
Complying with the Health Information Technology for Economic and Clinical Health (HITECH) Act

HIPAA, Security and Privacy, and Electronic Health Records

December 2009


Copyright © 2009 Deloitte Development LLC. All rights reserved.1 Complying with the HITECH Act

Table of contents

• ARRA/HITECH Act:
  – ARRA/HITECH overview
  – Privacy and security requirements overview
  – HITECH Act’s impact on privacy and security
  – Recent HIPAA privacy and security enforcement data
  – Top HIPAA privacy and security concerns or challenges
• Compliance steps
• Deloitte Perspectives

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.


ARRA/HITECH Act: Security and privacy implications


HITECH Act overview — background

• The recent American Recovery and Reinvestment Act (ARRA) provides a significant step toward health care information technology modernization
• ARRA includes the HITECH Act to accelerate the adoption of interoperable electronic health records and to promote HIE.
• The legislation includes provisions intended to shore up public confidence in the use of EHRs and personal health records (PHRs) by beefing up enforcement of and expanding the scope of activities covered by HIPAA Privacy and Security Rules
  – Facts and figures
    • Obama Administration initiative
    • Appropriates $787B across a broad spectrum of government programs
    • Many Health and Human Service (HHS)/labor funds are passed down to states through existing mechanisms
    • Health IT funding includes incentives and appropriations from the HITECH Act and other health IT initiatives such as telehealth
  – HITECH priority areas include:
    • Electronic Health Records (EHR)
    • Health Information Exchanges (HIE)
    • Security and Data Privacy
    • Outcome Registries
    • Promotion of Health Information Technology (HIT) Standards and Interoperability

[Figure: ARRA stimulus of $787B (27%) shown against the $2.9T 2008 U.S. Federal Budget; $38B total allocated towards HITECH expenditures]


The Congressional Budget Office has already revised initial estimates for EHR ‘meaningful use’ incentives

Agency | Funding (Millions) | Description

Division A
HHS: HRSA | 1,500 | Funds for the construction, renovation and equipment and for the acquisition of health IT systems for community health centers
HHS: Office of the National Coordinator for Health Information Technology | 2,000 | Funds for the establishment of the National Coordinator for Health Information Technology, a policy committee, a standards committee, the development of HIT, etc. (See Title XIII of Division A of ARRA)
HHS: Office of the Secretary | 50 | Improve information technology security
HHS: IHS | 85 | Funds may be used for telehealth services deployment and related infrastructure requirements. Funds to be allocated at the discretion of the Director of the Indian Health Service
SSA | 40 | For Health IT research and activities to facilitate adoption of EHR in disability claims
HHS: Agency for Healthcare Research and Quality | 400 | A portion of this amount may be used to encourage the development and use of clinical registries, clinical data networks, and other forms of electronic health data that can be used to generate or obtain outcomes data
Part A Total | 4,075 |

Division B - Incentives | 36,000 - 45,000 | The Congressional Budget Office estimates a total outlay of over $36 billion for incentive payments (recent estimates for outlays have reached $45 billion). They also estimate that these costs will be offset by over $15 billion in reductions in health expenditures and in penalties, resulting in net costs of around $20 billion.


Privacy and data protection requirements overview

• Expansion of the Department of Health and Human Services (DHHS) responsibilities:
  – Creation of the Office of the National Coordinator (ONC) for Health Information Technology with $2B in initial funding to develop standards and certification criteria
    • Creation of a Chief Privacy Officer of the ONC to advise state and regional efforts concerning privacy, security, and data stewardship of health information
  – Provide education to the business community through implementing regulations and guidance documents
  – Periodically evaluate covered entities and business associates for compliance with the HIPAA Privacy and Security Rules
  – Increase educational initiatives by assigning regional education liaisons and conducting compliance studies
  – Issue mandatory penalties in certain situations
  – Report breach data to Congress annually
  – Breach notification requirements
  – Expansion of the HIPAA rules
  – Business associate liability for the HIPAA Privacy and Security Rule


Privacy and data protection requirements overview (cont.)

• Expansion of the DHHS’ responsibilities (cont.):
  – Individual rights:
    • Disclosure restrictions
    • Right to accounting
    • Marketing restrictions
  – Prohibition on the sale of Protected Health Information (PHI)


HITECH Act’s impact on privacy and security

A closer look at HITECH Act’s impact on privacy and security

Requirement: New HIPAA Business Associates
Details: • Requires that new entities that were not contemplated when HIPAA was written (Personal Health Record vendors, Regional Health Information Organizations, HIEs, etc.) are subject to the same privacy and security rules by requiring Business Associate contracts and treating these entities as Business Associates under HIPAA.
Effective date: February 17, 2010

Requirement: Breach Notification
Details: • Establishes a federal security breach notification requirement for unsecured protected health information (unsecured PHI) and PHR.
Effective date: September 15, 2009; February 2010

Requirement: Disclosure Restrictions
Details:
• An individual is permitted to request that a covered entity not send their PHI to a health plan for purposes of carrying out payment or health care operations for a service when paying for the service fully out of pocket.
• Covered entities are required to limit the use, disclosure or request of PHI to the limited data set to the extent practicable, or the minimum necessary if needed by the entity.
Effective date: February 17, 2010

Requirement: Accounting of Disclosures
Details:
• Covered entities must produce, upon request, an accounting of disclosures of the individual’s PHI, including routine disclosures over a three-year period.
• Business associates must produce, upon request, an accounting of disclosures of PHI for treatment, payment, and health care operations.
Effective date: January 1, 2011 through January 1, 2014, based on acquisition of electronic health records

Requirement: Prohibition on Sale
Details: • A covered entity or business associate is prohibited from direct or indirect receipt of remuneration for any PHI without a HIPAA authorization from the applicable individual, subject to exceptions.
Effective date: No later than February 11, 2011

Requirement: Marketing and Fund Raising
Details: • Marketing and fund-raising activities now require specific authorization as they are no longer covered under the health care operations definition. Also, individuals have the right to opt out of any communication that relates to fund-raising.
Effective date: February 17, 2010

Requirement: Enforcement
Details:
• Strengthens enforcement of HIPAA security and privacy rules and penalties for noncompliance.
• Provides for enforcement of HIPAA by State Attorneys General and local law enforcement.
Effective date: Increase in civil penalties and enforcement by State Attorneys General, February 17, 2010; penalties for willful neglect by February 11, 2011


HITECH Act overview — penalties and enforcement

Penalties and enforcement under the HITECH Act

Penalties
• New penalty tiers per HIPAA violation (max/year)
  – Unknowing ($25K)
  – Reasonable cause ($100K)
  – Willful neglect ($250K)
  – Uncorrected willful neglect ($1.5M)
• Civil and criminal liability for HIPAA violations extended to business associates
• Mandatory investigations and civil penalties for violations due to willful neglect

Enforcement
• Expanded resources and significant funding for HHS enforcement
• State Attorneys General authorized to pursue actions on behalf of state citizens
• Vendor breaches enforced by the Federal Trade Commission as unfair and deceptive acts or practices

Notable Past Incidents
• Pharmacy incident — $2.24M penalty, plus consent agreement

[Figure: enforcement bodies: DHHS, State Attorneys General, Federal Trade Commission]


Enforcement results for HIPAA privacy

• From the compliance date (April 2003) to July 2009, the HIPAA Privacy* compliance issues investigated most often, compiled cumulatively in order of frequency, are:
  – Impermissible uses and disclosures of protected health information;
  – Lack of safeguards of protected health information;
  – Lack of patient access to their protected health information;
  – Uses or disclosures of more than the minimum necessary protected health information; and
  – Lack of or invalid authorizations for uses and disclosures of protected health information.

• The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
  – Private Practices
  – General Hospitals
  – Outpatient Facilities
  – Health Plans (group health plans and health insurance issuers)
  – Pharmacies

* Based on the CMS Enforcement Statistics Report Open and Closed Cases by Type As of July 31, 2009


Most commonly violated HIPAA security provisions

[Bar chart: number of complaints alleging each of the five provisions listed below; bar values 170, 170, 139, 117 and 79 on a 0 to 200 axis]

Summary of most commonly violated security provisions

• A single security complaint can allege violations of all the provisions listed
• The number of provisions listed does not correlate to the total number of security complaints
• The total number of Administrative provisions represented on this slide is 426, Technical 170, and Physical 79

* Based on the CMS Enforcement Statistics Report Open and Closed Cases by Type As of July 31, 2009

• Administrative-164.308(a)(4)(i) Information Access Management (Total 170)

• Technical-164.312(a)(1) Access Control (Total 170)

• Administrative-164.308(a)(5)(i) Security Awareness and Training (Total 139)

• Administrative-164.308(a)(6)(i) Security Incident Procedures (Total 117)

• Physical-164.310(d)(1) Device and Media Control (Total 79)


Top HIPAA privacy and security concerns and challenges

Based on recent work relating to HITECH, the following are examples of the top privacy and security concerns or challenges that many organizations are facing:

HIPAA privacy
• Update the breach notification procedures
• Amend the business associate agreements and enhance third-party risk management
• Revise policies and procedures (e.g., accounting of disclosure, marketing, individual access to PHI)
• Refresh training to workforce members

HIPAA security
• Reduce data leakage (e.g., data sent outside the organization and/or controlling end-user behavior)
• Enhance role-based access control based on the minimum necessary principle
• Improve logging and monitoring to detect suspicious system activities
• Implement encryption solution (e.g., focusing on mobile devices first)


Compliance steps


Deloitte approach

Covered Entities should assess the HITECH Act and Health Insurance Portability and Accountability Act (HIPAA) security and privacy requirements and satisfy “Meaningful Use.”

HITECH/HIPAA Assessment
• Inventory business processes
• Conduct HIPAA privacy and security rule assessment
• Identify privacy and security gaps
• Recommend next steps


HIPAA/HITECH assessment

Covered Entities must meet HIPAA/HITECH privacy and security requirements as they establish a strategy for their “Meaningful Use” of Electronic Health Records implementation. The outline below is a three-phased approach:

Phase 1: Business process inventory and risk prioritization
• Inventory the business processes of the provider
• Select a number of business processes to assess based upon agreed-upon risk prioritization
• Create data maps for the identified business processes

Phase 2: HIPAA/HITECH privacy and security rule assessment
• Assess selected business processes against HIPAA/HITECH privacy and security requirements
• Identify HIPAA/HITECH privacy and security gaps
• Identify potential control gaps that may exist in the business, Information Technology (“IT”), and operating environment of the provider

Phase 3: Make recommendations and create privacy and security road map
• Create road map/remediation plan to address HIPAA/HITECH privacy and security gaps


Where to start


Avoiding the disconnect

A “disconnect” among corporate policies, actual operational practices, and technology infrastructure reduces corporate ability to implement changes into the business environment.

[Figure: Technology, Policies and Processes shown as three connected elements, with a “Disconnect” marked between them]

• Examples of activities related to privacy and data protection that may lead to enforcement actions, lawsuits, or monetary fines:
  – Failure to adequately track and account for disclosures
  – Failure to implement “Minimum Necessary” controls
  – Failure to adequately train personnel on HIPAA privacy policies and procedures
  – Misrepresenting the security and privacy protection of PHI


Compliance approach — integrated program

• From an effectiveness and efficiency perspective, organizations need to have or develop a holistic and integrated compliance approach
• To demonstrate and support the various security controls and risk decisions, companies should consider the respective regulatory and business requirements

[Figure: integrated compliance program flow]
• Identify all applicable requirements (regulations, contractual, business requirements) related to Security & Privacy: PCI DSS, HIPAA Security & Privacy, HITECH, Texas Security & Privacy (HB 2004), Red Flags, CFATS?, FISMA?, GLBA, Other State-Specific Requirements, External Audits, Internal Audits
• Develop Integrated Baseline Requirements
• Apply Risk Based Baseline Requirements to the Organization’s Information Assets (Process, Applications, Infrastructure, Facility, Third-Party, etc.): Branch Offices, Remote Employees, WAN, WWW, VPN, Outsourced Development, Enterprise e-mail, Business Analytics, Customer Portal, Production Data, Data warehouse, Staging, File Server, DR, Back up disk, Back up tape, Disk storage, Customers, Partners
• Integrated Baseline Requirements and Controls: align Policies, Standards, Awareness, and Implementation of any gaps; focus on standardization, reduced risk and better visibility on compliance
• Perform Assessment and Compliance Monitoring


Compliance approach — breach notification

• Many organizations are in the early stages of developing an effective privacy breach response strategy or have attempted to resolve this issue by leveraging existing security breach response programs.
• These programs by themselves may not be comprehensive enough to cover market, industry and regulatory requirements associated with a breach of PII/ePHI/PHI.
• In order to effectively manage these requirements and associated risks, organizations need to identify the components of an incident response program that are in place, identify gaps, and build a broad response capability.

Maturity of privacy breach response programs:
• Level 1: Reactive, no documented privacy breach response program: ad hoc approach
• Level 2: Defined basic processes: not implemented or tested
• Level 3: Repeatable processes in place for responding to breaches: not programmatic
• Level 4: Well-defined and tested privacy breach response program set for the organization and strong awareness

See more details in Appendix D


This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

Copyright © 2009 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu