HITECH ACT - Frederick Memorial Hospital


HITECH ACT
Privacy & Security Requirements
Cathleen Casagrande
Privacy Officer
July 23, 2009
HITECH ACT
- Dedicates over $31 billion in stimulus funds for healthcare infrastructure and the adoption of Electronic Health Records (EHR).
- Also imposes new medical privacy requirements.

Changes to Medical Privacy Requirements
- Fundamental changes in the areas of accountability, data breach notification, consumer access, and use of personal health information.
- Unlike HIPAA, the HITECH Act gives one year to comply with most provisions.

Accountability
- Imposes new levels of accountability for medical privacy.
- Periodic audits by HHS to ensure compliance within the first 12 months after enactment of the new rules.

Accountability
- Tiered penalty structure, with annual fine caps ranging from $25,000 to $1.5 million; penalties are mandatory in cases of "willful neglect".
- All violations occurring after the February 2009 enactment date are subject to the increased penalties.
Accountability
- Business associates with access to PHI are bound by the same requirements as the covered entity (Feb 2010).
- Ensure that business associate contracts authorize and define the business associate's use of the PHI shared with it.
- A known violation of those terms must be reported to the appropriate authorities, and the relationship discontinued.

Consumer Access (Feb 2010)
- Gives individuals clear access rights to their own health records, and the right to restrict disclosure of PHI to their health plan when they pay the healthcare provider themselves.
Use of PHI (Feb 2010)
- Covered entities (CEs) and their business associates are also prohibited from selling PHI without explicit, documented authorization from the individual whose information is contained in the record.
Breach Notification
- Defined: unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the data.
- Unsecured PHI: PHI that is not secured through a technology or methodology rendering it unusable, unreadable, or indecipherable to unauthorized individuals.
- HHS has issued additional guidance on the technologies that meet this standard.
Breach Notification
- Obligation to notify for all breaches discovered on or after September 15, 2009.
- Notification within 60 days when PHI in any form or medium is breached, not just electronic records.
- A breach is officially discovered on "the first day it is known to the HIPAA entity or business associate or should reasonably have been known".

Breach Notification
- The burden of proof is on the HIPAA covered entity that suffered the breach: it must be able to demonstrate that the required notifications were made.
- Telephone notifications can be made in urgent situations.
- Business associates are required to notify the covered entity, including the identities of the individuals affected.
Breach Notification
- For a breach affecting 500 or more individuals, the CE is required to provide "immediate" notice to HHS; the breach notice is therefore public.
- For media notice, the rule of 500 is counted per state or jurisdiction.
- Notice must be provided to prominent media outlets.
Methods of Notice

Individual Notice
- Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form:
- Written notification by first-class mail to the individual at the last known address.
- In the case of insufficient or out-of-date contact information that precludes direct written (or, if specified by the individual, electronic) notification, a substitute form of notice shall be provided.
Media Notice
- Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of unsecured protected health information of more than 500 residents of such State or jurisdiction.
Notice to HHS Secretary
- Required immediately if the breach involved 500 or more individuals. These breaches will be posted on the HHS public website, including the name of the covered entity.
- If the breach involves fewer than 500 individuals, the covered entity may maintain a log of any such breach and annually submit that log to HHS, documenting the breaches that occurred during the year involved.
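The notification rules above (60-day individual notice counted from discovery, discovery being the earlier of "known" and "should reasonably have been known", media notice counted per state, HHS notice counted on the total) interact in ways that are easy to get wrong in an incident, so here is an added Python example, not part of the original presentation, that encodes the thresholds exactly as the slides state them. The threshold constants, the per-state count format and the sample incidents are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds and deadline as stated on the slides (assumptions for this
# illustration; check them against the current regulation before relying on them).
INDIVIDUAL_NOTICE_DEADLINE_DAYS = 60  # individual notice no later than 60 days after discovery
HHS_IMMEDIATE_THRESHOLD = 500         # 500 or more individuals in total: immediate HHS notice
MEDIA_NOTICE_THRESHOLD = 500          # more than 500 residents of one state/jurisdiction


def discovery_date(known_on: str, should_have_known_on: str) -> str:
    """A breach is discovered on the first day it is known OR should reasonably
    have been known, so the earlier of the two ISO dates starts the clock."""
    known = date.fromisoformat(known_on)
    should = date.fromisoformat(should_have_known_on)
    return min(known, should).isoformat()


@dataclass
class NotificationPlan:
    total_affected: int
    individual_notice_due: str                  # ISO date of the 60-day deadline
    hhs_notice: str                             # "immediate" or "annual log"
    media_notice_states: list = field(default_factory=list)


def plan_notifications(discovered_on: str, affected_by_state: dict) -> NotificationPlan:
    """Map a per-state count of affected individuals to the notices owed.

    affected_by_state: {"MD": 450, "PA": 450} (state code -> residents affected).
    """
    total = sum(affected_by_state.values())
    due = date.fromisoformat(discovered_on) + timedelta(days=INDIVIDUAL_NOTICE_DEADLINE_DAYS)
    # Media notice is decided per state, HHS notice on the total: 450 residents in
    # each of two states triggers immediate HHS notice but no media notice at all.
    media = sorted(s for s, n in affected_by_state.items() if n > MEDIA_NOTICE_THRESHOLD)
    hhs = "immediate" if total >= HHS_IMMEDIATE_THRESHOLD else "annual log"
    return NotificationPlan(total, due.isoformat(), hhs, media)


if __name__ == "__main__":
    # Constructed sample incidents, not real breaches.
    d = discovery_date("2009-09-20", "2009-09-15")  # clock starts 2009-09-15
    for scenario in ({"MD": 450, "PA": 450}, {"MD": 501}, {"MD": 120}):
        print(scenario, plan_notifications(d, scenario))
```

The first scenario is the instructive one: 900 people are affected, so HHS must be told immediately and the breach becomes public on the HHS site, yet no single state exceeds 500 residents, so no media notice is owed. Tracking affected individuals by state of residence from the start of the investigation is what makes that determination possible.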
Content of Notification
- Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following:
- A brief description of what happened, including the date of the breach and the date of discovery of the breach.
- A description of the types of unsecured PHI involved, such as SSN, address, etc.
Content of Notification
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.
- In practice this is time consuming, costly, and overwhelming.
- Potential long-term damage to relationships with customers.
Content of Notification
- The steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the covered entity is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.

Data Breach Response
- Provide recovery services for individuals who become victims of identity crime.
- Restore their medical identities to pre-theft status.
- Designate an individual or company to manage customer calls.
Business Impacts
- Inventory of PHI = risk assessment.
- 70% of all organizations do not have an accurate, documented inventory of the personally identifiable information (PII) in their custody.
- The inventory must include data shared with a business associate.
- PricewaterhouseCoopers reports that 44% of data breach incidents are due to third-party handling of data.
Breach Impact
- Small-scale data breaches will now require notification in each instance, and detailed proof of notification must be kept, causing significant effort and cost.

Business Impact
- Data breaches damage the business's credibility.
- Medical and financial risks to the people whose data is lost.
Questions & Answers
- Clarification of the privacy requirements within the ARRA rule is expected in the next 12 months.
- Key strategy: assess where PHI is held, including under BAAs.
- Utilize appropriate security standards.
- Staff training, computer access controls, etc.