This document summarizes HIPAA regulations and how they apply to electronic health records. It discusses the history of HIPAA including the privacy and security rules, as well as changes and increased penalties introduced by HITECH. Key points covered include what constitutes a data breach, notification requirements, and considerations for securing electronic protected health information and complying with HIPAA in the context of implementing an electronic health record system.

1. HIPAA in the Era of EHR Rural Hospital Health Information Technology Conference May 27, 2010 Stacy Harper, JD, MHSA, CPC Forbes Law Group, LLC (913) 341 – 8619 sharper@forbeslawgroup.com

2. Summary of HIPAA to Date Impact of EMR Implementation Considerations with EHR Overview

3. Administrative Simplification Privacy Security HITECH Summary of HIPAA To Date

4. Standardized Electronic Transactions and Code Sets Unique Identifier for Employers Unique Identifier for Providers Unique Identifier for Health Plans HIPAA Administrative Simplification

5. April 14, 2003 Applies to all Protected Health Information Included requirements for: Safeguards Notice of Privacy Practices Use and Disclosure of Protected Health Information Patient Rights Business Associates Other General Requirements HIPAA Privacy

6. April 14, 2005 Applies to Electronic Protected Health Information (EPHI) Included Requirements related to: Safeguards and protection of EPHI Device and Media Controls Contingency and Back Up Plan Individual Access to Information Information System Activity Review HIPAA Security

7. February 17, 2010 (with few exceptions) Applies to all protected health information Privacy and Security Provisions now apply to Business Associates Breach is Distinguished from a Violation Requirements of Notice of Breach Disclosures of Information to Payors Electronic Health Record Accounting and Access New Penalties Enforcement by State Attorney General Guidance from HHS HIPAA HITECH

8. “An unauthorized acquisition, access, use, or disclosure of phi which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” Exceptions Clarifications from HHS HITECH- Definition of Breach

9. Step 1: Was the Information Secure? Determination of Breach

10. Approved Methods: Encryption Destruction But NOT Access Controls Redaction Limited Data Set HITECH- Methods of Rendering PHI Unusable

11. Step 1: Was the Information Secure? Step 2: Do One of the Exclusions Apply? Determination of Breach

12. Workforce Use – Unintentional acquisition, access or use of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule Workforce Disclosure - Unintentional disclosure of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule No Way to Retain Info – Unauthorized disclosure to which the CE or BA has a good faith belief that the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain info. Exclusions to Breach

13. Step 1: Was the Information Secure? Step 2: Do One of the Exclusions Apply? Step 3: Does the Use/Disclosure Pose a Significant Risk to the Individual? Determination of Breach

14. Covered Entity to Covered Entity – Inadvertent disclosure of PHI from one covered entity or BA employee to another similarly situated covered entity or BA employee, provided that PHI is not further used or disclosed in any manner that violates the Privacy Rule. Immediate Steps to Mitigate– Were immediate steps taken to mitigate the harm including return or destruction of the information and a written confidentiality agreement Types of information included– Was the information disclosed limited to the name of the individual or a limited data set? Guidance for Significant Risk

15. Effective 9/23/09, but HHS will not impose sanctions until 2/22/10 Business Associate must notify Covered Entity of breach including individuals whose information was included in the breach Covered Entity has 60 days from the day discovered to notify the individual of a breach Day discovered is the date when provider knew or could have known through reasonable diligence Increases importance of system to check for breaches to phi and track compliance with HIPAA privacy and security regulations HITECH- Notice of Breach

16. Notice of Breach must include: A description of what happened including the date of breach and date of discovery A description of the types of phi involved Steps the individual should take to protect themselves Steps taken by the provider to investigate, mitigate, and protect against further disclosure Contact information for questions including a toll-free telephone number, e-mail address, website, or postal address HITECH- Notice of Breach

17. Notice must be provided to: Individual In writing to last known address Website If the provider does not have current contact information on more than 10 patients involved Media If breach affected more than 500 patients in one state or jurisdiction Secretary of HHS Within 60 days if more than 500 people affected Annual report of breaches affecting less than 500 people HITECH- Notice of Breach

18. HIPAA Security Now Applies to Medical Records Increased Risk of Breach Importance of Monitoring Implementation and IT Considerations Impact of EMR Implementation

19. Safeguards and protection of EPH Perform a New Risk Assessment Physical Access to EPHI Encryption and Decryption of Data Tracking of Changes and Maintaining Integrity Remote Access Device and Media Control Use, Re-use, and Destruction New Concerns re: Copiers and Scan to E-mail EMR and HIPAA Security

20. Contingency and Back Up Plan New criticality analysis Redundancy and Back-Up Systems Emergency Mode and Recovery Operations Individual Access to Information Determination of Access Levels Granting, Modifying or Terminating Authority Protection of User Names and Passwords Automatic Log Off EMR and HIPAA Security

21. Information System Activity Review Review of log on attempts Audit logs Access reports Security incidents Other system activity EMR and HIPAA Security

22. More methods of access Records more likely to leave the facility Increased transferability of information More interest in the information Greater impact if a breach occurs Increased Risk of Breach

23. Type of Entity with Breach over 500

24. Method of Breach

25. Location of Breach

26. Notice from the date you knew or should have known of the breach Increased penalties and scrutiny Failure to monitor can result in increased liability Renew the training for your staff and get them involved Importance of Monitoring

27. Incorporate the HIPAA discussion into your implementation plan Consider “upgrading” some of the hardware and other software options to improve encryption and security Security programs for handheld devices Implementation and IT Considerations

28. Created Framework for Communication Opt-In versus Opt-Out Specificity of Patient Consent Who is responsible for Security Modification of State privacy laws Current focus is at the state level Future amendments to HIPAA to encourage sharing of information? Considerations with EHR

29. Questions?? Stacy Harper, JD, MHSA, CPC Forbes Law Group, LLC 10740 Nall Avenue, Suite 330 Overland Park, KS 66211 (913) 641-8619 sharper@forbeslawgroup.com