The Health Information Technology for Economic and Clinical Health (HITECH) Act: A Practical Application

Uploaded by: isaca-new-england

Posted: 17-Jan-2015


Page 1: Hitech Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act

A Practical Application

Page 2: Hitech Act

Copyright © 2010 Deloitte Development LLC. All rights reserved.

Your Presenters

Stacey Gutwillig, Partner, Deloitte & Touche LLP, [email protected], (617) 437-2637

Mark Steinhoff, Director, Deloitte & Touche LLP, msteinhoff@deloitte.com, (617) 437-2614

Dan Hoye, Manager, Deloitte & Touche LLP, [email protected], (617) 437-3528

Page 3: Hitech Act


Contents

• The American Recovery and Reinvestment Act (ARRA) of 2009 and HITECH overview
• Overview of HITECH goals
• Ways to address HITECH provisions
• Implementation dates
• Case studies
• Penalties and enforcement
• Potential business impacts of the HITECH Act
• Security and privacy overlaps

Page 4: Hitech Act


The American Recovery and Reinvestment Act of 2009 and HITECH

Federal spending under ARRA includes federal tax cuts, expansion of unemployment benefits and other social welfare provisions, and domestic spending in education, health care, and infrastructure, including the energy sector.

[Figure: relative size of the programs]
• 2008 US federal budget: $2.9 trillion
• ARRA stimulus: $787 billion (27% of the 2008 federal budget)
• Total HITECH expenditures: $38 billion (5% of the stimulus)

Page 5: Hitech Act


Health Information Technology for Economic and Clinical Health Act (HITECH Act)

Four major goals of the HITECH bill intended to advance the use of health information technology (Health IT or HIT):

1. Government leadership in developing standards by 2010 that allow for the nationwide electronic exchange and use of health information
2. Investing $20 billion in health information technology infrastructure and Medicare and Medicaid incentives to encourage doctors and hospitals to use HIT to electronically exchange patients' health information
3. Strengthening Federal privacy and security law to protect identifiable health information from misuse as the health care sector increases its use of Health IT
4. Saving the government $10 billion, and generating additional savings throughout the health sector, through improvements in quality of care, reduction of errors, and care coordination

As a result of this legislation, the Congressional Budget Office estimates that approximately 90 percent of doctors and 70 percent of hospitals will be using comprehensive electronic health records within the next decade.

Page 6: Hitech Act


Why is the HITECH Act getting such attention?

"... the American Recovery and Reinvestment Act (ARRA) ... puts into law new privacy requirements that experts have called 'the biggest change to the healthcare privacy and security environment since the original HIPAA privacy rule.'

... According to a 2009 study by the Ponemon Institute [a], the healthcare industry is among the top three industries most frequently victimized by data breaches, risking the medical and financial well-being of breach victims and the credibility and future business of the healthcare provider."

– Over 44% of all cases in the 2009 study involved third-party mistakes or flubs. Data breaches involving data outsourced to third parties are the most costly.

[a] Fourth Annual US Cost of Data Breach Study: Benchmark Study of Companies, by Dr. Larry Ponemon, sponsored by PGP Corporation, independently conducted by Ponemon Institute LLC, January 2009.

Page 7: Hitech Act


Current state — Patient information network

Various organizations access this networked web on a national scale, gathering similar information about many patients.

[Figure: network of collective medical-information-consuming organizations; each color represents a unique encounter]

Page 8: Hitech Act


Future state — The National Health Information Network (NHIN)

In the mature state of the NHIN, geography will no longer be a consideration, as health care entities will have access to each other, creating a flow of health information.

Value of the NHIN (fully developed and interoperable):

• Electronic Health Records (EHRs) will be the basis of information exchanges on the NHIN, with different entities accessing different components of EHRs.
• Health care system entities and public health institutions will be able to access the NHIN, utilizing the full power of the availability of national health information.
• Administrative, clinical, and public health costs will be reduced nationally, as health information may be accessed from and shared with other entities.
• Interoperability between existing health systems will be the cornerstone of the NHIN in achieving its goals.

Page 9: Hitech Act


Recent New England Journal of Medicine survey finds very low use of EHR in U.S. hospitals [1]

Method
• Survey of acute care hospitals that are American Hospital Association (AHA) members. The study received responses from 3,049 hospitals (63%).

Results
• 1.5% have a comprehensive electronic records system present in all clinical units.
• 7.6% have at least a basic system present in at least one clinical unit.

Significant findings related to barriers to EHR adoption in hospitals

Among hospitals without an electronic health record (EHR):
• Inadequate capital for purchase (74%) was the most cited barrier, and EHR maintenance cost was the second most frequently cited barrier (44%).
• Additional barriers cited in the study include:
  – Physician resistance (36%)
  – Unclear return on investment (ROI) (32%)
  – Lack of staff with expertise in health information technology (HIT) (30%)
• For hospitals with an existing EHR, the above barriers were less likely to be cited, except for physician resistance.

[1] New England Journal of Medicine (NEJM), Volume 360:1628-1638, April 16, 2009

Page 10: Hitech Act


Some differences between HITECH and HIPAA: General

HIPAA
• CEs included PHI custodians
• CEs were not actively audited
• No defined penalty structure for neglectful privacy practices
• Allows 10 years for compliance

HITECH Act
• CEs include PHI custodians as well as business associates (e.g. suppliers, outreach organizations, and other organizations doing business with the primary CE)
  – Contracts are required with business associates defining use of PHI
• DHHS to conduct periodic audits within the first 12 months after the new rules are enacted
• Increased, tiered penalty structure with fines ranging from $25K to $1.5M, including mandatory penalties for cases of "willful neglect"
  – Proof of harm no longer required to levy penalties
  – State Attorneys General may also bring civil actions and seek penalties for violations affecting residents of their state
• Compliance required within 12 – 18 months

Page 11: Hitech Act


Some differences between HITECH and HIPAA: Breach Notification

HIPAA
• State security breach laws mandated notification only for electronic PHI
• Burden of notification fell on "data owners", excluding any organization that did not "own" the data
• If the data owner determined that it had an obligation to notify of a data breach, it was required only to send letters to the affected individuals within "a reasonable amount of time"

HITECH Act
• Applies to breaches on or after September 23, 2009
• CE must provide notification no later than 60 days after PHI in any form is breached
  – The clock starts on the first day the breach is known to the CE/business associate, or should reasonably have been known
  – Requirements are specific for content, timing, and obligations
  – The rule applies to "unsecured" PHI: PHI rendered unusable, unreadable or indecipherable by the methods in the DHHS guidance (encryption or destruction) is outside the notification requirement
• Obligation to notify falls on the CE and/or business associates
• A breach impacting more than 500 individuals requires "immediate" notification to DHHS, making the breach public (DHHS posts these breaches on a public website)
  – If more than 500 residents of a single state or jurisdiction are affected, notice must also be made to prominent media outlets serving that state or jurisdiction
• In cases affecting fewer than 500 individuals, the CE must maintain a log of breaches and submit it annually to DHHS
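The notification rules on this slide, worked through as an added example that is not part of the Deloitte deck: a small Python triage helper that turns a breach's basic facts (discovery date, affected individuals by state, whether the PHI was secured) into the obligations the slide lists. The 60-day outer limit and the 500-individual thresholds come from the slide; the exemption for PHI encrypted or destroyed per DHHS guidance is taken from the statute rather than the slide, and the record layout (patient id, state of residence) and the sample rows are constructed assumptions. The example goes one step beyond the slide by counting individuals rather than exported rows and by applying the media threshold per state, which is where real incidents usually get miscounted.

```python
"""Breach-notification triage helper for the HITECH rules summarized above.

Added example, not part of the original deck. The thresholds and the 60-day
outer limit come from the slide; the "unsecured PHI" exemption is taken from
the statute (PHI encrypted or destroyed per DHHS guidance is outside the rule)
and the record layout (patient id, state of residence) is an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Tuple, Union

INDIVIDUAL_DEADLINE_DAYS = 60    # outer limit; notice is due without unreasonable delay
HHS_IMMEDIATE_THRESHOLD = 500    # "more than 500 individuals" -> immediate DHHS notice
MEDIA_THRESHOLD_PER_STATE = 500  # "more than 500" residents of one state/jurisdiction


@dataclass(frozen=True)
class Obligations:
    notify_individuals_by: Optional[date]  # None when no notification is required
    hhs_notice: str                        # "immediate", "annual log" or "none"
    media_notice_states: Tuple[str, ...]   # states that need prominent-media notice


def _as_date(d: Union[date, str]) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def count_individuals_by_state(rows: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count affected *individuals* per state, not exported rows.

    Dumps and audit logs usually list the same patient several times; the
    thresholds are about people, so dedupe by patient id before counting.
    """
    state_of: Dict[str, str] = {}
    for patient_id, state in rows:
        state_of.setdefault(patient_id, state)
    return dict(Counter(state_of.values()))


def triage(discovered: Union[date, str], by_state: Dict[str, int],
           phi_secured: bool = False) -> Obligations:
    """Derive who must be notified and by when from a breach's basic facts.

    `discovered` is the first day the breach was known, or should reasonably
    have been known, to the covered entity or business associate.
    """
    total = sum(by_state.values())
    if phi_secured or total == 0:
        # Assumption from the statute, not the slide: secured (encrypted or
        # destroyed per DHHS guidance) PHI does not trigger notification.
        return Obligations(None, "none", ())
    deadline = _as_date(discovered) + timedelta(days=INDIVIDUAL_DEADLINE_DAYS)
    hhs = "immediate" if total > HHS_IMMEDIATE_THRESHOLD else "annual log"
    # Media notice is judged per state, so 700 people spread over three states
    # can need immediate DHHS notice yet no media notice at all.
    media = tuple(sorted(s for s, n in by_state.items() if n > MEDIA_THRESHOLD_PER_STATE))
    return Obligations(deadline, hhs, media)


def days_left(o: Obligations, today: Union[date, str]) -> Optional[int]:
    """Days until the individual-notification deadline (negative when missed)."""
    if o.notify_individuals_by is None:
        return None
    return (o.notify_individuals_by - _as_date(today)).days


# Constructed sample: five exported rows covering four individuals (P1 appears twice).
SAMPLE_ROWS = [("P1", "MA"), ("P2", "MA"), ("P1", "MA"), ("P3", "NH"), ("P4", "MA")]

if __name__ == "__main__":
    counts = count_individuals_by_state(SAMPLE_ROWS)
    print(counts, triage("2010-03-01", counts))
    # A lost laptop exposing 600 MA and 300 NH residents: immediate DHHS notice,
    # media notice in MA only, individuals to be notified by the 60-day limit.
    print(triage("2010-03-01", {"MA": 600, "NH": 300}))
```

The state count is kept separate from the triage so the same logic can be driven from a deduplicated export, a manual tally, or a business associate's report; the deadline is an outer limit, and the "without unreasonable delay" standard still applies once the facts are known.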

Page 12: Hitech Act


HITECH Act — Key Implementation Dates [2]

Provision: HIPAA security and privacy provisions applied to business associates
  Guidance/Regulations: Health and Human Services (HHS) issued an initial set of standards for implementation and certification criteria for the electronic exchange and use of health information on January 13, 2010; annual guidance on appropriate technical safeguards from the Department of Health and Human Services (DHHS)
  Effective Date: February 17, 2010

Provision: Breach Notification
  Guidance/Regulations: DHHS and the Federal Trade Commission (FTC) issued interim final regulations on August 24, 2009
  Effective Date: No later than September 23, 2009

Provision: Disclosure Restrictions
  Guidance/Regulations: DHHS to issue guidance on what constitutes "minimum necessary" no later than August 17, 2010
  Effective Date: February 17, 2010

Provision: Accounting of Disclosures
  Guidance/Regulations: DHHS to issue regulations on what information must be collected about disclosures by June 30, 2010
  Effective Date: January 1, 2014 if the EHR was acquired before January 1, 2009; as early as January 1, 2011 if the EHR was acquired after January 1, 2009

Provision: Prohibition on Sale of EHR
  Guidance/Regulations: DHHS to issue regulations by August 17, 2010
  Effective Date: No later than February 17, 2011

Provision: Marketing and Fundraising
  Guidance/Regulations: None
  Effective Date: February 17, 2010

Provision: Penalties and Enforcement
  Guidance/Regulations: DHHS to issue regulations for penalties as related to willful neglect no later than August 17, 2010; Government Accountability Office (GAO) to submit a report to DHHS detailing individual remuneration for civil penalty or settlement amounts no later than February 17, 2012
  Effective Date: Penalties as related to willful neglect by February 17, 2011; tiered increase in civil penalties and state attorney general enforcement effective February 17, 2009

[2] As of January 26, 2010

Page 13: Hitech Act


Some ways to address the provisions of the act...

Provision of the Act: Investment in Health IT Infrastructure
Action steps: Implementation of electronic health records systems and infrastructure

Provision of the Act: HIPAA Security and Privacy Provisions to Business Associates
Action steps:
• HIPAA privacy & security assessment
• HIPAA strategy & program development
• Business associate assessments

Provision of the Act: Breach Notification
Action steps:
• Incident response program development
• Data protection technology implementation

Provision of the Act: Marketing and Fundraising
Action steps: Update current policies, procedures, and controls to support:
• the requirement of specific authorization from patients to use PHI for marketing/fundraising
• the patient's right to opt out of any communication that relates to fundraising

Page 14: Hitech Act


Some ways to address the provisions of the act... (continued)

Provision of the Act: Disclosure Restrictions
Action steps: Update current policies, procedures, and controls to support:
• the ability for a patient to request that PHI not be disclosed to a health plan when paying for the service fully out-of-pocket
• the collection and disclosure of the minimum set of PHI practicable to perform business operations

Provision of the Act: Accounting of Disclosures
Action steps: Develop policies, procedures, and controls to support the following requirements:
• Covered Entities (CEs) and business associates must produce an accounting of all disclosures of a patient's PHI, upon request
• CEs must either account for PHI disclosures made by business associates or provide a list of all business associates acting on behalf of the CE

Provision of the Act: Prohibition on Sale of EHR
Action steps: Update current policies, procedures, and controls to support:
• the requirement of specific authorization from patients prior to receiving direct or indirect remuneration for the sale of PHI

Page 15: Hitech Act


Case Study

Major U.S.-Based Medical Devices Company

Implementation of Data Privacy Program

Background
The company determined that a review of current data privacy practices and controls was needed due to a combination of data privacy inquiries from customers and a global ERP deployment including European operations. The key drivers were:
• Compliance with Federal, state and international regulatory requirements
• Risk of breach of contractual agreements with customers
• Business operations interruption in the EU

Outcome
• Addressed privacy and related business risk (including HITECH considerations)
• Registered as Safe Harbor compliant for both customer and HR data
• Global employee and customer privacy policies deployed (including HITECH considerations)
• Data protection strategy influenced by the data privacy rollout
• Options for de-identification of patient data developed for R&D
• Strategies for movement of test data (ERP) developed via Model Contracts
• Information security strategy informed by the data privacy initiative

Page 16: Hitech Act


Case Study

Global Life Sciences and Medical Device Company

Current State Assessment and Gap Analysis

Background
Following a lost, unencrypted laptop containing PHI that resulted in breach notification, in conjunction with the passage of the HITECH Act, the company determined it needed a better understanding of its data privacy policies and practices. A current state assessment was performed with a special focus on:
• compliance with HIPAA privacy and security rules
• Business Associate Agreements (BAAs) with organizations

Lessons Learned
• PHI was used for secondary uses in the R&D division that were not permitted per customer contracts and BAAs.
• BAAs were not in place with a number of the company's customers, and the BAAs that did exist were not consistent.
• Assessment findings exposed more significant issues with the company's vendor management process and procedures.
• The underlying information security program did not support the privacy policies and, as a result, the company was not in compliance with the HIPAA privacy and security rules.

Outcome
• Identified significant areas of exposure to the company based on non-compliance with the HIPAA privacy rule
• Updated BAA template contracts to address HIPAA/HITECH requirements
• Revised privacy policies and standards (e.g. notice language)
• Developed a working relationship between the information security and privacy functions
• Revised and expanded the information security policy

Page 17: Hitech Act


Case Study

Major Network of Teaching Hospitals

Current State Assessment and Gap Analysis

Background
Faced with multiple and evolving healthcare regulatory requirements, the company decided to assess and prioritize information security risks and to determine its current state capability to comply with the regulations and to manage identified risks.

Outcome
• An information security risk management roadmap was developed to address key risk and capability gaps in order to align with healthcare regulatory requirements.
• A matrix comprised of a rationalized set of 86 legal and regulatory requirements, organized into 12 functional risk areas, served as the baseline for the assessment.
  – The matrix included requirements from HIPAA/HITECH, the Red Flag Rules, statutory requirements, etc.
• In summary, the company identified and initiated procedures and tools to secure EPHI and PII. As a result, the company can now demonstrate progress with the outlined remediation activities in preparation for the implementation of HITECH-related requirements, reviews and audits.

Page 18: Hitech Act


Case Study

Global Telecommunications Company

Current State Assessment and Gap Analysis

Background
Faced with multiple and evolving regulatory requirements, including HIPAA/HITECH, the company performed a current state assessment of its information security policies to determine whether they complied with HIPAA/HITECH requirements.

Lessons Learned
• The company had not updated its information security policies and procedures since the Privacy Act of 2003.
• Policies were developed by the Legal Department to comply with the Privacy Act; however, they consisted only of a recital of the provisions within the Privacy Act.
• The client was out of compliance with its own outdated policies and therefore was out of compliance with HIPAA/HITECH requirements.
• The company identified that the existing breach notification policy/process:
  – focused on technological risks and did not address privacy risks throughout the organization
  – did not include up-to-date escalation procedures
• The company overhauled all information security and privacy policies to address current practices and regulatory requirements.

Page 19: Hitech Act


Case Study

Multi-institutional Network of Hospitals across the Northeast

Implementation of Data Privacy Program

Background
The company faced several immediate and long-term regulatory, security and personnel challenges, including:
• a vacant Chief Information Security Officer position due to personnel changes
• minimal progress in managing system-wide enterprise security risks
• management and regulatory pressure to comply with security requirements

Solution
The company developed a plan to meet these challenges by creating a prioritized roadmap for FY2010 and:
• performed an information security risk assessment to define current and future state across information security domains and capabilities
• defined short/medium term focus, including a prioritized security implementation plan
• developed an organizational redesign for the Information Security Office, including governance model, roles and responsibilities across the health system
• established structured security program management and reporting of key risks
• provided subject matter experience to key initiatives across the system, including HITECH response
• executed the information security plan and strategy for 2009 and identified priorities for 2010

Page 20: Hitech Act


Penalties & Enforcement

Enforcement (Department of Health & Human Services, State Attorneys General, Federal Trade Commission)
• Expanded resources and significant funding for DHHS enforcement
• State Attorneys General authorized to pursue actions on behalf of state citizens
• Breaches by vendors of personal health records and other non-HIPAA entities enforced by the Federal Trade Commission as an unfair or deceptive act or practice

Penalties
• New penalty tiers per HIPAA violation (maximum per year):
  – Unknowing: $25K
  – Reasonable cause: $100K
  – Willful neglect, corrected: $250K
  – Uncorrected willful neglect: $1.5M
• Civil and criminal liability for HIPAA violations extended to business associates
• Mandatory investigations and civil penalties for violations due to willful neglect

Page 21: Hitech Act


Potential Business Impacts of the HITECH Act

Positives:
• Improved individual patient data availability
• Stimulus funding for early EHR adoption
• Improved tracking of chronic disease management
• Evaluation of health care based on value, enabled by the collection of de-identified price and quality information that can be compared

Challenges:
• Creates additional needs to monitor controls to mitigate the risks due to heightened oversight and enforcement
• Process re-engineering, system changes, and logical/physical security mechanism changes required
• Creation of new legal processes for breach notification, data storage, etc.
• Expanded needs for contractual language to include written requirements
• Assessment/re-engineering of how PHI is exchanged between parties

Page 22: Hitech Act


Security/Privacy Overlap with HITECH Compliance

The following are the top security/privacy issues within healthcare/life sciences organizations [1]:

1. Lack of visibility into third parties'/business associates' privacy practices (esp. older agreements)
2. Lack of adequate training across the organization, including specific training for those who handle protected health information (PHI)
3. Lack of an adequate privacy program
4. Lack of a formal privacy risk assessment process
5. Large number of records stored in hardcopy format (i.e. lack of EHR)
6. Inappropriate use and/or collection of information, and information leakage
7. Inadequate segregation of duties (access to information)
8. Inappropriate encryption techniques/technologies
9. Lack of a process to identify and classify PHI
10. Lack of compliance with records management/retention policy
11. Inappropriate conduct of internal employees
12. Exposure to external threats

All have impacts on HITECH compliance.

[1] Based on respondent results set forth in the Deloitte* 2009 Life Sciences & Health Care Security Study

* As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Page 23: Hitech Act


Contact Info

Stacey Gutwillig, Partner, Deloitte & Touche LLP, [email protected], (617) 437-2637

Mark Steinhoff, Director, Deloitte & Touche LLP, [email protected], (617) 437-2614

Dan Hoye, Manager, Deloitte & Touche LLP, [email protected], (617) 437-3528

Page 24: Hitech Act


DisclaimerThis presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

In addition, this article contains the results of a survey conducted by Deloitte. The information obtained during the survey was taken “as is” and was not validated or confirmed by Deloitte.

Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.