From HIPAA to HITECH OMH Briefing

From HIPAA to HITECH OMH Briefing. Overview Part 1: HIPAA Review Part 2: HITECH Highlights Part 3: HITECH Breach Notification Requirements


Page 1

From HIPAA to HITECH

OMH Briefing

Page 2

Overview

Part 1: HIPAA Review

Part 2: HITECH Highlights

Part 3: HITECH Breach Notification Requirements

Page 3

PART ONE:

Review Of HIPAA

Page 4

Background

OMH is a covered entity required to comply with the requirements of the HIPAA Privacy and Security Rules.

February 17, 2010: Additional federal requirements are now enforceable against covered entities as a result of the HITECH Act (Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009).

Page 5

HIPAA Review Privacy Rule

Development of policy for use and disclosure of PHI/clinical information and to assure individual rights

Implementation of appropriate safeguards for protecting PHI/clinical information

Workforce training

Page 6

HIPAA Review Privacy Rule

Each covered entity must:

• Issue Privacy notices

• Have privacy officer and privacy liaisons at each facility

• Use business associate agreements

Page 7

HIPAA Review Privacy Rule

A covered entity can only use or disclose PHI:

• For treatment, payment, or healthcare operations

• As specifically authorized in writing by the patient

• If HIPAA provides another exception

Page 8

HIPAA Review Privacy Rule

No consent required for uses and disclosures of PHI for treatment*, payment and health care operations (* Note that Mental Hygiene Law is more stringent; no consent needed if provider has “nexus/link” with OMH)

• Thru licensure, local agreement, services plan

With some exceptions, individual’s written authorization required for all other disclosures

Use of OMH authorization form (OMH-11)

Page 9

HIPAA Review Privacy Rule

Clinical information protected under Mental Hygiene Law §33.13 is Protected Health Information (PHI) under HIPAA

Whichever state or federal rule provides greater confidentiality, or greater access to information for the individual, will prevail (preemption)

Page 10

Patient Authorization Needed:

Agencies/Individuals involved in discharge planning/follow-up services

Attorney

Physicians/Providers of health/mental health

• Unless there is nexus/link with NYS OMH

Page 11

Patient Authorization Needed (cont.):

Child Protective Agency

Department of Social Services

Family

Probation Department

VESID

Media

Page 12

HIPAA Review Privacy Rule

Minimum Necessary Rule

Limit uses and disclosures of PHI to the amount necessary to fulfill the purpose of the disclosure (or to perform job functions)

Exceptions: provider use for treatment purposes, disclosures to individuals and disclosures required by law

Page 13

PHI Identifiers

Names

All elements of dates (except year) for dates directly related to an individual

Phone numbers

Social security numbers

Medical record numbers

Page 14

PHI Identifiers

Health plan beneficiary numbers

Account numbers

Full face photographic images and any comparable images

Any other unique identifying number, characteristic, or code

Page 15

HIPAA Review Security Rule

Requires safeguards to protect Electronic PHI (EPHI):

C: Confidentiality of EPHI;

I: Integrity of EPHI; and

A: Accessibility of EPHI

Page 16

HIPAA Review Security Rule

Administrative safeguards

• Security Awareness and Training

• Information Access Management

• Contingency Plan

• Business Associate Contracts and Arrangements

Physical safeguards

• Device and Media Controls

• Facility Access Controls

• Workstation Security

• Workstation Use

Technical safeguards

• Access Control

• Audit Controls

• Integrity

• Person or Entity Authentication

• Transmission Security

Page 17

PART TWO:

HITECH Highlights

Page 18

HITECH (2009)

Amends HIPAA; now includes breach reporting and notification requirements

Significantly increases civil and criminal penalties for violations

Enhances state and federal enforcement and oversight activities

HIPAA provisions are now directly applicable to Business Associates

Page 19

Business Associates

Must comply with all safeguards under the HIPAA Security Rule for E-PHI

Required to document policies and procedures for safeguarding PHI

Must report security breaches

Must fix/report any known pattern of activity or practice by a covered entity that breaches or terminates the BAA

Now directly liable for civil and criminal penalties

Page 20

Business Associates

Revised OMH Business Associate Agreement in accordance with HITECH changes

Business associates:

• BOCES staff

• IT vendors

• Consultants (PT, OT)

Page 21

Additional HITECH Changes

Mandated audits to ensure compliance

Audits performed by:

- HIM

- IT

- CIT

Page 22

Additional HITECH Changes

OMH continues to follow Mental Hygiene and Confidentiality rules

Allows individuals to have broader rights of access to their records

Page 23

Additional HITECH Changes

Mental Hygiene Law “need to know” is similar to the HIPAA “minimum necessary standard”

Access and disclosure of PHI

• Only what is required to provide care/treatment or to perform a job duty

Page 24

Patient Rights

Individuals now have the right to request an accounting of disclosures from an EHR, including disclosures made for treatment, payment, and healthcare operations, and those authorized by the patient

Can go back as far as 3 years

Page 25

Patient Rights

Individuals may file privacy complaints

Designated OMH contact persons

• Facility Director

• QM

• HIM

• HHS

• OCR

Page 26

Patient Rights

A covered entity (CE) MUST comply with an individual’s request to restrict use or disclosure for payment or health care operations purposes when the PHI pertains to a service paid in full and out of pocket by the individual

Page 27

Additional HITECH Changes

Individuals have right to access their PHI in electronic format, if requested

Limits use of PHI for marketing purposes

Prohibition on sale of PHI; HHS regulations to be promulgated

Page 28

Safeguards to Protect PHI

Follow the “minimum necessary rule”: except for treatment purposes, use and disclosure of PHI is limited to the amount necessary to perform job functions

Use file covers, locked filing cabinets and locked record rooms

Avoid conversations identifying individuals in public places

Avoid posting PHI where it can be seen by unauthorized individuals

Page 29

Safeguards to Protect PHI

Don’t leave the worksite with unsecured PHI

Use, but don’t share, computer passwords

Follow computer security policies for desktops, laptops, disks and other media.

DO NOT email confidential clinical information or PHI over the internet

Keep track of paper files and electronic devices which contain PHI.

Page 30

Safeguards to Protect PHI

When faxing or phoning PHI, know or verify the receiving party and the contact numbers

Be mindful when disposing of PHI: shred, don’t toss, and use secure waste systems, not regular trash receptacles

When storing PHI, choose the most secure, accessible media: encryptable portable devices, hard drives, OMH system drives

Avoid storing PHI on personally owned devices and home computers

Page 31

Safeguards to Protect PHI

Remove PHI from electronic files and storage devices when no longer needed

When changing job functions or leaving OMH, discuss with your supervisor the secured return or destruction of PHI

Report suspected violations of HIPAA privacy or security requirements to your supervisor

Immediately report any suspected instance of lost or stolen paper or electronic files containing PHI to your supervisor

Page 32

PART THREE:

HITECH Breach Notification Requirements

Page 33

What is a Breach?

HITECH defines “breach” as:

Unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI

Page 34

Notification of Breach

OMH and business associates are required to notify individuals when there is a breach of unsecured PHI

Previously this was not a HIPAA requirement

If more than 500 residents of a state are involved, media outlets MUST be notified

Page 35

What is “Unsecured PHI?”

Protected Health Information (PHI) that is NOT:

Encrypted

Destroyed prior to Disposal

Unreadable, unusable or indecipherable

Includes both hard copy and electronic information

Page 36

How Can a Breach Occur?

It may include:

Loss of an information device or media that contains PHI (smartphone, flash drive, laptop, CD, etc.)

Unauthorized access to, use, or disclosure of information in clinical records

Page 37

How can a Breach Occur?

Sending PHI to an incorrect email address or fax number

Posting PHI on an unsecured website

Unauthorized access from an application, database, or another individual’s private account

Page 38

Notification of Breach

Internal procedure when a breach is suspected:

Report the breach to the HIM Director

Risk assessment completed by:

• HIM

• IT

Determination made

Information reported to Central Office

Page 39

Risk Assessment

Factors Considered:

What type of PHI was disclosed?

What amount of PHI was disclosed as a result of the incident?

Who used or had unauthorized access to the disclosed information? Was it a disclosure to another entity?

Page 40

Risk Assessment

Method of Disclosure

• Verbal

• Paper

• Electronic

Recipient of Information

• Internal Workforce

• Agency

• Business Associate

Page 41

Risk Assessment

Circumstances of Release

• Unintentional use/access

• Intentional disclosure w/o authorization

• Theft

• Loss

• Hack

Page 42

Risk Assessment

Was the PHI from the unauthorized disclosure returned before it could be accessed and used?

What immediate steps were taken to mitigate the risks associated with the unauthorized use or disclosure?

Page 43

Who must be notified when a breach is discovered?

Affected individuals

• No later than 60 days after discovery

Media

• If the breach affects more than 500 residents of a state or jurisdiction

Secretary of HHS (breaches of PHI)

• By filling out an electronic breach report form

Covered Entity

• If the breach of PHI occurs at/by a Business Associate

Page 44

Risks

Impact

• Financial

• Reputational

• Other Harm

Categories

• Low

• Medium

• High

Page 45

Breach Notification

OMH will provide written notice:

By first class mail to each individual involved; or

By hand delivery

Page 46

Breach Notification

Notifications to individuals must include:

Brief description of incident

Description of the types of unsecured PHI

Steps that should be taken by individual to protect themselves from harm

Brief description of the actions taken by OMH

Contact information to ask questions or gather additional information

Page 47

Documentation

OMH must create a log of all notifications of breaches involving fewer than 500 individuals

Submit log within 60 days of the end of each calendar year

Log and all other documentation will be maintained for 6 years

Page 48

Enforcing HITECH

HITECH significantly increases civil and criminal penalties for violating HIPAA

Civil penalties are tiered and can range from $100 per violation to $1.5 million per year

Criminal fines up to $50,000 and/or imprisonment

Page 49

Next Steps

Workforce Training

• Current Employees

• Review 2010 Information Security Mandated Training from the Bureau of Education and Workforce Development

• Future Employees

• HIPAA videos and all mandated HIPAA Privacy and Security materials

Manual Updates

Page 50

Next Steps

Posting of Information

• Brochures

• FAQ’s on intranet

• Posters around buildings

HIM attendance at department/discipline meetings

Continued staff awareness

Page 51

Q & A

Remember…

Information Privacy and Security is everyone’s responsibility.