
© 2009 Open Health IT Exchange. All rights reserved. | 011310 | Slide 1 of 29

HIPAA Privacy and Security: New HITECH Act Requirements for 2010

Jan 13, 2010 | 1:00-2:15 pm Central

Speakers

• Colleen Sauter, Moderator

Administrator, OHITX

• Grant Peterson, J.D.

DGPeterson, LLC

HIPAA Privacy and Security Consulting

Grant Peterson, J.D.

• Grant provides personal compliance consulting to healthcare organizations, with services including compliance strategies, HIPAA audits and Privacy Officer outsourcing to meet short and long-term needs.

• In 2001, he developed a Web-based compliance program to deliver HIPAA training and tools in versions designed specifically for medical clinics, long-term care facilities and business associates.

• Grant has more than 25 years of experience creating and managing several professional service firms specializing in the design, development and integration of regulatory and technology-based programs for insurance, banking and healthcare.

• Grant holds a B.S. degree in Public Administration from Minnesota State University, and a Juris Doctor (J.D.) law degree from Hamline University School of Law.

Agenda

• Welcome

• Program Notes

• HITECH Act

– New Privacy & Security Requirements

– Comments on delayed FTC Red Flags Rule

• Resources

• Q & A

HIPAA Overview

HIPAA History and Timeline

• HIPAA Privacy Rule: April 2003

• HIPAA Security Rule: April 2005

• HIPSA (Senate Bill): July 2007

• HITECH Act: February 2009

HITECH Act – H. R. 1-146

Part 1 - Improved Privacy and Security Provision

13401 Application of Security Provisions and Penalties to Business Associates + HHS Annual Guidance

13402 Notification in the Case of Breach

13403 Education on Health Information Privacy

13404 Application of Privacy Provisions to Business Associates of Covered Entities

13405 Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format

HITECH Act – H. R. 1-146 cont.

Part 1 cont. - Improved Privacy and Security Provision

13406 Conditions on Certain Contacts as Part of Health Care Operations

13407 Temporary Breach Notification for Vendors of PHR and other Non-HIPAA Covered Entities

13408 Business Associate Contracts Required for Certain Entities

13409 Clarification of Application of Wrongful Disclosures Criminal Penalties

13410 Improved Enforcement

13411 Audits

Business Associates – Section 13401

Application of Security Provisions and Penalties to Business Associates + HHS Annual Guidance

• §164.308 Administrative Safeguards (Security Rule)

• §164.310 Physical Safeguards (Security Rule)

• §164.312 Technical safeguards (Security Rule)

• §164.316 Policies and Procedures and Documentation Requirements (Security Rule)

RESOURCE/ HIPAA Administrative Simplification

• Application of Civil and Criminal Penalties, Sections 1176 and 1177 of the Social Security Act

RESOURCE/ Application of Civil and Criminal Penalties

• HHS Annual Guidance on Most Effective and Appropriate Technical Safeguards in Carrying Out the Above

Data Breach Notification – Section 13402

Definition of Breach

• Is defined in the Act as ‘‘the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.’’

• Exceptions include cases where the unauthorized acquisition, access, or use of PHI is unintentional, or was made in good faith, and the information is not further acquired, accessed, used, or disclosed.

• The risk of harm standard requires that a Covered Entity undertake some form of risk assessment in the event of a breach, and based upon the assessment, determine in good faith whether it is necessary to notify the individual of the breach.

RESOURCE/ HIPAA Breach Notification

Breach Notification – Section 13402 cont.

Breach of “Unsecured” Protected Health Information

• Section 13402(h) of the Act defines ‘‘unsecured protected health information’’ to mean protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance.

• According to HHS, the specified technologies and methodologies “create the functional equivalent of a safe harbor.”

• HHS explains what is secured through the use of a technology or methodology: “In consultation with information security experts at NIST, we have identified two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals:

1. encryption

2. destruction”

Breach Notification – Section 13402 cont.

Following the discovery of a breach of unsecured PHI

• A covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, inappropriately accessed, acquired, or disclosed in the breach [section 13402(a)]

associate must notify the covered entity of the breach and identify for the covered entity the individuals whose unsecured PHI has been, or is reasonably believed to have been, breached [section 13402(b)]

• The Act requires the notifications to be made without unreasonable delay but in no case later than 60 calendar days after discovery of the breach

Breach Notification – Section 13402 cont.

Notice Following the discovery of a breach

• The notice shall be made in writing, except under circumstances where the Covered Entity does not have the correct contact information for the affected individual, or where there is particular urgency to the notification. The notice to affected individuals must contain the following 5 elements:

1. A brief description of what occurred with respect to the breach, including, to the extent known, the date of the breach and the date on which the breach was discovered;

2. A description of the types of unsecured PHI that were disclosed during the breach;

3. A description of the steps the affected individual should take in order to protect himself or herself from potential harm caused by the breach;

4. A description of what the Covered Entity is doing to investigate and mitigate the breach and to prevent future breaches; and

5. Instructions for the individual to contact the Covered Entity

Education – Section 13403

Education on Health Information Privacy

• Regional Office Privacy Advisors and Education Initiative

• Guidance and Education to covered entities, business associates and individuals on rights and responsibilities related to federal privacy and security requirements for protected health information


Business Associate – Section 13404

Application of Privacy Provisions to Business Associates of Covered Entities

• Section 13404 of the Act requires HIPAA business associates to comply with 45 CFR § 164.504(e), which sets forth the privacy terms required in HIPAA business associate agreements. While these contract obligations have always been enforceable by covered entities, they are now enforceable by the government through HIPAA. Business associates also are required to comply with the additional privacy requirements imposed by the Act described below.

• A business associate must take reasonable steps to cure a breach of, or terminate, a Business Associate Agreement if it becomes aware of a pattern of activity or practice by a covered entity that violates the agreement. If a business associate fails to take reasonable steps to cure the breach, terminate the agreement, or report the problem to HHS, then the business associate may be liable for civil and/or criminal penalties under the Act.

RESOURCE/ Sample Business Associate Agreement (BAA)

Restrictions, Accounting, Access – Section 13405

Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format

• 13405(a) A covered entity must comply with the requested restriction if the disclosure would be to a health plan for purposes of carrying out payment or health care operations—but not for treatment; and the PHI pertains solely to a health care item or service for which the health care provider involved has been fully paid by the patient.

• 13405(b) Disclosures limited to the Limited Data Set or Minimum Necessary. The Act requires the Covered Entity to make the determination of Minimum Necessary, rather than relying on others.

• Section 13405(c) of the Act provides that disclosures made through an EHR for treatment, payment and health care operations purposes must be included in the accounting, but information is limited to three years of disclosure information (rather than six).

Restrictions, Accounting, Access – Section 13405 cont.

Restrictions on Certain Disclosures and Sales of Health Information, Accounting of Certain PHI Disclosures, Access of Certain Information in Electronic Format

• Section 13405(d) of the Act now prohibits indirect and direct remuneration for a disclosure of PHI without the individual’s authorization. The authorization document must also explain whether PHI can be further exchanged for remuneration by the downstream entity receiving the PHI. The statute contains several exceptions where a covered entity is still permitted to receive remuneration for disclosures, such as public health, research, treatment, sale or merger of a CE, to a business associate for work functions, to an individual who requests copies of their PHI, etc.

• Section 13405(e) In the case that the CE uses or maintains an EHR, individuals have the right to obtain a copy in electronic format.

Marketing – Section 13406

Conditions on Certain Contacts as Part of Health Care Operations

• Under Section 13406(a), communications which are deemed part of health care operations and excluded from the definition of marketing as contained in 164.501(1)(i), (ii) or (iii) are now limited to those communications for which the covered entity has not been paid directly or indirectly, unless the communication involves a drug or biologic currently being prescribed. Otherwise, an authorization from the individual is needed.

• Section 13406(b) All fund-raising communications must provide for the opportunity to opt-out of receiving further communications.

Temporary Breach Notification – Section 13407

Temporary Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities

• The HITECH Act includes two sets of new breach notification requirements. Section 13402 (previously discussed) of the HITECH Act requires HIPAA covered entities to notify individuals if there has been a breach involving their “unsecured PHI.” Section 13407 of the HITECH Act includes breach notification requirements for vendors of personal health records (PHR) and related entities that are not subject to the HIPAA requirements and therefore not covered by the Section 13402 requirements.

• The Federal Trade Commission’s Health Breach Notification Rule, 16 CFR Part 318, was created pursuant to HITECH Act Section 13407(g). The rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.

RESOURCE/ HIPAA Breach Notification

Business Associate Contracts – Section 13408

Business Associate Contracts Required for Certain Entities

• Section 13408 of the Act identifies additional entities that are to be considered business associates and with whom covered entities must have written agreements (or other arrangement). These are organizations that transmit protected health information to the covered entity (or its business associates), such as a Health Information Exchange Organization, a Regional Health Information Organization, an E-prescribing Gateway, or each vendor that contracts with a Covered Entity to offer a Personal Health Record as part of its EHR; each is required to enter into a written contract and shall be treated as a business associate.

Wrongful Disclosures – Section 13409

Clarification of Application of Wrongful Disclosures Criminal Penalties

• Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the end the following new sentence: “For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.” This provision clarifies that an individual does not need to be a HIPAA covered entity to be subject to the criminal penalties in 42 U.S.C. § 1320d-6(a).

• The base penalty is a $50,000 fine, imprisonment for not more than one year, or both. For offenses committed under false pretenses, the fine is not more than $100,000, imprisonment for not more than five years, or both. And if the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the fine is not more than $250,000, imprisonment for not more than 10 years, or both.

Improved Enforcement – Section 13410

Improved Enforcement

• Section 13410 makes a variety of changes to the civil penalty provisions. First, the Act adds that noncompliance due to willful neglect requires HHS to formally investigate a complaint and to impose a civil penalty. HHS is required to implement regulations, and these statutory amendments will be effective in 24 months.

• The section also requires civil penalties collected for privacy or security violations to go to the HHS Office for Civil Rights to fund enforcement. The Government Accountability Office is also directed to issue a report on sharing a percentage of these penalties with individuals who are harmed, and HHS is directed to issue regulations within three years.

• States Attorney General may bring a civil action to enjoin privacy or security violations or obtain damages on behalf of state residents for such violations.

Improved Enforcement – Section 13410 cont.

Enhanced Enforcement Options and Increased Penalties for Non-Compliance

• The Act also increases the amount of civil penalties from the present $100 per violation (up to $25,000 per identical violation), to the following tiered civil penalties:

1. If the person did not know (and by exercising reasonable diligence would not have known) that such person violated a provision, the civil penalty is between $100 - $50,000 for each violation, up to a total of $25,000-$1,500,000 for all violations of an identical requirement;

2. If the violation was due to reasonable cause and not to willful neglect, the civil penalty is between $1,000 - $50,000 for each violation, up to a total of $100,000-$1,500,000 for all violations of an identical requirement;

3. If the violation was due to willful neglect, the civil penalty is between $10,000 - $50,000 for each violation, up to a total of $250,000-$1,500,000 for all violations of an identical requirement if the violation was corrected during the 30 day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.

4. If the violation is not corrected within 30 days, the penalties increase to $50,000 for each violation, up to a total of $1,500,000 for all violations of an identical requirement.

Audits – Section 13411

Audits

• Section 13411 requires the Secretary of HHS to conduct periodic audits to ensure that covered entities and business associates are in compliance with HIPAA. Covered entities and business associates should prepare for audits to begin no later than February 17, 2010 for all HIPAA requirements.

FTC Red Flags Rule

Red Flag Rule

• The Identity Theft Red Flags Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft.

• Health care providers who periodically allow patients to pay for medical services over time through a series of payments should have written policies that identify the “red flags” or indicators of possible identity theft they may come across in the course of business, establish procedures to detect those red flags and to respond appropriately to mitigate and prevent harm, and develop procedures for training staff and keeping applicable policies current. Health care providers should also have procedures in place to ensure that their vendors are in compliance with the Red Flag Rules, amending existing business associate agreements or asking for copies of the vendors’ Red Flag policies.

• The Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.

RESOURCE/ Red Flag Rule

HIPAA Privacy and Security Assessment

Framework for Managing Risk

• PHI, ePHI, Patient, Organization, Vendors

• Methodical, repeatable, risk-based approach to implementing effective risk management

• Life cycle that facilitates continuous monitoring and improvement

• Purpose and scope

• Applicability

• Audience

• How and why to use assessment

RESOURCES/ CMS Security Audit

Next Steps

Task | Completed

• Amend Business Associate Agreements:

– New Obligations

– Red Flags Rule

• Create Policies & Procedures to Address Notification of Breach

• Create Policies & Procedures to Address:

– Disclosures and Sales of Health Information

– Accounting of PHI

– Disclosures and Access of Certain Information in Electronic Format

RESOURCES/ Standards Checklist and 2010 New Guidelines

• Amend Marketing Policies & Procedures, Review Communications, Need for Authorization and Fund Raising Opt-Out

• Review Health Breach Notification, Create Policies & Procedures as Required

• Create Policy & Procedures on Wrongful Disclosures

• Develop Training & Awareness Campaign to Address HITECH Act

• Consider Framework to Manage HIPAA Compliance

Q & A

Thank You!

For more information on OHITX or today’s session, please contact Colleen Sauter [email protected].

Disclaimer

This Webinar IS NOT Legal Advice

• These materials should not be considered as, or as a substitute for, legal advice and they are not intended to, nor do they create an attorney-client relationship. Because the materials included here are general, they may not apply to a particular individual legal or factual circumstance.

• The reader should not take, or refrain from taking, any action based on the information contained herein without first obtaining professional counsel.

• The views expressed herein do not necessarily reflect the views of OHITX.