1 / 29

HIPAA Update: So what’s new with HIPAA?? And, what does it have to do with you?

HIPAA Update: So what’s new with HIPAA?? And, what does it have to do with you?. WV Attorney General’s Office Consumer Protection Division. Ellen Cannon, WV DHHR HIPAA Privacy Officer . Show me the money!. $2B to ONC $17.2B for EHR incentives through Medicare/Medicaid

artie
Download Presentation

HIPAA Update: So what’s new with HIPAA?? And, what does it have to do with you?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Update:So what’s new with HIPAA?? And, what does it have to do with you? WV Attorney General’s OfficeConsumer Protection Division Ellen Cannon, WV DHHR HIPAA Privacy Officer

  2. Show me the money! • $2B to ONC • $17.2B for EHR incentives through Medicare/Medicaid • $4.7B for Nat’l Telecommunications and Information Administration’s Broadband Technology Opportunities Program • $2.5B for USDA’s Distance Learning, Telemedicine and Broadband Program

  3. Even More Money! • $1.5B for health centers from HRSA • $1.1B for Comparative effectiveness research within AHRQ, NIH and HHS • $85M for Health IT within Indian Health Svs • $500M for SSA • $50M for IT within the VA

  4. New HIPAA Provisions • Major impact on HIPAA Business Associates • New breach notification requirements • Greater patient and consumer rights • More aggressive enforcement • Note: most provisions effective February 2010

  5. When you leave here, will you know all of the new HIPAA Requirements? • NO! Do you have 5 hours?? • HHS is still in interpretive process • Guidance and regs are forthcoming

  6. New HIPAA Business Associate Requirements • Feds have increased control over BAs (vendors to HIPAA covered entities, such as a billing company) • Civil and criminal penalties now apply directly • Makes certain HIPAA privacy and security regs apply directly to BAs • Makes clear that PHR and HIE vendors are BAs • Requires BA to notify covered entity of a breach, without unreasonable delay, but no longer than 60 days

  7. New Breach Notification Requirements for Covered Entities and PHRs • Must notify impacted individuals without unreasonable delay, but no longer than 60 days • If more than 500 individuals are impacted, the Secretary of HHS and media must be given notice. If less than 500, annual reports must be made to HHS • HHS will “out” those involved in breaches >500 on a website and to notify Congress • New breach notification requirements for PHRs

  8. New Consumer Rights • Covered entities, such as a primary care center, hospital, physician or health plan, will need to be able to restrict disclosure of health information for payment or operations, if a consumer requests the restriction and pays out of pocket. • For many medical care providers this one may be difficult. Coding may be needed to prevent billing information from going to insurance plans

  9. New Consumer Rights Cont’d • For covered entities that have an EHR, they, or their vendor will need to respond to a consumer’s request for an accounting of all disclosures for TPO for 3 years prior. For entities with EHR prior to January 2009, applies to disclosures after January 2014. Regulations interpret EHRs to be more than physician records.

  10. New Consumer Rights Cont’d • For covered entities that have an EHR, they will also have to provide an individual with a copy of their health information in electronic format, upon request • OCR will develop national and regional initiatives to support consumer education around privacy and security requirements and uses of health information

  11. New Requirements • Prohibits a covered entity or business associate from receiving remuneration in exchange for PHI, without individual authorization. Exceptions: public health, research, treatment, sale of a business, BA activities, individual access, etc. • New restrictions around marketing and fundraising. Targets communications paid by 3d parties, such as from drug companies. • OCR will issue new guidance regarding limitation of uses, disclosures and requests for PHI to a limited data set, or if necessary, to the minimum necessary information. Existing exceptions still in force.

  12. Enforcement Changes • Individuals can be prosecuted for criminal violations • Creates 4 tiers of violations: from where an individual did not know, to willful neglect not corrected • Penalties range from $100 to $50K+. Limit of $1.5M • State AG can now bring suit • HHS will develop a process to share money penalties or settlements with harmed individuals • Periodic audits of covered entities and BAs by HHS

  13. Covered Entities Should Develop an Action Plan • Conduct self assessment about new requirements • Update risk assessment • Update policies and procedures; revise breach reporting and notification procedures • Evaluate impact of HHS guidance re encryption, etc. and determine how PHI will be secured • Update business associate agreements • Conduct staff training

  14. Enforcement Changes • Four categories of violations - increasing levels of culpability; • Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and • A maximum penalty amount of $1.5 million for all violations of an identical provision. • Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and • Prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.  • All of the above effective on February 18, 2009

  15. Civil Monetary Penalties • The CMP are significantly increased. • From $100 for each violation to $1,000 per violation for a violation due to "reasonable cause and not to willful neglect" (with a maximum penalty of $100,000); • $10,000 for each violation that was due to willful neglect and is corrected (subject to a $250,000 maximum penalty); • and $50,000 for each violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year).

  16. HITECH Act Rulemaking and Implementation Update 3/15/10 • http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechblurb.html • OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

  17. HITECH Act Rulemaking and Implementation Update 3/15/10 (Cont.) • However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification.  New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009.  Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

  18. Breach Notification • Rules have been published • A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.  • OCR Breach Notification web site http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

  19. Breach Does Not Mean • unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and such information is not further acquired, accessed, used, or disclosed by any person;

  20. Breach Does Not Mean • or any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person

  21. Breach Does Not Mean • if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.

  22. Unsecured Protected Health Information • Covered entities and business associates must only provide the required notification if the breach involved unsecured protected health information.  Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. 

  23. Guidance • Unsecured Protected Health Information and Guidance • This guidance was issued in April 2009 • http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

  24. Use Encryption • Data in Transit –Use the e-mail encryption program. • Data at Rest – Use whole drive encryption. • Data at Rest – Use encryption for CDs, DVDs, and jump or thumb drives. You need to be aware of data use and manage the security of the data. Consider the cost of notification against the purchase price of security.

  25. CLIA Program and HIPAA PrivacyRule; Patients’ Access to Test Reports • NPRM open for comment until no later than 5 p.m. on November 14, 2011. http://www.hhs.gov/ocr/privacy/index.html • HITECH created a Federal advisory committee known as the Health Information Technology (HIT) Policy Committee which can look at barriers to implementation an interoperable, nationwide health information infrastructure. The committee recommended that the CLIA exemption from provision of information to the patient is barrier exchange of data and should be taken down. • Amends (CLIA) regulations to specify that, upon a patient’s request, the laboratory may provide access to completed test reports that, using the laboratory’s authentication process, can be identified as belonging to that patient. Removes an exemption from HIPAA so that CLIA labs that are HIPAA covered entities must comply with HIPAA.

  26. Ellen Cannon, HIPAA Privacy OfficerPhone 304-558-5965FAX304-558-8433 ellen.e.cannon@wv.gov WV DHHRState Capitol ComplexBldg 3 Room 215Charleston WV 25305 Original presentation prepared by Sallie Milam, JD, CIPP/G Samantha Stamper

More Related