1 / 23

American Recovery and Reinvestment Act of 2009 Changes to HIPAA and the Impact to YOU

American Recovery and Reinvestment Act of 2009 Changes to HIPAA and the Impact to YOU. Terrell Herzig, Data Security Officer, HSIS. American Recovery and Reinvestment Act of 2009 (ARRA). The goal: to stimulate the US economy, but impacts go beyond economic/financial arenas

isla
Download Presentation

American Recovery and Reinvestment Act of 2009 Changes to HIPAA and the Impact to YOU

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. American Recovery and Reinvestment Act of 2009Changes to HIPAA andthe Impact to YOU Terrell Herzig, Data Security Officer, HSIS

  2. American Recovery and Reinvestment Act of 2009 (ARRA) • The goal: to stimulate the US economy, but impacts go beyond economic/financial arenas • Privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are expanded: • HIPAA regulations apply to business associates • Breach notification requirements • Regional privacy advisors and education campaign • Improved enforcement

  3. Today’s Objectives • To make members of the UAB/UABHS workforce aware of new HIPAA regulations, or changes in current HIPAA regulations with regard to the following: • Breach and breach notification • Enforcement • Business Associate Agreements

  4. First Federal Definition of Breach • Breach: • The unauthorized acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of the information • Exceptions: • Unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of a covered entity • Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity, to another person authorized to access PHI at the covered entity • Unauthorized disclosures in which an unauthorized person to whom PHI is disclosed would not reasonably have been able to retain the information

  5. What constitutes a breach? • A breach could result from: • Failing to log off when leaving a workstation • Unauthorized access to PHI • Sharing confidential information, including passwords • Having patient-related conversations in public settings • Improper disposal of confidential materials in any form • Copying or removing PHI/Electronic PHI (ePHI) from the appropriate area • Why? • Curiosity • Laziness • Compassion • Greed or malicious intent

  6. So… • Bill, a billing employee, receives and opens an email containing PHI that a nurse, Nancy, mistakenly sent to Bill. Bill notices that he is not the intended recipient, alerts Nancy to the misdirected email and deletes it. Bill unintentionally accessed PHI that he was not authorized to access. However, he opened the email within the scope of his job for the covered entity. He did not further use or disclose the PHI. Was this a breach of PHI?

  7. And the answer is… • No. This was not a breach of PHI as long as Bill did not further use or disclose the information accessed in a manner not permitted by the privacy rule.

  8. What about… • Rhonda is a receptionist for a covered entity, and due to her work responsibilities, she is not authorized to access PHI. Rhonda decides to look through patient files to learn about a friend’s last visit to the doctor. Does Rhonda’s action constitute a breach?

  9. The answer is… • Yes. Rhonda accessed PHI without a work-related need to know. This access was not unintentional, done in good faith or within the scope of her job for the covered entity.

  10. How about this?

  11. Breach Notification • If it is determined that a breach of PHI occurred, then the covered entity must notify the affected individual (or next-of-kin) as soon as possible, but not later than 60 days from discovering the breach. • First class letter (or email if appropriate) detailing the breach • Add to breach log maintained and submitted annually to the Department of Health and Human Services to be posted on its Web site • If more than 500 individuals are affected, additional requirements include: • Immediate notification of the Department of Health and Human Services to post on its Web site • Notify major media outlets in covered entity area • Post on covered entity Web site home page for 90 days

  12. Breach Notification • September 23, 2009: Breach notification regulations take effect • February 22, 2010: Department of Health and Human Services (HHS) begins enforcement of the rule

  13. Breach Notification Process at UAB/UABHS • The UAB/UABHS Privacy Office is responsible for overseeing and/or managing the breach investigation and notification processes. • Privacy complaints and suspected breach response procedures: • The covered entity’s Entity Privacy Coordinator (EPC) will notify Privacy Officer (PO) and lead the preliminary investigation. • EPCs will provide PO with all necessary documentation. • Breach notification procedures: • PO will notify appropriate UAB/UABHS officials • PO and Legal, with UAB HIPAA security officer, will determine risks and actions to be taken • EPC and the covered entity will notify patients as directed by PO and Legal

  14. Breach Notification Process at UAB/UABHS • Step-by-step procedures are provided to EPCs. • Although each breach will be considered on a case-by-case basis, templates for notification letters and media press releases are available. • Assistance for posting to UAB/UABHS website is provided. • Procedure for establishing a toll-free, call-in number for affected individuals is available. • Credit monitoring services may be offered to impacted individuals. • Department in which breach occurs will be responsible for cost of patient notification, credit monitoring and other associated costs.

  15. Enhanced Enforcements • ARRA provides that the HIPAA criminal and civil fines and penalties can be enforced against INDIVIDUALS, as well as covered entities who obtain or disclose PHI without authorization. • State attorneys general can pursue civil cases against INDIVIDUALS who violate the HIPAA privacy and security regulations. • Four tiers of civil monetary penalties are available to HHS. • Civil monetary penalties include fines from $100 per violation up to $1.5 million for a series of identical violations during a calendar year. • Criminal penalties for “wrongful disclosure” continue, which include both large fines of $50,000 to $250,000, and up to 10 years in prison.

  16. A Breach Has Many Risks • Risks to individual whose PHI is compromised: • Embarrassment, misuse of personal data, victim of fraud or scams, identity theft • Risks to employee: • Loss of data, time, funding, reputation, embarrassment, disciplinary action up to and including termination, fines, penalties, prosecution • Risks to the institution: • Loss of information and equipment, trust of constituencies, reputation, future grant awards, negative publicity, penalties, fines, litigation • Risks to research: • Loss of data or data integrity, funding in jeopardy

  17. Any Good News? • ARRA further identified the information to which the breach notification provisions apply. It defined “unsecured protected health information” as PHI that is not secured through the use of a technology or methodology that renders it unusable, unreadable or indecipherable, and that is developed or endorsed by the American National Standards Institute. • Therefore, for breaches involving the misuse, loss or inappropriate disclosure of paper or electronic data, there are some home-free methods under which the loss would indicate no harm done: • Paper = secured by use of crosscut shredder (destroyed) • Electronic data = encrypted data files and/or transmissions

  18. A Coordinated Effort • When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together • Immediately • Cooperatively • Efficiently • Carefully • Confidentially

  19. Reminders • Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding. • Media such as CDs, disks or thumb drives containing PHI/sensitive information must be cleaned or sanitized before reallocating or destroying. • Sanitize means to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media. • If media are to be destroyed, place them in specially marked secure containers for destruction after they have been sanitized. • NOTES: Deleting a file does not actually remove the data from the media. • Formatting does not constitute sanitizing the media. • Contact your information systems representative for assistance with sanitization and destruction methods.

  20. More Reminders • Store sensitive and confidential information securely in a directory on a secure network file server. Information stored on the hard drive (C: drive) of a computer or portable computing device (PCD) can be lost or compromised. PCDs include handheld, notebook and laptop computers, personal digital assistants (PDAs) and portable memory devices such as flash disks, thumb drives, jump drives, etc. • Use of PCDs for ePHI must be approved by senior management. • PCDs must be inventoried and maintain appropriate security protection. PCDs used for PHI must be encrypted. Ask your information systems representative for help securing PCDs.

  21. Your Responsibility • If you notice, hear, see or witness any activity that you think might be a breach of privacy or security, please let someone know immediately. It is much better to investigate and discover no breach than to wait and later discover that something did happen. The 60-day clock of notifying affected individuals begins when the breach should have been discovered. • Continue to be mindful of HIPAA privacy and security regulations, and practice the provisions of the UAB/UABHS privacy and security core standards. Additionally, the basic HIPAA training is always available for review on the UAB/UABHS HIPAA Web site at http://www.hipaa.uab.edu/pdffiles/UABHS_HIPAA_training_08_2009.pdf. • Refer to the UAB/UABHS Information Security Handbook at www.hipaa.uab.edu/pdffiles/Information_Security_Handbook_03_2009.pdf.

  22. Business Associate Agreements (BAAs) • Review: A BAA is required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which will involve the use or disclosure of the covered entity’s PHI. • Make sure your department has BAAs for vendors that access our PHI. • The UAB/UABHS BAA is being revised and will be available for use beginning October 1, 2009. • At this time, current BAAs will not have to be replaced with the new format; however, that could change depending upon additional guidance from the Department of Health and Human Services. • Biggest change: entities must maintain a list of all active BAAs and copies of the fully executed BAAs.

  23. Additional Communications • The American Recovery and Reinvestment Act of 2009 (ARRA) brought with it major impacts to the HIPAA privacy and security regulations. These changes do not occur over a period of several years as was experienced with the enforcement of HIPAA. • This update provides the most immediate changes to HIPAA compliance. • Additional guidance is expected from the Department of Health and Human Services. • Other meetings, announcements, trainings and awareness activities are most probable. • So, until next time… • Thank you!

More Related