Gurvinder Singh (CISSP)
Gurvinder@jasgur.com
San Antonio Chapter of The Healthcare Information and
Management Systems Society (HIMSS)
HITECH CHANGES TO HIPAA
WHY SHOULD YOU CARE?
OBJECTIVES
• Overview of HITECH
• Changes to HIPAA under HITECH
• Business Associates & Effects on BAA
• The Breach Notification Rule
DISCLAIMER
(NOT SO FINE PRINT)
The information contained in this session is not
intended to serve as legal advice nor should it
substitute for legal counsel. The material in this
presentation is designed to provide information. The
presentation is not exhaustive, and attendees are
encouraged to seek additional detailed legal guidance
to supplement the information contained herein.
DEFINITIONS
• Protected Health Information (PHI)
  • Any oral or recorded information in any form or medium that is
    • Created or received by the covered entity/BA –AND-
    • Relates to the past, present or future condition of an individual
  • Any information that contains a subset of demographic information collected from an individual
  • Any information that identifies an individual, or where there is a reasonable basis to believe the information can be used to identify an individual
  • Includes any data transmitted or maintained in any form
DEFINITIONS
• Privacy Rule
  • Relates to the privacy of any protected health information (PHI)
• Security Rule
  • Relates specifically to electronic PHI (ePHI) at rest or in transit
Health Insurance Portability and Accountability Act (HIPAA)
• Insurance Reform [Portability]
• Administrative Simplification [Accountability]
  • Privacy (compliance date: 4/14/2003)
  • Security (compliance date: 4/20/2005)
• Fraud and Abuse (Accountability)
HITECH: Health Information Technology for Economic and Clinical Health (9/18/2009)
(HITECH) HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH
(ARRA) AMERICAN RECOVERY AND REINVESTMENT ACT OF 2009
• Increased penalties for HIPAA violations (tiered civil monetary penalties)
• Required audits and investigations
• Increased enforcement and oversight activities
• State Attorneys General will have enforcement authority and may sue for damages and injunctive relief.
• Increased breach notification rules
HITECH Act (ARRA)
How it changed HIPAA: HIPAA is no longer a paper tiger
REQUIREMENT                    COMPLIANCE DATE
1. Business Associates         February 2010
2. Breach Notification         September 2009
3. Self-Payment Disclosures    February 2010
4. Minimum Necessary           August 2010
5. Accounting of Disclosures   January 2011/2014
HITECH Act (ARRA)
Health Information Technology for Economic and Clinical Health
WHO IS A BUSINESS ASSOCIATE?
• If an entity that is not a covered entity is doing something “on your behalf” that is not treatment, you need a BA Agreement with them.
• Applies to payment and health care operations
Examples of Business Associates.
• A third party administrator that assists a health plan with claims processing.
• A CPA firm whose accounting services to a health care provider involve access to protected health information.
• An attorney whose legal services to a health plan involve access to protected health information.
• A consultant that performs utilization reviews for a hospital.
• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf
of a health care provider and forwards the processed transaction to a payer.
• An independent medical transcriptionist that provides transcription services to a physician.
• A pharmacy benefits manager that manages a health plan’s pharmacist network.
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html
BUSINESS ASSOCIATES
PRIVACY RULE IMPACT
• Under Section 13404, a business associate may only use or
disclose PHI in a manner that complies with 45 C.F.R. §
164.504(e) (which describes the requirements for business
associate agreements)
• Thus, business associates will now be regulated directly
through a statutory requirement rather than indirectly through a
contract. Business associates also must comply with the
applicable provisions of the HITECH Act.
• Business associates will be subject to civil and criminal
penalties if they violate these provisions.
Under Section 13401, business associates will be required to
comply with provisions of the HITECH Act, and with the
following provisions of the Security Rule:
• § 164.308 (Administrative Safeguards);
• § 164.310 (Physical Safeguards);
• § 164.312 (Technical Safeguards);
• § 164.316 (Policies and Procedures).
BUSINESS ASSOCIATES
SECURITY RULE IMPACT
BREACH
• Notification required upon “discovery” of a “breach” of “unsecured PHI”
• “Breach” is defined as unauthorized acquisition, access, use or disclosure of unsecured Protected Health Information (PHI) which compromises the security or privacy of such information
• “Compromises” means creates a “significant risk of financial, reputational or other harm to the individual”
• Requires a risk assessment: a fact-specific analysis (consider the nature of the information, the recipient, and mitigation) to determine whether significant harm exists.
Federal Breach Notification Law – Effective Sept 2009
• Applies to all electronic “unsecured PHI” (i.e., unencrypted PHI)
• Requires notification to the Federal Government no later than 60 days if more than 500 individuals are affected
• Annual notification if fewer than 500 individuals are affected
• Requires notification to a major media outlet
• Breach will be listed on a public website
• Requires individual notification to patients in plain language
• Criminal penalties may apply to an individual or employee of a covered entity
CIVIL MONETARY PENALTIES – HITECH
Old rule was: Maximum civil penalty of $100 per violation up to $25,000/year for multiple
violations of same requirement
New rule is: Tiered civil penalty structure:
• Innocent mistakes (did not know and would not have known violation occurred after
reasonable diligence)—$100 per violation (max $25,000) to $50,000 (max $1.5 mil).
• Reasonable cause and not willful neglect—$1,000 per violation up to a maximum of
$100,000/year for multiple violations of same requirement
• Willful neglect but corrected within 30 days—up to $10,000 per violation, up to a
maximum of $250,000/year for multiple violations of the same requirement
• Willful neglect—up to $50,000 per violation that is not timely corrected, up to a
maximum of $1,500,000/year for multiple violations of the same requirement
TYPE OF BREACHES WITH MORE THAN 500 RECORDS BREACHED ACROSS USA
DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
(As of July 3rd 2012)
• Theft: 52%
• Unauthorized Access/Disclosure: 22%
• Loss: 15%
• Hacking/IT Incident: 6%
• Improper Disposal: 5%
TYPE OF BREACHES IN TEXAS
DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
(As of July 3rd 2012)
• Theft: 64%
• Improper Disposal: 11%
• Loss: 8%
• Unauthorized Access/Disclosure: 8%
• Hacking/IT Incident: 6%
• Unknown: 3%
LOCATION OF BREACHES ACROSS USA
DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
(As of July 3rd 2012)
• Laptop: 27%
• Paper: 27%
• Other Portable Electronic Device: 15%
• Computer: 15%
• Network Server: 10%
• Other: 6%
LOCATION OF BREACHES IN TEXAS
DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
(As of July 3rd 2012)
• Laptop: 30%
• Network Server: 16%
• Other Portable Electronic Device: 16%
• Paper: 16%
• Computer: 11%
• Electronic Medical Record: 3%
• E-mail: 3%
• Other: 3%
• Other (X-ray films): 3%
CASE STUDY 1- ALASKA DEPARTMENT OF
HEALTH AND SOCIAL SERVICES (DHSS)
• June 2012: Alaska DHSS settles HIPAA security case for $1,700,000
• Portable electronic storage device (USB hard drive) possibly
containing ePHI was stolen from the vehicle of a DHSS employee.
• HHS concluded that the Alaska Medicaid office did not have sufficient
policies and procedures to protect patient information.
• The state health department had:
  • NOT completed a risk analysis for patient data
  • NOT instituted security training for state workers
  • NOT implemented the data encryption efforts that are required by HIPAA.
http://www.hhs.gov/news/press/2012pres/06/20120626a.html
CASE STUDY 2- PHOENIX CARDIAC SURGERY
(5 PHYSICIAN PRACTICE)
• April 2012: Phoenix Cardiac Surgery settles with HHS for $100,000
• Posted clinical and surgical appointments for its patients containing PHI on
an Internet-based calendar that was publicly accessible.
• HHS investigation also revealed the following issues:
• Phoenix Cardiac Surgery failed to implement adequate policies and
procedures to appropriately safeguard patient information;
• Phoenix Cardiac Surgery failed to document that it trained any employees
on its policies and procedures on the Privacy and Security Rules;
• Phoenix Cardiac Surgery failed to identify a security official and conduct a
risk analysis; and
• Phoenix Cardiac Surgery failed to obtain business associate agreements
with Internet-based email and calendar services where the provision of the
service included storage of and access to its ePHI.
http://www.hhs.gov/news/press/2012pres/04/20120417a.html
CASE STUDY 3 - CRIMINAL PROCEEDINGS
• “Seattle Man Pleads Guilty in First Ever Conviction for HIPAA Rules Violation,” August 19, 2004.
• Richard Gibson, an employee at the Seattle Cancer Care Alliance, obtained a cancer patient’s name, DOB, and SSN and opened credit cards in the patient’s name.
• Spent $9,000 on jewelry, home improvements, etc.
• Received the maximum sentence: 16 months in prison.
WHAT CAN WE LEARN?
• You won’t escape the notice of the HHS just because
you are a small practice. Every
practice, hospital, facility, healthcare entity and anyone that
has access to Protected Health Information (PHI) must be
compliant with the HIPAA Privacy and Security Rules.
• Patients are paying attention and want their information
protected! Patients will not hesitate to report a practice if
they feel their privacy is being breached. Let your patients
know that you take their privacy seriously and what you are
doing in your entity to protect their privacy.
http://www.managemypractice.com/what-can-we-learn-about-hipaa-from-phoenix-cardiac-surgery/
WHAT CAN WE LEARN (CONTINUED)?
• Physicians are not exempt from responsibility. Physicians may
not want to use the hospital or practice network email – they may
want to use their personal Gmail, Yahoo, Hotmail or AOL account for
office business but it is easy to forget and use personal email to
hand off patients, discuss appointments and ask for refill approvals.
Non-secured email services are NOT the right way to send any
patient information.
• Understand your technology. This is why the risk assessment is so
important – you must identify any process or technology you are
currently using that has the potential for PHI to be accessed
inappropriately. Understand and mitigate your risk!
http://www.managemypractice.com/what-can-we-learn-about-hipaa-from-phoenix-cardiac-surgery/
WHAT CAN YOU DO?
SHORT HITECH-HIPAA CHECKLIST:
• Put together a breach notification policy.
• A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is required by law to be performed by every Covered Entity and Business Associate.
• Find all your existing business associate agreements and update them.
• Educate your staff about HITECH and document the trainings.
• Encrypt if you can, or at least where you can.
• Monitor DHHS activities for the publication of additional guidance and proposed regulations.
This is also a good time to review all your HIPAA policies and re-educate your
staff. The rules have changed, and the risks are much, much higher.
RESOURCES
• Risk Assessment Basics from HIMSS
www.himss.org/asp/ContentRedirector.asp?ContentID=76250
• Tools and methods available for risk analysis and risk management
http://www.hhs.gov/ocr/hipaa
• 45 CFR Parts 160 and 164, Breach Notification for Unsecured Protected
Health Information; Interim Final Rule, Health and Human Services
(HHS), August 2009
http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
• HIPAA information webpage
http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
• http://www.linkedin.com/groups/All-Things-HITECH-3873240
QUESTIONS
 
Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...
Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...
Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...
 
Mumbai Call Girls Service 9910780858 Real Russian Girls Looking Models
Mumbai Call Girls Service 9910780858 Real Russian Girls Looking ModelsMumbai Call Girls Service 9910780858 Real Russian Girls Looking Models
Mumbai Call Girls Service 9910780858 Real Russian Girls Looking Models
 
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hsr Layout Just Call 7001305949 Top Class Call Girl Service Available
 
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...
Call Girls Frazer Town Just Call 7001305949 Top Class Call Girl Service Avail...
 
Aspirin presentation slides by Dr. Rewas Ali
Aspirin presentation slides by Dr. Rewas AliAspirin presentation slides by Dr. Rewas Ali
Aspirin presentation slides by Dr. Rewas Ali
 

Hitech changes-to-hipaa

  • 7. HITECH Act (ARRA): How it changed HIPAA? No more a Paper Tiger
    • Increased penalties for HIPAA violations (tiered civil monetary penalties)
    • Required audits and investigations
    • Increased enforcement and oversight activities
    • State Attorneys General now have enforcement authority and may sue for damages and injunctive relief
    • Increased breach notification rules
  • 8. HITECH Act (ARRA): Health Information Technology for Economic and Clinical Health
    Requirement                    Compliance date
    1. Business Associates         February 2010
    2. Breach Notification         September 2009
    3. Self-Payment Disclosures    February 2010
    4. Minimum Necessary           August 2010
    5. Accounting of Disclosures   January 2011/2014
  • 9. WHO IS A BUSINESS ASSOCIATE?
    • If an entity that is not a covered entity is doing something "on your behalf" that is not treatment, you need a BA Agreement with them.
    • Applies to payment and health care operations.
    Examples of Business Associates:
    • A third party administrator that assists a health plan with claims processing.
    • A CPA firm whose accounting services to a health care provider involve access to protected health information.
    • An attorney whose legal services to a health plan involve access to protected health information.
    • A consultant that performs utilization reviews for a hospital.
    • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
    • An independent medical transcriptionist that provides transcription services to a physician.
    • A pharmacy benefits manager that manages a health plan's pharmacist network.
    http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html
  • 10. BUSINESS ASSOCIATES: PRIVACY RULE IMPACT
    • Under Section 13404, a business associate may only use or disclose PHI in a manner that complies with 45 C.F.R. § 164.504(e) (which describes the requirements for business associate agreements).
    • Thus, business associates are now regulated directly through a statutory requirement rather than indirectly through a contract. Business associates must also comply with the applicable provisions of the HITECH Act.
    • Business associates are subject to civil and criminal penalties if they violate these provisions.
  • 11. BUSINESS ASSOCIATES: SECURITY RULE IMPACT
    Under Section 13401, business associates are required to comply with provisions of the HITECH Act and with the following provisions of the Security Rule:
    • § 164.308 (Administrative Safeguards)
    • § 164.310 (Physical Safeguards)
    • § 164.312 (Technical Safeguards)
    • § 164.316 (Policies and Procedures)
  • 12. BREACH
    • Notification is required upon "discovery" of a "breach" of "unsecured PHI".
    • "Breach" is defined as the unauthorized acquisition, access, use or disclosure of unsecured Protected Health Information (PHI) which compromises the security or privacy of that information.
    • "Compromises" means creates a "significant risk of financial, reputational or other harm to the individual".
    • Requires a risk assessment: a fact-specific analysis (consider the nature of the information, the recipient, and any mitigation) to determine whether significant harm exists.
    • This "significant risk of harm" standard is the one in the 2009 interim final rule that was in force when this deck was written. The January 2013 HIPAA Omnibus Final Rule replaced it: an impermissible use or disclosure of PHI is now presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised.
  • 13. Federal Breach Notification Law – Effective Sept 2009
    • Applies to all "unsecured PHI": PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons under HHS guidance (unencrypted ePHI, or paper that has not been destroyed). Encrypting ePHI to that guidance is the safe harbor; an encrypted device that is lost or stolen is not a reportable breach.
    • Requires notification to HHS no later than 60 days after discovery if 500 or more individuals are affected
    • Breaches affecting fewer than 500 individuals are logged and reported to HHS annually
    • Requires notification to prominent media outlets when more than 500 residents of a State or jurisdiction are affected
    • Breaches affecting 500 or more individuals are listed on a public HHS website
    • Requires individual notification to patients in plain language, without unreasonable delay and no later than 60 days after discovery
    • Criminal penalties may apply to an individual or an employee of a covered entity
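    The thresholds and deadlines on this slide, written out as a decision routine so the branches (who must be told, and by when) can be checked against an incident record. This is an added example and is not part of the presentation. It assumes the rule as codified at 45 CFR 164.404-164.408: individual notice within 60 calendar days of discovery, HHS notice within the same window when 500 or more individuals are affected and otherwise within 60 days after the end of the calendar year, media notice when more than 500 residents of one State or jurisdiction are affected, and no notice at all for PHI secured per HHS guidance. Discovery is treated as day zero. The `Breach` and `Obligations` types, the function names and the sample incidents are constructed for illustration. Whether an incident is a breach at all (the risk assessment on the previous slide) is a question for counsel, not for code.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# 45 CFR 164.404-164.408: "without unreasonable delay and in no case later
# than 60 calendar days" after discovery. Discovery date is day zero.
NOTICE_WINDOW_DAYS = 60
HHS_IMMEDIATE_THRESHOLD = 500   # 500 or more individuals -> HHS told now
MEDIA_THRESHOLD = 500           # more than 500 residents of one State -> media


@dataclass
class Breach:
    """One incident record (hypothetical type, not from the deck)."""
    discovered: date                     # date the breach was, or should have been, discovered
    individuals: int                     # total individuals whose PHI was involved
    residents_by_state: Dict[str, int]   # affected residents per State/jurisdiction
    phi_secured: bool = False            # encrypted or destroyed per HHS guidance


@dataclass
class Obligations:
    individual_notice_by: Optional[date]
    hhs_notice_by: Optional[date]
    hhs_public_listing: bool
    media_notice_states: List[str] = field(default_factory=list)


def notification_obligations(b: Breach) -> Obligations:
    """Return who must be notified, and by when, for a breach of unsecured PHI."""
    if b.phi_secured:
        # Safe harbor: secured PHI is outside the breach notification rule.
        return Obligations(None, None, False, [])

    individual_by = b.discovered + timedelta(days=NOTICE_WINDOW_DAYS)

    if b.individuals >= HHS_IMMEDIATE_THRESHOLD:
        # HHS is notified contemporaneously with the individuals, and the
        # breach goes on the public HHS list.
        hhs_by, public = individual_by, True
    else:
        # Smaller breaches are logged and submitted within 60 days after the
        # end of the calendar year in which they were discovered.
        year_end = date(b.discovered.year, 12, 31)
        hhs_by, public = year_end + timedelta(days=NOTICE_WINDOW_DAYS), False

    media_states = sorted(
        state for state, n in b.residents_by_state.items() if n > MEDIA_THRESHOLD
    )
    return Obligations(individual_by, hhs_by, public, media_states)


def obligations_for(discovered_iso: str, individuals: int,
                    residents_by_state: Dict[str, int],
                    phi_secured: bool = False) -> Obligations:
    """Convenience wrapper taking the discovery date as an ISO string."""
    b = Breach(date.fromisoformat(discovered_iso), individuals,
               residents_by_state, phi_secured)
    return notification_obligations(b)


if __name__ == "__main__":
    # Constructed sample incidents, not real breaches.
    samples = {
        "stolen unencrypted laptop": obligations_for("2012-07-03", 1200, {"TX": 900, "OK": 300}),
        "misdirected fax":           obligations_for("2012-07-03", 120, {"TX": 120}),
        "stolen encrypted USB drive": obligations_for("2012-07-03", 5000, {"TX": 5000}, phi_secured=True),
    }
    for name, o in samples.items():
        print(f"{name}: {o}")
```

    The two thresholds are deliberately different comparisons (`>=` for HHS, `>` for media) because the regulation words them differently; that detail is easy to get wrong in a policy document and is the kind of thing a routine like this pins down.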
  • 14. CIVIL MONETARY PENALTIES – HITECH
    Old rule: maximum civil penalty of $100 per violation, up to $25,000 per year for multiple violations of the same requirement.
    New rule: tiered civil penalty structure. The per-violation amounts below are the statutory floors of each tier; under the HHS enforcement rule every tier can reach $50,000 per violation and $1,500,000 per calendar year for violations of the same requirement.
    • Did not know (and would not have known after reasonable diligence): $100 per violation (max $25,000/year) up to $50,000 per violation (max $1.5 million/year)
    • Reasonable cause and not willful neglect: $1,000 per violation, up to a maximum of $100,000/year for multiple violations of the same requirement
    • Willful neglect, corrected within 30 days: $10,000 per violation, up to a maximum of $250,000/year for multiple violations of the same requirement
    • Willful neglect, not timely corrected: $50,000 per violation, up to a maximum of $1,500,000/year for multiple violations of the same requirement
  • 15. TYPE OF BREACHES WITH 500 OR MORE RECORDS BREACHED ACROSS USA (Department of Health and Human Services, HHS; as of July 3rd 2012)
    Theft 52%; Unauthorized Access/Disclosure 22%; Loss 15%; Hacking/IT Incident 6%; Improper Disposal 5%
    http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
  • 16. TYPE OF BREACHES IN TEXAS (HHS; as of July 3rd 2012)
    Theft 64%; Improper Disposal 11%; Loss 8%; Unauthorized Access/Disclosure 8%; Hacking/IT Incident 6%; Unknown 3%
    http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
  • 17. LOCATION OF BREACHES ACROSS USA (HHS; as of July 3rd 2012)
    Laptop 27%; Paper 27%; Other Portable Electronic Device 15%; Computer 15%; Network Server 10%; Other 6%
    http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
  • 18. LOCATION OF BREACHES IN TEXAS (HHS; as of July 3rd 2012)
    Laptop 30%; Network Server 16%; Other Portable Electronic Device 16%; Paper 16%; Computer 11%; Electronic Medical Record 3%; E-mail 3%; Other 3%; Other (X-ray films) 3%
    http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
  • 19. CASE STUDY 1 – ALASKA DEPARTMENT OF HEALTH AND SOCIAL SERVICES (DHSS)
    • June 2012: Alaska DHSS settles HIPAA security case for $1,700,000
    • A portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee.
    • HHS concluded that the Alaska Medicaid office did not have sufficient policies and procedures to protect patient information. The state health department had:
      • NOT completed a risk analysis for patient data
      • NOT instituted security training for state workers
      • NOT implemented the data encryption efforts that are required by HIPAA
    http://www.hhs.gov/news/press/2012pres/06/20120626a.html
  • 20. CASE STUDY 2 – PHOENIX CARDIAC SURGERY (5-PHYSICIAN PRACTICE)
    • April 2012: Phoenix Cardiac Surgery settles with HHS for $100,000
    • Posted clinical and surgical appointments for its patients, containing PHI, on an Internet-based calendar that was publicly accessible.
    • The HHS investigation also revealed the following issues:
      • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
      • failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
      • failed to identify a security official and conduct a risk analysis; and
      • failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
    http://www.hhs.gov/news/press/2012pres/04/20120417a.html
  • 21. CASE STUDY 3 – CRIMINAL PROCEEDINGS
    • "Seattle Man Pleads Guilty in First Ever Conviction for HIPAA Rules Violation," August 19, 2004.
    • Richard Gibson, an employee at the Seattle Cancer Care Alliance, obtained a cancer patient's name, date of birth and SSN and opened credit cards in the patient's name.
    • Charged $9,000 for jewelry, home improvements, etc.
    • Got the maximum sentence: 16 months in prison.
  • 22. WHAT CAN WE LEARN?
    • You won't escape the notice of HHS just because you are a small practice. Every practice, hospital, facility, healthcare entity and anyone that has access to Protected Health Information (PHI) must be compliant with the HIPAA Privacy and Security Rules.
    • Patients are paying attention and want their information protected! Patients will not hesitate to report a practice if they feel their privacy is being breached. Let your patients know that you take their privacy seriously and what you are doing in your entity to protect it.
    http://www.managemypractice.com/what-can-we-learn-about-hipaa-from-phoenix-cardiac-surgery/
  • 23. WHAT CAN WE LEARN (CONTINUED)?
    • Physicians are not exempt from responsibility. Physicians may not want to use the hospital or practice network email; they may want to use their personal Gmail, Yahoo, Hotmail or AOL account for office business, and it is easy to forget and use personal email to hand off patients, discuss appointments and ask for refill approvals. Non-secured email services are NOT the right way to send any patient information.
    • Understand your technology. This is why the risk assessment is so important: you must identify any process or technology you are currently using that has the potential for PHI to be accessed inappropriately. Understand and mitigate your risk!
    http://www.managemypractice.com/what-can-we-learn-about-hipaa-from-phoenix-cardiac-surgery/
  • 24. WHAT CAN YOU DO? SHORT HITECH-HIPAA CHECKLIST:
    • Put together a breach notification policy.
    • A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is required by law to be performed by every Covered Entity and Business Associate.
    • Find all your existing business associate agreements and update them.
    • Educate your staff about HITECH and document the trainings.
    • Encrypt if you can, or at least where you can.
    • Monitor DHHS activities for the publication of additional guidance and proposed regulations.
    This is also a good time to review all your HIPAA policies and re-educate your staff. The rules have changed, and the risks are much, much higher.
  • 25. RESOURCES
    • Risk Assessment Basics from HIMSS: www.himss.org/asp/ContentRedirector.asp?ContentID=76250
    • Tools and methods available for risk analysis and risk management: http://www.hhs.gov/ocr/hipaa
    • 45 CFR Parts 160 and 164, Breach Notification for Unsecured Protected Health Information; Interim Final Rule, Health and Human Services (HHS), August 2009: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
    • HIPAA information webpage: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
    • http://www.linkedin.com/groups/All-Things-HITECH-3873240

Editor's Notes

  1. HHS' Office for Civil Rights is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. The American Recovery and Reinvestment Act of 2009 (ARRA) requires HHS to audit covered entity and business associate compliance with the HIPAA privacy and security standards. In summary, since the compliance date in April 2003, HHS has received over 71,849 HIPAA complaints and resolved ninety-one percent of them (over 65,460): over 16,708 through investigation and enforcement, requiring changes in privacy practices and other corrective actions by the covered entities; 8,514 through investigation and a finding of no violation; and 40,238 through closure of cases that were not eligible for enforcement. Previously, HIPAA violations were investigated and enforced through the federal Department of Health and Human Services and Department of Justice, but now state attorneys general also have authority to bring a HIPAA enforcement action.
  2. Ignorance is not an excuse for anything. It does not matter if you are an IT organization that is not HIPAA compliant and you work with clients who are not HIPAA compliant that have PHI on your equipment: you could be fined. You cannot tell HHS you did not know. That is not an excuse; you should have known, and you could be fined. Effective February 17, 2010: Business Associates are directly accountable for HIPAA compliance in addition to contractual requirements. Patients may request restrictions on billing disclosures when they self-pay. Limited Data Sets are considered the default standard for complying with HIPAA's Minimum Necessary standard. Patients may request electronic copies of their PHI when the data is held in an EHR, and that their records be sent to others in an electronic format. Limitations and prohibitions on using PHI for marketing and fundraising are strengthened, and sale of PHI is prohibited. Phased in beginning 1/1/2011: all disclosures of PHI from an EHR must be accounted for, including those for treatment, payment and healthcare operations.
  3. For HIPAA Business Associates, HITECH imposes even more serious changes: Business Associates are now responsible for following all HIPAA Privacy and Security regulations with respect to all protected health information that they obtain or generate. Unauthorized use or disclosure by Business Associates of any protected health information leaves the Business Associate equally liable to damages and unfavorable publicity.
  4. Many vendors do not know what changes HITECH imposed on HIPAA. Really! We have spoken to many professionals who are surprised that HIPAA is changing and who are now scrambling to figure out "what to do". The HITECH changes are very significant for Business Associates. In the old scheme, all burden and liability was on the customer (the Covered Entity), and most Business Associate agreements just said things like "be sure to use our services in a way that doesn't violate HIPAA". The Business Associate was under no obligation to follow the HIPAA Security and Privacy rules themselves. Vendors will probably have to revise their privacy policies and Business Associate Agreements.
  5. As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. 