
America’s Voice for Community Health Care
The NACHC Mission
To promote the provision of high quality,
comprehensive and affordable health care that is
coordinated, culturally and linguistically competent,
and community directed for all medically
underserved people.
American Recovery and Reinvestment Act
Changes to HIPAA
Michael Lardiere, LCSW
Director, Health Information Technology
Sr. Advisor, Behavioral Health
National Association of Community Health
Centers
[email protected]
October 16-18, 2009
American Recovery and Reinvestment Act of 2009
Includes the Health Information Technology
for Economic and Clinical Health Act (HITECH
Act).
Important substantive changes to the Health
Insurance Portability and Accountability Act of
1996 (HIPAA)
Mandates extensive new regulations
around electronic medical records.
Extends the HIPAA Privacy and Security
Provisions and Penalties to Business Associates
of Covered Entities
Health information exchanges
Regional health information organizations
e-prescribing gateways and
Other technology vendors
Vendors contracted with a Covered Entity to
provide a Personal Health Record (PHR) as
part of an Electronic Health Record (EHR).
The HITECH Act defines a “personal health record” as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.
An electronic health record is defined as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”

BAs will be treated just like Covered Entities for
purposes of the HIPAA privacy and security
provisions and will be responsible for
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Policies and Procedures and
Documentation requirements of the Security
Rule
45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, respectively.
Liability for civil and criminal penalties
Covered Entities will likely have to revise
their existing Business Associate Agreements
to incorporate language reflecting this change
Business Associates will have an obligation to
terminate their Business Associate
Agreements with Covered Entities if they have
knowledge of a pattern of noncompliance with
the Privacy Rule by the Covered Entity
Increases Penalties for HIPAA Violations and
Expands Enforcement Mechanisms
Amount of civil monetary penalties (CMPs)
available has increased
Civil monetary penalties are now structured
in a tiered format
Ranging from $100 per violation
Up to $50,000 per violation
Anyone whose PHI is accessed in violation of
HIPAA will be eligible to share a percentage of
any CMPs collected
The Office for Civil Rights (OCR) will continue to enforce
HIPAA compliance
State Attorneys General will now have the
power to enforce HIPAA by bringing suit in
federal district court
Act requires DHHS to periodically audit Covered
Entities and Business Associates to assess HIPAA
compliance
Covered Entities and Business Associates need
to make sure that all of their HIPAA policies and
procedures are up to date and in use
Creates a Comprehensive New Set of Requirements
Around
Notification of Data Breaches or
Suspected Data Breaches
Notification must be made within 60 days of discovery
Will require prompt investigation and assessment of
suspected breaches
Mandates public reporting to both the DHHS and media
outlets in the event of a breach affecting more than 500
individuals
DHHS will publish a list on its website that identifies each
Covered Entity involved in a breach of more than 500
individuals
The notice must include:
(1) a brief description of the breach, including
the date it occurred and
the date it was discovered
(2) the types of PHI involved in the breach
(3) steps individuals should take to protect
themselves
(4) steps the Covered Entity is taking to
investigate the breach and protect against
future breaches and
(5) contact information to ask questions and
learn more
Notice must be provided by first class mail to
the individual’s last known address
Unless the individual has agreed to receive
information by electronic mail,
in which case notice may be provided electronically
If the contact information for more than 10
affected individuals is out of date
Notice may be through a posting on the
entity’s web site or
In major print or broadcast media
If a Business Associate discovers a breach of
unsecured PHI
It must notify the Covered Entity of such
breach, and
Include a list of each individual whose PHI
was or is reasonably believed to have been
accessed or acquired during the breach
If the breach involves the access or acquisition
of the PHI of more than 500 residents of
a State or
Jurisdiction
Notice must be made to the prominent
media outlets of that State or jurisdiction
The Covered Entity must
Keep a log of its discovered breaches and
Provide a copy of the log to DHHS annually
If a breach involves the access or acquisition
of the PHI of more than 500 individuals
Notice must be provided to DHHS
immediately
Creates a New Breach Notification Requirement
for Vendors of Personal Health Records and Other
Non-HIPAA Covered Entities
Vendors of personal health records and related
vendors must notify
The Federal Trade Commission (FTC) and
Any U.S. citizens whose information was
acquired as a result of the breach
Empowers the FTC to begin policing medical
privacy which is a significant expansion of federal
oversight of medical information.
Expands HIPAA Mandated Accounting of
Disclosures for Those Using Electronic Health
Records
Covered Entities and Business Associates using
electronic health records will be required to
Make available an accounting of all uses and
disclosures of the electronic health record
in the previous three years, including
disclosures for
payment,
treatment, and
health care operations
Time period an individual may request
such an accounting is shortened from up
to 6 years to 3 years
In responding to a request for an accounting, the
Covered Entity can
Choose to provide either
The disclosures of the patient’s PHI made
by the Covered Entity and its Business
Associates, or
Merely provide the disclosures made by the
Covered Entity and a list of its Business
Associates
For entities that were using EHRs as of
January 1, 2009,
The provision applies to disclosures made
on or after January 1, 2014.
For entities that adopt EHRs after January 1,
2009 the provision will apply on
January 1, 2011 or
The date when the Covered Entity begins
using EHRs, whichever is later
Revisions to an Individual’s Right to Request a
Copy of His or Her Record
If the Covered Entity uses EHR, the patient may
request his or her record be produced in an
electronic format and to be transmitted to a
person designated by the patient
The fee for production of an electronic copy of
the record shall not be greater than the labor costs
of responding to the request
Establishment of the “Minimum Necessary”
Standard
Covered Entities and Business Associates must,
to the extent practicable
Limit use or disclosure of PHI either
To the limited data set or
To the “minimum necessary” to accomplish
the stated purpose of the use/disclosure
Adopts New Prohibitions on the Sale of Electronic
Health Information
Language is sufficiently vague to create
uncertainty about the ability of
Regional health information organizations
Health information exchanges, and
e-prescribing services to charge fees for their
services
Eliminates Sharing of PHI for Marketing and
Fundraising Purposes from the Definition of Health
Care Operations Under HIPAA
Fundraising is no longer considered part of
operations
In order to use PHI for direct fundraising
campaigns, a Covered Entity must first obtain
an authorization from the patient
This was then modified to allow fundraising to
continue, but the Covered Entity must give the
patient the option to opt out of future
fundraising communications
De-Identified Health Information
There are no restrictions on the use or
disclosure of de-identified health information
De-identified health information
neither identifies nor
provides a reasonable basis to identify an
individual
There are two ways to de-identify
information:
1) a formal determination by a qualified
statistician, or
2) removal of the specified identifiers of
the individual and of the individual’s
relatives, household members, and
employers; this method is adequate
only if the covered entity has no actual
knowledge that the remaining information
could be used to identify the individual
The following identifiers of the individual or of
relatives, employers, or household members of
the individual must be removed to achieve the
“safe harbor” method of de-identification
(A) Names
(B) All geographic subdivisions smaller than a
State, including
street address
city
county
precinct
ZIP code, and their equivalent geocodes,
except for the initial three digits of a ZIP
code if, according to the current publicly
available data from the Bureau of the Census:
(1) the geographic unit formed by combining all
ZIP codes with the same three initial digits
contains more than 20,000 people; and
(2) the initial three digits of a ZIP code for all
such geographic units containing 20,000 or fewer
people are changed to 000
(C) All elements of dates (except year) for
dates directly related to the individual, including
birth date
admission date
discharge date
date of death; and
all ages over 89 and all elements of dates
(including year) indicative of such age,
except
that such ages and elements may be
aggregated into a single category of age
90 or older
(D) Telephone numbers
(E) Fax numbers
(F) Electronic mail addresses
(G) Social security numbers
(H) Medical record numbers
(I) Health plan beneficiary numbers
(J) Account numbers
(K) Certificate/license numbers
(L) Vehicle identifiers and serial numbers
including license plate numbers
(M) Device identifiers and serial numbers
(N) Web Universal Resource Locators (URLs)
(O) Internet Protocol (IP) address numbers
(P) Biometric identifiers, including finger and
voice prints
(Q) Full face photographic images and any
comparable images; and
(R) Any other unique identifying number,
characteristic, or code, except as permitted for
re-identification purposes provided certain
conditions are met
In addition to the removal of the above-stated
identifiers, the covered entity must not have
actual knowledge that the remaining
information could be used, alone or in
combination with other information, to
identify the individual who is the subject of the
information
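The safe-harbor list above is mechanical enough to implement. What follows is an added worked example, not NACHC code and not taken from the presentation: a small Python routine that applies the listed removals to a patient record. The field names, the sample record and the set of sparsely populated three-digit ZIP prefixes are assumptions chosen for illustration; the real prefix set must come from current Census Bureau data, which this example does not embed.

```python
"""Safe-harbor de-identification of a patient record (45 C.F.R. 164.514(b)(2)).

Added example for this page, not NACHC code. Field names and the small-area
ZIP prefix set are assumptions chosen for illustration.
"""
from datetime import date
from typing import Any, Dict, Set

# Fields carrying a listed direct identifier: (A) names and (D) through (R).
# ASSUMPTION: constructed field names; a real schema must be mapped onto them.
DIRECT_IDENTIFIER_FIELDS: Set[str] = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_code",
}
# (B) geographic subdivisions smaller than a State; the ZIP code is handled separately.
GEO_FIELDS: Set[str] = {"street", "city", "county", "precinct"}
# (C) dates directly related to the individual; only the year may survive.
DATE_FIELDS: Set[str] = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes whose combined area holds 20,000 or fewer people.
# ASSUMPTION: placeholder values only; the real set comes from current Census
# Bureau data, which this example does not embed.
SMALL_ZIP3_PLACEHOLDER: Set[str] = {"036", "059", "102"}


def _as_date(value: Any) -> date:
    """Accept date objects or ISO strings such as '1915-03-01'."""
    return value if isinstance(value, date) else date.fromisoformat(str(value))


def zip_to_safe_harbor(zip_code: str, small_zip3: Set[str]) -> str:
    """Keep the first three digits, or '000' for a sparsely populated area."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())[:3]
    if len(digits) < 3:
        return "000"  # malformed input: suppress rather than guess
    return "000" if digits in small_zip3 else digits


def age_on(birth: date, reference: date) -> int:
    """Whole years between the birth date and the reference date."""
    years = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        years -= 1
    return years


def de_identify(record: Dict[str, Any], reference_date: date,
                small_zip3: Set[str] = SMALL_ZIP3_PLACEHOLDER) -> Dict[str, Any]:
    """Return a copy of `record` with the safe-harbor identifiers removed."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEO_FIELDS:
            continue
        if key in DATE_FIELDS:
            # "birth_date" becomes "birth_year": every element except the year goes.
            out[key[:-len("_date")] + "_year"] = _as_date(value).year
        elif key == "zip":
            out["zip3"] = zip_to_safe_harbor(value, small_zip3)
        else:
            out[key] = value
    # Ages over 89 collapse into the single category "90+", and date elements
    # (including the year) that would reveal such an age are removed as well.
    if "birth_date" in record:
        age = age_on(_as_date(record["birth_date"]), reference_date)
        if age >= 90:
            out["age"] = "90+"
            out.pop("birth_year", None)
        else:
            out["age"] = age
    return out


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = {
        "name": "Jane Doe", "ssn": "123-45-6789", "city": "Cambridge",
        "zip": "02139-4307", "birth_date": "1915-03-01",
        "admission_date": date(2009, 10, 1), "diagnosis": "hypertension",
    }
    print(de_identify(sample, reference_date=date(2009, 10, 16)))
```

Two points the code makes explicit: the birth year is dropped as soon as the computed age reaches 90, because the year alone would reveal an age over 89, and a ZIP code is reduced to three digits before the population test is applied. The second condition of the safe harbor, that the entity has no actual knowledge the remaining fields could identify the individual, is a human judgement about the residual data and cannot be automated by a field filter like this one.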
SUMMARY OF THE HIPAA PRIVACY RULE
Office for Civil Rights
http://www.nachc.com/client/HIPAA%20Privacy%20Rule%20Summary_8_19_09.pdf
To reduce risk, covered entities should consider
accomplishing the following tasks:
Implement systems for detecting a security breach
Create a security breach response plan or update the
existing plan
Conduct workforce training in responding to a
security breach
Negotiate amendments to business associate
agreements to address security breaches
Revise HIPAA policies and procedures to address
the security breach regulations
Federally Qualified Health Centers
Michael Lardiere, LCSW
Director HIT; Sr. Advisor Behavioral Health
National Association of Community Health
Centers
301-347-0400 ext. 2069
[email protected]