2. Your Presenters
Stacey Gutwillig
Partner
Deloitte & Touche LLP
sgutwillig@deloitte.com
(617) 437-2637
Mark Steinhoff
Director
Deloitte & Touche LLP
msteinhoff@deloitte.com
(617) 437-2614
Dan Hoye
Manager
Deloitte & Touche LLP
dhoye@deloitte.com
(617) 437-3528
Copyright © 2010 Deloitte Development LLC. All rights reserved. 1
3. Contents
• The American Recovery and Reinvestment Act (ARRA) of
2009 and HITECH overview
• Overview of HITECH goals
• Ways to address HITECH provisions
• Implementation Dates
• Case studies
• Penalties and Enforcement
• Potential Business Impacts of the HITECH Act
• Security and privacy overlaps
4. The American Recovery and Reinvestment Act of 2009 and HITECH
[Figure: relative scale of spending]
• 2008 US Federal Budget: $2.9 trillion
• ARRA Stimulus: $787 billion (27% of the federal budget)
• HITECH expenditures: $38 billion total (5% of the Stimulus)
Federal Spending for ARRA includes federal tax cuts, expansion of unemployment
benefits and other social welfare provisions, and domestic spending in education,
health care, and infrastructure, including the energy sector.
5. Health Information Technology for Economic and Clinical Health Act or HITECH Act
Four major goals of the HITECH bill intended to advance the use of health
information technology (Health IT or HIT):
1. Government leadership in developing standards by 2010 that allow for the nationwide
electronic exchange and use of health information
2. Investing $20 billion in health information technology infrastructure and Medicare
and Medicaid incentives to encourage doctors and hospitals to use HIT to electronically
exchange patients’ health information.
3. Strengthening Federal privacy and security law to protect identifiable health
information from misuse as the health care sector increases use of Health IT.
4. Saving the government $10 billion, and generating additional savings throughout the health sector, through improvements in quality of care, error reduction, and care coordination.
As a result of this legislation, the Congressional Budget Office estimates that approximately 90 percent of doctors and 70 percent of hospitals will be using comprehensive electronic health records within the next decade.
6. Why is the HITECH Act Getting Such Attention?
“…the American Recovery and Reinvestment Act (ARRA)…puts into law new privacy requirements that experts have called ‘the biggest change to the healthcare privacy and security environment since the original HIPAA privacy rule. …According to a 2009 study by the Ponemon Institute (a), the healthcare industry is among the top three industries most frequently victimized by data breaches, risking the medical and financial well-being of breach victims and the credibility and future business of the healthcare provider’”
– Over 44% of all cases in the 2009 study involved third-party mistakes or flubs. Data breaches involving data outsourced to third parties are the most costly.
(a) Fourth Annual US Cost of Data Breach Study, Benchmark Study of Companies, by Dr. Larry Ponemon, sponsored by PGP Corporation, independently conducted by Ponemon Institute LLC. Publication Date: January 2009
7. Current state — Patient information network
[Figure: networked web of patient encounters feeding collective medical information to consuming organizations; each color represents a unique encounter]
Various organizations access this networked Web on a national scale, gathering similar information about many patients.
8. Future state — The National Health Information Network (NHIN)
In the mature state of the NHIN, geography will no longer be a consideration, as health care entities will have access to each other, creating a flux of health information.
Future state (fully developed and interoperable NHIN) and value of the NHIN
• Electronic Health Records (EHRs) will be the basis of information exchanges on the NHIN, with different entities accessing different components of EHRs.
• Health care system entities and public health institutions will be able to access the NHIN, utilizing the full power of the availability of national health information.
• Administrative, clinical, and public health costs will be reduced nationally, as health information may be accessed from and shared with other entities.
• Interoperability between existing health systems will be the cornerstone of the NHIN in achieving its goals.
9. Recent New England Journal of Medicine survey finds very low use of EHR in U.S. hospitals1
Method
• Survey of acute care hospitals that are American Hospital Association (AHA) members. The study received responses from 3,049 hospitals (63%)
Results
• 1.5% have a comprehensive electronic records system present in all clinical units
• 7.6% have at least a basic system present in at least one clinical unit
Significant findings related to barriers to EHR adoption in hospitals
Among hospitals without an electronic health record (EHR):
• Inadequate capital for purchase (74%) was the most cited barrier, and EHR maintenance cost was the 2nd most frequently cited barrier (44%)
• Additional barriers cited in the study include:
– Physician resistance (36%)
– Unclear Return on Investment (ROI) (32%)
– Lack of staff with expertise in Health Information Technology (HIT) (30%)
• For hospitals with an existing EHR, the above barriers were less likely to be cited, except for physician resistance.
1 New England Journal of Medicine (NEJM) Volume 360:1628-1638, April 16, 2009
10. Some differences between HITECH and HIPAA
General
HIPAA
• CEs included PHI custodians
• CEs were not actively audited
• No defined penalty structure for neglectful privacy practices
• Allows 10 years for compliance
HITECH Act
• CEs include PHI custodians as well as business associates (e.g. suppliers, outreach organizations, and other organizations doing business with the primary CE)
– Contracts are required with business associates defining use of PHI
• DHHS to conduct periodic audits within first 12 months after new rules enacted
• Increased, tiered penalty structure with fines ranging from $25K to $1.5M including mandatory penalties for cases of “willful neglect”
– Proof of harm no longer required to levy penalties
– Interpretation of breach cases and penalties will be made by state Attorneys General
• Compliance required within 12 – 18 months
11. Some differences between HITECH and HIPAA
Breach Notification
HIPAA
• State security breach laws mandated notification only for electronic PHI
• Burden of notification fell on “data owners”, excluding any organization that did not “own” the data
• If a data owner determined that it had an obligation to notify of a data breach, it was required only to send letters to the affected individuals within “a reasonable amount of time”
HITECH Act
• Applies to breaches on or after September 23, 2009
• CE must provide notification within 60 days after PHI in any form is breached
– Starts from the first day the breach is known to the CE/business associate or should reasonably have been known
– Requirements are specific for content, timing, and obligations
• Obligation to notify falls on CE and/or business associates
• Breach impacting more than 500 individuals requires “immediate” notification to DHHS, making the breach public
– If more than 500 individuals are affected in a single state or jurisdiction, notice must be made to prominent media outlets
• In cases affecting fewer than 500 individuals, the CE must maintain a log of breaches and submit it annually to DHHS, which will be posted on a public website
12. HITECH Act — Key Implementation Dates2
Provision: Health Insurance Portability and Accountability Act (HIPAA) security and privacy provisions to business associates
Guidance/Regulations: Health and Human Services (HHS) issued an initial set of standards for implementation and certification criteria for the electronic exchange and use of health information on January 13, 2010; annual guidance on appropriate technical safeguards from the Department of Health and Human Services (DHHS)
Effective Date: February 17, 2010
Provision: Breach Notification
Guidance/Regulations: DHHS and Federal Trade Commission (FTC) issued interim final regulations on August 24, 2009
Effective Date: No later than September 23, 2009
Provision: Disclosure Restrictions
Guidance/Regulations: DHHS to issue guidance on what constitutes “minimum necessary” no later than August 17, 2010
Effective Date: February 17, 2010
Provision: Accounting of Disclosures
Guidance/Regulations: DHHS to issue regulations on what information must be collected about disclosures by June 30, 2010
Effective Date: January 1, 2014 if EHR acquired before January 1, 2009; as early as January 1, 2011 if EHR acquired after January 1, 2009
Provision: Prohibition on Sale of EHR
Guidance/Regulations: DHHS to issue regulations by August 17, 2010
Effective Date: No later than February 17, 2011
Provision: Marketing and Fundraising
Guidance/Regulations: None
Effective Date: February 17, 2010
Provision: Penalties and Enforcement
Guidance/Regulations: DHHS to issue regulations for penalties as related to willful neglect no later than August 17, 2010; Government Accountability Office (GAO) to submit a report to DHHS detailing individual remuneration for civil penalty or settlement amounts no later than February 17, 2012
Effective Date: Penalties as related to willful neglect by February 17, 2011; tiered increase in civil penalties and state attorney general enforcement effective February 17, 2009
2 As of January 26, 2010
13. Some ways to address the provisions of the act…
Provision of the Act: Investment in Health IT Infrastructure
Action Steps: Implementation of electronic health records systems and infrastructure
Provision of the Act: HIPAA Security and Privacy Provisions to Business Associates
Action Steps: HIPAA Privacy & Security Assessment; HIPAA Strategy & Program Development; Business Associate Assessments
Provision of the Act: Breach Notification
Action Steps: Incident Response Program Development; Data Protection Technology Implementation
Provision of the Act: Marketing and Fundraising
Action Steps: Update current policies, procedures, and controls to support:
• the requirement of specific authorization from patients to use PHI for marketing/fundraising
• the patient’s right to opt-out of any communication that relates to fundraising.
14. Some ways to address the provisions of the act…
Provision of the Act: Disclosure Restrictions
Action Steps: Update current policies, procedures, and controls to support:
• the ability for a patient to request that PHI not be disclosed when paying for the service fully out-of-pocket.
• the collection and disclosure of the minimum set of PHI practicable to perform business operations
Provision of the Act: Accounting of Disclosures
Action Steps: Develop policies, procedures, and controls to support the following requirements:
• Covered Entities (CEs) and business associates to produce an accounting of all disclosures of a patient’s PHI, upon request
• CEs must either account for PHI disclosures made by business associates or provide a list of all business associates acting on behalf of the CE
Provision of the Act: Prohibition on Sale of EHR
Action Steps: Update current policies, procedures, and controls to support:
• the requirement of specific authorization from patients prior to receiving direct or indirect remuneration for sale of PHI
15. Case Study
Major U.S.-Based Medical Devices Company
Implementation of Data Privacy Program
Background
The company determined that a review of current data privacy practices and controls was needed due to a combination of data privacy inquiries from customers and a global ERP deployment including European operations. The key drivers were:
• Compliance with Federal, state and international regulatory requirements
• Risk of breach of contractual agreements with customers
• Business operations interruption in the EU
Outcome
• Addressed privacy and related business risk (including HITECH considerations)
• Registered as Safe Harbor compliant for both Customer and HR
• Global employee and customer privacy policies deployed (including HITECH considerations)
• Data Protection strategy influenced by data privacy rollout
• Options for de-identification of patient data developed for R&D
• Strategies for movement of Test Data (ERP) developed via Model Contracts
• Information Security strategy informed by Data Privacy initiative
16. Case Study
Global Life Sciences and Medical Device Company
Current State Assessment and Gap Analysis
Background
Following a lost, unencrypted laptop containing PHI that resulted in breach notification, in conjunction with the passage of the HITECH Act, the company determined it needed a better understanding of its data privacy policies and practices. A current state assessment was performed with a special focus on:
• compliance with HIPAA privacy and security rules
• Business Associate Agreements (BAAs) with organizations
Lessons Learned
• PHI was used for secondary uses in their R&D division that were not permitted per customer contracts and BAAs.
• BAAs were not in place with a number of their customers, and the BAAs that did exist were not consistent.
• Assessment findings exposed more significant issues with the company’s vendor management process and procedures.
• The underlying information security program did not support the privacy policies and, as a result, the company was not in compliance with the HIPAA privacy and security rules.
Outcome
• Identified significant areas of exposure to the company based on non-compliance with the HIPAA privacy rule
• Updated BAA template contracts to address HIPAA/HITECH requirements
• Revised privacy policies and standards (e.g. notice language)
• Developed a working relationship between the information security and privacy functions
• Revised and expanded their information security policy
17. Case Study
Major Network of Teaching Hospitals
Current State Assessment and Gap Analysis
Background
Faced with multiple and evolving healthcare regulatory requirements, the company decided to assess and prioritize information security risks and to determine its current state capability to comply with the regulations and to manage identified risks.
Outcome
• An information security risk management roadmap was developed to address key risk and capability gaps in order to align with healthcare regulatory requirements.
• A matrix comprising a rationalized set of 86 legal and regulatory requirements was organized into 12 functional risk areas to serve as the baseline for the assessment.
– The matrix included requirements from HIPAA/HITECH, the Red Flag Rules, statutory requirements, etc.
• In summary, the company identified and initiated procedures and tools to secure EPHI and PII. As a result, the company can now demonstrate progress with the outlined remediation activities in preparation for the implementation of HITECH related requirements, reviews and audits.
18. Case Study
Global Telecommunications Company
Current State Assessment and Gap Analysis
Background
Faced with multiple and evolving regulatory requirements, including HIPAA/HITECH, the company performed a current state assessment of its information security policies to determine whether the current state of the policies complied with HIPAA/HITECH requirements.
Lessons Learned
• The company had not updated information security policies and procedures since the Privacy Act of 2003.
• Policies were developed by Legal Departments to comply with the Privacy Act; however, they consisted only of a recital of the provisions within the Privacy Act.
• The client was out of compliance with its outdated policies and therefore was out of compliance with HIPAA/HITECH requirements.
• The company identified that the existing breach notification policy/process:
– focused on technological risks and did not address privacy risks throughout the organization
– did not include up-to-date escalation procedures
• The company overhauled all information security and privacy policies to address current practices and regulatory requirements.
19. Case Study
Multi-institutional Network of Hospitals across the Northeast
Implementation of Data Privacy Program
Background
The company faced several immediate and long-term regulatory, security and personnel challenges including:
• vacant Chief Information Security Officer position due to personnel changes
• minimal progress in managing system-wide enterprise security risks
• management and regulatory pressure to comply with security requirements
Solution
The company developed a plan to meet these challenges by creating a prioritized roadmap for FY2010 and:
• performed an information security risk assessment to define current and future state across information security domains and capabilities.
• defined short/medium term focus, including a prioritized security implementation plan.
• developed an organizational redesign for the Information Security Office, including governance model, roles and responsibilities across the health system.
• established structured security program management and reporting of key risks.
• provided subject matter experience to key initiatives across the system, including HITECH response.
• executed the Information Security plan and strategy for 2009 and identified priorities for 2010.
20. Penalties & Enforcement
[Figure: enforcement bodies — Department of Health & Human Services, Federal Trade Commission, State Attorneys General]
Enforcement
• Expanded resources and significant funding for DHHS enforcement
• State Attorneys General authorized to pursue actions on behalf of state citizens
• Vendor breaches enforced by the Federal Trade Commission as an unfair and deceptive act or practice
• Civil and criminal liability for HIPAA violations extended to business associates
• Mandatory investigations and civil penalties for violations due to willful neglect
Penalties
• New penalty tiers per HIPAA violation (max/year):
– Unknowing ($25K)
– Reasonable cause ($100K)
– Willful Neglect ($250K)
– Uncorrected willful neglect ($1.5M)
21. Potential Business Impacts of the HITECH Act
Positives:
• Improved individual patient data availability
• Stimulus funding for early EHR adoption
• Improved tracking of chronic disease management
• Evaluation of health care based on value, enabled by the collection of de-identified price and quality information that can be compared.
Challenges:
• Creates additional needs to monitor controls to mitigate the risks due to
heightened oversight and enforcement
• Process re-engineering, system changes, and logical/physical security
mechanisms changes required
• Create new legal processes for Breach notification, data storage, etc.
• Expanded needs for contractual language to include written requirements
• Assessment/Re-engineering of how PHI is exchanged between parties
22. Security/Privacy OVERLAP with HITECH COMPLIANCE
• The following are the top Security/Privacy Issues within Healthcare/Life Sciences Organizations1:
1. Lack of visibility into third parties’/business associates’ privacy practices (esp. older agreements)
2. Lack of adequate training across the organization, including specific training for those who handle personal healthcare information (PHI)
3. Lack of an adequate privacy program
4. Lack of a formal privacy risk assessment process
5. Large number of records stored in hardcopy format (i.e. lack of EHR)
6. Inappropriate use and/or collection of information and information leakage
7. Inadequate segregation of duties (access to information)
8. Inappropriate encryption techniques/technologies
9. Lack of process to identify and classify PHI
10. Lack of compliance with Records Management/Retention Policy
11. Inappropriate conduct of internal employees
12. Exposure to external threats
All with impacts to HITECH compliance
1 Based on respondent results set forth in the Deloitte* 2009 Life Sciences & Health Care Security Study
* As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
23. Contact Info
Stacey Gutwillig
Partner
Deloitte & Touche LLP
sgutwillig@deloitte.com
(617) 437-2637
Mark Steinhoff
Director
Deloitte & Touche LLP
msteinhoff@deloitte.com
(617) 437-2614
Dan Hoye
Manager
Deloitte & Touche LLP
dhoye@deloitte.com
(617) 437-3528
24. Disclaimer
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other
professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect
your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
In addition, this article contains the results of a survey conducted by Deloitte. The information obtained during the survey was taken “as is” and was not validated or confirmed by Deloitte.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.