Section 2: HIPAA and the HITECH Act




Introduction to HIPAA and the HITECH Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed on February 17, 2009 as part of the American Recovery and Reinvestment Act (ARRA), better known as the stimulus package. The stimulus package allocated federal funding to a vast array of industries, special projects and initiatives, with a large portion, about $20 billion, going to health care. This funding is available in the form of financial incentives for providers and hospitals to accelerate the adoption of health information technology, and will be available only to providers that can demonstrate meaningful use of health information technology. Section 2 covers in detail the major privacy and security expansions that came from the HITECH Act, such as the breach notification requirements. There are many considerations when switching from a paper-based to an electronic system for record storage. With electronic records, an abundance of information is stored on relatively small devices, which is great for operability and efficiency but has created the need for enhanced provisions and heightened enforcement and penalties.

Major privacy and security provisions of the HITECH Act

Enhanced enforcement and increased penalties for violations: The HITECH Act mandated penalties for certain types of violations and stipulates stiffer civil penalties for violations. Revised tiers of penalties for covered entities apply in the following circumstances:

1. Where the covered entity did not know, and by exercising reasonable diligence would not have known, of the violation: $100 - $50,000 per violation. No penalties if corrected within 30 days of discovery.
2. Due to reasonable cause and not willful neglect: $1,000 - $50,000 per violation. No penalties if corrected within 30 days of discovery.
3. Due to willful neglect but corrected during a 30-day time period: $10,000 - $50,000 per violation.
4. Due to willful neglect and not corrected during a 30-day time period: $50,000 per violation.

Each category has a $1.5 million maximum for violations of an identical provision in a calendar year. Before the HITECH Act, this maximum was $25,000.

The Privacy and Security Rules apply only to covered entities. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the requirements to protect the privacy and security of health information. Covered entities include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, hospitals, pharmacies, health plans, and health care clearinghouses. However, you are a covered entity only if you transmit any information in electronic form in connection with a transaction for which HHS has adopted a standard.

Breach notification requirements: The basic requirement of the breach notification rule is to let patients know if their PHI has been inappropriately disclosed to, or accessed by, people who should not be receiving such information.
A breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain it. A breach has occurred when the use of PHI is not a treatment, payment, or health care operations activity, nor any other activity permitted by the standards.

General rules

Unauthorized means an impermissible use or disclosure of PHI under the Privacy Rule. So by definition, only violations of the Privacy Rule are considered breaches.

What is the difference between a use of PHI and a disclosure of PHI? Generally, a use of PHI occurs within a health care organization and among individuals who are under the control of that organization. Therefore breaches can occur even within an organization. For example, snooping by staff members who have no reason to be looking at patient charts is considered a breach because it involves an unauthorized use of protected health information: it is not a treatment, payment, or health care operations activity; it is a violation of the standards. A disclosure, on the other hand, occurs when PHI is obtained by a person or entity outside of the organization. For example, a disclosure to an attorney or life insurance company without the patient's authorization may constitute a breach.

Not all violations of the privacy standards constitute breaches, because not all violations are uses and disclosures. For example, a physician practice forgets to give a privacy notice to a new patient. Technically, it is a violation of the standards because a patient has a right to receive the privacy notice upon joining the practice. However, it is not a violation that involves use or disclosure of PHI, so it is not a breach. Any unintentional acquisition, access, or use by a workforce member who accessed the PHI in good faith and did not further use or disclose the information would not constitute a breach. By definition, a violation is considered a breach only if it compromises the security and privacy of such information. The determination of whether or not a breach actually compromises the security and privacy of a patient's information is made by you, as the covered entity.

Timeliness of notice

The general requirement is that a covered entity shall, following the discovery of a breach of unsecured PHI, notify each individual whose unsecured PHI has been (or is reasonably believed by the covered entity to have been) accessed, acquired, used or disclosed as a result of such breach. Individuals must be notified without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. A breach should be treated as discovered on the first day on which it is known to the covered entity or, by exercising reasonable diligence, would have been known to the covered entity. Business associates must notify the covered entity of a breach within 60 days of discovery. It is then the responsibility of the covered entity to provide the notifications required by law.

Content of notice to patients

The notification must be written in plain language and contain the following elements, to the extent possible:

- A brief description of what happened, including the date of the breach, if known, and the date of discovery of the breach;
- A description of the types of PHI involved in the breach, such as whether the full name, social security number, home address, date of birth, diagnosis, or other types of information were involved;
- Any steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

Delivery of notice

Written notification is sent by first-class mail to the individual at the last known address, or by e-mail if the individual agrees to communication in this format.

Substitute notice: if the practice has insufficient or out-of-date contact information for 10 or more individuals, then a substitute form of notice reasonably calculated to reach the individuals must be provided. The substitute notice must be either posted conspicuously on the covered entity's homepage or conspicuously included in print or broadcast media in areas where the individuals affected by the breach likely reside, and must include a toll-free phone number, active for at least 90 days, where patients can call to see if they may have been affected by the breach.

Notification of breaches involving 500 or more individuals must be provided to the Secretary of HHS and also to prominent media outlets during the same period in which the individual notifications are delivered. Breaches involving fewer than 500 individuals must be maintained in a log by the covered entity and reported to HHS no later than 60 days after the end of each calendar year.

HHS has a webpage for reporting breaches at: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule

Harm Threshold

By definition, an incident is a breach only if it compromises the security or privacy of an individual's unsecured PHI. In an important development, the Breach Notification Rule clarifies that "compromises the security or privacy of PHI" means that it poses a significant risk of financial, reputational, or other harm to the individual. Thus, to determine if an impermissible use or disclosure of PHI constitutes a breach, a risk assessment is necessary.

Risk assessment of unsecured PHI

Factors to consider when conducting a risk assessment may include:

- Who impermissibly used the information, or to whom the information was impermissibly disclosed. For example, your practice makes an inadvertent records release to another practice. Because the provider who accidentally received the records is governed by the same laws, the risk of this inadvertent disclosure is drastically reduced. In most instances, this will not be a situation requiring breach notification.
- The type and amount of PHI involved in the disclosure: how much information was released, and does it potentially pose reputational or other harm to the patient?
- Whether any immediate steps were taken to mitigate an impermissible use or disclosure.
- Whether the PHI was returned prior to being accessed. For example, a laptop is lost for some period of time, and a forensic computer expert determines that the information was not accessed during that time. In this instance, breach notification would not be required.

Business associates

These are the individuals and companies outside of your organization that perform services for you involving the use or disclosure of your PHI. This includes claims processing or billing companies, transcription companies, and lawyers and accountants who require access to your PHI. Business associates (BAs) are required to comply with HIPAA security standards, portions of the privacy standards, and various HITECH Act provisions, and they are also subject to federal enforcement and penalties for non-compliance.

Breach requirements for business associates

As mentioned above, a business associate is required to notify a covered entity without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. The business associate must provide the covered entity with a list of individuals who have been affected and any other available information that the covered entity is required to include in the notification to the individual. It is then the responsibility of the covered entity to provide the notification required by law.

Patients' copies of electronic records

If a covered entity uses or maintains electronic health records, then an individual has a right to obtain a copy in electronic format, or to direct the covered entity to transmit such a copy directly to an entity or person designated by the individual. (See MSV FAQs: Charging for copies of medical records.)

Enhanced Accounting of Disclosures provisions

HIPAA has always required physicians to provide a patient, upon request, with an accounting of certain PHI disclosures that were made without the patient's authorization. The HITECH Act now requires providers to also account for disclosures of electronic health record PHI made for treatment, payment, or health care operations purposes. For those providers who purchased EHRs prior to January 1, 2009, this requirement becomes effective January 1, 2014.

The power of physicians working together (SM)

The Medical Society of Virginia is searching for heroes like you: people who believe in preserving the practice of medicine the way it was always intended, with the physicians' and patients' best interests in mind. Join us as we continue to work together to make a difference in the rapidly changing health care environment. For more information, visit MSV at www.msv.org

Medical Society of Virginia | Medical Society of Virginia Foundation | Medical Society of Virginia Insurance Agency | Medical Society of Virginia Political Action Committee | Medical Society of Virginia Alliance

2012 Medical Society of Virginia. All rights reserved. 2924 Emerywood Pkwy, Suite 300, Richmond, VA 23294. TF 800 746-6768, FX 804 355-6189, www.msv.org