Section 2: HIPAA and the HITECH Act

Transcription

1 Section 2: HIPAA and the HITECH Act 1

2 Introduction to HIPAA and the HITECH Act The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed on February 17, 2009 as part of the American Recovery and Reinvestment Act (ARRA), better known as the stimulus package. The stimulus package has allocated federal funding to a vast array of industries and special projects and initiatives, with a large portion- about $20 billiongoing to health care. This funding is available in the form of financial incentives for providers and hospitals to accelerate the adoption of health information technology and will be available only for providers that can demonstrate that they have adopted meaningful use of health information technology. Section 2 will cover in detail the major expanded privacy and security expansions that came from the HITECH Act such as breach notification requirements. There are many considerations when switching from a paper based to electronic based system for record storage. With electronic records, an abundance of information is being stored on relatively small devices which is great for operability and efficiency, but has created the need for enhanced provisions and heightened enforcement and penalties. 2

3 Introduction to HIPAA and the HITECH Act The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed on February 17, 2009 as part of the American Recovery and Reinvestment Act (ARRA), better known as the stimulus package. The stimulus package has allocated federal funding to a vast array of industries and special projects and initiatives, with a large portion- about $20 billiongoing to health care. This funding is available in the form of financial incentives for providers and hospitals to accelerate the adoption of health information technology and will be available only for providers that can demonstrate that they have adopted meaningful use of health information technology. Section 2 will cover in detail the major expanded privacy and security expansions that came from the HITECH Act such as breach notification requirements. There are many considerations when switching from a paper based to electronic based system for record storage. With electronic records, an abundance of information is being stored on relatively small devices which is great for operability and efficiency, but has created the need for enhanced provisions and heightened enforcement and penalties. 2

4 Major privacy and security provisions of the HITECH Act Enhanced enforcement and increased penalties for violations: The HITECH Act mandated penalties for certain types of violations and also stipulates stiffer civil penalties for violations. Revised tiers of penalties for covered entities for the following circumstances: 1. Where the covered entity did not know and by exercising reasonable diligence would not have known of the violations $100 - $50,000 per violation No penalties if corrected within 30 days of discovery 2. Due to reasonable cause and not willful neglect $1,000 - $50,000 per violation No penalties if corrected within 30 days of discovery 3. Due to willful neglect but corrected during a 30-day time period $10,000 - $50,000 per violation 4. Due to willful neglect and not corrected during a 30-day time period $50,000 per violation Each category has a $1.5 million maximum for a violation of and identical provision in a calendar year. Before the HITECH Act, this maximum was at $25,000. The Privacy and Security Rules apply only to covered entities. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the requirements to protect the privacy and security of health information. Covered entities include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, hospitals, pharmacies, health plans, and health care clearinghouses. However, you are only a covered entity if you transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard. Breach notification requirements: The basic requirement of the breach notification rule is to let patients know if their PHI has been inappropriately disclosed or accessed by people who should not be receiving such information. Breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. A breach has occurred when the use of PHI is not a treatment, payment, or health care operations activity, nor is it any other activity permitted by the standards. General rules Unauthorized means an impermissible use or disclosure of PHI under the Privacy Rule. So by definition, only violations of the privacy rule are considered breaches. What is the difference between a use of PHI and a disclosure of PHI? Generally, a use of PHI occurs within a health care organization and among individuals who are under the control of that organization. Therefore breaches can occur even within an organization. For example, snooping by staff members that do not have a reason to be looking at patient charts is actually considered a breach because it involves an unauthorized use of protected health information. It is not a treatment, payment, or health care operations activity; it is a violation of the standards. A disclosure, on the other hand, occurs when PHI is obtained by a person or entity outside of the organization. For 3

5 example, a disclosure to an attorney or life insurance company without the patient s authorization may constitute a breach. Not all violations of the privacy standards constitute breaches, because not all violations are uses and disclosures. For example, a physician practice forgets to give a privacy notice to a new patient. Technically, it is a violation of the standards because a patient has a right to receive the privacy notice upon joining the practice. However, it is not a violation that involves use or disclosure of PHI, so it is not a breach. Any unintentional acquisition, access, or use by a work force member who accessed the PHI in good faith and did not further use or disclose the information, would not constitute a breach. By definition, a violation is considered a breach only if it compromises the security and privacy of such information. The determination of whether or not a breach actually compromises the security and privacy of a patient s information is actually made by you, as the covered entity. Timeliness of notice The general requirement for a breach is that a covered entity shall, following the discovery of a breach of unsecured PHI, notify each individual whose unsecured PHI has been (or is reasonably believed by the covered entity to have been) accessed, acquired, used or disclosed as a result of such breach. Individuals must be notified of a breach without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. A breach should be treated as discovered on the first day on which it is known to the covered entity, or, by exercising reasonable diligence would have been known by the covered entity. Business associates must notify the covered entity of a breach within 60 days of discovery. It is the responsibility of the covered entity to then provide the notifications required by law. Content of notice to patients The notification must be written in plain language, and contain the following elements, to the extent possible: A brief description of what happened, including the date of the breach, if known, and the date of the discovery of the breach; A description of the types of PHI that were involved in the breach, such as whether the full name, social security number, home address, date of birth, diagnosis, or other types of information were involved; Any steps that individuals should take to protect themselves from potential harm resulting from the breach; A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches; and Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an address, Web site, or postal address. Delivery of notice Written notification by first-class mail to the individual at the last known address; or by if the individual agrees to communication in this format. Substitute notice- if the practice has insufficient or out-of-date contact information for 10 or more individuals, then a substitute form of notice reasonably calculated to reach the individual must be provided. The substitute notice must be either: Posted conspicuously on the covered entity s homepage or conspicuously included in print or broadcast media in areas where the individuals affected by the breach likely reside; and Include a toll-fee phone number that is active for at least 90 days where patients can call to see if they may have been affected by the breach. Notification of Breaches involving 500 or more individuals must be provided to the Secretary of HHS and also to prominent media outlets during the same period in which the individual notifications are delivered. Breaches involving less than 500 individuals must be maintained in a log by the covered entity and reported to HHS no later than 60 days after the end of each calendar year. 4

6 HHS has a webpage for reporting breaches at: Harm Threshold By definition, an incident is a breach only if it compromises the security or privacy of an individual s unsecured PHI. In an important development, the Breach Notification Rule clarifies that compromises the security or privacy of PHI means that it poses a significant risk of financial, reputational, or other harm to the individual. Thus, to determine if an impermissible use or disclosure of PHI constitutes abreach, a risk assessment is necessary. Risk assessment of unsecured PHI Factors to consider when conducting a risk assessment may include: Who impermissibly used the information, or to whom was the information impermissibly disclosed. For example, your practice makes an inadvertent records release to another practice. Because the provider who accidentally received the records is governed by the same laws, the risk of this inadvertent disclosure is drastically reduced. In most instances, this will not be a situation for breach notification. The type and amount of PHI involved in the disclosure- how much information was released and does it potentially pose reputational or other harm to the patient? Whether any immediate steps were taken to mitigate an impermissible use or disclosure Whether the PHI was returned prior to being accessed- For example, a laptop is lost for some period of time, and a forensic computer expert determines that the information was not accessed during that time. In this instance, breach notification would not be required. Business associates These are the individuals and companies outside of your organization that perform services for you involving the use or disclosure of your PHI. This would include claims processing or billing companies, transcription companies, and lawyers and accountants who require access to your PHI. Business associates (BAs) are required to comply with HIPAA security standards, portions of the privacy standards, and various HITECH Act provisions and they are also subject to federal enforcement and penalties for non-compliance. Breach requirements for business associates As mentioned above, a business associate is required to notify a covered entity without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. The business associate must provide the covered entity with a list of individuals who have been affected and any other available information that the covered entity is required to include in the notification to the individual. It is the responsibility of the covered entity to then provide the notification required by law. Patients copies of electronic records If a covered entity uses or maintains electronic health records, then an individual has a right to: obtain a copy in electronic format; or direct the covered entity to transmit such copy directly to an entity or person designated by the individual. (See MSV FAQs: Charging for copies of medical records) Enhanced Accounting of Disclosures provisions HIPAA has always required physicians to provide a patient, (upon request) with an accounting of certain PHI disclosures that were made without the patient s authorization. The HITECH Act now requires providers to also account for disclosures of electronic health record PHI made for treatment, payment, or health care operations purposes. For those providers who purchased EHRs prior to January 1, 2009, this requirement becomes effective January 1,

7 The power of physicians working together SM The Medical Society of Virginia is searching for heroes like you. People who believe in preserviing the practice of medicine the way it was always intended - with the physicians and patients best interests in mind. Join us as we continue to work together to make a difference in the rapidly changing health care environment. For more information, visit MSV at Medical Society of Virginia Medical Society of Virginia Foundation Medical Society of Virginia Insurance Agency Medical Society of Virginia Political Action Committee Medical Society of Virginia Alliance 2012 Medical Society of Virginia. All rights reserved Emerywood Pkwy Suite 300 Richmond, VA TF FX