hipaa update for hospice - home care information · • cms – security rule since august 2009,...

HIPAA Update for Hospice

Presented by Heather P. Wilson, Ph.D.

Weatherbee Resources, Inc.

Hospice Education Network, Inc. 259 North Street

Hyannis, MA 02601 www.weatherbeeresources.com

www.hospiceonline.com

http://www.weatherbeeresources.com/

http://www.hospiceonline.com/

HIPAA Update

Heather P. Wilson, [email protected]

AGENDA

• HIPAA background• How HITECH changes HIPAA

requirements– Breach notification– Business Associates– Other provisions of HIPAA privacy– Enforcement issues

• What do hospices need to do• Additional resources

HIPAA Background

• Health Insurance Portability and Accountability Act of 1996– Administrative Simplification

• Electronic Data Interchange

• Privacy Rule – Compliance deadline April 2003

• Security Rule – Compliance Deadline April 2005

Hospice Education Network HIPAA Update

2010 Weatherbee Resources, Inc. All rights reserved

1

HIPAA since the compliance deadlines

Minimal enforcement

• OCR – Privacy Rule

• CMS – Security Rule

Since August 2009, OCR assumed responsibility for Security Rule enforcement as well.

HIPAA is back

• Health Information Technology for Economic and Clinical Health(HITECH) Act

• Part of the American Recovery and Reinvestment Act (ARRA) of 2009

• Signed into law February 17, 2009



2

HITECH Changes

●Enforcement

●Fundraising / Marketing

●Minimum necessary

●Access rights to ePHI

●Requested restrictions on PHI

●Accounting of disclosures

●Business Associates

●Breach Notification

CHANGEDNEWITEM

HITECH deadlines and compliance confusion

Intro to breach notification

• Breach final rule published August 24, 2009

• Effective date September 23, 2009

• Need to understand what a breach is and what you have to do about them



3

Definition of Breach

• An unauthorized acquisition, access, use or disclosure of PHI not permitted by the Privacy Rule that compromises the security or privacy of the PHI to such an extent that there is a significant risk of financial or other harm to the individual whose protected health information was wrongfully acquired, accessed, used or disclosed.

Definition of unsecured PHI

• Breaches only apply to “unsecured protected health information” – if the PHI is secured, it can not be breached.

• Unsecured PHI is defined as PHI that is not rendered unusable, unreadable or indecipherable by a technology or methodology specified by HHS

How to secure PHI

• Guidance provided April 27, 2009, further clarified August 24th, 2009– Encryption

– Destruction



4

Challenge

• How to identify when a reportable breach occurs– Need to conduct a risk assessment

– Need to determine if the incident meets the definition of a breach

Notification requirements

• To individuals

• To the media

• To the government

Notifying individuals

• Major rule of thumb:– No matter who else the covered entity has

to notify, it always has to attempt to notify the affected individuals

• Notification letter needs to include required elements and I must be sent by first class mail

• Must be sent as soon as reasonable but no later than 60 calendar days after discovery of the breach



5

Notifying individuals (cont’d)

• If ten or more affected individuals can not be reached, the covered entity must post the notice (containing the same information as the letter) on its Web site for 90 days.

• Or, in prominent media in state or jurisdiction where affected individuals reside

Notifying the media

• Required when 500 or more individuals affected by the breach –as soon as possible after the breach but no later than 60 days.

Notifying the government

• Must be done as soon as possible after a breach affecting 500 or more individuals

• All other breaches must be reported annually (60 days after the end of the calendar year).

• OCR Web site provides info:• http://www.hhs.gov/ocr/privacy/hipaa/ad

ministrative/breachnotificationrule/index.html



6

Additional requirements

• Business associates have breach reporting responsibilities – should be spelled out in written agreement

• Staff need to be trained on breach rule

• Policies and procedures should be updated to include breach requirements related to sanctions, complaints, documentation, etc)

What do you need to do?

• Have a breach notification policy and procedure

• Have a breach notification letter template

• Have a tool/process for conducting breach risk assessments

• Have a process for logging breaches for annual reporting

• Teach staff reporting requirements



7

Business associates

• Definition: A person or entity that uses (or creates, or obtains or discloses) the protected health information of a covered entity to perform a function or activity on behalf of the covered entity.

HITECH changes to business associate requirements

• Business associates have the same responsibility as covered entities to meet the majority of the requirements of the HIPAA Security Rule, Privacy Rule, and HITECH

• Business associates are subject to the same enforcement/penalties/fines as covered entities

Business associates (cont’d)

• Effective date: February 17, 2010• Implementing regulations not

published in time to be helpful for compliance

• Business associate agreements need to be amended



8

Accounting of disclosures

• Individuals have the right to request an accounting of disclosures for treatment, payment and health care operations for the three year period prior to the request.

• This requirement only applies to covered entities that use an electronic medical record and the date of implementation depends upon when the entity acquired and began using electronic health records

Requested restrictions on PHI

• Covered entities MUST comply with a request for restrictions if:– the disclosure is to a health plan for

purposes of carrying out healthcare operations or payment (and not for treatment purposes), except as required by law; and

– the PHI pertains solely to a healthcare item or service for which the company has been paid in full by the individual, out of pocket.

Access rights to ePHI

• The HITECH Act amends the HIPAA Privacy Rule to give individuals the right to obtain access to their PHI in electronic format, if they so request.



9

Minimum necessary

• Prior to HITECH - covered entities could use their own judgment regarding how much PHI would constitute the minimum necessary for particular purposes.

• The HITECH Act requires covered entities "to the extent practicable" to limit the use of PHI to a "limited data set,"

• This may be challenging given that a limited data set is similar to de-identified data but may include date of birth, date of death, date of service, and city, state, and ZIP code. and is frequently far less than what is needed for most purposes.

• Effective February 17, 2010 / Guidance from HHS by August 17, 2010

.

Fundraising

• Any written fundraising communication that is considered a health care operation must clearly and conspicuously provide an opportunity for the recipient to opt out and elect not to receive any further communications.

• When an individual elects to opt-out, this must be treated as a revocation of authorization.

Marketing

• A communication is excepted from the definition of “marketing” only if the communication meets one of the exceptions to the HIPAA definition of marketing and no direct or indirect payment is received for making the communication.

• If payment is received for a communication considered marketing, it is no longer considered part of health care operations and an authorization is required – but then there are exceptions to this.



10

Notice of Privacy Practices

• No new requirements but given the new HITECH requirements, the NPP should be updated.

Enforcement before

• Enforcement minimal since 2003/2005

• OCR has only levied two major fines for HIPAA violations: one for $100,000 fine and another for $2.25 million.

• Enforcement essentially complaint-driven

Enforcement after HITECH

• Penalty structure has changed

• Fines have increased

• Enforcement resources have been augmented



11

Penalty structure and fines

$1,500,000$50,000Willful neglect and not corrected

$1,500,000$10,000-$50,000

Willful neglect but corrected

$1,500,000$1,000-$50,000

Reasonable cause

$1,500,000$100 -$50,000

Did not know

Maximum / year for each

Penalty for each

Category

Compare to before

• Not more than $100 per violation up to a maximum of $25,000 for all violations occurring during a calendar year

• With a number of exceptions to when they could be imposed

Enforcement resources

• As much as $24 million dollars may be spent on enhancing HIPAA enforcement.

• State attorneys general can file HIPAA enforcement actions on behalf of the people of their state

• All penalty money will be plowed back into enforcement activities

• Compliance audits required• In the future (2012) individuals affected by

violations can share in penalties collected



12

www.weatherbeeresources.com • www.hospiceonline.com • www.hospicequality.com

HIPAA

Update

forHospice

HIPAA Update for Hospiceby Heather P. Wilson, Ph.D.

HIPAA UPDATE FOR HOSPICE

TABLE OF CONTENTS

PREFACE 6 CHAPTER I: INTRODUCTION 7 Background and history of HIPAA 7 HIPAA since 2005 11 An overview of the HITECH ACT and its impact on HIPAA compliance 13 Timelines and deadlines 14 How to use and update this manual 16

CHAPTER II: Breach Notification 17 Introduction 17 Definitions 17 Breach 17 Unsecured protected health information 18 Technologies and methods for securing PHI 18 Destruction 18 Encryption 19 Encryption and the Security Rule 19 Discovery of a breach 20 Tool: Breach Risk Assessment 22 Tool: Breach Risk Assessment Summary 24 Breach notification requirements 25

Notification requirements of individual(s) affected by a breach 25 Timeliness of notification 25 Content of a breach notification 26

Template: Breach Notification Letter to an Individual 27 Methods of notification 28

Notification to the media 29 Notification to the government 29 Breaches affecting 500 or more individuals 32 Breaches affecting fewer than 500 individuals 32

Tool: Notice to the Secretary of HHS of Breach of Unsecured PHI 34 Notification requirements for business associates 37 Administrative and burden of proof requirements 37

Training 38 Tool: Sample Policy and Procedure: Privacy and Security Awareness and Training 39

Sanctions 40 Tool: Sample Policy and Procedure: Sanctions for Privacy and Security Violations 41

Complaints and refraining from intimidating or retaliatory acts 42 Tool: Sample Policy and Procedure: Complaint Resolution 43

1


TABLE OF CONTENTS

Documentation and burden of proof 44 Policies and Procedures 44

Tool: Sample Policy and Procedure: Security Incidents 45 Tool: Sample Policy and Procedure: Breach Notification 46

CHAPTER III: Business Associates 48 Introduction 48 Business associate requirements before the HITECH Act 48 What is a business associate? 48 The business associate agreement 49 Business associate requirements after the HITECH Act 50 What a hospice needs to do to comply with the new business associate requirements 53

Template: Model Letter Notifying Business Associates That New Business Associate Addendum Must Be Executed 54

Template: Sample Privacy And Security Business Associate Addendum 55 Tool: Business associate policy and procedure 62

CHAPTER IV: Other HITECH Changes to the HIPAA Privacy Rule 63 Introduction 63 Accounting of disclosures

Tool: Requests for an accounting of disclosures policy and procedure [ for hospices that do not use an electronic health record] 65

Tool: Requests for an accounting of disclosures policy and procedure [ for hospices that do use an electronic health record] 67

Requests for restrictions 69 Tool: Requests for restrictions policy and procedure 70 Requests for access 72 Tool: Requests for access policy and procedure 73 Minimum necessary standard 75 Marketing 75 Fundraising 76 Tool: Fundraising and protected health information policy and procedure 78 Notice of Privacy Practices 79 Tool: Notice of Privacy Practices Policy and Procedure 80

Tool: Updated Notice of Privacy Practices 81

CHAPTER V: Looking to the Future of HIPAA – the Future is Now 89 Introduction 89 Enforcement before the HITECH Act 89 Enforcement after the HITECH Act 90

2


TABLE OF CONTENTS

Civil monetary penalties 90 Increased enforcement resources 91 Increased enforcement incentives 91 How to prepare for increased HIPAA scrutiny 91 Summary 92

TABLES: Table 1: Similarities between the Privacy and Security Rules 10 Table 2: Differences between the Privacy and Security Rules 11 Table 3: HITECH Act’s changes to HIPAA privacy and security requirements 14 Table 4: HITECH Act’s timeline and deadlines 15 Table 5: Required contents of a breach notification letter 26 Table 6: List of common hospice business associates 49 Table 7: Similarities and differences between Privacy Rule and Security Rule business associate requirements 50 Table 8: The HITECH Act’s requirements related to business associates 51 Table 9: Standards and implementation specifications of the HIPAA Security Rule 52 Table 10: Violation categories, culpability and penalties 90

HIPAA Update for Hospice Electronic Resources Folders

Additional Resources Folder Enforcement Resources Folder: CMS Compliance Reviews 2008 CMS Compliance Reviews 2009 Interview and Documentation Request for HIPA Onsite Investigation and Compliance Reviews RFQ – State Attorneys General HIPAA Training/SOW Enforcement Rule – October 30, 2009 NIST Publications SP 800‐88 –Guidelines for Media Sanitation SP 800‐52 – Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementation SP 800‐111‐ Storage Encryption Technologies

SP 800 – 66 – Introductory Resource Guide for Implementing the HIPAA Security Rule

3


TABLE OF CONTENTS

4

Regulatory Texts Breach Notification Rule – August 24, 1009 Subtitle D of the HITECH Act – February 17, 2009 Privacy Final Rule – with Preamble – August 14, 2002 Security Final Rule – with Preamble – February 20, 2003 HIPAA Combined Regulation Text – OCR Publication of HIPAA Rules Enforcement Rule – October 30, 2009 Guidance on Technologies and Methodologies for Securing PHI – April 27, 2009 Breach Notification Tools Breach Risk Assessment Breach Risk Assessment Summary Sample Breach Notification Letter to an Individual Notice to the Secretary of HHS of Breach of Unsecured PHI Breach Notification Policy and Procedure Privacy and Security Training Policy and Procedure Sanctions Policy and Procedure Security Incident Policy and Procedure

Complaint Resolution Policy and Procedure Business Associate Tools Model Business Associate Letter Business Associate Addendum Business Associate Policy and Procedure Miscellaneous Provisions Folder

Requests for an accounting of disclosures policy and procedure [ for hospices that do not use an electronic health record]

Requests for an accounting of disclosures policy and procedure [ for hospices that do use an electronic health record]

Requests for restrictions policy and procedure Requests for access policy and procedure Fundraising and protected health information policy and procedure Notice of Privacy Practices Policy and Procedure

Updated Notice of Privacy Practices

HIPAA Update for HospiceOrder Form

Contact Name: Phone: Date:

Organization: Fax:

Shipping Address: Email:

City: State: Zip:

Download instructions and serial number for the e-manual will be emailed to contact name / email aboveupon receipt. To order online for immediate download, go to www.weatherbeeresources.com/hipaa.html

259 North Street, Hyannis, MA 02601 | Tel: 508-778-0008 | Fax: 508-778-8899 | Toll Free: 866-989-7124 | www.weatherbeeresources.com

To Order:

Call: 866-969-7124 (Mon - Fri 9 to 5 EST)

Fax: 508-778-8899

Mail: 259 North StreetHyannis, MA 02601

Online: www.weatherbeeresources.com/hipaa.html

■■ Check enclosed payable to Weatherbee Resources, Inc.

Please Charge my Credit Card ■■ Visa ■■ MC ■■ AMEX

Account No.:

Security Code (located on back) Exp. Date:

Billing ZIP Code:

Name on Card:

Signature:

Office use:

Date Rec’d: Received:

Processed By: Authorization #:

Processing Date: Amount Charged:

All orders must be pre-paid

HIPAA Update for HospiceThe HIPAA privacy and security regulations have changed and are likely todo so for the next few years as a result of the HITECH Act.

HIPAA Update for Hospice provides clear and concise explanations of thechanges as well as tools and resources for dealing with them.

Since the regulations will continue to be updated over the next few years,HIPAA Update for Hospice is available as a downloadable “e-manual” andthe purchase of this product includes electronic updates through 2012.

Order your copy today to be certain you have the most up-to-date resources and information for compliance with the HIPAA privacy and security regulations. For more information and the Table of Contents, go to www.weatherbeeresources.com/hipaa.html

Order Subtotal: $195.00

Add 7% for S&H: NONE

Total Due: $195.00

hipaa update for hospice - home care information · • cms – security rule since august 2009,...

Documents