HITECH Poses Important Challenges... Are You Compliant?


Presents a Webinar: HITECH Poses Important Challenges... Are You Compliant? A program for Clinic and Hospital Administrators, Risk Managers, and other interested staff. Joint Sponsor: Kansas Hospital Association

KaMMCO Benefits & Services

CLAIMS
- Strong defense of non-meritorious claims and early disposition of meritorious claims.
- Member involvement in the claims defense team.
- Post-claim follow-up, including loss prevention tips.
- Litigation support program (C.A.R.E.) for members and spouses.
- Case reviews to develop new ideas and strategies in member defense.

LOSS PREVENTION/EDUCATION
- Statewide meetings to educate health care professionals regarding timely and important topics, such as:
  o HIPAA and other regulatory issues.
  o Coding certification.
  o Medical record documentation, release, and filing.
  o Front office operational efficiency.
  o Use of physician extenders.
  o Systems and their effectiveness in the practice of medicine.
- On-site clinic and hospital reviews that include assessment of such areas as:
  o Waiting rooms, surgical suites, and exam rooms.
  o Patient scheduling, process for termination of the physician/patient relationship, and billing and collections.
  o Credentialing and governing bylaws.
  o Medical records.
- Education meetings for student and residency programs.
- Publications.
- Toll-free telephone and website access to medical/loss prevention advice and information.

To learn more about the benefits and services available from KaMMCO, call or visit

About Our Speaker

Yolanda Sims, JD, MHA, Loss Prevention and Risk Management Advisor, KaMMCO

Ms. Sims provides KaMMCO members with an understanding of loss prevention and risk management issues in the health care field through education and information based on legal research. Her other responsibilities include developing and presenting education programs, assisting with litigation support services, and writing newsletter and website articles. Ms. Sims received her Juris Doctor from St. Louis University School of Law and a Master of Health Administration from St. Louis University School of Public Health. She previously worked at Truman Medical Center and served internships at Jesse Brown Veterans Administration Hospital and the U.S. Department of Health and Human Services. Prior to KaMMCO, she was employed at a Kansas City law firm where she handled a broad range of legal issues. Ms. Sims is a member of the Missouri and American Bar Associations, the Kansas City Metropolitan Bar Association, the Association of Corporate Counsel, the Kansas Association of Risk and Quality Management, and the American Health Lawyers Association.

Disclaimer

The recommendations in this handout are not intended to establish a standard of care, nor are they a substitute for legal advice. The recommendations should be tailored to meet the needs of each particular health care setting. Any implementation of these recommendations should be reviewed by appropriate staff and, if necessary, legal counsel. The fact that a health care professional varies from these guidelines does not establish that the health care professional failed to meet the required standard of care. There may be legitimate reasons to choose another course of action. However, consideration of the information in this handout may reduce the risk of facing a lawsuit and the stress that accompanies even a successful defense in court.

Objectives

Following participation in this presentation, the learner will be prepared to:
1. Understand the impact of HITECH laws and regulations on hospitals, clinics, physicians, and other affected operations.
2. Comply with HITECH requirements by using checklists showing the steps that should be considered.
3. Obtain the tools and information needed to develop a compliance plan for HITECH.

The contents of this handout are produced for the benefit of KaMMCO members and are protected by copyright 2010. No one other than KaMMCO members may reproduce the contents of this handout without written permission from KaMMCO. Send all communication to KaMMCO, 623 SW 10th Avenue, Topeka, Kansas

Table of Contents

I. Introduction
  A. Breach Notification Rule
  B. What is a Breach?
  C. Investigative Steps for a Breach
  D. Exceptions to Breach
  E. Methods for Notification
    1. Timeliness of Notification
    2. Content of Notification
    3. Methods of Notification to Individuals
    4. Notification to Media if More than 500 Affected
    5. Notification to HHS if 500 or More Affected
    6. Law Enforcement Exception
  F. Breach Risk Assessment Examples
    Example 1: Patient's Information Mistakenly Mailed to Wrong Person
    Example 2: A Rogue Employee
    Example 3: The Stolen Laptop
    Example 4: A Breach Discovered by a Business Associate
  G. Granting Individual Requests to Limit Uses or Disclosures
    Two-Prong Test
  H. Limit Disclosure or Use of PHI to the Minimum Necessary Standard
    What is a Limited Data Set?
  I. Increased Accounting Obligations if Covered Entities Use Electronic Health Records (EHRs)
  J. Effective Dates for the Accounting Requirement
  K. Content of the Accounting
  L. Covered Entities Must Make Accounting Available to Individual in Electronic Format
    Provision of PHI in Electronic Format
  M. Covered Entities Cannot Receive Remuneration for PHI
    1. Prohibition on Sale of PHI
    2. Exceptions to Remuneration
    3. Effective Date
  N. Limitations on Marketing
    1. Clarification Regarding Marketing Provisions
    2. When are Communications Considered Health Care Operations?
  O. Penalties & Enforcement
    Increased Civil Penalties
  P. Enforcement
    State Attorneys General Enforcement Authority
  Q. Conclusion
Exhibit A: Marketing Decision Tree

HITECH Poses Important Challenges... Are You Compliant?

I. Introduction

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), signed into law on February 17, 2009, as part of the American Recovery and Reinvestment Act (ARRA), amends the regulation of the privacy and security of protected health information (PHI). Effective February 17, 2010, the HITECH Act imposed new privacy and security requirements that expand the original foundation of the Health Insurance Portability and Accountability Act (HIPAA). Under HITECH, many of the HIPAA standards apply directly to business associates, and business associates are subject to the same civil and criminal penalties as covered entities. The HITECH Act also mandates that business associates maintain appropriate security safeguards: the administrative, physical, and technical safeguards defined under the Security Rule.

A. Breach Notification Rule

The Breach Notification Rule places new obligations on both covered entities and business associates regarding business associate notice to the covered entity, patient notification, and maintaining breach logs. Covered entities [1] must notify individuals when their PHI has been breached. In turn, business associates must notify covered entities of such breaches. [2] After being notified, the covered entity takes the steps needed to notify the affected individuals.

When an entity or associate is determining whether notice is required, three questions should be asked in order. First, was the disclosure permitted under HIPAA? If not, the second question is whether a breach occurred according to the definition provided in the regulation. Third, was it a breach of unsecured PHI? Be advised that only breaches of unsecured PHI trigger the notification requirement. When is PHI considered unsecured?

HITECH defines unsecured PHI as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of Health & Human Services (HHS). [3] The practical consequence is that whether the data involved was secured under that guidance decides whether the notification analysis even begins, which is why the stolen-laptop example later in this handout turns on what the device held.

[1] Covered entities include most physicians and health care providers, health plans, and health care clearinghouses.
[2] Business associates, like covered entities, are held accountable under the same breach notification requirement. When the breach is by the business associate, it is legally obligated to inform the covered entity, not the individual.
[3] See Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, 74 F.R. (August 24, 2009).

B. What is a Breach?

A breach is defined in HITECH as the unauthorized acquisition, access, use, or disclosure of protected health information which compromises its security or privacy such that the use of the information poses a significant risk of financial, reputational, or other harm to the individual. The new requirement does not intend to require notification every time unsecured PHI is mistakenly accessed or used. For that reason, the definition of breach includes a harm assessment. The assessment is a case-by-case analysis, but it essentially requires entities and associates to determine the likelihood that the incident could cause harm to an individual. The goal is to prevent unnecessary notices to individuals when there is no real cause for concern. If the entity or associate determines that the risk of harm is insignificant, no notification is required.

The Interim Breach Notification regulations suggest that covered entities and business associates review Office of Management and Budget (OMB) Memorandum M for examples of the types of factors that may be taken into account in determining whether an impermissible use or disclosure presents a significant risk of harm to the individual. The five factors are:

1. Nature of the data elements breached;
2. Number of individuals affected;
3. Likelihood the information is accessible and usable;
4. Likelihood the breach may lead to harm; and
5. Ability of the agency to mitigate the risk of harm.

The burden of proof is on the entity or associate to show which factors were taken into consideration. Covered entities and business associates must document their risk assessments, and the documentation must show that the organization has a plan in place that complies with the HITECH requirements. In the event of an audit, you will need to produce demonstrable evidence; a conclusion that no notice was required is only as defensible as the written assessment behind it.

C. Investigative Steps for a Breach

1. Does the disclosure violate the HIPAA Privacy Rule?
2. Does it involve unsecured PHI?
3. Does an exception to the breach notification requirements apply?
   - Good faith, unintentional acquisition, access, or use of PHI by an employee or workforce member;
   - Inadvertent disclosure to another authorized person within the covered entity or business associate;
   - The recipient could not reasonably have retained the data; or
   - The data is limited to a limited data set that does not include date of birth or zip code. See 45 C.F.R.
4. Does the disclosure result in a significant risk of financial, reputational, or other harm?

D. Exceptions to Breach

According to HHS, the following exceptions and examples are not considered a breach and would not be reportable:

- An unintentional acquisition, access, or use of PHI made in good faith within the scope of employment or a professional relationship that does not result in further impermissible use or disclosure.
  o Example: A nurse mistakenly sends an e-mail with PHI to a hospital's billing employee. After opening the e-mail, the billing employee notifies the nurse and deletes the e-mail.
- An inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, where the information received is not further acquired, accessed, used, or disclosed without authorization by any person.
  o Example: A Human Resources Manager who is authorized to access employee health plans inadvertently discloses PHI to another Human Resources employee.
- A disclosure where the unauthorized person who receives the health information cannot reasonably retain it.
  o Example: A covered entity sends a benefits enrollment form to the wrong individual. If the information is returned by the post office, unopened, the entity would consider it undeliverable.

- The data is limited to a limited data set that does not include date of birth or zip code. See 45 C.F.R.
  o Example: A researcher conducts a clinical trial and uses a limited data set.

E. Methods for Notification

The methods for notification vary depending on the number of individuals involved; however, the timeliness standard applies to all of them.

1. Timeliness of Notification. Notification must be made to individuals without unreasonable delay, but no later than 60 calendar days after discovery of the breach. A breach is considered discovered on the first day it is known to the covered entity (i.e., known to any member of the covered entity's workforce or agents) or on the day it would have been known to the covered entity by exercising reasonable diligence. 45 C.F.R. (b). The clock therefore starts when any workforce member knows of the breach, not when the privacy officer is told; internal reporting delays do not extend the deadline.

2. Content of Notification. Notification sent to individuals must be in plain language and include the following:
- A brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;
- A description of the types of unsecured PHI involved in the breach;
- Steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of the steps the entity is taking to investigate the breach, mitigate harm, and protect against further breaches; and
- Contact procedures for individuals to ask questions or obtain additional information, including a toll-free number, e-mail address, website, or postal address. 45 C.F.R. (c).

3. Methods of Notification to Individuals. Notification to individuals must be sent to the individual's last known address via first-class mail, or by e-mail if the individual has agreed to electronic notice and has not withdrawn that agreement. If the contact information is outdated or insufficient, a substitute notice reasonably calculated to reach the individual must be made. If there is outdated or insufficient contact information for fewer than 10 individuals, substitute notice may be provided by an alternative written notice, telephone, or other means. If the contact information for 10 or more individuals is found to be outdated or insufficient, substitute notice must be provided by either:
- Conspicuous posting on the home page of the covered entity's website for a period of no less than 90 days; or
- Conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside.

In addition, the substitute notice for 10 or more individuals, whether on the website, in print, or by broadcast media, must include a toll-free telephone number that remains active for at least 90 days where individuals can learn whether their unsecured PHI was included in the breach. 45 C.F.R.

If the affected individual is a minor or lacks the legal capacity to receive notice, the breach notification should be sent to the individual's parent or personal representative. If the breach affects an individual who is deceased, the entity still has an obligation to send a breach notification; the notice should be sent to the address of the next of kin. See 45 C.F.R. (d)(1)(ii).

4. Notification to Media if More than 500 Affected. If the breach affects more than 500 residents of a particular state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction without unreasonable delay, but no later than 60 calendar days after discovery of the breach. 45 C.F.R. (a).

5. Notification to HHS if 500 or More Affected. A covered entity must notify the Secretary of HHS following the discovery of a breach of unsecured PHI. 45 C.F.R. (a). If the breach affects 500 or more individuals, notice must be made to HHS contemporaneously with the notification to the affected individuals and in the manner specified on the HHS website. If fewer than 500 individuals are affected, the covered entity must maintain a log of such breaches and submit the log annually to HHS no later than 60 days following the end of the calendar year. 45 C.F.R. (b), (c). Note that the media and HHS thresholds differ: media notice turns on more than 500 residents of one state or jurisdiction, while immediate HHS notice turns on 500 or more individuals in total.

6. Law Enforcement Exception. If a law enforcement official states to a covered entity that notification of a breach would impede a criminal investigation or cause damage to national security, the covered entity shall delay the notification if the request is in writing and specifies the period of the delay. If the statement is oral, the covered entity must document the statement, identify the official, and delay notification no longer than 30 days from the oral statement unless the official submits the statement in writing during that period. 45 C.F.R.
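As an added illustration, not part of the KaMMCO handout, the thresholds and deadlines in Section E above can be encoded as a small decision function. The Python below is example code written for this page; the Breach and Obligations classes, the function names, and the sample breaches are constructed for illustration, and the handling of a law enforcement delay is simplified to the later of the 60-day deadline and the end of the requested delay. It runs offline and walks a breach through the handout's investigative steps (unsecured PHI, exception, harm assessment) before computing the individual, substitute, media, and HHS obligations.

```python
"""Breach-notification obligations under the HITECH interim rule, as summarized in
Section E of this handout. Example code added to the page; not KaMMCO's own material.
Class names, function names, and the SAMPLES below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and windows from Section E
NOTICE_WINDOW_DAYS = 60           # individual and media notice: no later than 60 days after discovery
ORAL_LE_DELAY_MAX_DAYS = 30       # oral law-enforcement request: at most 30 days unless put in writing
SUBSTITUTE_WEB_MEDIA_MIN = 10     # 10 or more unreachable individuals: website or media notice
POSTING_DAYS = 90                 # website posting and toll-free number active at least 90 days
HHS_IMMEDIATE_MIN = 500           # 500 or more individuals in total: HHS notified contemporaneously
MEDIA_PER_STATE_MIN = 501         # more than 500 residents of one state: prominent media there
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60


@dataclass
class Breach:
    """Facts gathered in steps 1-4 of the handout's investigative checklist."""
    discovered: date                               # first day known to any workforce member or agent
    affected_by_state: Dict[str, int]              # e.g. {"KS": 420, "MO": 600}
    unsecured: bool = True                         # False if the PHI was secured per the HHS guidance
    exception_applies: bool = False                # one of the Section D exceptions
    significant_risk_of_harm: bool = True          # result of the documented harm assessment
    bad_contact_count: int = 0                     # individuals with outdated or insufficient contact info
    le_written_delay_until: Optional[date] = None  # written law-enforcement request: end of delay
    le_oral_request_date: Optional[date] = None    # oral statement (document it and the official)


@dataclass
class Obligations:
    notify_individuals: bool
    individual_deadline: Optional[date]
    substitute_notice: Optional[str]
    media_notice_states: List[str]
    hhs_notice: str
    reason: str


def _no_notice(reason: str) -> Obligations:
    return Obligations(False, None, None, [], "none", reason)


def assess(b: Breach) -> Obligations:
    """Walk the checklist, then compute who must be told and by when."""
    if not b.unsecured:
        return _no_notice("PHI was secured per the HHS guidance; the rule is not triggered")
    if b.exception_applies:
        return _no_notice("a Section D exception applies; keep the documented analysis")
    if not b.significant_risk_of_harm:
        return _no_notice("harm assessment found no significant risk; keep the documented assessment")

    total = sum(b.affected_by_state.values())

    # Individual notice: without unreasonable delay, no later than 60 calendar days after discovery.
    deadline = b.discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    # Law-enforcement delay (simplified here to the later of the two dates).
    if b.le_written_delay_until is not None:
        deadline = max(deadline, b.le_written_delay_until)
    elif b.le_oral_request_date is not None:
        deadline = max(deadline, b.le_oral_request_date + timedelta(days=ORAL_LE_DELAY_MAX_DAYS))

    # Substitute notice when first-class mail (or agreed e-mail) cannot reach someone.
    substitute = None
    if 0 < b.bad_contact_count < SUBSTITUTE_WEB_MEDIA_MIN:
        substitute = "alternative written notice, telephone, or other means"
    elif b.bad_contact_count >= SUBSTITUTE_WEB_MEDIA_MIN:
        substitute = (f"conspicuous website posting or major print/broadcast media for {POSTING_DAYS} days, "
                      f"plus a toll-free number active for {POSTING_DAYS} days")

    # Media notice is judged per state or jurisdiction, not on the total.
    media_states = sorted(s for s, n in b.affected_by_state.items() if n >= MEDIA_PER_STATE_MIN)

    # HHS notice: contemporaneous at 500 or more in total, otherwise logged and reported annually.
    if total >= HHS_IMMEDIATE_MIN:
        hhs = "contemporaneous with individual notice, in the manner specified on the HHS website"
    else:
        log_due = date(b.discovered.year, 12, 31) + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END)
        hhs = f"annual breach log due {log_due.isoformat()}"

    return Obligations(True, deadline, substitute, media_states, hhs,
                       f"breach of unsecured PHI affecting {total} individuals")


# Constructed sample breaches (not real incidents).
SAMPLES = {
    "mailing_error": Breach(date(2010, 3, 15), {"KS": 420, "MO": 600}, bad_contact_count=12),
    "small": Breach(date(2010, 9, 1), {"KS": 3}),
    "oral_le_delay": Breach(date(2010, 3, 15), {"KS": 20}, le_oral_request_date=date(2010, 5, 10)),
    "exception": Breach(date(2010, 3, 15), {"KS": 20}, exception_applies=True),
}

if __name__ == "__main__":
    for name, breach in SAMPLES.items():
        print(name, assess(breach))
```

For the constructed "mailing_error" sample, assess() returns a 14 May 2010 individual deadline, media notice for Missouri only (600 residents, while Kansas at 420 is below the per-state threshold even though the total of 1,020 triggers contemporaneous HHS notice), and website or media substitute notice with a toll-free line for the 12 unreachable individuals. The "small" sample shows the other HHS path: three affected patients go into the breach log, due 60 days after the end of 2010.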

F. Breach Risk Assessment Examples

Example 1: Patient's Information Mistakenly Mailed to Wrong Person

During a routine mailing, an employee inadvertently inserted a patient's billing statement into the wrong patient's envelope. Upon receiving the statement in the mail, the unintended recipient contacted the medical office. The statement contained the following information:
- Patient name;
- Address, including zip code;
- Date of birth; and
- Dates of treatment.

Investigation. Evaluate and document the risk assessment conducted to determine the risk of financial, reputational, or other harm to the affected individual. The risk of harm to the patient is high because of the following factors:
- The PHI contained in the statement;
- The method of disclosure was paper;
- The unintended recipient was a member of the general public; and
- The information could not be retrieved because it was outside the facility, and the unintended recipient could not provide reasonable assurances that it was properly destroyed.

Outcome. The office manager notified the affected individual about the inadvertent disclosure by sending the patient a first-class letter with the required contents. In this situation the matter can be treated as urgent, and telephone notice can be provided in addition to the letter to help mitigate any potential harm resulting from the breach. Record the breach in the breach notification log.

Example 2: A Rogue Employee

Dr. Jane Doe, a first-year resident assigned to City Hospital, was shot in the parking lot of a local grocery store and became a patient at the hospital. A hospital employee who was not a member of the patient's care team accessed, examined, and disclosed Dr. Doe's medical record. The impermissible use and disclosure was discovered through the software used at the facility.

Investigation. Evaluate and document the risk assessment conducted to determine the risk of financial, reputational, or other harm to the affected individual. The breach does not fall within an exception because the employee intentionally accessed the record without authorization.

Outcome. An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not. An administrator notified the affected individual. The employee should receive training on the Privacy Rule and on the appropriate use of a fellow employee's medical information; an additional corrective measure may include placing a letter of reprimand in the employee's personnel file.

Example 3: The Stolen Laptop

An IT manager at a major health care entity regularly took his workplace laptop home. Over the weekend he drove to a local shopping plaza with the laptop in the back seat. While he was shopping, his car was vandalized and the laptop was stolen. The laptop was ultimately recovered. Forensic analysis of the computer showed that it contained unsecured PHI, but that the information was not opened, altered, transferred, or otherwise compromised.

Investigation. Evaluate and document the risk assessment, including the circumstances surrounding the theft and recovery of the laptop.

Outcome. The breach likely does not pose a significant risk of harm to the individuals, and therefore notification is probably not required. This conclusion depends on the forensic finding that the data was never accessed; without the recovered device and that analysis, the entity could not make the showing the harm assessment requires.

Example 4: A Breach Discovered by a Business Associate

Casey is the administrator of a medical group practice that outsources its transcription. The practice has a valid business associate agreement with a transcription service. A local attorney's office that uses the same transcription service has just notified the service that it mistakenly received and opened a batch of the practice's transcriptions. The transcriptions contain the PHI of 770 patients. The transcription service notifies the administrator immediately.

Investigation. Evaluate and document the risk assessment. Determine whether the impermissible use or disclosure poses a significant risk of financial, reputational, or other harm to the individuals. The breach falls within an exception: it would be considered an unintentional, good faith acquisition, access, or use by an individual acting under the business associate's authority.

Outcome. Notification is not required because the sender and the recipient are similarly situated, and the attorney's office provided reasonable assurance that there was no further use or disclosure.

G. Granting Individual Requests to Limit Uses or Disclosures

HITECH expands patient privacy rights and gives patients more input into the disclosure of their PHI; in essence, the restriction strengthens the privacy and security rules already in place. Pre-HITECH, if an individual requested that a covered entity limit disclosure of PHI beyond what HIPAA requires, the covered entity had no corresponding obligation to agree to that request. Post-HITECH, in the very limited circumstance described below, a covered entity must grant the request.

Two-Prong Test

Covered entities must agree to restrict the disclosure or use of PHI if both of the following requirements are met:
- The disclosure is to a health plan for the purpose of carrying out payment or health care operations (not for treatment); and
- The PHI pertains solely to a health care service or item for which the provider has been paid out of pocket in full. See HITECH Act.

If an individual chooses to pay for a procedure or test rather than filing an insurance claim, the individual has the right to restrict disclosure of those services.
  o Example: A patient would like her family to be tested for genetic abnormalities. She has the right to pay for the testing out of pocket and keep the results out of her health plan's records.

H. Limit Disclosure or Use of PHI to the Minimum Necessary Standard

Under HITECH, covered entities, when permitted to disclose PHI, must disclose only the minimum necessary to accomplish the intended purpose of the use or disclosure. Minimum necessary is a concept that requires the covered entity to provide or obtain the minimum amount of information required to accomplish the intended purpose of the use, disclosure, or request for information when:
- Employees use information within the facility;
- The facility discloses information to an outside entity; or
- The facility requests information from an outside entity.

Covered entities are responsible for making the minimum necessary determination for a disclosure themselves, rather than relying on business associates or vendors when releasing information. The Secretary of HHS will issue guidance on what constitutes minimum necessary for purposes of disclosure under HITECH no later than August. Until the Secretary issues this guidance, covered entities should use a limited data set to protect patient privacy to the extent practicable. Once implemented, all requests will have to comply with the new minimum necessary guidance issued by the Secretary. This new guidance will not affect the exceptions to disclosures defined by 45 C.F.R. (b)(2). [4]

What is a Limited Data Set?

A limited data set [5] must have all direct identifiers removed, including the following:
- Name and Social Security number;
- Street address, e-mail address, telephone and fax numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Account numbers;
- Health plan beneficiary numbers;
- Device identifiers or serial numbers;
- URLs;
- Internet Protocol (IP) address numbers;
- Biometric identifiers (including finger and voice prints); and
- Full face photographic images and any comparable images.

I. Increased Accounting Obligations if Covered Entities Use Electronic Health Records (EHRs)

HITECH changes the requirements for generating an accounting of disclosures at a patient's request for covered entities using EHRs. As defined by the HITECH Act, an EHR is an electronic record of health-related information on an individual that is created, managed, and consulted by authorized health care clinicians and staff. [6] Under HITECH, accountings must include disclosures made through an electronic health record for treatment, payment, or health care operations, in addition to the pre-HITECH accounting requirements. Covered entities and business associates alike must comply with the new accounting obligation relating to disclosures through an EHR. Under the new accounting obligations:
- Covered entities must provide an accounting of the electronic disclosures through an EHR for treatment, payment, or health care operations made by the covered entity or its business associates during the three years prior to the request; or
- The covered entity may provide the accounting described above for its own disclosures together with a list of all business associates for the individual to contact directly. The list should contain the necessary contact information, such as name, address, telephone number, and e-mail address.

[4] The following exceptions to the minimum necessary standard continue to apply under 45 C.F.R. (b)(2): disclosures to or requests by a health care provider for treatment; uses or disclosures to the patient; uses or disclosures made pursuant to an authorization; disclosures to the HHS Secretary; uses or disclosures required by law; and uses or disclosures required for HIPAA compliance.
[5] See also 45 C.F.R. (e).
[6] See HITECH Act.

J. Effective Dates for the Accounting Requirement

The effective dates for the new accounting requirement depend on when the covered entity implemented an EHR system. For a covered entity that acquired an EHR before January 1, 2009, the accounting requirement applies to disclosures made on or after January 1. For a covered entity that acquired an EHR on or after January 1, 2009, the provision is effective for disclosures made on or after January 1, 2011, or the date the covered entity obtained the EHR, whichever is later. See HITECH Act 13405(c).

K. Content of the Accounting

HHS is scheduled to issue regulations on the content of an accounting of disclosures for treatment, payment, and health care operations through EHRs. According to HHS, the regulations will provide guidelines for educating individuals about the uses and disclosures of their PHI and will address the administrative burdens associated with providing the accounting. The regulations on the content of the accounting are scheduled to be issued by June.

L. Covered Entities Must Make Accounting Available to Individual in Electronic Format

Provision of PHI in Electronic Format

HITECH requires covered entities and business associates that use or maintain EHRs to provide a copy in electronic format if the individual so chooses. [7] The electronic copy can be transmitted to another person or entity upon proper authorization from the patient. The authorization must be clear, conspicuous, and specific. The covered entity may charge a fee when honoring this request. The fee is limited to labor costs and will vary depending on whether the request is for a copy of a particular transaction or an explanation of the entire EHR. As under HIPAA, the timeframe for responding to requests for electronic copies under HITECH remains within a reasonable time, no later than 30 days.

M. Covered Entities Cannot Receive Remuneration for PHI

1. Prohibition on Sale of PHI. Under HITECH, covered entities and business associates are prohibited from receiving direct or indirect remuneration in exchange for an individual's PHI without obtaining the individual's authorization. The authorization must specify that the covered entity may exchange the individual's PHI for remuneration. See HITECH Act 13405(d).

2. Exceptions to Remuneration. No authorization is needed for a covered entity to receive remuneration in exchange for providing PHI for any of the following purposes:
- Public health activities;
- Research, as long as the remuneration reflects only the cost to prepare and transmit the PHI to the researcher;
- Treatment of the individual;
- Health care operations as defined in paragraph (6)(iv) of that definition under 45 C.F.R.;
- Payment to a business associate for activities that involve the exchange of PHI at the request of, and on behalf of, the covered entity pursuant to a business associate agreement;
- Providing a copy of PHI to an individual who has exercised the right to access his or her PHI; or
- Such similarly necessary and appropriate purposes as determined in HHS regulations.

[7] The right to an electronic copy applies to information in the electronic health record.

3. Effective Date. The Secretary of HHS must adopt regulations to implement this provision no later than August 18. The prohibition on remuneration for a transmission of PHI will take effect and apply to exchanges of PHI occurring six months or more after HHS issues the final regulations for this provision.

N. Limitations on Marketing

1. Clarification Regarding Marketing Provisions. The definition of marketing includes a number of exceptions. HIPAA defines marketing as a communication about a product or service that encourages the purchase or use of the product or service, except for communications made:
- To describe a health-related product or service (or payment for such product or service) that is provided by, or included in, the plan of benefits of the covered entity making the communication, including communications about the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;
- For treatment of the individual; or
- For case management or care coordination, or to direct patients to alternative treatments, therapies, providers, or settings of care. [8]

The communications described above fall within the definition of health care operations under HIPAA and are therefore permissible without obtaining an individual's authorization. The provision also makes clear that the term payment does not include any payment for treatment of an individual.

2. When are Communications Considered Health Care Operations? Under HITECH, if the covered entity has received payment in exchange for making one of the communications described above, the communication may no longer be considered health care operations unless:
- The communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication, and any payment is reasonable in amount; [9]
- The communication is made by the covered entity and the individual's authorization is obtained; or
- The communication is made by a business associate of the covered entity, on behalf of the covered entity, and consistent with the business associate agreement.

See Exhibit A, Marketing Decision Tree.

O. Penalties & Enforcement

Increased Civil Penalties

Civil penalties may be assessed for violations caused by willful neglect. Examples of willful neglect may include: [10]
- The organization has no processes in place to support its policies and procedures;
- The organization has no demonstrable evidence that staff training has been done as required by the regulations;
- The organization is a covered entity that does business with a number of business associates and has no contracts in place with them, or is still using old contracts;
- Employees have passwords on sticky notes that are readily visible;
- The organization has an EHR system running on a local server and the server room is not secured; and
- The organization has no plan for notifying patients when unsecured PHI has been breached.

[8] 45 C.F.R., Marketing Definition (1)(i)-(iii).
[9] The meaning of payment that is reasonable in amount is to be set by the Secretary of HHS in forthcoming regulation.
[10] See, What does willful neglect mean under HITECH/HIPAA?

20 The new minimum civil penalties are tiered according to the entity s perceived culpability for the HIPAA violation, as follows: Tier A: If the offender did not know, and by exercising reasonable diligence would not have known, that he or she violated the law: $100 per violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000. Tier B: If the violation was due to reasonable cause and not willful neglect: $1,000 for each violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Tier C: If in year of violation and due to willful neglect, if corrected within thirty days from knowledge of violation: $10,000 for each violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000. Tier D: If the violation was due to willful neglect and was not corrected: $50,000 for each violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000. P. Enforcement State Attorneys General Enforcement Authority Q. Conclusion Under HITECH, state attorney generals are authorized to pursue actions against persons who violate HIPAA if the attorney general has reason to believe that the violation threatens or adversely affects any resident in the state. However, the state attorney general cannot bring an action as long as an action or the same violation is pending by the Secretary of HHS. The new HITECH requirements will have an impact on the way covered entities and business associates conduct relationships. 
The materials in this presentation were developed to help covered entities ensure their policies and procedures are HITECH-compliant. Covered entities should review how they document data breaches, know when an exception to notification applies, and make an effort to share their policies and procedures with business associates. 15


KaMMCO Offices

Topeka: 623 S.W. 10th Ave., Suite , Topeka, KS
Wichita: #2 Brittany Place, N. Woodlawn, Suite 300, Wichita, KS
Hays: 1010 Downing, Suite 60, Hays, KS
Kansas City: 6950 Squibb Rd., Suite 440, Mission, KS

HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES

HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES SALISH BHO HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES Policy Name: BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date:

More information

BREACH NOTIFICATION POLICY

BREACH NOTIFICATION POLICY PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities

More information

45 CFR Part 164. Interim Final Rule Breach Notification for Unsecured Protected Health Information

45 CFR Part 164. Interim Final Rule Breach Notification for Unsecured Protected Health Information 45 CFR Part 164 Interim Final Rule Breach Notification for Unsecured Protected Health Information Full Preamble and Rule at http://edocket.access.gpo.gov/2009/pdf/e9-20169.pdf The Interim Final Rule also

More information

Changes to HIPAA Privacy and Security Rules

Changes to HIPAA Privacy and Security Rules Changes to HIPAA Privacy and Security Rules STEPHEN P. POSTALAKIS BLAUGRUND, HERBERT AND MARTIN 300 WEST WILSON BRIDGE ROAD, SUITE 100 WORTHINGTON, OHIO 43085 SPP@BHMLAW.COM PERSONNEL COUNCIL FRANKLIN

More information

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative

More information

H E A L T H C A R E L A W U P D A T E

H E A L T H C A R E L A W U P D A T E L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.

More information

NOTIFICATION OF PRIVACY AND SECURITY BREACHES

NOTIFICATION OF PRIVACY AND SECURITY BREACHES NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally

More information

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS Franklin J. Hickman Janet L. Lowder David A. Myers Elena A. Lidrbauch Judith C. Saltzman Mary B. McKee Amanda M. Buzo Lisa Montoni Garvin Andrea Aycinena Penton Building 1300 East Ninth Street Suite 1020

More information

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below. Subject: Protected Health Information Breach Notification Policy Department: Enterprise Risk Management Services Executive Sponsor: SVP/Chief Risk Officer Approved by: Rod Hochman, MD President/CEO Policy

More information

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance

More information

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )

More information

Interim Date: July 21, 2015 Revised: July 1, 2015

Interim Date: July 21, 2015 Revised: July 1, 2015 HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:

More information

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel HIPAA Training HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel Agenda HIPAA basics HITECH highlights Questions and discussion HIPAA Basics Legal Basics Health Insurance Portability

More information

AFTER THE OMNIBUS RULE

AFTER THE OMNIBUS RULE AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan Member

More information

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 Reasons for HIPAA Privacy Rules Perceived need for protection

More information

Fifth National HIPAA Summit West

Fifth National HIPAA Summit West Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for

More information

The wait is over HHS releases final omnibus HIPAA privacy and security regulations

The wait is over HHS releases final omnibus HIPAA privacy and security regulations The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under

More information

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment

More information

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school ASPPR The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes

More information

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V. HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,

More information

ALERT. November 20, 2009

ALERT. November 20, 2009 ALERT HIPAA PRIVACY FOR EMPLOYERS HAS CHANGED. IMMEDIATE ACTION IS REQUIRED. November 20, 2009 The American Recovery and Reinvestment Act of 2009 ( ARRA ) also known as the Economic Stimulus Bill made

More information

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government HITECH and HIPAA: Highlights for Health Departments Aimee Wall UNC School of Government When Congress enacted sweeping legislation in February designed to stimulate the nation s economy, it incorporated

More information

ARRA s Amendments to HIPAA Privacy & Security Rules

ARRA s Amendments to HIPAA Privacy & Security Rules ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health

More information

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule Office of the Secretary Office for Civil Rights () HIPAA/HITECH Omnibus Final Rule April 12, 2013 HHS Office for Civil Rights Omnibus Components Final Rule on HITECH Privacy, Security, & Enforcement Provisions

More information

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 The Impact of Final Omnibus HIPAA/HITECH Rules Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 0 Disclaimer The material in this presentation is not meant to be construed as legal advice

More information

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA

More information

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 Pat Henrikson, Banner Health HIPAA Compliance Program Director, Chief Privacy Officer Agenda Background

More information

HIPAA Basic Training for Health & Welfare Plan Administrators

HIPAA Basic Training for Health & Welfare Plan Administrators 2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying

More information

To: Our Clients and Friends January 25, 2013

To: Our Clients and Friends January 25, 2013 Life Sciences and Health Care Client Service Group To: Our Clients and Friends January 25, 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health

More information

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA OMNIBUS FINAL RULE HITECH GINA TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security

More information

North Shore LIJ Health System, Inc. Facility Name. CATEGORY: Effective Date: 8/15/13

North Shore LIJ Health System, Inc. Facility Name. CATEGORY: Effective Date: 8/15/13 North Shore LIJ Health System, Inc. Facility Name POLICY TITLE: HIPAA Marketing and Sale of Protected Health Information Policy ADMINISTRATIVE POLICY AND PROCEDURE MANUAL POLICY #: 800.43 System Approval

More information

HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI)

HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) On August 24, 2009, the Department of Health and Human Services

More information

Legal and Privacy Implications of the HIPAA Final Omnibus Rule

Legal and Privacy Implications of the HIPAA Final Omnibus Rule Legal and Privacy Implications of the HIPAA Final Omnibus Rule February 19, 2013 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Deven McGraw Director,

More information

Compliance Steps for the Final HIPAA Rule

Compliance Steps for the Final HIPAA Rule Brought to you by The Alpha Group for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.

More information

The American Recovery Reinvestment Act. and Health Care Reform Puzzle

The American Recovery Reinvestment Act. and Health Care Reform Puzzle The American Recovery Reinvestment Act and Health Care Reform Puzzle Carolyn Heyman-Layne Alaska HCCA Conference March 1, 2012 Comparison of Breach Notification Provisions in the HITECH Act 1 and the Alaska

More information

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Gina Campanella, JD HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, Esq.

More information

Changes to HIPAA Under the Omnibus Final Rule

Changes to HIPAA Under the Omnibus Final Rule Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services

More information

An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules

An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules Alden J. Bianchi Updated

More information

Management Alert Final HIPAA Regulations Issued

Management Alert Final HIPAA Regulations Issued Management Alert Final HIPAA Regulations Issued After much anticipation, the Department of Health and Human Services (HHS) has issued its omnibus set of final regulations modifying and clarifying the privacy,

More information

HIPAA Privacy Overview

HIPAA Privacy Overview HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview

More information

HIPAA & The Medical Practice

HIPAA & The Medical Practice HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,

More information

GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do

GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do By D Arcy Guerin Gue, Phoenix Health Systems, a division of Medsphere Systems Corporation With Steven J. Fox, Post & Schell Originally commissioned

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Effective Date: 08/2013

Effective Date: 08/2013 POLICY/GUIDELINE TITLE: HIPAA Marketing and Sale of Protected Health Information Policy POLICY #: 800.43 System Approval Date: 5/18/18 Site Implementation Date: 6/17/18 Prepared by: ADMINISTRATIVE POLICY

More information

8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013

8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013 HIPAA Privacy & Security 2013 Omnibus Final Rule update Dan Taylor, Infinisource Copyright 2013 All rights reserved. Highlights from Final Rules January 25, 2013 Made business associates directly liable

More information

x Major revision of existing policy Reaffirmation of existing policy

x Major revision of existing policy Reaffirmation of existing policy Name of Policy: Reporting of Security Breach of Protected Health Information including Personal Health Information Policy Number: 3364-90-15 Approving Officer: Executive Vice President of Clinical Affairs

More information

The Impact of the Stimulus Act on HIPAA Privacy and Security

The Impact of the Stimulus Act on HIPAA Privacy and Security The Impact of the Stimulus Act on Webinar March 12, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved. Disclaimer The American

More information

HIPAA / HITECH. Ed Massey Affiliated Marketing Group

HIPAA / HITECH. Ed Massey Affiliated Marketing Group HIPAA / HITECH Agent Understanding And Compliance Presented By: Ed Massey Affiliated Marketing Group It s The Law On February 17, 2010 the Health Information Technology for Economic and Clinical Health

More information

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates

More information

HHS, Office for Civil Rights. IAPP October 11, 2012

HHS, Office for Civil Rights. IAPP October 11, 2012 HHS, Office for Civil Rights IAPP October 11, 2012 Enforce federal civil rights laws and the HIPAA Privacy and Security Rules HQ and 10 Regional Offices Region IX has jurisdiction over covered entities

More information

Compliance Steps for the Final HIPAA Rule

Compliance Steps for the Final HIPAA Rule Compliance Steps for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions. The final rule

More information

HITECH and Stimulus Payment Update

HITECH and Stimulus Payment Update HITECH and Stimulus Payment Update David S. Szabo Agenda HIPAA Breach Notification Rules HITECH and Meaningful Use Open Question Period 2 Data Security Breaches A total of 245,216,093 records containing

More information

OMNIBUS RULE ARRIVES

OMNIBUS RULE ARRIVES AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan

More information

Patient Breach Letter Content Requirements

Patient Breach Letter Content Requirements Patient Breach Letter Content Requirements The final breach regulations, effective September 23, 2009, required that the patient whose information was accessed, used or released in an inappropriate manner

More information

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

GUIDE TO PATIENT PRIVACY AND SECURITY RULES AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist

More information

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know 1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013

More information

HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment

More information

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013 HITECH/HIPAA Omnibus Final Rule: Implications for Hospices Elizabeth S. Warren May 3, 2013 Final Rule is Finally Here Published January 25, 2013 (78 Fed. Reg. 5566) Effective March 26, 2013 Compliance

More information

Highlights of the Omnibus HIPAA/HITECH Final Rule

Highlights of the Omnibus HIPAA/HITECH Final Rule Highlights of the Omnibus HIPAA/HITECH Final Rule Health Law Whitepaper Katherine M. Layman 215.665.2746 klayman@cozen.com Gregory M. Fliszar 215.665.7276 gfliszar@cozen.com Judy Wang Mayer 215.665.4737

More information

COMPLIANCE TRAINING 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T

COMPLIANCE TRAINING 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T COMPLIANCE TRAINING 2015 QUALITY MANAGEMENT COMPLIANCE DEPARTMENT 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T Compliance Program why? Ensure ongoing education

More information

Regenstrief Center for Healthcare Engineering HIPAA Compliance Policy

Regenstrief Center for Healthcare Engineering HIPAA Compliance Policy Regenstrief Center for Healthcare Engineering HIPAA Compliance Policy Revised December 6, 2017 Table of Contents Statement of Policy 3 Reason for Policy 3 HIPAA Liaison 3 Individuals and Entities Affected

More information

New HIPAA Breach Rules NAHU presents the WHAT and WHYs. Agenda

New HIPAA Breach Rules NAHU presents the WHAT and WHYs. Agenda New HIPAA Breach Rules NAHU presents the WHAT and WHYs Presenters: David Smith JD, Vice President, Ebenconcepts Tom Jacobs JD, co-ceo eflexgroup Moderator: Ric Joyner CEBS CFCI, co-ceo, eflexgroup 1 Agenda

More information

Texas Tech University Health Sciences Center El Paso HIPAA Privacy Policies

Texas Tech University Health Sciences Center El Paso HIPAA Privacy Policies Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: January 15, 2015 References: http://www.hhs.gov/ocr/hipaa TTUHSC El Paso HIPAA website: http://elpaso.ttuhsc.edu/hipaa/ Policy Statement

More information

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM Recent Enforcement

More information

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners 2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and

More information

HIPAA Privacy & Security Plan October 2016

HIPAA Privacy & Security Plan October 2016 HIPAA Privacy & Security Plan October 2016 Page 1 HIPAA Privacy & Security Plan Introduction The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict

More information

Health Law Diagnosis

Health Law Diagnosis February Page 1 of 2013 11 Health Law Diagnosis HHS Releases Final HITECH Omnibus Rule After waiting over two years from the publication of the Notice of Proposed Rulemaking to implement provisions of

More information

UAMS ADMINISTRATIVE GUIDE NUMBER: 2.1

UAMS ADMINISTRATIVE GUIDE NUMBER: 2.1 UAMS ADMINISTRATIVE GUIDE NUMBER: 2.1.12 DATE: 04/01/2003 REVISION: 3/1/2004; 12/28/2010; 01/02/2013 PAGE: 1 of 18 SECTION: HIPAA AREA: HIPAA PRIVACY/SECURITY POLICIES SUBJECT: HIPAA RESEARCH POLICY PURPOSE

More information

The HHS Breach Final Rule Is Out What s Next?

The HHS Breach Final Rule Is Out What s Next? The HHS Breach Final Rule Is Out What s Next? Webinar September 16, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved. Disclaimer

More information

Determining Whether You Are a Business Associate

Determining Whether You Are a Business Associate The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information

More information

New HIPAA-HITECH Proposed Regulations Issued

New HIPAA-HITECH Proposed Regulations Issued July 2010 New HIPAA-HITECH Proposed Regulations Issued On Thursday July 14, 2010, the Department of Health and Human Services (HHS) published proposed regulations in the Federal Register on many provisions

More information

Texas Tech University Health Sciences Center HIPAA Privacy Policies

Texas Tech University Health Sciences Center HIPAA Privacy Policies Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: January 15, 2015 Reviewed Date: August 7, 2017 References: http://www.hhs.gov/ocr/hippa HSC HIPAA website http://www.ttuhsc.edu/hipaa/policies_procedures.aspx

More information

LEGAL ISSUES IN HEALTH IT SECURITY

LEGAL ISSUES IN HEALTH IT SECURITY LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson

More information

HIPAA Compliance Guide

HIPAA Compliance Guide This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your

More information

Getting a Grip on HIPAA

Getting a Grip on HIPAA Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age Jean C. Hemphill hemphill@ballardspahr.com 215.864.8539 Edward I. Leeds leeds@ballardspahr.com 215.864.8419 Amy

More information

AMA Practice Management Center, What you need to know about the new health privacy and security requirements

AMA Practice Management Center, What you need to know about the new health privacy and security requirements 1. HIPAA Security Rule Johns, Merida L., Information Security, in Johns, Merida L. (ed.) Health Information Management Technology, an Applied Approach, AHIMA: Chicago, IL, 2nd ed. 2007, chapter 19, pp.

More information

Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference

Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance 2015 National Wellness Conference Barbara J. Zabawa, JD, MPH Center for Health Law Equity, LLC Agenda Health Data Exposure ADA,

More information

HIPAA OMNIBUS FINAL RULE

HIPAA OMNIBUS FINAL RULE HIPAA OMNIBUS FINAL RULE Webinar Series Part 3 Breach Notification April 16, 2013 I. BACKGROUND 2 1 Background > HIPAA Omnibus Final Rule: Announced on January 17, 2013 Published in Federal Register on

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates November 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy

More information

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did

More information

UBMD Policy for HIPAA Compliant Subject Recruitment

UBMD Policy for HIPAA Compliant Subject Recruitment UBMD Policy for HIPAA Compliant Subject Recruitment Approved by Executive Committee on December 5, 2016 I. Statement of Purpose This policy is applicable in the situation where the Principle Researcher

More information

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule The HIPAA Omnibus Rule NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA at 510-654-5383 for alternatives.

More information

Limited Data Set Data Use Agreement For Research

This Data Use Agreement is dated , , and is between the ( Recipient ) and University of Miami, ( Covered Entity ). This Data Use Agreement is made in accordance

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

March 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy E.

Executive Policy, EP 2.217 HIPAA

Executive Policy Chapter 2, Administration Executive Policy EP 2.217, HIPAA Policy Effective Date: June 2017 Prior Dates Amended: None Responsible Office:

Interpreters Associates Inc. Division of Intérpretes Brasil

Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS

This HIPAA Business Associate Agreement ( BAA ) is entered into on this day of , 20 ( Effective Date ), by and between Allscripts

THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES

Effective: November 8, 2012 Terms used, but not otherwise defined, in this Policy and Procedure have

CROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996

Update 2-17-2016 CROOK COUNTY RECORD OF CHANGES TABLE OF CONTENTS Introduction HIPAA

Coping with, and Taking Advantage of, HIPAA's New Rules! Deven McGraw, Director, Health Privacy Project, April 19, 2013

Status of Federal Privacy Regulations: Omnibus Rule (Data Breach, Enforcement, HITECH,

Preparing for a HIPAA Audit & Hot Topics in Health Care Reform

2013 San Francisco Mid-Sized Retirement & Healthcare Plan Management Conference March 17-20, 2013 Elizabeth Loh, Esq. Copyright Trucker Huss,

The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance. Patricia A. Markus, Esq.

I. INTRODUCTION Patricia A. Markus, Esq. AHLA Hospitals and Health Systems Law Institute February 13, 2013 On January 17, 2013, the

University of California Group Health and Welfare Benefit Plans HIPAA Privacy Rule Policies and Procedures (Interim)

Group Insurance Regulations Administrative Supplement No. 19 April 2003 The University

SATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE

This newsletter summarizes the highlights of the Final Omnibus HIPAA Privacy and Security Rule announced by the Department of Health

Containing the Outbreak: HIPAA Implications of a Data Breach. Jason S. Rimes. Orlando, Florida

Orlando, Florida www.lowndes-law.com Jason S. Rimes 2013 Lowndes, Drosdick, Doster, Kantor & Reed, P.A. All Rights Reserved Protected Health

HIPAA Redux 2013 Kim Cavitt, AuD Audiology Resources, Inc. Expert e-seminar 4/29/2013. HIPAA Redux Presented by: Kim Cavitt, AuD

Moderated by: Carolyn Smaka, Au.D., Editor-in-Chief, AudiologyOnline Expert e-seminar TECHNICAL SUPPORT Need technical support during event? Please contact

Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300

Training Module provided as a component of the Stericycle HIPAA Compliance Program Goals for Training Understand how Texas

BUSINESS POLICY AND PROCEDURE MANUAL

06/10 1 of 1 01-13 GENERAL STATEMENT OF HIPAA Compliance The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates health care providers (Covered Entities) that electronically maintain

HIPAA: Impact on Corporate Compliance

AAPC HEALTHCON April 2014 Stacy Harper, JD, MHSA, CPC Disclaimer The information provided is for educational purposes only and is not intended to be considered legal

HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by

agenda What the Omnibus Rule includes + Effective and Compliance Dates Security Breach Notification Enforcement