHkL0Q/0/1/0&WAISaction=retrieve

Page 30: Limited Data Sets – Burden of Proof

• PHI = no zip code or birthdate = document that the lost information did not include these identifiers

Page 31: Risk Assessment of the Breach

• Establish that the breach violates the Privacy Rule

• CE = ?? whether the violation compromises the security/privacy of the PHI

Page 32: Risk Assessment – Security / Privacy

• Compromised PHI

• Significant risk of $$ - reputation

• Harm to the person

Page 33: Breach – Risk Assessment Steps

• Who impermissibly used the information, or to whom it was impermissibly disclosed

• Obtaining the recipient’s assurances that the information will not be further used or disclosed

• Steps to eliminate or reduce the risk of harm to less than a “significant risk”

Page 34: Breach – Risk Assessment Steps -2

• If the security & privacy of the information have not been compromised, there is no breach

• Impermissibly disclosed PHI that is returned prior to being accessed – may not be a breach

• CEs & BAs should also consider the type & amount of PHI involved in the breach.

• If the PHI does not pose a significant risk of financial, reputational, or other harm, the violation is not a breach.

Page 35: Risk Assessment Documentation

• CEs & BAs demonstrate in writing that no breach has occurred because it did not pose a significant risk of harm.

• CEs & BAs document risk assessments.

• If the PHI is a limited data set that does not include zip codes or dates of birth, keep documentation to demonstrate that the lost information did not include these identifiers.

Page 36: Notification Content

• No later than 60 days following the discovery of a breach, notification must be made to the individual.

• A brief description of what happened, the date it happened, and when it was discovered (if known);

• Description of the types of unsecured PHI that were involved in the breach (name, date of birth, diagnosis)

• Steps the impacted persons should take to protect themselves from potential harm (check credit reports in cases of financial information being breached)

Page 37: Notification Content -2

• No later than 60 days…(con’t.)

• Description of what the covered entity is doing to investigate & mitigate harm and protect against future breaches

• Contact procedures for the person to ask questions or seek additional information

• Written in plain language

• (45 CFR § 164.404(c))

Page 38: Notification Requirements

• Written notice to the individual is required; if contact information is insufficient or out of date, see substitute notices. Breach notice must be made:

• To the individual in written form by first-class mail at their last known address, or by electronic mail provided the individual agrees

• If the individual affected by a breach is a minor or otherwise lacks legal capacity due to a physical or mental condition, notice goes to the representative of the individual

Page 39: Notification Requirements -2

• Written notices (con’t)

• If the individual is deceased, notice must be sent to the last known address of the next of kin or personal representative. Notice to the next of kin or personal representative is only required if the covered entity knows that the individual is deceased and has the address of the next of kin or personal representative.

Page 40: Substitute Notices

• If the CE does not have sufficient contact information, or if notices are returned as undelivered, the CE must provide substitute notice for the unreachable individuals.

• For decedents, a CE is not required to provide substitute notice if it does not have contact information.

Page 41: Substitute Notices -2

• Fewer than 10 individuals for whom the covered entity has insufficient or out-of-date contact information to provide the written notice: provide substitute notice to such individuals through an alternative form of written notice, telephone, or other means.

Page 42: Substitute Notices -3

• Posting a notice on the web site of the CE or at another location.

• The posting should not disclose any information which would identify an individual

Page 43: Substitute Notices -4

• If the CE has insufficient or out-of-date contact information for 10 or more individuals, the rule requires the CE to provide substitute notice:

• A conspicuous posting for a period of 90 days. The notification must include a toll-free phone number, active for 90 days.

• A major print or broadcast media notice in geographic areas where the individuals affected by the breach likely reside.

Page 44: Urgent Situations

• Notice by telephone or other means may be made, alongside written notice, in cases deemed by the CE to require immediate notification because of possible imminent misuse of unsecured PHI.

• Such notice is in addition to, and not in lieu of, direct written notice.

Page 45: Notification to the Media

• Notice to media outlets serving the State or jurisdiction, following a breach of unsecured PHI involving 500 or more residents of the State or jurisdiction.

• A supplement to, not a substitute for, individual notices.

• The media must be notified within 60 days of the discovery of the breach of unsecured PHI.

Page 46: Notification to the Media -2

• The notice must include:

• A brief description of what happened, including the date it happened and when it was discovered (if known)

• Description of the types of unsecured PHI involved in the breach (name, date of birth, diagnosis)

• Steps the impacted persons should take to protect themselves from potential harm (check credit reports in cases of financial information being breached)

Page 47: Notification to the Media -3

• The notice must include (con’t):

• Description of what the covered entity is doing to investigate & mitigate harm and protect against future breaches

• Contact procedures for questions or to seek additional information (toll-free telephone number, an email address, a website, or postal address)

• (45 CFR § 164.404(c))

Page 48: Notification to the Media -4

• A breach in another state affecting 600 individuals, 200 of whom reside in California and 400 in Nevada, did not affect 500 or more residents of any one State.

• Notification to the media is not required

• Notifications in both California & Nevada still apply.

Page 49: Notification to the Secretary of HHS

• For breaches of unsecured PHI involving fewer than 500 individuals, the CE maintains a log of such breaches and annually submits the log to the Office of Civil Rights (OCR) documenting the breaches.

• For breaches involving 500 or more people, the CE is required to notify the OCR immediately.

Page 50: HITECH Act

• Who enforces for failure to notify, or when notification is provided in an untimely manner?

• Department of Health and Human Services

• HIPAA covered entities and their business associates.

Page 51: HITECH Act -2

• Subpart D – Breach

• Untimely notification – failure to notify timely is enforced by the Attorney General

• Untimely notification – Federal Trade Commission

• Office of Civil Rights notification

Page 52: Notification by a Business Associate (in review)

• A breach shall be treated as discovered by a BA on the first day on which such breach is known to the BA, or would have been known by exercising reasonable diligence.

Page 53: Notification by a Business Associate (in review) -2

• The BA is required to:

• Notify the CE without unreasonable delay, and in no case later than 60 days following the discovery of the breach, so that the CE can notify affected individuals.

• Provide the identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached, or other available information that the CE is required to include in the notification to the individual.

Page 54: Law Enforcement Delay

• A law enforcement official determines that notification would impede a criminal investigation.

• The CE or BA must temporarily delay notification.

Page 55: Law Enforcement Delay -2

• Written request – law enforcement provides a written statement that:

• Delay is necessary

• Notification would impede a criminal investigation

• Cause damage to national security

• Specifies the time for which a delay is required

Page 56: Law Enforcement Delay -3

• Oral request – the law enforcement official states orally that:

• Notification would impede a criminal investigation

• Cause damage to national security

• The CE or BA is required to document the statement and the identity of the official

Page 57: Personal Health Records (PHRs)

• The Federal Trade Commission (FTC) imposes similar breach notification requirements upon vendors of PHRs and third party service providers.

• A breach of security of unsecured PHR identifiable health information

Page 58: Personal Health Records (PHRs) -2

• An entity provides PHRs to customers of a HIPAA CE through a BA.

• If a vendor provides PHRs directly to the public and a breach of its records occurs, in certain cases described in its rule the FTC will deem compliance.

• It may be appropriate for the vendor to provide the same breach notice.

Page 59: HITECH Flow Chart

• See H.O. #2

Page 60: HITECH Flow Chart -2

Page 61: HITECH Flow Chart -3

Page 62: HITECH Flow Chart -4

Page 63: Notice To Individuals

• Must contain a description of what happened and the unsecured PHI involved, steps for individuals to protect themselves, a description of the covered entity’s efforts to investigate, mitigate and prevent further breaches, and contact information.

Page 64: HIPAA – Retention of Disclosures

• The HIPAA requirement for a six year accounting of disclosures still applies to non-EHR disclosures.

Page 65: Accounting Of Disclosures

• Under HITECH, covered entities and business associates are required to maintain an accounting of disclosures made through an EHR, including disclosures made for treatment, payment and health care operations.

• The information is limited to three years of disclosure information rather than the current 6 year requirement under HIPAA.

Page 66: HIPAA Civil Penalties Under New HITECH Provisions

Effective November 30, 2009

Violation Category                         | Each Violation  | All such violations of an identical provision in a calendar year
Did not know                               | $100-50,000     | $1,500,000
Reasonable cause                           | $1,000-50,000   | $1,500,000
Willful neglect - corrected within 30 days | $10,000-50,000  | $1,500,000
Willful neglect - not corrected            | $50,000         | $1,500,000

Page 67: BA Agreement

• Update the business associate agreement policy to include the new HITECH requirements

• Covered entities must update all business associate agreements and ensure that they include HITECH requirements

Page 68: California - Breach

• PHI – incl. medical information (1798.29(e)(4) and 1798.29(e)(5))

• Notify of a breach of computerized data containing PHI (1798.29(a))

• PHI protection (1798.81.5)

• Proper disposal and destruction of records containing PHI (1798.81)

• http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.25-1798.29

Page 69: California CE

• Required to report unlawful or unauthorized access, use or disclosure of a patient’s medical information within 5 working days to comply with SB 541 / AB 337, which have been in effect since January 2009. (See H.O. #3.)

Page 70: Penalties

• SB 541 / AB 337 - failure to report within 5 working days

• $100 per day for each day that the unlawful or unauthorized access, use or disclosure is not reported, up to a maximum of $250,000
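The federal and California rules in the preceding slides reduce to a handful of dates and counts (the 60-calendar-day individual notice clock, the 500-resident media threshold, the 500-individual OCR threshold, the 10-person substitute-notice split, and California's 5-working-day report with its $100-per-day penalty capped at $250,000), so an incident responder can encode them as a checker and run it against the facts of a breach. The Python below is an added example written for this page, not material from the presenters, AHIS or CAHF. The thresholds are taken from the slides; the breach scenario, the state abbreviations, the "working days are Monday to Friday, holidays ignored" calendar and the day-after-deadline late-day count are constructed assumptions. It generalizes slide 48's two-state example to any number of states.

```python
"""Breach-notification obligation checker encoding the thresholds stated in this deck."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds as stated in the slides (federal rule and California SB 541 / AB 337).
INDIVIDUAL_NOTICE_DAYS = 60        # calendar days after discovery (slides 15, 36)
MEDIA_THRESHOLD = 500              # residents of any one State (slide 45)
HHS_IMMEDIATE_THRESHOLD = 500      # individuals affected (slide 49)
SUBSTITUTE_LARGE_THRESHOLD = 10    # unreachable individuals (slides 41, 43)
CA_REPORT_WORKING_DAYS = 5         # slide 69
CA_DAILY_PENALTY = 100             # dollars per unreported day (slide 70)
CA_PENALTY_CAP = 250_000           # dollars (slide 70)


@dataclass
class BreachFacts:
    """Facts an incident responder records once a breach is discovered (constructed)."""
    discovered: date                      # day the incident became KNOWN (slide 13)
    affected_by_state: Dict[str, int]     # e.g. {"CA": 200, "NV": 400}
    unreachable: int = 0                  # insufficient or out-of-date contact info
    ca_reported: Optional[date] = None    # date reported under SB 541, if a California CE


def individual_notice_deadline(discovered: date) -> date:
    """Individual notice is due no later than 60 calendar days after discovery."""
    return discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)


def media_notice_states(affected_by_state: Dict[str, int]) -> List[str]:
    """Media notice is owed only in States with 500 or more affected residents."""
    return sorted(st for st, n in affected_by_state.items() if n >= MEDIA_THRESHOLD)


def hhs_notice(total_affected: int) -> str:
    """500+ individuals: notify OCR immediately; otherwise log and submit annually."""
    return "immediate" if total_affected >= HHS_IMMEDIATE_THRESHOLD else "annual log"


def substitute_notice(unreachable: int) -> Optional[str]:
    """Form of substitute notice owed for individuals written notice cannot reach."""
    if unreachable <= 0:
        return None
    if unreachable < SUBSTITUTE_LARGE_THRESHOLD:
        return "alternative-written-or-telephone"
    # 10 or more: conspicuous 90-day posting with a toll-free number active 90 days.
    return "conspicuous-posting-90-days"


def add_working_days(start: date, n: int) -> date:
    """Advance n working days (Mon-Fri). Assumption: holidays are ignored."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current


def ca_report_deadline(discovered: date) -> date:
    """California report is due within 5 working days of discovery."""
    return add_working_days(discovered, CA_REPORT_WORKING_DAYS)


def ca_late_penalty(discovered: date, reported: date) -> int:
    """$100 for each day the report is late (day after the deadline onward), capped at $250,000."""
    days_late = max(0, (reported - ca_report_deadline(discovered)).days)
    return min(days_late * CA_DAILY_PENALTY, CA_PENALTY_CAP)


def notification_plan(facts: BreachFacts) -> dict:
    """Combine the rules above into the set of obligations for one breach."""
    total = sum(facts.affected_by_state.values())
    plan = {
        "total_affected": total,
        "individual_notice_by": individual_notice_deadline(facts.discovered),
        "media_notice_states": media_notice_states(facts.affected_by_state),
        "hhs_notice": hhs_notice(total),
        "substitute_notice": substitute_notice(facts.unreachable),
        "ca_report_by": ca_report_deadline(facts.discovered),
    }
    if facts.ca_reported is not None:
        plan["ca_late_penalty_usd"] = ca_late_penalty(facts.discovered, facts.ca_reported)
    return plan


if __name__ == "__main__":
    # Constructed scenario matching slide 48: 600 affected, 200 in California, 400 in Nevada.
    facts = BreachFacts(date(2010, 3, 1), {"CA": 200, "NV": 400},
                        unreachable=12, ca_reported=date(2010, 3, 10))
    for key, value in notification_plan(facts).items():
        print(f"{key}: {value}")
```

Run as-is, the slide 48 scenario yields no media notice (neither state reaches 500) but an immediate OCR notice (600 total), which is the distinction the slide is making; the California report, due 2010-03-08, was filed two days late, so the penalty line shows $200. Treat the output as a checklist to document against, since the deck puts the burden of proof on the CE or BA.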

Page 71: HITECH/CALIFORNIA -- Risk Analysis & Implementation

• Analyze possible areas of risk

• Guidance on documentation of investigation and notification of breaches

• Breach response policies and procedures

• Breach response – process

• Analysis of where you stand with security?? Encryption?? Exposure (YOU) and (BA)??

• See checklist (H.O. #4)

Page 72: California Privacy and Security & More!!

• There is more in California

• SB1386 – Security breaches = encryption

• AB1950 – Protection of personal data

• AB1298 – Encrypted medical hx., etc.

• AB211 fines

• SB 541-337 Breaches

Page 73: Security/Access Control

• Does your current E.H.R. have a grid of security and access controls, if you ask for it?

• Is your data destruction and manual destruction of records secure? How do you know? Who is responsible?

Page 74: Liability ???

• Let's review!!

• There are no true absolute tools for PHI breach, but there may be tools you can develop for yourself that match your system, i.e., access control logs/HIPAA logs in some companies, sign on/off logs, etc.

• Job duties vs. the assigned data screens

Page 75: Liability -2

• What kind of insurance do you have?

• What will you offer for mitigation if a breach does happen?

• Theft of identity???? It is a potential – so how will you cover that?

Page 76: Liability -3

• Breach notifications $$

• Cost of monitoring services/contract or employees $$

• Legal costs possibly $$

• Call center $$

• Identity theft insurance for breach notice

• ???Other costs – administrative – staff??

Page 77: What Is Next With HIPAA?

• What is next with HIPAA 5010? ARRA/HITECH’s HIPAA “II”

• Revised guidance

• Electronic Health Record requirements, interoperability

• Meaningful Use

Page 78: Certification of E.H.R. (billing, too)!

• http://healthit.hhs.gov/certification

• Find out if your electronic record (clinical or billing) is certified! Have they applied? Will they apply?? When??

Page 79: There is More!!

• Is your organization ready for what is in our future?

• More requirements coming on breaches, electronic record monitoring policies and procedures, assurances of security and privacy, and ongoing assessment of your risk.

• 5010, ICD-10, more ARRA!!

Page 80: Recap

• Make your TO DO LIST

Page 81: Resources

• AHIS - prior presentations

• AHIMA

• Federal Register

• California Office of Health Information Integrity

Page 82: Evaluation

Rhonda Anderson, RHIA

[email protected]

Lizeth Flores, RHIT

[email protected]

Anderson Health Information Systems, Inc.

940 W. 17th Street, Suite B

Santa Ana, CA 92706

714-558-3887