Complying with the Health Information Technology for Economic and Clinical Health (HITECH) Act
HIPAA, Security and Privacy, and Electronic Health Records
December 2009
Copyright © 2009 Deloitte Development LLC. All rights reserved.
Table of contents
• ARRA/HITECH Act:
  – ARRA/HITECH overview
  – Privacy and security requirements overview
  – HITECH Act’s impact on privacy and security
  – Recent HIPAA privacy and security enforcement data
  – Top HIPAA privacy and security concerns or challenges
• Compliance steps
• Deloitte Perspectives
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
ARRA/HITECH Act: Security and privacy implications
• The recent American Recovery and Reinvestment Act (ARRA) provides a significant step toward health care information technology modernization
[Chart: 2008 U.S. Federal Budget $2.9T; Stimulus $787B (27%); $38B total allocated towards HITECH expenditures]
HITECH Act overview — background
• ARRA includes the HITECH Act to accelerate the adoption of interoperable electronic health records and to promote HIE.
• The legislation includes provisions intended to shore up public confidence in the use of EHRs and personal health records (PHRs) by beefing up enforcement of and expanding the scope of activities covered by HIPAA Privacy and Security Rules.
  – Facts and figures
    • Obama Administration initiative
    • Appropriates $787B across a broad spectrum of government programs
    • Many Health and Human Service (HHS)/labor funds are passed down to states through existing mechanisms
    • Health IT funding includes incentives and appropriations from the HITECH Act and other health IT initiatives such as telehealth
  – HITECH priority areas include:
    • Electronic Health Records (EHR)
    • Health Information Exchanges (HIE)
    • Security and Data Privacy
    • Outcome Registries
    • Promotion of Health Information Technology (HIT) Standards and Interoperability
The Congressional Budget Office has already revised initial estimates for EHR ‘meaningful use’ incentives
Agency (Funding in Millions): Description
Division A
• HHS: HRSA (1,500): Funds for the construction, renovation and equipment and for the acquisition of health IT systems for community health centers
• HHS: Office of the National Coordinator for Health Information Technology (2,000): Funds for the establishment of the National Coordinator for Health Information Technology, a policy committee, a standards committee, the development of HIT, etc. (See Title XIII of Division A of ARRA)
• HHS: Office of the Secretary (50): Improve information technology security
• HHS: IHS (85): Funds may be used for telehealth services deployment and related infrastructure requirements. Funds to be allocated at the discretion of the Director of the Indian Health Service
• SSA (40): For Health IT research and activities to facilitate adoption of EHR in disability claims
• HHS: Agency for Healthcare Research and Quality (400): A portion of this amount may be used to encourage the development and use of clinical registries, clinical data networks, and other forms of electronic health data that can be used to generate or obtain outcomes data
Part A Total: 4,075
Division B - Incentives (36,000 - 45,000)
• The Congressional Budget Office estimates a total outlay of over $36 billion for incentive payments (recent estimates for outlays have reached $45 billion). They also estimate that these costs will be offset by over $15 billion in reductions in health expenditures and in penalties, resulting in net costs of around $20 billion.
Privacy and data protection requirements overview
• Expansion of the Department of Health and Human Services (DHHS) responsibilities:
  – Creation of the Office of the National Coordinator (ONC) for Health Information Technology with $2B in initial funding to develop standards and certification criteria
    • Creation of a Chief Privacy Officer of the ONC to advise state and regional efforts concerning privacy, security, and data stewardship of health information
  – Provide education to the business community through implementing regulations and guidance documents
  – Periodically evaluate covered entities and business associates for compliance with the HIPAA Privacy and Security Rules
  – Increase educational initiatives by assigning regional education liaisons and conducting compliance studies
  – Issue mandatory penalties in certain situations
  – Report breach data to Congress annually
  – Breach notification requirements
  – Expansion of the HIPAA rules
  – Business associate liability for the HIPAA Privacy and Security Rule
Privacy and data protection requirements overview (cont.)
• Expansion of the DHHS’ responsibilities (cont.):
  – Individual rights:
    • Disclosure restrictions
    • Right to accounting
    • Marketing restrictions
  – Prohibition on the sale of Protected Health Information (PHI)
Requirement: Details / Effective date

New HIPAA Business Associates
• Requires that new entities that were not contemplated when HIPAA was written (Personal Health Record vendors, Regional Health Information Organizations, HIEs, etc.) are subject to the same privacy and security rules by requiring Business Associate contracts and treating these entities as Business Associates under HIPAA.
Effective date: February 17, 2010

Breach Notification
• Establishes a federal security breach notification requirement for unsecured protected health information (unsecured PHI) and PHR.
Effective date: September 15, 2009; February 2010

Disclosure Restrictions
• An individual is permitted to request that a covered entity not send their PHI to a health plan for purposes of carrying out payment or health care operations for a service when the individual pays for the service fully out of pocket.
• Covered entities are required to limit the use, disclosure or request of PHI to the limited data set to the extent practicable, or to the minimum necessary if needed by the entity.
Effective date: February 17, 2010

Accounting of Disclosures
• Covered entities must produce, upon request, an accounting of disclosures of the individual’s PHI, including routine disclosures over a three-year period.
• Business associates must produce, upon request, an accounting of disclosures of PHI for treatment, payment, and health care operations.
Effective date: January 1, 2011 through January 1, 2014, based on acquisition of electronic health records

Prohibition on Sale
• A covered entity or business associate is prohibited from directly or indirectly receiving remuneration for any PHI without a HIPAA authorization from the applicable individual, subject to exceptions.
Effective date: No later than February 11, 2011

Marketing and Fund Raising
• Marketing and fund-raising activities now require specific authorization as they are no longer covered under the health care operations definition. Also, individuals have the right to opt out of any communication that relates to fund-raising.
Effective date: February 17, 2010

Enforcement
• Strengthens enforcement of HIPAA security and privacy rules and penalties for noncompliance.
• Provides for enforcement of HIPAA by State Attorneys General and local law enforcement.
Effective date: Increase in civil penalties and enforcement by State Attorneys General, February 17, 2010; penalties for willful neglect by February 11, 2011
HITECH Act’s impact on privacy and security
A closer look at HITECH Act’s impact on privacy and security
HITECH Act overview — penalties and enforcement
Penalties and enforcement under the HITECH Act
Penalties
• New penalty tiers per HIPAA violation (max/year)
  – Unknowing ($25K)
  – Reasonable cause ($100K)
  – Willful neglect ($250K)
  – Uncorrected willful neglect ($1.5M)
• Civil and criminal liability for HIPAA violations extended to business associates
• Mandatory investigations and civil penalties for violations due to willful neglect
Enforcement
• Expanded resources and significant funding for HHS enforcement
• State Attorneys General authorized to pursue actions on behalf of state citizens
• Vendor breaches enforced by the Federal Trade Commission as unfair and deceptive acts or practices
Notable Past Incidents
• Pharmacy incident — $2.24M penalty, plus consent agreement
[Diagram: enforcement bodies (DHHS, State Attorneys General, Federal Trade Commission)]
Enforcement results for HIPAA privacy
• From the compliance date (April 2003) to July 2009, the HIPAA Privacy* compliance issues investigated most often, compiled cumulatively in order of frequency, are:
  – Impermissible uses and disclosures of protected health information;
  – Lack of safeguards of protected health information;
  – Lack of patient access to their protected health information;
  – Uses or disclosures of more than the minimum necessary protected health information; and
  – Lack of or invalid authorizations for uses and disclosures of protected health information.
• The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
  – Private Practices.
  – General Hospitals.
  – Outpatient Facilities.
  – Health Plans (group health plans and health insurance issuers).
  – Pharmacies.
* Based on the CMS Enforcement Statistics Report Open and Closed Cases by Type As of July 31, 2009
Most commonly violated HIPAA security provisions
[Chart: number of complaints per security provision, y-axis 0 to 200]
• Administrative-164.308(a)(4)(i) Information Access Management (Total 170)
• Technical-164.312(a)(1) Access Control (Total 170)
• Administrative-164.308(a)(5)(i) Security Awareness and Training (Total 139)
• Administrative-164.308(a)(6)(i) Security Incident Procedures (Total 117)
• Physical-164.310(d)(1) Device and Media Control (Total 79)
Summary of most commonly violated security provisions
• A single security complaint can allege violations of all the provisions listed
• The number of provisions listed does not correlate to the total number of security complaints
• The totals represented on this slide are: Administrative provisions 426, Technical 170, and Physical 79
* Based on the CMS Enforcement Statistics Report Open and Closed Cases by Type As of July 31, 2009
Top HIPAA privacy and security concerns and challenges
Based on recent work relating to HITECH, the following are examples of the top privacy and security concerns or challenges that many organizations are facing:
HIPAA privacy
• Update the breach notification procedures
• Amend the business associate agreements and enhance third-party risk management
• Revise policies and procedures (e.g., accounting of disclosure, marketing, individual access to PHI)
• Refresh training for workforce members

HIPAA security
• Reduce data leakage (e.g., data sent outside the organization and/or controlling end-user behavior)
• Enhance role-based access control based on the minimum necessary principle
• Improve logging and monitoring to detect suspicious system activities
• Implement an encryption solution (e.g., focusing on mobile devices first)
Compliance steps
Deloitte approach
Covered Entities should assess the HITECH Act and Health Insurance Portability and Accountability Act (HIPAA) security and privacy requirements and satisfy “Meaningful Use.”
HITECH/HIPAA Assessment
• Inventory business processes
• Conduct HIPAA privacy and security rule assessment
• Identify privacy and security gaps
• Recommend next steps
HIPAA/HITECH assessment
Covered Entities must meet HIPAA/HITECH privacy and security requirements as they establish a strategy for their “Meaningful Use” of Electronic Health Records implementation. The outline below is a three-phased approach:
• Business process inventory and risk prioritization
• HIPAA/HITECH privacy and security rule assessment
• Make recommendations and create privacy and security road map

Activities across the three phases:
• Inventory the business processes of the provider
• Select a number of business processes to assess based upon agreed-upon risk prioritization
• Assess selected business processes against HIPAA/HITECH privacy and security requirements
• Identify HIPAA/HITECH privacy and security gaps
• Identify potential control gaps that may exist in the business, Information Technology (“IT”), and operating environment of the provider
• Create data maps for the identified business processes
• Create road map/remediation plan to address HIPAA/HITECH privacy and security gaps
Where to start
Avoiding the disconnect
A “disconnect” among corporate policies, actual operational practices, and technology infrastructure reduces corporate ability to implement changes into the business environment.
[Diagram: Technology, Policies and Processes, with a disconnect between each]
• Examples of activities related to privacy and data protection that may lead to enforcement actions, lawsuits, or monetary fines:
  – Failure to adequately track and account for disclosures
  – Failure to implement “Minimum Necessary” controls
  – Failure to adequately train personnel on HIPAA privacy policies and procedures
  – Misrepresenting the security and privacy protection of PHI
Compliance approach — integrated program
• From an effectiveness and efficiency perspective, organizations need to have or develop a holistic and integrated compliance approach
• To demonstrate and support the various security controls and risk decisions, companies should consider the respective regulatory and business requirements
[Diagram of the integrated program:]
• Identify all applicable requirements (regulations, contractual, business requirements) related to Security & Privacy: PCI DSS, HIPAA Security & Privacy, Texas Security & Privacy (HB 2004), Red Flags, CFATS?, FISMA?, other state-specific requirements, external audits, internal audits, GLBA, HITECH
• Develop Integrated Baseline Requirements
• Apply Risk Based Baseline Requirements to the Organization’s Information Assets (Process, Applications, Infrastructure, Facility, Third-Party, etc.): branch offices, remote employees, WAN, WWW, VPN, outsourced development, enterprise e-mail, business analytics, customer portal, production data, data warehouse, staging, file server, DR, backup disk, backup tape, disk storage, customers, partners
• Integrated Baseline Requirements and Controls: align policies, standards, awareness, and implementation of any gaps; focus on standardization, reduced risk and better visibility on compliance
• Perform Assessment and Compliance Monitoring
Compliance approach — breach notification
• Many organizations are in the early stages of developing an effective privacy breach response strategy or have attempted to resolve this issue by leveraging existing security breach response programs.
• These programs by themselves may not be comprehensive enough to cover market, industry and regulatory requirements associated with a breach of PII/ePHI/PHI
• In order to effectively manage these requirements and associated risks, organizations need to identify the components of an incident response program that are in place, identify gaps, and build a broad response capability
Maturity levels:
• Level 1: Reactive, no documented privacy breach response program: ad hoc approach
• Level 2: Defined basic processes: not implemented or tested
• Level 3: Repeatable processes in place for responding to breaches: not programmatic
• Level 4: Well-defined and tested privacy breach response program set for the organization and strong awareness
See more details in Appendix D
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.