The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

Transcription

1 The HITECH Act: Implications to HIPAA Covered Entities and Business Associates Linn F. Freedman, Esq.

2 Introduction and Overview On February 17, 2009, President Obama signed P.L , the American Recovery and Reinvestment Act (ARRP) Title XIII of Division A of ARRP comprise the provisions known as HITECH the Health Information Technology for Economic and Clinical Health Act

3 Summary of Presentation Outline of HITECH Act Provisions Office of the National Coordinator for Health Information Technology (ONC) Expansion of security and privacy provisions and penalties to HIPAA business associates Breach notification requirements Compliance with HITECH

4 The Office of the National Coordinator for Health Information Technology (ONC) Established by Executive Order in 2004 HITECH appropriates $2 billion to ONC Codifies duties of ONC Goal: the utilization of an electronic health record for each person in the U.S. by 2014

5 ONC (cont d) ONC strategic plan: The development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information that ensures that patients health information is secure and protected

6 ONC (cont'd) ONC responsibilities under HITECH Establishing national standards for the exchange of health information Coordinating HIT policy and programs, and updating and implementing the Federal Health IT Strategic Plan through collaboration with public and private entities Ensuring that privacy and security protections are incorporated in the electronic exchange of health information Work with state and regional efforts regarding privacy, security and data stewardship Implementing strategies to enhance the use of HIT and integration of information among healthcare providers, health plans and government

7 ONC (cont d) ONC responsibilities under HITECH (cont'd) Assessing the impact of HIT in communities with health disparities Evaluating the benefits and costs of the exchange of health information Appointing a Chief Privacy Officer of ONC within 12 months Establishing an HIT Policy Committee, responsible for making policy recommendations to the ONC on the implementation of a nationwide HIT infrastructure

8 ONC (cont d) ONC responsibilities under HITECH (cont'd) Establishing an HIT Standards Committee, responsible for making recommendations to the ONC regarding standards, implementation specifications and certification criteria for HIT Coordinate with National Institute of Standards and Technology Initial set of standards to be adopted by HHS by December 31, 2009 after formal rulemaking ONC may adopt CCHIT or HITSP Standards, but not mandated

9 Incentive Payments for Adoption of EHR HITECH will provide an estimated $17 billion in incentives for adoption of certified EHRs by meaningful users To be eligible for Medicare incentive payments, physicians must demonstrate: Using certified EHR technology in a meaningful way A qualified EHR meeting standards adopted by HHS with recommendation of HIT Standards Committee EHRs must improve quality of health care, and be connected and integrated with other providers or an HIE Clinical quality reports required Must have erx capabilities

10 Incentive Payments for Adoption of EHR (cont d) HITECH expands financial opportunities for state government States or a state designated entity may apply for planning and implementation grants and funding to implement HIT at state level State designated entity means a not-for-profit entity with broad stakeholder representation that follows non-discrimination and conflict of interest policies Requires consultation with a broad spectrum of stakeholders Annual evaluation by Secretary of HHS and State must match funding on a sliding scale

11 Other Available Funding for HIT Through Department of Commerce Funding for standards-related research to support security and interoperability of EHR Medical Health Informatics Education Programs Assistance to higher education institutions for medical health informatics education programs Graduate programs in behavioral or mental health, health professions, nursing schools and PA programs Must be used for 2 or more programs

12 Other Available Funding for HIT (cont d) Through Department of Commerce Medical Health Informatics Education Programs (cont d) Goal to integrate certified EHRs into community based education programs Funds to be used for educational services, not hardware or software R&D for universities, non-profit consortia, federal labs or multidisciplinary centers for Health Care Information Enterprise Integration

13 Other Available Funding for HIT (cont'd) HIT Professionals in Healthcare (undergraduate or masters degree programs) Develop and revise curriculum Recruit and train students

14 Health IT Extension Program HITECH Act requires HHS to provide implementation support though creation of a National Health IT Research Center Provide technical assistance Forum for exchange of knowledge Develop best practices to accelerate HIT adoption Assist RHIOs and local HIEs and HINS

15 Health IT Extension Program (cont'd) Creation of Regional Extension Centers Assistance with implementation, maintenance and upgrading of EHRs Technical assistance and disseminate best practices from National Research Center Funding will focus on public or not-for-profit hospitals, critical access hospitals, FQHC and underserved populations, primary care solos or small group practices Affiliate with not-for-profit organizations Financial assistance of up to 50% of capital and annual operating and maintenance funds 4 year funding cycle

16 Expansion of Security and Privacy Provisions and Penalties to HIPAA Business Associates HITECH applies the administrative, physical and technical safeguards of the HIPAA security regulations directly to business associates HITECH imposes additional obligations upon business associates regarding policies, procedures and documentation

17 Impact Expansion of Security and Privacy Provisions and Penalties (cont'd) All organizations that support the health care industry as business associates Before HITECH, these entities were required by contract to agree to certain safeguards regarding use or disclosure of PHI After HITECH, required by law to develop and implement written privacy and security policies and procedures regarding handling of PHI

18 Expansion of Security and Privacy Provisions and Penalties (cont'd) Impact (cont d) Upgrade technological capabilities and infrastructure HITECH will specify encryption or other standards Revision of HIPAA business associate agreements Differing interpretations - by application of law or amendment required

19 Expansion of Security and Privacy Provisions and Penalties (cont'd) Business associates that become aware of a pattern of activity that constitutes a violation of HIPAA must take steps to cure the violation Terminate agreement Report problem to HHS Civil and criminal penalties that apply to covered entities for violations of security and privacy regulations now will apply directly to business associates

20 Expansion of Security and Privacy Provisions and Penalties (cont'd) Business Associates will need to: Engage in HIPAA security compliance process Develop and implement appropriate policies and procedures Revise business associate agreements Develop and implement breach notification process and request for amendment process

21 Security Breach Notification Requirements HITECH requires covered entities, business associates, vendors of Personal Health Records (PHR) and other third-party service providers to notify individuals or entities when unsecured PHI or unsecured PHR that is identifiable is breached Breach defined to include the unauthorized acquisition, access, use or disclosure of PHI that compromises its security, privacy or integrity

22 Security Breach Notification Requirements (cont'd) Breach does not include an inadvertent disclosure if the information is not further accessed, used or disclosed HHS must issue guidance specifying the technologies and methodologies that render PHI unusable (i.e. encryption)

23 Security Breach Notification Requirements (cont'd) Required notice Covered entities must notify each individual whose unsecured PHI has been or is reasonably believed to have been accessed, acquired or disclosed Business associates must notify covered entities of a security breach and provide identification of affected individuals Vendors of PHRs, entities that offer products or services through websites of PHRs must notify individuals and the FTC following discovery of breach of security of unsecured PHR and FTC will notify HHS temporary requirements until Congress enacts new legislation establishing notification requirements for non-covered entities

24 Required Notice (cont'd) Third party service providers must notify vendor or entity of security breach, including identity of the individual affected Notification must be within 60 days of discovery Notification may be delayed if requested by law enforcement In writing or electronic Posting on website Broadcast media

25 Required Notice (cont'd) If more than 500 people affected, notice must be provided to prominent media outlet Notice must be made to HHS HHS will post on its website a list of covered entities involved in a breach affecting over 500 individuals If less than 500 individuals, covered entity must provide a log to HHS HHS reports results of logs annually to Congress

26 Required Notice (cont'd) Notices must include Description of what happened Description of the type of unsecured protected health information that was involved in the breach Steps to be taken to protect themselves from harm Description of what the covered entity is doing to investigate the breach, mitigate losses and protection against further breaches Contact information for individuals to ask questions

27 State Breach Notification Laws Over 40 states have enacted Most require reasonable belief that information will be used for identity theft (no such requirement in HITECH) No specific preemption language in HITECH, although it supersedes any inconsistent standards governing privacy and security of individually identifiable information HIPAA does not supersede state law if state law is more stringent Need to comply with both state and HITECH if there is a breach

28 Other HITECH Requirements Covered entities must honor a patient s request to withhold PHI from a health plan if the patient paid for the medical care Covered entities must limit use or disclosure of PHI to a limited data set or, if needed, to the minimum necessary to accomplish an intended purpose Requires a review of the request and a determination of what constitutes minimum necessary for the request HHS Secretary will issue new guidance on what constitutes minimum necessary within 18 months

29 Other HITECH Requirements (cont'd) Covered entities must provide patients with an audit trail of all disclosures of PHI made within the past three years HHS Secretary to promulgate regulations regarding what information should be collected about PHI disclosures by 6/10 Covered entities and business associates are prohibited from receiving remuneration in exchange for any PHI of an individual without authorization

30 Other HITECH Requirements (cont'd) Restrictions on marketing communications No communication that encourages the recipient to purchase or use a product or service that is not considered a health care operation unless: It describes a product or service that is provided in a plan of benefits including: Participation in a health care provider network or health plan network Replacement of, or enhancements to, a health plan Health related products or services available only to a health plan enrollee that add value, to, but are not part of, a plan of benefits For treatment of the individual For case management or care coordination for the individual

31 Other HITECH Requirements (cont'd) Fundraising communication must provide in a clear and conspicuous manner An opportunity for the recipient to opt out of receiving any further communications If individual opts out, the election is to be treated as a revocation of authorization Restrictions apply to written communications after 2/17/10

32 Penalties for Violation Penalties are tiered, depending on conduct Unknown $100 per violation up to $25,000 for all identical violations in a calendar year, with a cap of $1.5 million Corrective action without CMPs authorized

33 Penalties for Violation (cont'd) Reasonable cause that is not willful neglect $1,000 for each violation up to $100,000 for all identical violations in a calendar year, with a cap of $1.5 million for all violations of this type in a calendar year

34 Penalties for Violation (cont'd) Willful neglect If violation corrected within 30 days of knowledge: $10,000 for each identical violation, up to $250,000 for all identical violations in a calendar year, with a cap of $1.5 million for all violations of this type in a calendar year If violation not corrected: $50,000 for each violation, up to $1.5 million for all identical or non-identical violations in a calendar year

35 Penalties for Violation (cont'd) Collections will got to OCR for enforcement of HIPAA privacy and security rules Similar to whistleblower statutes, a portion may be paid to harmed individuals Regulations to be promulgated no later than 2/17/12

36 Enforcement by State Attorneys General State AGs may commence civil actions in federal district court for violations of HIPAA Damages: $100 per violation with a cap of $25,000 Costs and attorneys fees may be awarded to State

37 Audits Secretary of HHS required under HITECH to conduct periodic audits of covered entities and business associates for compliance and enforcement purposes Secretary of HHS is required to report the number of audits and a summary of audit findings to Congress starting in 2010 Reports will be made available on HHS website Increased enforcement activities

38 Timeline 2/17/09 Tiered civil monetary penalties Enforcement of violation of privacy and security regulations by State Attorneys General 4/3/09 HHS Secretary may appoint HIT Policy Committee members not yet appointed 4/18/09 HHS Secretary to provide guidance on technical safeguards for unsecured PHI

39 5/18/09 Timeline (cont'd) HHS Secretary to publish a draft description of program for regional extension centers HIT Standards Committee to develop schedule to act on recommendations from HIT Policy Committee 8/16/09 HHS Secretary to publish interim final rules on breach notification that will apply to breaches of security FTC rules on PHR breach notification 12/31/09 HHS shall adopt initial set of standards and implementation specifications on HIE, EHR certification, privacy and HIT considered by HIT Policy Committee

40 2/16/10 Timeline (cont'd) HHS Secretary appoints Chief Privacy Officer for ONC Secretary submits reports to Congress Efforts to demonstrate integration of HIT into clinical education Guidance on effective security measures Nature and number of reported security breaches and remedial steps taken Privacy and security violation complaint allegations Effective date of all security and privacy provisions HHS publish rules on communications for marketing and funding

41 Compliance with HITECH and other Privacy and Security Laws Develop and implement a Red Flag Rules Compliance Program Develop and implement a Breach Notification Compliance Program Review and amend existing business associate agreements and determine if new BAAs are needed Strategize and position yourself to obtain loan and grant funding

42 Questions??? If you have any questions concerning HITECH or this webinar, please contact Whitney Cook at Thank you for participating!

43