Prepare for new HIPAA-HITECH security rules (Katten Muchin Rosenman LLP and Grant Thornton LLP webcast)

© Grant Thornton LLP. All rights reserved.

Prepare for new HIPAA-HITECH security rules
How breach notification requirements and changes in the enforcement landscape will impact your business

Today's session begins at 3:00 pm Eastern time.

To receive 1.5 hours of CPE or CLE, you must individually participate by:
- Remaining logged in for the entire session
- Responding to all polling questions

For technical support, please contact LearnLive at:
- E-mail: [email protected]
- Phone: 888.228.0988



Awarding CPE for this session

If you experience any technical difficulties, please contact 888.228.0988 or [email protected]

For those of you seeking continuing legal education credits, please print out the attendance verification forms.

A course code specific to continuing legal education credits will be read aloud at the end of the program.


Addressing your questions…

If you experience any technical difficulties, please contact 888.228.0988 or [email protected]


1. Group check

Tell us a little bit about your organization. Do you work in the:

A. health care industry
B. insurance industry
C. government
D. financial industry
E. technology industry
F. other

Welcome

Anne McGeorge, National Managing Partner of the Health Care Industry Practice, Charlotte

Welcome to our presenters

Sheila Sokolowski, Associate, Katten Muchin Rosenman LLP, Chicago, IL

Mark J. Sullivan, Principal, Forensic Accounting & Investigative Services Practice Leader, Grant Thornton LLP, Chicago, IL

Welcome to our presenters

Jan Hertzberg, Advisory Services Executive Director, Health Care Industry Practice, Grant Thornton LLP, Chicago, IL

Learning objectives

At the end of this webcast, you will better understand…

• The new Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) (HIPAA) security rules
  – Overview of the new HITECH legislation, the new security requirements, deadlines and consequences for noncompliance
• 7 steps to HIPAA compliance

Today's agenda

• Legal overview
  – Health Information Technology for Economic and Clinical Health Act (HITECH)
  – New breach requirements
  – Elements of an effective breach notification process
• Case study
• 7 steps to HIPAA compliance
• Take-away
• Questions?

2. Group check

How well do you understand the new HITECH Act overall?

A. Very well
B. I understand the components that are important to me
C. I understand a little bit
D. I'm hoping to understand more by attending this webcast!

Background

• Health Information Technology for Economic and Clinical Health Act (HITECH Act)
  – accelerates the move to a transaction-based Healthcare Information Network to:
    • provide more efficient, higher quality care
    • enhance communications among doctors, staff, patients and third-party providers
    • securely move health records, services, money

Background

  – Recognizes growing trends in the healthcare industry
    • geographically-dispersed delivery of care
    • increasing use of specialists and sophisticated diagnostic and treatment technology
    • need for ready access to patient and disease data as automated decision-support tools
    • increasingly mobile medical personnel who deliver patient care, inside and outside the hospital

Healthcare Information Network (diagram)

The slide shows the Healthcare Information Network as a hub connecting: Government & Private Payers, Public Health Organizations, Social Services, Home & Long Term Care, Business Associates, Clinics, Hospitals, Labs, Suppliers and Pharmacies.

Critical Success Factors

• Ubiquitous access
  – common communication protocols, data standards
• Collaborative exchange of information
• Secure infrastructure
  – real-time monitoring, tracking, reporting
  – continuous audit, forensics and enforcement capabilities

Current State (according to Forrester Research, July 2009)

• Many providers lack basic security technologies and processes
• Security spending lags behind other regulated industries
• Providers are moving to electronic health records (EHR) without considering the security implications
• Hackers are increasingly targeting healthcare and medical facilities

3. Group check

Has there been a data breach within your organization in the past twelve months?

A. Yes
B. No
C. I don't know

HITECH Enforcement Context

History of HIPAA Enforcement
• 48,000 complaints received by the Department of Health & Human Services (HHS)
• Vast majority resolved through voluntary compliance or corrective action
• Two "Resolution Agreements"
• Handful of criminal prosecutions

HITECH Enforcement Context

Post-HITECH Civil Monetary Penalties (CMPs) in effect now:

Violation Category (Section 1176(a)(1))    Each violation       All such violations of an identical provision in a calendar year
(A) Did Not Know                           $100-$50,000         $1,500,000
(B) Reasonable Cause                       $1,000-$50,000       $1,500,000
(C)(i) Willful Neglect - Corrected         $10,000-$50,000      $1,500,000
(C)(ii) Willful Neglect - Not Corrected    $50,000              $1,500,000

HITECH Enforcement Context

Other key changes
• Business Associates liable for criminal and civil penalties
• Compliance audits required
• State Attorneys General expressly authorized to enforce
• Enforcement funding and, by 2012, a percentage of CMPs/settlements distributed to individuals
• Explicit authority to seek criminal penalties against individuals for wrongful disclosure of protected health information (PHI)
• Net effect
  – More aggressive enforcement
  – Higher penalties
  – More potential opportunities for enforcement

4. Group check

Has your organization performed a thorough risk assessment in the…

A. Last 12 months
B. Last two years
C. Not sure when we did one last
D. I don't know, I'm stumped

Overview of HITECH Breach Notification Law

• Covered Entities and Business Associates required to provide notice of any breach of unsecured PHI
• Notice must be provided without unreasonable delay
• Specific content and procedure requirements for providing notices of breach
• In effect now, for breaches discovered on or after September 23, 2009
• Enforcement delayed until February 23, 2010

Breach of unsecured PHI

• Notice requirements apply only to breaches of unsecured PHI
• Breach is:
  – Acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Regulations
  And
  – Compromises the security or privacy of the PHI, which means there is a significant risk of harm to the individual

Significant Risk of Harm

• Risk of Harm Assessment / Factors to Consider
  – Type and amount of information disclosed
  – Likelihood that the information is accessible and usable
  – Likelihood that the breach will lead to harm to the individual
  – Steps taken to mitigate harm to the individual

Exceptions to Breach

• Unintentional acquisition, access, or use by workforce members of Covered Entity or Business Associate

• Inadvertent disclosure to similarly situated individuals at same facility

• Disclosure to an unauthorized person not reasonably able to retain the information


Unreasonable Delay and Discovery of Breach

• Covered Entity must notify individuals of a security breach without unreasonable delay and no later than 60 days from the date of discovery
• Business Associate has the same timeliness obligations with respect to notifying the Covered Entity
• Delay is permitted if a law enforcement official requests it for a criminal investigation or national security
• Breaches are treated as discovered when discovered by the Covered Entity or Business Associate, or when they would have been known by exercising "reasonable diligence"

Notice to Individual

• Content
  – Description of breach, including dates of breach and discovery
  – Description of types of PHI involved
  – Steps individuals should take to protect against harm
  – Steps taken by Covered Entity to mitigate and protect against harm
  – Contact procedures
• Procedures
  – Written notice via First Class mail to last known address
  – Substitute notice, if insufficient or out-of-date information
  – May use telephone or other means if urgent
• Single notice may meet any state law requirements
• Multiple notices permitted

Notice to Media

• If breach involves more than 500 residents of a state or jurisdiction, provide notice to prominent media outlets in that state or jurisdiction
• Provide in addition to notice to individual
• Same content and timeliness requirements as notice to individual

Notice to Secretary

• If breach involves 500 or more individuals, notify the HHS Secretary simultaneously with notice to individuals
• If fewer than 500 individuals, maintain a log and provide the information to the HHS Secretary within 60 days of the end of the calendar year
• Form for notification of HHS Secretary (OMB No. 0990-0346) at http://transparency.cit.nih.gov/breach/index.cfm
• Among other things, the form requires an attestation and requests information about:
  – Type of breach, e.g., theft, loss
  – Location of breached PHI
  – Safeguards in place prior to breach
  – Actions taken in response to breach
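As an added worked example (it is not part of the webcast and not code from either firm), the following Python helper strings together the rules on the preceding slides: the unsecured-PHI gate, the three exceptions, the risk-of-harm result, the discovery date under "reasonable diligence", the 60-day individual notice deadline and law-enforcement delay, the 500-individual Secretary threshold, the more-than-500-residents media threshold, and the year-end log for smaller breaches. The Incident and Obligations fields, the function names, the exception labels and the sample incidents (their dates and head counts are invented) are my own assumptions. The risk-of-harm finding is taken as an input because it is a factual judgment people make from the slide's factors, not something code can decide.

```python
# Added example: encodes the HITECH breach-notification rules from the slides above.
# Not the webcast's or either firm's code. Field names, function names and all sample
# incidents below are constructed assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

INDIVIDUAL_NOTICE_DAYS = 60   # notify individuals no later than 60 days from discovery
SECRETARY_THRESHOLD = 500     # 500 or more individuals: notify the HHS Secretary at once
MEDIA_THRESHOLD = 500         # more than 500 residents of one state: notify that state's media
YEAR_END_REPORT_DAYS = 60     # fewer than 500: log it, report within 60 days of calendar year end

# The three exceptions from the "Exceptions to Breach" slide (labels are my own).
EXCEPTIONS = {
    "unintentional_workforce",         # unintentional acquisition/access/use by a workforce member
    "inadvertent_similarly_situated",  # inadvertent disclosure to a similarly situated person on site
    "recipient_cannot_retain",         # unauthorized person not reasonably able to retain the PHI
}


@dataclass
class Incident:
    known_on: date                        # when the entity actually learned of the incident
    should_have_known_on: date | None     # when "reasonable diligence" would have surfaced it
    phi_unsecured: bool                   # False if the PHI was secured (e.g. encrypted)
    impermissible_use: bool               # use/disclosure not permitted by the Privacy Rule
    significant_risk_of_harm: bool        # outcome of the risk-of-harm assessment (human judgment)
    affected_by_state: dict[str, int]     # individuals affected, keyed by state/jurisdiction
    exception: str | None = None          # one of EXCEPTIONS, if one applies
    law_enforcement_hold_until: date | None = None  # delay requested by law enforcement, if any


@dataclass
class Obligations:
    is_breach: bool
    reason: str
    discovery_date: date | None = None
    individual_notice_by: date | None = None
    notify_secretary_now: bool = False
    media_notice_states: list[str] = field(default_factory=list)
    log_report_by: date | None = None


def discovery_date(inc: Incident) -> date:
    """A breach is 'discovered' on the earlier of actual knowledge and constructive knowledge."""
    if inc.should_have_known_on is None:
        return inc.known_on
    return min(inc.known_on, inc.should_have_known_on)


def assess(inc: Incident) -> Obligations:
    """Walk the definition of a reportable breach, then compute who must be told and by when."""
    if inc.exception is not None and inc.exception not in EXCEPTIONS:
        raise ValueError(f"unknown exception label: {inc.exception}")
    if not inc.phi_unsecured:                       # notice rules reach only unsecured PHI
        return Obligations(False, "PHI was secured; notification rules do not apply")
    if not inc.impermissible_use:                   # must be a use/disclosure HIPAA does not permit
        return Obligations(False, "use or disclosure was permitted by the Privacy Rule")
    if inc.exception is not None:                   # statutory exceptions take it out of "breach"
        return Obligations(False, f"exception applies: {inc.exception}")
    if not inc.significant_risk_of_harm:            # must compromise security or privacy of the PHI
        return Obligations(False, "risk-of-harm assessment found no significant risk")

    disc = discovery_date(inc)
    deadline = disc + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    # A law-enforcement request can push the deadline out; it never shortens it.
    if inc.law_enforcement_hold_until and inc.law_enforcement_hold_until > deadline:
        deadline = inc.law_enforcement_hold_until

    total = sum(inc.affected_by_state.values())
    obl = Obligations(True, "breach of unsecured PHI", disc, deadline)
    obl.notify_secretary_now = total >= SECRETARY_THRESHOLD
    obl.media_notice_states = sorted(s for s, n in inc.affected_by_state.items() if n > MEDIA_THRESHOLD)
    if total < SECRETARY_THRESHOLD:
        # Smaller breaches go in the log and are reported within 60 days of the end of the calendar year.
        obl.log_report_by = date(disc.year, 12, 31) + timedelta(days=YEAR_END_REPORT_DAYS)
    return obl


def sample_incidents() -> dict[str, Incident]:
    """Constructed incidents (dates and counts are invented) mirroring the slides' scenarios."""
    missing_laptop = Incident(           # the case study: client computer last seen months ago
        known_on=date(2009, 12, 1), should_have_known_on=date(2009, 10, 15),
        phi_unsecured=True, impermissible_use=True, significant_risk_of_harm=True,
        affected_by_state={"IL": 900, "IN": 300})
    return {
        "missing_laptop": missing_laptop,
        "encrypted_laptop": Incident(date(2009, 12, 1), date(2009, 10, 15), False, True, True,
                                     {"IL": 900, "IN": 300}),
        "small_misdirected_fax": Incident(date(2009, 11, 10), None, True, True, True, {"IL": 120}),
        "held_by_law_enforcement": Incident(date(2009, 11, 10), None, True, True, True, {"IL": 120},
                                            law_enforcement_hold_until=date(2010, 2, 1)),
        "workforce_accident": Incident(date(2009, 11, 10), None, True, True, True, {"IL": 3},
                                       exception="unintentional_workforce"),
    }


if __name__ == "__main__":
    for name, inc in sample_incidents().items():
        print(name, assess(inc))
```

Running the block prints one Obligations record per sample incident. The missing-laptop case is the useful one to study: because "reasonable diligence" would have surfaced the loss on the earlier date, the 60-day clock starts there, not on the day someone finally noticed, which is exactly why the slides stress tracking where PHI lives and reviewing it continuously.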


5. Group check

Has your organization been trained to respond appropriately should a breach occur?

A. Yes
B. No
C. I don't know

Legal Action Steps

Create/refine your breach response plan (now)
• Identify your team
  – Internal
  – Line up potential external resources now
• Develop breach notice form, policies, response flow chart
  – Don't forget state law
• Train your workforce
• Strategy for dealing with BAs and BA contracts
• Insurance options
• Practice drill(s)

Case Study – We've Lost Our Client's Data!

A business associate discovers that a computer belonging to its client is missing. The last time they remember seeing it was three months ago.

• Where do you start?
• What should you be concerned with?

6. Group check

Which of the following describes your organization? We are…

A. Well prepared to respond to a breach.
B. Somewhat prepared to respond to a breach.
C. Not at all prepared to respond to a breach.
D. We'll just figure it out, if and when it happens.

Seven Steps to HIPAA Compliance

1. Begin with a thorough risk assessment
2. Identify all locations with PHI
3. Determine whether encryption is warranted, and to what extent
4. Create a cost-effective plan to mitigate top risks
5. Ensure business associate contracts are modified
6. Update policies and procedures
7. Take a cross-functional approach to compliance

Take-away

• Expect more enforcement and bigger penalties for HIPAA violations

• Have a well-thought out breach response plan before the breach occurs

• Managing a breach correctly after it occurs requires understanding its scope and extent

• Basic safeguards can help prevent a breach or, if it does occur, can minimize its impact


7. Group check

How would improved breach readiness help your organization?

A. avoid litigation
B. avoid negative press
C. avoid serious legal and administrative costs
D. all of the above

Our presenters will now answer your questions

Sheila Sokolowski, [email protected], Katten Muchin Rosenman LLP, Chicago, IL

Mark J. Sullivan, [email protected], Grant Thornton LLP, Chicago, IL

Jan Hertzberg, [email protected], Grant Thornton LLP, Chicago, IL

To stay up to date on health care reform and its impact on you, please click on the links below:

• Grant Thornton's health care reform resource center
• Katten Muchin Rosenman Health Care Practice

After the program

Respond to the online evaluation form.
Print your CPE Certificate from the CPE confirmation email.
Note: Group participation will not receive CPE.
Download today's slides as a reference resource.

For questions regarding your CPE certificate, contact LearnLive at 888.228.0988.
For questions regarding your CLE certificate, contact [email protected]

Thank you…

Tax Professional Standards Statement

This document supports Grant Thornton LLP's marketing of professional services, and is not written tax advice directed at the particular facts and circumstances of any person. If you are interested in the subject of this document we encourage you to contact us or an independent tax advisor to discuss the potential application to your particular situation. Nothing herein shall be construed as imposing a limitation on any person from disclosing the tax treatment or tax structure of any matter addressed herein. To the extent this document may be considered to contain written tax advice, any written advice contained in, forwarded with, or attached to this document is not intended by Grant Thornton to be used, and cannot be used, by any person for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.