The Impact of the Stimulus Act on HIPAA Privacy and Security

Transcription

1 The Impact of the Stimulus Act on Webinar March 12, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved.

2 Disclaimer The American Health Information Management Association makes no representation or guarantee with respect to the contents herein and specifically disclaims any implied guarantee of suitability for any specific purpose. AHIMA has no liability or responsibility to any person or entity with respect to any loss or damage caused by the use of this audio seminar, including but not limited to any loss of revenue, interruption of service, loss of business, or indirect damages resulting from the use of this program. AHIMA makes no guarantee that the use of this program will prevent differences of opinion or disputes with Medicare or other third party payers as to the amount that will be paid to providers of service. As a provider of continuing education the American Health Information Management Association (AHIMA) must assure balance, independence, objectivity and scientific rigor in all of its endeavors. AHIMA is solely responsible for control of program objectives and content and the selection of presenters. All speakers and planning committee members are expected to disclose to the audience: (1) any significant financial interest or other relationships with the manufacturer(s) or provider(s) of any commercial product(s) or services(s) discussed in an educational presentation; (2) any significant financial interest or other relationship with any companies providing commercial support for the activity; and (3) if the presentation will include discussion of investigational or unlabeled uses of a product. The intent of this requirement is not to prevent a speaker with commercial affiliations from presenting, but rather to provide the participants with information from which they may make their own judgments. This seminar's faculty has made no such disclosures. AHIMA 2009 HIM Webinar Series i

3 Faculty Dan Rode, MBA, CHPS, FHFMA Dan Rode is AHIMA's vice president of Policy and Government Relations. His responsibilities include working with federal agencies, Congress, and providing AHIMA's members with up-to-date information on legislative, regulatory, and public policy developments that affect HIM. As a spokesperson for AHIMA, he explains HIM practices and the Association's official public policy positions to government agencies and the media. AHIMA 2009 HIM Webinar Series ii

4 Table of Contents Disclaimer... i Faculty... ii Agenda... 1 ARRA Title XIII Health Information Technology... 2 HIT Policy Committee... 3 HIT Standards Committee... 3 Other Provisions... 4 Application and Use of Adopted Health Information Technology... 4 Testing of HIT... 5 Incentives for the Use of HIT Part Resource/Reference List Audience Questions Audio Seminar Discussion and Audio Seminar Information Online Upcoming Audio Seminars AHIMA Distance Education online courses Thank You/Evaluation Form and CE Certificate (Web Address) Appendix Resource/Reference List CE Certificate Instructions AHIMA 2009 HIM Webinar Series

5 Agenda ARRA the Stimulus Bill ARRA the HIT Bill Health Information Management Implications ARRA Privacy Part 1 ARRA Privacy Part 2 Questions Resources 1 ARRA American Recovery and Reinvestment Act of 2009 Public Law Stimulus Bill Title XIII Health Information Technology Subpart D Privacy Signed: February 17, 2009 (Enactment) 2 AHIMA 2009 HIM Webinar Series 1

6 ARRA Healthcare and Technology Health Information Technology Other Provisions Healthcare Related: Broadband DoA, DFA, NTIA Education, Training & Reseach: DoE, DoL, HHS, NSF Facilities HHS Agencies: AHRQ, CMS, HRSA, NIH, & IHS 3 Title XIII Health Information Technology Office of the National Coordinator for Health Information Technology (ONC) Establishment, purpose and duties HIT policy coordination and standards Strategic plan (privacy and security protections) Report on additional funding or authority Chief privacy officer for ONC 4 AHIMA 2009 HIM Webinar Series 2

7 HIT Policy Committee Established to make policy recommendations to ONC Health information technology infrastructure standards development Including technologies that protect privacy and security (specifics) and allow individually identifiable health information to be rendered unreadable Appointments by Congress, Secretary, and the Comptroller General 5 HIT Standards Committee Established to recommend standards, specifications, and criteria for HIE to ONC Development, harmonization, testing for the electronic exchange and use of health information Including technology expertise on healthcare quality, privacy, and security Appointments by ONC 6 AHIMA 2009 HIM Webinar Series 3

8 Other Provisions Process for adoption and endorsement of standards, specifications, and certification criteria Application and use of standards and specifications by federal agencies Federal development of HIT Transitions Relationship to HIPAA and provision for Secretary flexibility 7 Application and Use of Adopted Health Information Technology Federal use and coordination of HIT standard and specifications Application to private entities Study and reports: Report on HIT adoption Study and report on reimbursement incentive methods Study and report on aging services technology 8 AHIMA 2009 HIM Webinar Series 4

9 Testing of HIT National Institute for Standard and Technology (NIST) Testing Research and development programs Healthcare Information Enterprise Integration Research Centers National Information Technology Research and Development Program 9 Incentives for the Use of HIT Funding to strengthen HIT Infrastructure HIT architecture Development and adoption of certified EHRs Training and information on best practices to integrate HIT/EHRs into the delivery of care Infrastructure and tools for telemedicine Interoperability of clinical data repositories Improvement and expansion of the use of HIT by public health departments 10 AHIMA 2009 HIM Webinar Series 5

10 Incentives for the Use of HIT Health Information Technology Implementation Assistance HIT Extension Program EHR technology assistance HIT Research Center Technical assistance and develop/recognize best practices HIT Regional Extension Centers Assistance at a regional/local level 11 Incentives for the Use of HIT State grants to promote HIT Planning grants to state or designated state entity Implementation grants to state or state entity Competitive grants to states and tribes for development of loan programs 12 AHIMA 2009 HIM Webinar Series 6

11 Incentives for the Use of HIT Demonstration program to integrate information technology into clinical education Development of academic curricula integrating certified EHR technology in the clinical education of health professionals 13 Incentives for the Use of HIT Information technology professionals in healthcare Establish or expand medical health informatics [HIM] education programs into certificate, undergraduate, and masters degree programs Develop or revise curricula Recruit and retain students Obtain necessary resources Build bridge between community colleges and universities Priority on existing and short term (six month) programs 14 AHIMA 2009 HIM Webinar Series 7

12 Incentives for the Use of HIT Funding to strengthen HIT Infrastructure HIT architecture Development and adoption of certified EHRs Training and information on best practices to integrate HIT/EHRs into the delivery of care Infrastructure and tools for telemedicine Interoperability of clinical data repositories Improvement and expansion of the use of HIT by public health departments 15 Definitions Certified EHR Technology Health Care Provider Health Information Technology 16 AHIMA 2009 HIM Webinar Series 8

13 Definitions Qualified Electronic Health Record an electronic record of health-related information on an individual that: Includes patient demographic and clinical health information, and has the capacity to: Provide clinical decision support Support physician order entry Capture and query information relevant care quality Exchange electronic health information from other source 17 Definitions HIPAA Definitions Breach Electronic Health Record Personal Health Record (PHRs) Vendor of PHRs 18 AHIMA 2009 HIM Webinar Series 9

14 Business Associates Now covered by HIPAA Security Administrative Safeguards Physical Safeguards Technical Safeguards Policies and Procedure and Documentation Requirements New (ARRA) and old (HIPAA) civil and criminal penalties 19 Business Associates Now covered by HIPAA Privacy Uses and disclosures Application of knowledge two-way street Subject to new (ARRA) and old (HIPAA) civil and criminal penalties New contracts 20 AHIMA 2009 HIM Webinar Series 10

15 Business Associate Contracts BA Contracts Required when: Entity provides data transmission of PHI to CE or BA and that requires access on a routine basis to PHI Could include: Health Information Exchange Organization Regional Health Information Organization E-prescribing Gateway PHR vendor in some circumstances 21 Breach (definition) Means the unauthorized acquisition, access, use, or disclosure of PHI which compromise the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information 22 AHIMA 2009 HIM Webinar Series 11

16 Breach (exceptions) The term breach does not include: Any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity (CE) or business associate (BA), if: Such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the CE or BA; and Such information is not further acquired, accessed, used, or disclosed by any person; or 23 Breach (exceptions) (cont d) The term breach does not include: Any inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by a CE or BA to another similarly situated individual at the same facility; and Any such information received as a result of such disclosure is not further acquired, accessed, used or disclosed without authorization by any person 24 AHIMA 2009 HIM Webinar Series 12

17 Breach (another definition) Unsecured PHI means: PHI that is not secured through the use of a technology or methodology specified by the Secretary guidance due within 60 days of enactment, OR PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization accredited by ANSI 25 Breach A covered entity shall in the case of breach notify each individual whose unsecured PHI has been, or is reasonably believed by the CE to have been accessed, acquired, or disclosed as a result of such breach 26 AHIMA 2009 HIM Webinar Series 13

18 Breach A business associate shall in the case of breach notify the CE of a breach of such information and include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the BA to have been accessed, acquired, or disclosed during such breach 27 Breach Treated as Discovered As of the first day on which such breach: Is known to the CE or BA (including any person, other than the individual committing the breach, that is an employee officer, or other agent), or Should reasonably have been know to the CE or BA to have occurred 28 AHIMA 2009 HIM Webinar Series 14

19 Breach Notification All notifications must be made without reasonable delay and in no case later than 60 days after discovery The CE or BA involved has the burden of demonstrating that all notifications were made including evidence demonstrating the necessity of any delay Delay permitted for authorized law enforcement purposes 29 Breach Notification Methods Individual Notice: Written, first-class mail, to the individual or next of kin at last address or electronic if specified Use of substitute form if insufficient or outof-date contact information: Conspicuous posting on Web site Notice in major media or broadcast media in appropriate area If urgent, by phone, due to possible imminent misuse, followed by letter 30 AHIMA 2009 HIM Webinar Series 15

20 Breach Notification Methods Media Notice: Provided to prominent media outlets serving a State or jurisdiction if unsecured PHI of more than 500 residents is believed to have been accessed, acquired, or disclosed during such breach 31 Breach & the Secretary Notice: Provided immediately to Secretary when 500 or more individuals PHIs are involved If less than 500 individuals maintain a log of breach occurring and annually submit log to the Secretary Posting on HHS Website: The Secretary shall post to the public each CE involved in a breach where more that 500 individuals PHIs are involved 32 AHIMA 2009 HIM Webinar Series 16

21 Breach Notice Content: Brief description of what happened date of breach and date of discovery, if known Description of types of unsecured PHI involved Steps individuals should take to protect themselves from potential harm 33 Breach Notice Content: (cont d) Brief description of what CE is doing to investigate the breach to mitigate losses Contact procedure for individuals to ask questions or learn additional information including a toll-free telephone number, an address, Web site, or postal address 34 AHIMA 2009 HIM Webinar Series 17

22 Breach & Secretary: Guidance within 60 days of enactment specifying the technologies and methodologies that render PHI unusable, unreadable or indecipherable to unauthorized individuals Report to Congress within 12 months and then annually number of breaches and actions taken in response 35 Breach & Secretary: Regulations: Interim final regulations promulgated by not later than 180 days from enactment Regulations apply to breaches that are discovered on or after 30 days after the date of publication of the interim final regulation 36 AHIMA 2009 HIM Webinar Series 18

23 Breach & Vendors of PHRs and Other non-hipaa Covered Entities Definitions: Breach of Security means, with respect to unsecured PHR, identifiable health information of an individual in a PHR, acquisition of such information without the authorization of the individual 37 Breach & Vendors of PHRs and Other non-hipaa Covered Entities Definitions: PHR Identifiable Health Information means, individually identifiable health information and includes with respect to the individual: Information provide by or on behalf of the individual Information that identifies the individual or with respect to where there is a reasonable basis to believe that the information can be used to identify the individual 38 AHIMA 2009 HIM Webinar Series 19

24 Breach & Vendors of PHRs and Other non-hipaa Covered Entities Requirement for timeliness, method, and content of notifications mirror those of other Breach requirements, however, requires notification only of each individual who is a citizen or resident of the US and whose PHR identifiable health information is involved, and Notification of the Federal Trade Commission rather than the Secretary 39 Breach & Vendors of PHRs and Other non- HIPAA Covered Entities Requirement for notification by third party service providers Similar definition and requirements related to unsecured PHR identifiable health information FTC to promulgate interim final regulation no later than 180 days after the date of enactment, and apply to breaches that occur on or after 30 days from publication Enforcement is under Federal Trade Commission Act regarding unfair or deceptive acts or practices Could change if Congress enacts new legislation 40 AHIMA 2009 HIM Webinar Series 20

25 Education on Health Information Privacy: Regional Office Privacy Advisors named within six months of enactment Education initiative (within 12 months) on uses of health information to enhance public transparency regarding: The use of PHI, The effects of such use, and The rights of individual with respect to such uses 41 Disclosures of Health Information ARRA impacts HIPAA Rights to request privacy protection for PHI (HIPAA ): CE can no longer deny request for restriction on disclosure, except as otherwise required by law, if the disclosure is to a health plan for the purpose of carrying out payment or healthcare operations and the PHI pertains solely to a healthcare item or service for which the healthcare provider involved has been paid out of pocket in full 42 AHIMA 2009 HIM Webinar Series 21

26 Disclosures Limited Data Sets or Minimum Necessary ARRA states that Use and Disclosure of PHI can be considered in compliance when the CE limits: PHI to the extent practical to the limited data set, or if needed to the minimum necessary to accomplish the intended purpose of such disclosure, or request The CE or BA disclosing such information shall determine what constitutes the minimum necessary to accomplish the intended purpose 43 Disclosures Minimum Necessary Secretary is required to issue guidance on what constitutes minimum necessary within 18 months of enactment taking into consideration guidance to be issued in 12 months on how to best implement the requirements for de-identification of PHI The CE determination of Minimum Necessary takes place in 12 months 44 AHIMA 2009 HIM Webinar Series 22

27 Accounting for Disclosures Once rules are in effect, this accounting rule is in force when a CE uses or maintains an EHR with respect to PHI Then the exception for accounting of treatment, payment, and healthcare operations no long applies; and The individual can request an accounting of disclosure for up to three years prior to the request date 45 Accounting for Disclosures Once in force, in response to a request a CE can elect to either: Provide an accounting for disclosure of PHI that are made by the CE and applicable BAs, or Provide an accounting for disclosure of PHI made by the CE and provide a list of all applicable BAs acting on behalf of the CE including contact information 46 AHIMA 2009 HIM Webinar Series 23

28 Accounting for Disclosures The Secretary must promulgate regulations of what information must be collected about each disclosure within six months of adopting standards on accounting for disclosure from an EHR The effective date will vary depending on when the CE acquires an EHR either before 1/1/2009 or later The earliest effective date is 1/1/ Prohibition on Sale of EHRs or PHI A CE or BA cannot be remunerated in exchange for any PHI unless covered by a valid authorization The authorization must also specify whether the entity receiving the PHI can further exchange the information for remuneration 48 AHIMA 2009 HIM Webinar Series 24

29 Prohibition on Sale of EHRs or PHI Exceptions: Public health data (TBD) Research data (prep and transmission) Data for treatment Data for health care operations Remuneration that is provided by a CE to a BA Data to provide an individual with a copy (HIPAA rules) As determined by the Secretary 49 Prohibition on Sale of EHRs or PHI New Regulations required within 18 months of enactment : Requires evaluation of data used for public health Requires evaluation of costs of providing data Effective date will apply for exchange occurring six months after the date of promulgation of final regulations 50 AHIMA 2009 HIM Webinar Series 25

30 Access to Certain Information in Electronic Format Applies to CE using or maintaining an EHR with respect to PHI Individual: Has a right to obtain a copy of information in electronic format, and Can direct the CE to transmit such copy directly to an entity or person designated, provided designation is clear, conspicuous, and specific Covered Entity: Fee cannot be greater than the entity s labor costs in responding to the request for the copy (or summary or explanation) 51 Clarification of Application of Wrongful Disclosure Criminal Penalties Clarifies who can be held accountable for wrongful disclosure Eliminates confusion caused by DOJ letter Individuals can be prosecuted under HIPAA and ARRA 52 AHIMA 2009 HIM Webinar Series 26

31 Improved Enforcement Willful Neglect Willful neglect must be penalized Secretary must investigate all allegations of willful neglect Effective 24 months after enactment Secretary must issue regulations within 18 months of enactment Serious penalties 53 Improved Enforcement Distribution of Certain Civil Monetary Penalties (CMP) Collected Monies from CMP or settlements collected to be transferred to the Office of Civil Rights to support enforcement efforts GAO to report, in 18 months, on methodology for sharing a percentage of CMP/Settlement with affected individual Within three years, Secretary to establish by regulation sharing with individual Sharing to be applied to CMPS or settlements imposed on or after effective date of enactment 54 AHIMA 2009 HIM Webinar Series 27

32 Improved Enforcement Tiered Increase in Amount of Certain Civil Monetary Penalties (CMP) Collected Tiers reflect: Violation Willful Neglect -not corrected -corrected Penalty per Violation Less than or equal to $50,000 $ 10,000 50,000 Reasonable Cause $1,000 50,000 Unknown $ ,000 if any 55 Improved Enforcement Tiered Increase in Amount of Certain Civil Monetary Penalties (CMP) Collected Tiers: Tier Per Violation Minimum Maximum per Calendar Year Tier A $ 100 $25,000 Tier B $1,000 $100,000 Tier C $10,000 $250,000 Tier D $50,000 $1,500, AHIMA 2009 HIM Webinar Series 28

33 Improved Enforcement Tiered Increase in Amount of Certain Civil Monetary Penalties (CMP) Collected Effective for violations occurring after the date of enactment 57 Improved Enforcement Enforcement by State Attorneys General Civil case (violation) of interest to state residents State Attorney can bring: Enjoinment of further violation Damage on behalf of residents Damages: $100/violation up to $25,000 per calendar year Court can limit damages 58 AHIMA 2009 HIM Webinar Series 29

34 Improved Enforcement Enforcement by State Attorneys General (continued) Attorney fees for successful action can be awarded Must serve notice to Secretary of pending action unless not feasible Secretary can intervene, be heard, file an appeal 59 Improved Enforcement Enforcement by State Attorneys General (cont d) Does not prevent an AG from attending to his/her state duties Federal district court is the venue Limits state action when federal action is pending Effective with violations occurring after the date of enactment 60 AHIMA 2009 HIM Webinar Series 30

35 Audits Secretary shall provide for periodic audits to ensure that covered entities and business associates comply with the HIPAA and ARRA requirements 61 Part 2 Relationship to Other Laws; Regulatory References, Effective Date; and Reports HIPAA approach to preemption continues HIPAA rules continue unless modified by ARRA Secretary to issue conforming regulations 62 AHIMA 2009 HIM Webinar Series 31

36 Part 2 Relationship to Other Laws; Regulatory References, Effective Date; and Reports (cont d) Effective Date Except as otherwise specifically provide, the provisions of Part 1 shall take effect on the date that is 12 months after the date of the enactment of this title. 63 Part 2 Relationship to Other Laws; Regulatory References, Effective Date; and Reports (cont d) Report on Compliance Secretary to the Congress First Year and Annually HIPAA/ARRA: Number of complaints Number of complaints resolved informally, type Number of complaints resulting in CMPs or settlement, etc. Number of compliance reviews conducted and outcomes Number of subpoenas or inquires issued Plan for improving compliance and enforcement Number of audits performed and a summary of audit findings 64 AHIMA 2009 HIM Webinar Series 32

37 Part 2 Relationship to Other Laws; Regulatory References, Effective Date; and Reports (cont d) Study and Report on Application of P&S Requirements on non-hipaa Covered Entities Secretary (consulting with FTC) to the Congress Requirements relating to security, privacy, and breach applied to: PHR Vendors Entities offering products or services via PHR website Entities offering products or services via CE websites that offer PHRs Entities (not CEs) that access information in a PHR to send information to a PHR Third party services providers to vendors and entities noted above Determine which federal agency best equipped to enforce requirements Timeframe for implementing regulations based on findings 65 Part 2 Relationship to Other Laws; Regulatory References, Effective Date; and Reports (cont d) Guidance on Implementation Specification to De-Identify PHI To be issued within 12 months of enactment Consult with stakeholders 66 AHIMA 2009 HIM Webinar Series 33

38 Part 2 Relationship to Other Laws; Regulatory References, Effective Date; and Reports (cont d) GAO Report on Treatment Disclosures To be issued within 12 months of enactment Comptroller General to Congress Best practices implemented by states and other entities (HIEs or RHIOs) Success of best practices related to quality of care Use of electronic informed consent for disclosing PHI for TPO 67 Part 2 Relationship to Other Laws; Regulatory References, Effective Date; and Reports (cont d) Report on ARRA Impact To be issued within five years of enactment GAO to Congress and Secretary Impact of any of the provisions of ARRA on health insurance premiums, overall health care costs, adoption of EHRs by providers, and reduction in medical errors and other quality improvements 68 AHIMA 2009 HIM Webinar Series 34

39 Part 2 Relationship to Other Laws; Regulatory References, Effective Date; and Reports (cont d) Study on the definition of Psychotherapy Notes No due date provided By the Secretary Definition with regard to including test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation as determined by the mental health professional providing treatment or evaluation Based on the study, issue regulations to revise the definition in HIPAA 69 ARRA Reference/Resouce Resouce American Recovery and Reinvestment Act of 2009, PL Library of Congress Thomas at AHIMA Analysis of ARRA PL Sections on Health Care Confidentiality, Privacy, and Security at 70 AHIMA 2009 HIM Webinar Series 35

40 ARRA Reference/Resouce Resouce AHIMA Analysis of ARRA PL Related to Healthcare Information Communication and Technology at HHS Office of Civil Rights Contains all of the HIPAA Regulations Consolidated 71 Audience Questions AHIMA 2009 HIM Webinar Series 36

41 Audio Seminar Discussion Following today s live seminar Available to AHIMA members at Members Only Communities of Practice (CoP) AHIMA Member ID number and password required Join the e-him Community from your Personal Page. Look under Community Discussions for the Audio Seminar Forum You will be able to: discuss seminar topics network with other AHIMA members enhance your learning experience AHIMA Audio Seminars and Webinars Visit our Web site for information on the 2009 seminar schedule. While online, you can also register for seminars and webinars, order CDs, Webcasts or MP3s of past seminars. AHIMA 2009 HIM Webinar Series 37

42 Upcoming Webinars Fundamentals of Workflow Analysis: Implementing New Systems March 17, 2009 The Challenge of Managing Portable Devices April 21, 2009 ICD-10-CM/PCS Impact Assessment May 5, 2009 AHIMA Distance Education Anyone interested in learning more about e-him should consider one of AHIMA s web-based training courses. For more information visit AHIMA 2009 HIM Webinar Series 38

43 Thank you for joining us today! Remember visit the AHIMA Audio Seminars/Webinars Web site to complete your evaluation form and receive your CE Certificate online at: Each person seeking CE credit must complete the sign-in form and evaluation in order to view and print their CE certificate. Certificates will be awarded for AHIMA CEUs. AHIMA 2009 HIM Webinar Series 39

44 Appendix Resource/Reference List CE Certificate Instructions AHIMA 2009 HIM Webinar Series 40

45 Appendix Resource/Reference List AHIMA 2009 HIM Webinar Series 41

46 To receive your CE Certificate Please go to the AHIMA Web site click on the link to Sign In and Complete Online Evaluation listed for this webinar. You will be automatically linked to the CE certificate for this webinar after completing the evaluation. Each participant expecting to receive continuing education credit must complete the online evaluation and sign-in information after the webinar, in order to view and print the CE certificate.