Hipaa Goes Hitech

Explore the changes to the HIPAA privacy and security rules as a result of the American Recovery and Reinvestment Act.

Page 1: Hipaa Goes Hitech

Content Covered: Expansion of Security and Privacy Rules

Page 2: Hipaa Goes Hitech

Privacy & Security Division

Page 3: Hipaa Goes Hitech

The American Recovery and Reinvestment Act of 2009, commonly known as the “Stimulus Bill,” was signed into law by President Obama on February 17, 2009. It is a $787 billion economic package, with $24.3 million dedicated to Privacy & Security.


Page 5: Hipaa Goes Hitech

The Bill strengthens federal privacy and security law to protect identifiable health information from misuse through:

› Expansion of Security & Privacy Rules
› New requirements to notify patients when a breach occurs
› Increased enforcement and penalties

Page 6: Hipaa Goes Hitech

Protected health information is information about the patient, their health, and healthcare services they receive.

Examples:

› Why the patient was admitted
› Patient’s history of mental illness
› Patient’s physical health
› Patient’s name, address or date of birth
› Patient’s diet plan indicating diabetic restrictions

Page 7: Hipaa Goes Hitech

Business Associate: a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, Springhill.

Page 8: Hipaa Goes Hitech

The new law extends HIPAA privacy and security requirements to cover our business associates.

Pre-ARRA Rule:

Business Associates were not directly subject to the HIPAA privacy and security rules.

Now HIPAA obligations that govern administrative, physical and technical safeguards, and require security policies and procedures, apply directly to our Business Associates.

Page 9: Hipaa Goes Hitech

In effect, business associates are now subject to the same requirements for protected health information data security as Springhill, along with the same penalties for noncompliance.

Page 10: Hipaa Goes Hitech

Springhill must amend business associate agreements to incorporate expanded privacy and security rule obligations.

EXPANDED OBLIGATIONS

Page 11: Hipaa Goes Hitech

The monetary penalties for violations of HIPAA have also INCREASED, and a percentage of the penalties collected will be distributed to the individuals harmed by the violations.

Page 12: Hipaa Goes Hitech

The authority for the administration and enforcement of the HIPAA Security Rule, which had previously been delegated to the Centers for Medicare and Medicaid Services, now belongs to the Office for Civil Rights.

Page 13: Hipaa Goes Hitech

The Act provides individuals with a right to obtain their PHI in an electronic format (i.e. ePHI). An individual can also designate that a third party be the recipient of the ePHI.

Page 14: Hipaa Goes Hitech

If an individual requests that a covered entity restrict the disclosure of PHI, the covered entity must comply with the requested restriction if—

the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.

Previously, HIPAA allowed covered entities to decline a patient’s request to restrict disclosure of information related to self-pay services. Now, however, if a patient pays for a procedure or testing rather than filing an insurance claim, they have the right to restrict disclosure of any information related to those services.

Page 15: Hipaa Goes Hitech

Patients can request an accounting of disclosures (AOD) that includes a full accounting of PHI disclosures, including those for treatment, payment, and healthcare operations.

The accounting can go back 3 years. The effective date depends on the date the EHR was acquired. We must now include treatment, payment and healthcare operations in the AOD.

Page 16: Hipaa Goes Hitech

Covered Entities and Business Associates must limit their uses, disclosures or requests for PHI to a "limited data set," if practicable, or, if needed, the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

To comply with this requirement, Covered Entities and Business Associates must educate their workforce members about the new minimum necessary and limited data set standards.

Page 17: Hipaa Goes Hitech

Penalty tiers (per violation):

Tier   Category                 Minimum Penalty   Maximum Penalty
A      “Did not know”           $100              $25,000
B      “Reasonable cause”       $1,000            $100,000
C      “Willful neglect”        $10,000           $250,000
D      “Uncorrected violation”  $50,000           $1,500,000

Page 18: Hipaa Goes Hitech

“Breach” generally is the unauthorized acquisition, access, use or disclosure of protected health information that compromises the privacy or security of that information.

Page 19: Hipaa Goes Hitech

Springhill must provide notice via first class mail to the affected person within 60 days of a breach! Among other things, the notice must include:

› A description of what happened and the date of the breach
› A description of the information involved in the breach
› The steps the person should take to protect himself
› A description of the covered entity’s investigation and mitigation efforts

Page 20: Hipaa Goes Hitech

In any case in which 500 or more persons are affected by a breach, Springhill must provide notice to major local media outlets. Breaches affecting fewer than 500 persons must be reported annually to the Department of Health and Human Services.

Page 21: Hipaa Goes Hitech

August 2009: Breach notification provisions and PHI breach notification

February 2010: Business Associates and Marketing; Employees of covered entities may have independent criminal liability

August 2010: Minimum Necessary and Prohibition on sale of electronic health records/PHRs.

January 2011: Accounting for Disclosures

February 2011: Enforcement for ‘willful neglect’

Page 22: Hipaa Goes Hitech

The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements.

Page 23: Hipaa Goes Hitech

Health Information Technology
American Recovery and Reinvestment Act (Recovery Act) Implementation Plan
Office of the National Coordinator for Health Information Technology

Funding Table: Total Appropriated (Dollars in Millions)

Privacy and Security*                                    $    24.285
National Institute of Standards and Technology (NIST)         20.000
Regional HIT Exchange                                        300.000
Unspecified                                                1,655.715
Total, Health Information Technology                     $ 2,000.000

*Note: This dollar figure, $24,285,000, includes an estimated $9.5 million for audits by the Office for Civil Rights and the Centers for Medicare & Medicaid Services.

Page 24: Hipaa Goes Hitech

Springhill is responsible for reporting a breach in a timely manner and you can help. If you suspect a breach to have occurred, immediately alert the Privacy Officer or call the anonymous compliance hotline.