HITECH Poses Important Challenges... Are You Compliant?


Presents a Webinar: HITECH Poses Important Challenges... Are You Compliant?
A program for Clinic and Hospital Administrators, Risk Managers, and other interested staff.
Joint Sponsor: Kansas Hospital Association

KaMMCO Benefits & Services

Claims
- Strong defense of non-meritorious claims and early disposition of meritorious claims.
- Member involvement in claims defense team.
- Post-claim follow up, including loss prevention tips.
- Litigation support program (C.A.R.E.) for members and spouses.
- Case reviews to develop new ideas and strategies in member defense.

Loss Prevention/Education
- Statewide meetings to educate health care professionals regarding timely and important topics, such as:
  - HIPAA and other regulatory issues.
  - Coding certification.
  - Medical record documentation, release, and filing.
  - Front office operational efficiency.
  - Use of physician extenders.
  - Systems and their effectiveness in the practice of medicine.
- On-site clinic and hospital reviews that include assessment of such areas as:
  - Waiting rooms, surgical suites, and exam rooms.
  - Patient scheduling, process for termination of the physician/patient relationship, and billing and collections.
  - Credentialing and governing bylaws.
  - Medical records.
- Education meetings for student and residency programs.
- Publications.
- Toll-free telephone and website access to medical/loss prevention advice and information.

To learn more about the benefits and services available from KaMMCO, call 1-800-232-2259 or visit www.kammco.com.

About Our Speaker

Yolanda Sims, JD, MHA, Loss Prevention and Risk Management Advisor, KaMMCO

Ms. Sims provides KaMMCO members with an understanding of loss prevention and risk management issues in the health care field through education and information based on legal research. Other responsibilities include developing and presenting education programs, assisting with litigation support services, and writing newsletter and website articles. Ms. Sims received her Juris Doctorate degree from St. Louis University, School of Law and a Master of Health Administration from St. Louis University, School of Public Health. She previously worked at Truman Medical Center and has served internships at Jesse Brown Veterans Administration Hospital and the U.S. Department of Health and Human Services. Prior to KaMMCO, she was employed in a Kansas City law firm where she handled a broad range of legal issues. Ms. Sims is a member of the Missouri and American Bar Associations, Kansas City Metropolitan Bar Association, Association of Corporate Counsel, Kansas Association of Risk and Quality Management, and a member of the American Health Lawyers Association.

Disclaimer

The recommendations in this handout are not intended to establish a standard of care, nor are they a substitute for legal advice. The recommendations should be tailored to meet the needs of each particular health care setting. Any implementation of these recommendations should be reviewed by appropriate staff and, if necessary, legal counsel. The fact that a health care professional varies from these guidelines does not establish that the health care professional failed to meet the required standard of care. There may be legitimate reasons to choose another course of action. However, consideration of the information in this handout may reduce the risk of facing a lawsuit and the stress that accompanies even a successful defense in court.
Objectives

Following participation in this presentation, the learner will be prepared to:
1. Understand the impact of HITECH laws and regulations on hospitals, clinics, physicians, and other affected operations.
2. Comply with HITECH requirements by using checklists showing the steps that should be considered.
3. Obtain the tools and information needed to develop a compliance plan for HITECH.

Contents of this handout are produced for the benefit of KaMMCO members and are protected by 2010 copyright. No one other than KaMMCO members may reproduce the contents of this handout without written permission from KaMMCO. Send all communication to KaMMCO, 623 SW 10th Avenue, Topeka, Kansas 66612.

Table of Contents

I. Introduction
  A. Breach Notification Rule
  B. What is a Breach?
  C. Investigative Steps for a Breach
  D. Exceptions to Breach
  E. Methods for Notification
    1. Timeliness of Notification
    2. Content of Notification
    3. Methods of Notification to Individuals
    4. Notification to Media if More than 500 Affected
    5. Notification to HHS if 500 or More Affected
    6. Law Enforcement Exception
  F. Breach Risk Assessment Examples
    Example 1: Patient's Information Mistakenly Mailed to Wrong Person
    Example 2: A Rogue Employee
    Example 3: The Stolen Laptop
    Example 4: A Breach Discovered by a Business Associate
  G. Granting Individual Requests to Limit Uses or Disclosures
    Two-Prong Test
  H. Limit Disclosure or Use of PHI to the Minimum Necessary Standard
    What is a Limited Data Set?
  I. Increased Accounting Obligations if Covered Entities Use Electronic Health Records (EHRs)
  J. Effective Dates for the Accounting Requirement
  K. Content of the Accounting
  L. Covered Entities Must Make Accounting Available to Individual in Electronic Format
    Provision of PHI in Electronic Format
  M. Covered Entities Cannot Receive Remuneration for PHI
    1. Prohibition on Sale of PHI
    2. Exceptions to Remuneration
    3. Effective Date
  N. Limitations on Marketing
    1. Clarification Regarding Marketing Provisions
    2. When are Communications Considered Health Care Operations?
  O. Penalties & Enforcement
    Increased Civil Penalties
  P. Enforcement
    State Attorneys General Enforcement Authority
  Q. Conclusion
  Exhibit A: Marketing Decision Tree

HITECH Poses Important Challenges... Are You Compliant?

I. Introduction

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), signed into law on February 17, 2009, as part of the American Recovery and Reinvestment Act (ARRA), amends the regulation of the privacy and security of patient health information (PHI). Effective February 17, 2010, the HITECH Act imposed new privacy and security requirements that essentially expanded the original foundation of the Health Insurance Portability and Accountability Act (HIPAA). Under HITECH, many of the HIPAA standards will apply directly to business associates, and business associates will be subject to the same civil and criminal penalties as covered entities. The HITECH Act also mandates that business associates maintain appropriate security safeguards. These safeguards include the administrative, physical, and technical safeguards defined under the Security Rule.

A. Breach Notification Rule

The Breach Notification Rule places new obligations on both covered entities and business associates regarding business associate notice to the covered entity, patient notification, and maintaining breach logs. Covered entities [1] must notify individuals when the PHI of an individual has been breached. Conversely, business associates must notify covered entities of such breaches. [2] After being notified, covered entities will take the proper steps to notify the affected individuals.

When an entity or associate is determining whether notice is required, several things should be considered. First, was the disclosure permitted under HIPAA? If not, the second question is whether a breach occurred according to the definition provided in the regulation. Third, was it a breach of unsecured PHI? Be advised that only breaches of unsecured PHI trigger the notification requirement.

When is PHI considered unsecured? HITECH defines the term "unsecured PHI" as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of Health & Human Services (HHS). [3]

[1] Covered entities include most physicians and health care providers, health care plans, and health care clearinghouses.
[2] Business associates, like covered entities, are held accountable under the same breach notification requirement. When a breach is by the business associate, they are legally obligated to inform the covered entity, not the individual.
[3] See Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, 74 F.R. 42740-42743 (August 24, 2009).

B. What is a Breach?

A breach is defined in HITECH as the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security and privacy such that the use of the information poses significant risk of financial, reputational, or other harm to individuals. The new requirement does not intend to require notification every time unsecured PHI is mistakenly accessed or used. For that reason, the definition of breach includes a harm assessment. This assessment is done on a case-by-case basis, but it essentially requires entities and associates to determine the likelihood that a breach could cause harm to an individual. The goal is to prevent unnecessary notices to individuals when there is no real need for concern. If the entity or associate determines the harm is insignificant, no notification is required.

The Interim Breach Notification regulations suggest covered entities and business associates review the Office of Management and Budget (OMB) Memorandum M-07-16 for examples of the types of factors that may be taken into account in determining whether an impermissible use or disclosure presents a significant risk of harm to the individual. The five factors are:
1. Nature of the data elements breached;
2. Number of individuals affected;
3. Likelihood the information is accessible and usable;
4. Likelihood the breach may lead to harm; and,
5. Ability of the agency to mitigate the risk of harm.

The burden of proof is upon the entity or associate to show what factors were taken into consideration. Covered entities and business associates must document their risk assessments. The documentation must demonstrate evidence of a plan that indicates your organization is in compliance with the HITECH requirements. In the event of an audit, you will need to produce demonstrable evidence.

C. Investigative Steps for a Breach

1. Does the disclosure violate the HIPAA Privacy Rule?
2. Does it involve unsecured PHI?
3. Does an exception to the breach notification requirements apply?
   - Good faith, unintentional acquisition, access, or use of PHI by an employee/workforce member;
   - Inadvertent disclosure to another authorized person within the entity, covered entity, or business associate;
   - Recipient could not reasonably have retained the data; or,
   - Data is limited to a limited data set that does not include date of birth or zip code. See 45 C.F.R. 164.402.
4. Does the disclosure result in significant risk of financial, reputational, or other harm?

D. Exceptions to Breach

According to HHS, the following exceptions and examples are not considered a breach and would not be reportable:

- An unintentional acquisition, access, or use of PHI made in good faith occurs within the scope of employment or a professional relationship and does not result in further impermissible use or disclosure.
  o Example: A nurse mistakenly sends an e-mail with PHI to a hospital's billing employee. After opening the e-mail, the billing employee notifies the nurse and deletes the e-mail.
- An inadvertent disclosure is made by an individual who is otherwise authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, and the information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.
  o Example: A Human Resources Manager who is authorized to access employee health plans inadvertently discloses PHI to another Human Resources employee.
- An unauthorized person who receives the health information cannot reasonably retain it.
  o Example: A covered entity sends out a benefits enrollment form to the wrong individual. If the information is returned by the post office, unopened, the entity would consider it undeliverable.

- The data is limited to a limited data set that does not include date of birth or zip code. See 45 C.F.R. 164.402.
  o Example: A researcher conducts a clinical trial and uses a limited data set.

E. Methods for Notification

The methods for notification will vary depending on the number of individuals involved; however, the timeliness standard applies to all of them.

1. Timeliness of Notification. Notification must be made to individuals without unreasonable delay, but no later than 60 calendar days after discovery of the breach. Breaches are considered to be discovered on the first day the breach is known to the covered entity (i.e., known to any member of the covered entity's workforce or agents) or when, by exercising reasonable diligence, the breach would have been known to the covered entity. 45 C.F.R. 164.404(b).

2. Content of Notification. Notification sent to individuals must be in plain language and include the following:
- A brief description of what happened, including the date of the breach and the date of discovery of the breach, if known;
- A description of the types of unsecured PHI involved in the breach;
- Steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of the steps the entity is taking to investigate the breach, mitigate harm, and protect against further breaches; and,
- Contact procedures for individuals to ask questions or obtain additional information, including a toll-free number, e-mail address, website, or postal address.
45 C.F.R. 164.404(c).

3. Methods of Notification to Individuals. Notification to individuals must be sent to an individual's last known address via first-class mail, or by e-mail if the individual has agreed to e-mail and has not withdrawn such agreement. If the contact information is outdated or insufficient, a substitute notice reasonably calculated to reach the individual must be made. If there is outdated or insufficient information for fewer than 10 individuals, substitute notice may be provided by an alternative written notice, telephone, or other means. If the contact information for 10 or more individuals is found to be
- Conspicuous posting on the home page of the covered entity's website for a period of no less than 90 days; or,
- Conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals likely reside.
In addition, when 10 or more individuals are involved, the substitute notice on the website, in print, or by broadcast media must include a toll-free telephone number, active for at least 90 days, where individuals can learn whether their unsecured PHI was included in the breach. 45 C.F.R. 164.404.

In the event the affected individual is a minor or lacks the legal capacity to receive notice, a breach notification should be sent to the individual's parent or personal representative. In addition, if the breach affects an individual who is deceased, an entity still has an obligation to send a breach notification. The notice should be sent to the address of the next of kin. See 45 C.F.R. 164.404(d)(1)(ii).

4. Notification to Media if More than 500 Affected. If the breach affects more than 500 residents of a particular state or jurisdiction, the covered entity also must notify prominent media outlets serving the state or jurisdiction of the breach without unreasonable delay, but no later than 60 calendar days after discovery of the breach. 45 C.F.R. 164.406(a).

5. Notification to HHS if 500 or More Affected. A covered entity must notify the Secretary of HHS following the discovery of a breach of unsecured PHI. 45 C.F.R. 164.408(a). If the breach affects 500 or more individuals, notice must be made to Health and Human Services (HHS) contemporaneously with the notification to the affected individuals and in the manner specified by HHS on its website. If fewer than 500 individuals are affected, the covered entity must maintain a log of any such breaches and submit the log annually to HHS no later than 60 days following the end of the calendar year. 45 C.F.R. 164.408(b)-(c).

6. Law Enforcement Exception. If a law enforcement official states to a covered entity that notification of a breach would impede a criminal investigation or cause damage to national security, the covered entity shall delay the notification if the law enforcement request is in writing and specifies a time for the delay. If the statement is oral, the covered entity must document the statement, identify the official, and delay notification no longer than 30 days from the oral statement unless the official submits the statement in writing during this period. 45 C.F.R. 164.412.

F. Breach Risk Assessment Examples

Example 1: Patient's Information Mistakenly Mailed to Wrong Person

During a routine mailing, an employee inadvertently inserted a patient's billing statement into the wrong patient's envelope. Upon receiving the statement in the mail, the unintended patient contacted the medical office. The statement contained the following information:
- Patient name;
- Address including zip code;
- Date of birth; and,
- Dates of treatment.

Investigation: Evaluate and document the risk assessment conducted to determine the risk of financial, reputational, or other harm to the affected individual. The risk of harm to the patient is high because of the following factors:
- The PHI contained in the statement;
- The method of disclosure was paper;
- The unintended recipient was a member of the general public; and,
- The information could not be retrieved because it was outside of the facility, nor could the unintended patient provide reasonable assurances it was properly destroyed.

Outcome: The office manager notified the affected individual about the inadvertent disclosure by sending the patient a first-class letter with the required contents. In this situation, the matter can be deemed urgent and you can provide telephone notice in addition to the letter. This would be helpful to mitigate any potential harm that could result from the breach. Record the breach in a breach notification log.

Example 2: A Rogue Employee

Dr. Jane Doe, a first-year resident assigned to City Hospital, was shot in the parking lot of a local grocery store and became a patient at the hospital. A hospital employee, not a member of the patient's care team, accessed, examined, and disclosed Dr. Doe's medical record. The impermissible use and disclosure was discovered because of the software used at the facility.

Investigation: Evaluate and document the risk assessment conducted to determine the risk of financial, reputational, or other harm to the affected individual. The breach did not fall within an exception because the employee intentionally accessed the record without authorization.

Outcome: An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity, in its role as employer, are not. An administrator notified the affected individual. The employee should receive training on the appropriate use of the medical information of a fellow employee. Additional corrective measures may include placing a letter of reprimand in the employee's personnel file and requiring training about the Privacy Rule.

Example 3: The Stolen Laptop

An IT manager at a major health care entity regularly took his workplace laptop home. Over the weekend, he drove his car to a local shopping plaza with his laptop in the back seat. While shopping, his car was vandalized and the laptop was stolen. The laptop was ultimately recovered. Forensic analysis of the computer showed that it contained unsecured PHI, but the information was not opened, altered, transferred, or otherwise compromised.

Investigation: Evaluate and document the risk assessment, including the circumstances surrounding the theft and recovery of the laptop.

Outcome: The breach likely does not pose a significant risk of harm to the individuals, and therefore notification is probably not required.

Example 4: A Breach Discovered by a Business Associate

Casey is the administrator of a medical group practice that outsources its transcription. The practice has a valid business associate agreement with a transcription service. A local attorney's office that uses the same transcription service has just notified the transcription service that they mistakenly received and opened a batch of the practice's transcriptions. The transcriptions contain PHI of 770 patients. The transcription service notifies the administrator immediately.

Investigation: Evaluate and document the risk assessment. Determine if the impermissible use/disclosure poses a significant risk of financial, reputational, or other harm to the individual. The breach falls within an exception. The breach would be considered an unintentional, good faith acquisition, access, or use by an individual acting under the business associate's authority.

Outcome: Notification is not required because the sender and the recipient are similarly situated. The attorney's office provided reasonable assurance there was no further use or disclosure.

G. Granting Individual Requests to Limit Uses or Disclosures

HITECH expands patient privacy rights and provides more patient input when disclosing their PHI. In essence, the restriction has strengthened the privacy and security rules currently in place. Pre-HITECH, if an individual requested a covered entity to limit disclosure of PHI beyond what HIPAA requires, covered entities had no corresponding obligation to agree to that request. Post-HITECH, in the very limited circumstance described below, a covered entity must grant the request.

Two-Prong Test Covered entities must agree to restrict the disclosure or uses of PHI if the following requirements are met: The disclosure is to a health plan for the purpose of carrying out payment or health care operations (not for treatment); and, The PHI pertains solely to a health care service or item for which the provider has been paid out-of-pocket expenses in full. See, HITECH Act 13405. If an individual desires to pay for a procedure or testing rather than filing an insurance claim, they have the right to restrict disclosure of those services. o Example: A patient would like for her family to be tested for genetic abnormalities. She has the right to pay for it out of pocket and keep the results for her insurance record. H. Limit Disclosure or Use of PHI to the Minimum Necessary Standard Under HITECH, covered entities, when permitted, must disclose only the minimum necessary to accomplish the intended purpose for such use or disclosure. Minimum necessary is a concept that requires the covered entity to provide/obtain the minimum amount of information required to accomplish the intended purpose of the use, disclosure, or request for information when: Employees use information within the facility; The facility discloses information to an outside entity; or, The facility requests information from an outside entity. Covered entities are charged with the responsibility of making a determination of minimum necessary for disclosure, rather than relying on business associates or vendors when releasing information. The Secretary of Health and Human Services (HHS) will issue guidance on what constitutes minimum necessary for purposes of disclosure under HITECH no later than August 2010. Until the Secretary issues this guidance, covered entities should use a limited data set to protect patient privacy to the extent practicable. Once implemented, all requests will have to comply with the new minimum 9

necessary guidance issued by the Secretary. This new guidance will not affect the exceptions to the minimum necessary standard defined by 45 C.F.R. 165.502(b)(2). [4]

What is a Limited Data Set?

A limited data set [5] must have all direct identifiers removed, including the following:

- Name and Social Security number;
- Street address, e-mail address, telephone and fax number;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Account numbers;
- Health plan beneficiary numbers;
- Device identifiers or serial numbers;
- URLs and Internet Protocol (IP) address numbers;
- Biometric identifiers (including finger and voice prints); and,
- Full face photographic images and any comparable images.

I. Increased Accounting Obligations if Covered Entities Use Electronic Health Records (EHRs)

HITECH changes the requirements for generating an accounting of disclosures at a patient's request for covered entities using EHRs. As defined by the HITECH Act, an EHR is an electronic record of health-related information on an individual that is created, managed, and consulted by authorized health care clinicians and staff. [6] Under HITECH, accountings must include disclosures made through an electronic health record for treatment, payment, or health care operations, in addition to the accounting requirements that applied pre-HITECH. Covered entities and business associates

[4] The following exceptions to the minimum necessary standard continue to apply under 45 C.F.R. 165.502(b)(2): disclosures/requests by a health care provider for treatment, uses/disclosures to the patient, uses/disclosures made pursuant to an authorization, disclosures to the HHS Secretary, uses/disclosures required by law; and uses/disclosures required for HIPAA compliance.
[5] See also, 45 C.F.R. 164.514(e).
[6] See, HITECH Act 13400.
alike must comply with the new accounting obligation relating to disclosures through an EHR. Under the new accounting obligations:

- Covered entities must provide an accounting of the electronic disclosures through an EHR for payment, treatment, or health care operations made by the covered entity or a business associate during the three years prior to the request; or,
- The covered entity may provide the accounting described above and a list of all business associates for the individual to contact directly. The list should contain the necessary contact information, such as name, address, telephone number, and e-mail.

J. Effective Dates for the Accounting Requirement

The effective dates for the new accounting requirement correlate to the date the covered entity implemented an EHR system. For a covered entity that acquired an EHR before January 1, 2009, the accounting requirement applies to disclosures made on or after January 1, 2014. For a covered entity that acquired an EHR on or after January 1, 2009, the provision will be effective for disclosures made on or after January 1, 2011 or the date the covered entity obtained the EHR. See, HITECH Act 13405(c).

K. Content of the Accounting

HHS is scheduled to issue regulations regarding the content of an accounting of disclosures for treatment, payment, and health care operations through EHRs. According to HHS, the regulations will provide guidelines for educating individuals about the uses and disclosures of their PHI and address the administrative burdens associated with providing the accounting. The regulations regarding the content of the accounting are anticipated to be issued by June 2010.

L. Covered Entities Must Make Accounting Available to Individual in Electronic Format

Provision of PHI in Electronic Format

HITECH requires covered entities and business associates that use or maintain EHRs to provide a copy in electronic format if chosen by the
individual. [7] The electronic copy can be transmitted to another person or entity upon proper authorization from the patient. The authorization must be clear, conspicuous, and specific. The covered entity may charge a fee when honoring this request. The fee is limited to labor costs and will vary depending on whether the request is for a copy of a particular transaction or for an explanation of the entire EHR. As provided by HIPAA, the timeframe for responding to requests for electronic copies under HITECH is still within a reasonable time, no later than 30 days.

M. Covered Entities Cannot Receive Remuneration for PHI

1. Prohibition on Sale of PHI

Under HITECH, covered entities and business associates are prohibited from receiving indirect or direct remuneration in exchange for an individual's PHI without obtaining the authorization of the individual. The authorization must specify that the covered entity may exchange the individual's PHI for remuneration. See, HITECH Act 13405(d).

2. Exceptions to Remuneration

No authorization will be needed for a covered entity to receive remuneration in exchange for providing PHI for any of the following purposes:

- Public health activities; or,
- Research, as long as the remuneration reflects only the cost to prepare and transmit the PHI to the researcher; or,
- Treatment of the individual; or,
- A health care provider as defined in 6(iv) of health care provider under 45 C.F.R. 164.501; or,
- Payment to a business associate for activities that involve the exchange of PHI at the request of, and on behalf of, the covered entity pursuant to a business associate agreement; or,
- Providing a copy of PHI to an individual who has exercised the right to access the individual's PHI; or,
- Such similarly necessary and appropriate information as determined in HHS regulations.

[7] The right to an electronic copy applies to information in the electronic health record.
3. Effective Date

The Secretary of HHS must adopt regulations to facilitate this provision no later than August 18, 2010. The prohibition on remuneration for a transmission of PHI will become effective and apply to exchanges of PHI occurring on or after six months after HHS issues the final regulations for this provision.

N. Limitations on Marketing

1. Clarification Regarding Marketing Provisions

The definition of marketing includes a number of exceptions. HIPAA defines marketing as a communication about a product or service that encourages the purchase or use of the product or service, except for communications made:

- To describe a health-related product or service (or payment for such product or service) that is provided by, or included in, a plan of benefits of the covered entity making the communication, including communications about the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or,
- For treatment of the individual; or,
- For case management or care coordination, or to direct patients to alternative treatments, therapies, providers, or settings of care. [8]

The communications described above are deemed to fall within the definition of health care operations under HIPAA, and are therefore permissible without obtaining an individual's authorization. The provision also makes clear that the term payment does not include any payment for treatment of an individual.

2. When are Communications Considered Health Care Operations?

Under HITECH, if the covered entity has received payment in exchange for making one of the communications described in the section above, the communication may no longer be considered health care operations unless:

[8] 45 C.F.R. 164.501, Marketing Definition (1)(i)-(iii).
- The communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication and any payment is reasonable in amount; [9]
- The communication is made by the covered entity and individual authorization is obtained; or,
- The communication is made by a business associate of a covered entity, on behalf of the covered entity, and the communication is consistent with the business associate agreement.

See, Attachment A, Marketing Decision Tree.

O. Penalties & Enforcement

Increased Civil Penalties

Civil penalties may be assessed for violations caused by willful neglect. Examples of willful neglect may include: [10]

- The organization does not have any processes in place to support its policies and procedures;
- The organization has no demonstrable evidence that staff training has been done as required by the regulations;
- The organization is a covered entity that does business with a number of business associates and has no contracts in place with them, or old contracts are still being used;
- Employees have passwords on sticky notes that are readily visible;
- The organization has an EHR system running on a local server and the server room is not secured; and,
- The organization has no plan for notifying patients when unsecured PHI has been breached.

[9] The meaning of what constitutes payment that is reasonable in amount is to be set by the Secretary of HHS in forthcoming regulation.
[10] See, What does willful neglect mean under HITECH/HIPAA? www.lawtechtv.com/home/
The new minimum civil penalties are tiered according to the entity's perceived culpability for the HIPAA violation, as follows:

- Tier A: If the offender did not know, and by exercising reasonable diligence would not have known, that he or she violated the law: $100 per violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
- Tier B: If the violation was due to reasonable cause and not willful neglect: $1,000 for each violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.
- Tier C: If the violation was due to willful neglect and was corrected within thirty days from knowledge of the violation: $10,000 for each violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
- Tier D: If the violation was due to willful neglect and was not corrected: $50,000 for each violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

P. Enforcement

State Attorneys General Enforcement Authority

Under HITECH, state attorneys general are authorized to pursue actions against persons who violate HIPAA if the attorney general has reason to believe that the violation threatens or adversely affects any resident of the state. However, the state attorney general cannot bring an action as long as an action for the same violation is pending by the Secretary of HHS.

Q. Conclusion

The new HITECH requirements will have an impact on the way covered entities and business associates conduct their relationships. The materials in this presentation were developed to help covered entities ensure their policies and procedures are HITECH-compliant. Covered entities should review how they document data breaches, know when an exception to notification applies, and make an effort to share their policies and procedures with business associates.
KaMMCO Offices

Topeka: 623 S.W. 10th Ave., Suite 200, Topeka, KS 66612; 785-232-2224; 800-232-2259; 785-232-4704 (Fax)
Wichita: #2 Brittany Place, 1938 N. Woodlawn, Suite 300, Wichita, KS 67208; 316-681-8119; 800-207-3073; 316-681-7497 (Fax)
Hays: 1010 Downing, Suite 60, Hays, KS 67601; 785-625-8215; 800-293-2363; 785-625-8234
Kansas City: 6950 Squibb Rd., Suite 440, Mission, KS 66202; 913-384-8991; 800-779-8201; 913-384-2296 (Fax)

www.kammco.com