
Page 1: Hitech changes-to-hipaa

Gurvinder Singh (CISSP) [email protected]

San Antonio Chapter of The Healthcare Information and Management Systems Society (HIMSS)

HITECH CHANGES TO HIPAA: WHY SHOULD YOU CARE?

Page 2: Hitech changes-to-hipaa

OBJECTIVES

• Overview of HITECH

• Changes to HIPAA under HITECH

• Business Associates & Effects on BAA

• The Breach Notification Rule

Page 3: Hitech changes-to-hipaa

DISCLAIMER (NOT SO FINE PRINT)

The information contained in this session is not intended to serve as legal advice nor should it substitute for legal counsel. The material in this presentation is designed to provide information. The presentation is not exhaustive, and attendees are encouraged to seek additional detailed legal guidance to supplement the information contained herein.

Page 4: Hitech changes-to-hipaa

DEFINITIONS

• Protected Health Information (PHI)

  • Any oral or recorded information in any form or medium that is

    • Created or received by the covered entity/BA, AND

    • Relates to the past, present or future condition of an individual

  • Any information that contains a subset of demographic information collected from an individual

  • Any information that identifies an individual, or where there is a reasonable basis to believe the information can be used to identify an individual

  • Includes any data transmitted or maintained in any form

Page 5: Hitech changes-to-hipaa

DEFINITIONS

• Privacy Rule

  • Relates to the privacy of any protected health information (PHI)

• Security Rule

  • Relates specifically to electronic PHI (ePHI) at rest or in transit

Page 6: Hitech changes-to-hipaa

Health Insurance Portability and Accountability Act (HIPAA)

• Insurance Reform [Portability]

• Administrative Simplification [Accountability]

  • Privacy: Compliance Date 4/14/2003

  • Security: Compliance Date 4/20/2005

• Fraud and Abuse (Accountability)

HITECH: Health Information Technology for Economic and Clinical Health, 9/18/2009

(HITECH) HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH, enacted as part of (ARRA) the AMERICAN RECOVERY AND REINVESTMENT ACT OF 2009

Page 7: Hitech changes-to-hipaa

HITECH Act (ARRA): How did it change HIPAA? No longer a paper tiger

• Increased penalties for HIPAA violations (tiered civil monetary penalties)

• Required audits and investigations

• Increased enforcement and oversight activities

• State Attorneys General will have enforcement authority and may sue for damages and injunctive relief

• Increased breach notification rules

Page 8: Hitech changes-to-hipaa

HITECH Act (ARRA): Health Information Technology for Economic and Clinical Health

REQUIREMENT                      COMPLIANCE DATE
1. Business Associates           February 2010
2. Breach Notification           September 2009
3. Self-Payment Disclosures      February 2010
4. Minimum Necessary             August 2010
5. Accounting of Disclosures     January 2011/2014

Page 9: Hitech changes-to-hipaa

WHO IS A BUSINESS ASSOCIATE?

• If an entity that is not a covered entity is doing something “ON YOUR BEHALF”, and is not treatment, you need a BA Agreement with them.

• Applies to payment and health care operations

Examples of Business Associates:

• A third party administrator that assists a health plan with claims processing.

• A CPA firm whose accounting services to a health care provider involve access to protected health information.

• An attorney whose legal services to a health plan involve access to protected health information.

• A consultant that performs utilization reviews for a hospital.

• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.

• An independent medical transcriptionist that provides transcription services to a physician.

• A pharmacy benefits manager that manages a health plan’s pharmacist network.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html

Page 10: Hitech changes-to-hipaa

BUSINESS ASSOCIATES PRIVACY RULE IMPACT

• Under Section 13404, a business associate may only use or disclose PHI in a manner that complies with 45 C.F.R. § 164.504(e) (which describes the requirements for business associate agreements)

• Thus, business associates will now be regulated directly through a statutory requirement rather than indirectly through a contract. Business associates also must comply with the applicable provisions of the HITECH Act.

• Business associates will be subject to civil and criminal penalties if they violate these provisions.

Page 11: Hitech changes-to-hipaa

BUSINESS ASSOCIATES SECURITY RULE IMPACT

Under Section 13401, business associates will be required to comply with provisions of the HITECH Act, and with the following provisions of the Security Rule:

• § 164.308 (Administrative Safeguards);

• § 164.310 (Physical Safeguards);

• § 164.312 (Technical Safeguards);

• § 164.316 (Policies and Procedures).

Page 12: Hitech changes-to-hipaa

BREACH

• Notification required upon “discovery” of a “breach” of “unsecured PHI”

• “Breach” is defined as the unauthorized acquisition, access, use or disclosure of unsecured Protected Health Information (PHI) which compromises the security or privacy of such information

• “Compromises” means creates a “significant risk of financial, reputation or other harm to the individual”

• Requires risk assessment: fact specific analysis (consider nature of information, recipient, mitigation) to determine if significant harm exists.

Page 13: Hitech changes-to-hipaa

Federal Breach Notification Law – Effective Sept 2009

• Applies to all electronic “unsecured” (i.e., unencrypted) PHI

• Requires notification to the Federal Government no later than 60 days if more than 500 individuals are affected

• Annual notification if fewer than 500 individuals are affected

• Requires notification to a major media outlet

• Breach will be listed on a public website

• Requires individual notification to patients in plain language

• Criminal penalties may apply to an individual or employee of a covered entity

Page 14: Hitech changes-to-hipaa

CIVIL MONETARY PENALTIES – HITECH

Old rule was: Maximum civil penalty of $100 per violation up to $25,000/year for multiple violations of same requirement

New rule is: Tiered civil penalty structure:

• Innocent mistakes (did not know and would not have known a violation occurred after reasonable diligence)—$100 per violation (max $25,000) to $50,000 (max $1.5 million).

• Reasonable cause and not willful neglect—$1,000 per violation up to a maximum of $100,000/year for multiple violations of same requirement

• Willful neglect but corrected within 30 days—up to $10,000 per violation, up to a maximum of $250,000/year for multiple violations of the same requirement

• Willful neglect—up to $50,000 per violation that is not timely corrected, up to a maximum of $1,500,000/year for multiple violations of the same requirement

Page 15: Hitech changes-to-hipaa

TYPE OF BREACHES WITH MORE THAN 500 RECORDS BREACHED ACROSS THE USA
Source: Department of Health and Human Services (HHS)

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (As of July 3rd 2012)

• Theft: 52%

• Unauthorized Access/Disclosure: 22%

• Loss: 15%

• Hacking/IT Incident: 6%

• Improper Disposal: 5%

Page 16: Hitech changes-to-hipaa

TYPE OF BREACHES IN TEXAS
Source: Department of Health and Human Services (HHS)

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (As of July 3rd 2012)

• Theft: 64%

• Improper Disposal: 11%

• Loss: 8%

• Unauthorized Access/Disclosure: 8%

• Hacking/IT Incident: 6%

• Unknown: 3%

Page 17: Hitech changes-to-hipaa

LOCATION OF BREACHES ACROSS THE USA
Source: Department of Health and Human Services (HHS)

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (As of July 3rd 2012)

• Laptop: 27%

• Paper: 27%

• Other Portable Electronic Device: 15%

• Computer: 15%

• Network Server: 10%

• Other: 6%

Page 18: Hitech changes-to-hipaa

LOCATION OF BREACHES IN TEXAS
Source: Department of Health and Human Services (HHS)

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (As of July 3rd 2012)

• Laptop: 30%

• Network Server: 16%

• Other Portable Electronic Device: 16%

• Paper: 16%

• Computer: 11%

• Electronic Medical Record: 3%

• E-mail: 3%

• Other: 3%

• Other (X-ray films): 3%

Page 19: Hitech changes-to-hipaa

CASE STUDY 1- ALASKA DEPARTMENT OF HEALTH AND SOCIAL SERVICES (DHSS)

• June 2012: Alaska DHSS settles HIPAA security case for $1,700,000

• Portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee.

• HHS concluded that the Alaska Medicaid office did not have sufficient policies and procedures to protect patient information. The state health department had:

  • NOT completed a risk analysis for patient data

  • NOT instituted security training for state workers

  • NOT implemented the data encryption efforts that are required by HIPAA.

http://www.hhs.gov/news/press/2012pres/06/20120626a.html

Page 20: Hitech changes-to-hipaa

CASE STUDY 2- PHOENIX CARDIAC SURGERY (5 PHYSICIAN PRACTICE)

• April 2012: Phoenix Cardiac Surgery settles with HHS for $100,000

• Posted clinical and surgical appointments for its patients containing PHI on an Internet-based calendar that was publicly accessible.

• HHS investigation also revealed the following issues:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;

  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;

  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and

  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

http://www.hhs.gov/news/press/2012pres/04/20120417a.html

Page 21: Hitech changes-to-hipaa

CASE STUDY 3 - CRIMINAL PROCEEDINGS

• “Seattle Man Pleads Guilty in First Ever Conviction for HIPAA Rules Violation,” August 19, 2004.

• Richard Gibson, an employee at the Seattle Cancer Care Alliance, obtained a cancer patient’s name, DOB and SSN and used them to obtain credit cards in the patient’s name.

• Charged about $9,000 for jewelry, home improvements, etc.

• Received the maximum sentence: 16 months in prison.

Page 22: Hitech changes-to-hipaa

WHAT CAN WE LEARN?

• You won’t escape the notice of the HHS just because you are a small practice. Every practice, hospital, facility, healthcare entity and anyone that has access to Protected Health Information (PHI) must be compliant with the HIPAA Privacy and Security Rules.

• Patients are paying attention and want their information protected! Patients will not hesitate to report a practice if they feel their privacy is being breached. Let your patients know that you take their privacy seriously and what you are doing in your entity to protect their privacy.

http://www.managemypractice.com/what-can-we-learn-about-hipaa-from-phoenix-cardiac-surgery/

Page 23: Hitech changes-to-hipaa

WHAT CAN WE LEARN (CONTINUED)?

• Physicians are not exempt from responsibility. Physicians may not want to use the hospital or practice network email – they may want to use their personal Gmail, Yahoo, Hotmail or AOL account for office business – but it is easy to forget and use personal email to hand off patients, discuss appointments and ask for refill approvals. Non-secured email services are NOT the right way to send any patient information.

• Understand your technology. This is why the risk assessment is so important – you must identify any process or technology you are currently using that has the potential for PHI to be accessed inappropriately. Understand and mitigate your risk!

http://www.managemypractice.com/what-can-we-learn-about-hipaa-from-phoenix-cardiac-surgery/

Page 24: Hitech changes-to-hipaa

WHAT CAN YOU DO? SHORT HITECH-HIPAA CHECKLIST:

• Put together a breach notification policy.

• A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is required by law to be performed by every Covered Entity and Business Associate.

• Find all your existing business associate agreements and update them.

• Educate your staff about HITECH and document the trainings.

• Encrypt if you can, or at least where you can.

• Monitor DHHS activities for the publication of additional guidance and proposed regulations.

This is also a good time to review all your HIPAA policies and re-educate your staff. The rules have changed, and the risks are much, much higher.

Page 25: Hitech changes-to-hipaa

RESOURCES

• Risk Assessment Basics from HIMSS

www.himss.org/asp/ContentRedirector.asp?ContentID=76250

• Tools and methods available for risk analysis and risk management

http://www.hhs.gov/ocr/hipaa

• 45 CFR Parts 160 and 164, Breach Notification for Unsecured Protected Health Information; Interim Final Rule, Health and Human Services (HHS), August 2009

http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

• HIPAA information webpage

http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

• http://www.linkedin.com/groups/All-Things-HITECH-3873240

Page 26: Hitech changes-to-hipaa

QUESTIONS?