HIPAA

HIPAA: What's New? 2010. What is HIPAA: Health Insurance Portability and Accountability Act of 1996; Administrative Simplification Subtitle; Privacy Rules; Electronic Data Sets; Security Rules; National Provider Identifiers; HITECH Security Standards (ARRA Regulation). Are we covered?


Presentation Transcript


  1. HIPAA: What's New? 2010

  2. What Is HIPAA
  • Health Insurance Portability and Accountability Act of 1996
  • Administrative Simplification Subtitle
  • Privacy Rules
  • Electronic Data Sets
  • Security Rules
  • National Provider Identifiers
  • HITECH Security Standards (ARRA Regulation)

  3. Are we covered?
  • HHS is a Covered Entity
  • A Covered Entity is an organization that is a:
    • Provider
    • Health Plan
    • Clearinghouse
  • HHS providers are Business Associates
  • A Business Associate is an organization that provides any health-related services

  4. What Is ARRA?
  • American Recovery and Reinvestment Act of 2009
  • Required for the Electronic Health Record movement
  • Required for Healthcare Reform
  • Holds Business Associates to the complete set of HIPAA Regulations

  5. HITECH Security Standards
  • Requires Business Associates to:
    • Notify the Covered Entity of security breaches
  • The latest HITECH security survey shows:
    • 50 percent of organizations have experienced at least one data breach this year;
    • 57 percent of the organizations reported that they now have a greater level of awareness of data breaches and breach risk; and
    • 90 percent of the organizations plan to change policies and procedures to prevent and detect data breaches.

  6. HITECH Security Standards
  • Breach Notification
    • Defines a breach
    • Sets standard timeframes for notification: 60 calendar days after discovery
    • Notification to individuals when their PHI is breached
    • Media notification when more than 500 patient records are breached
    • Notice to the Department of Health and Human Services
    • Notice letters to all involved

  7. HITECH Security Standards
  • Expanded restrictions on accounting and disclosures
    • Business Associates are required to provide an individual, upon request, with an accounting of disclosures of the information in her electronic health record ("EHR") over the last three years
    • Any organization bringing up an EMR/EHR in 2009 will be required to be compliant by 2011

  8. HITECH Security Standards
  • Prohibits the sale of patient names without authorization
  • Restricts marketing practices to:
    • Free marketing, if it communicates services within a program the individual is participating in; OR
    • Marketing that describes healthcare options

  9. HITECH Security Standards
  • Minimum Data Set
    • Limits the sharing of information to "data sets" that are de-identified
    • Requires the removal of name, address, Social Security Number and other key identifiers
  • This is in addition to the HIPAA Privacy Rule Minimum Necessary standard
    • Share only the minimum necessary amount of information so the next person can complete their work responsibilities

  10. HITECH Security Standards
  • History of HIPAA Enforcement
    • 48,000 complaints received by the Department of Health & Human Services (HHS)
    • Vast majority resolved through voluntary compliance or corrective action
    • Handful of criminal prosecutions

  11. Sanctions and Penalties
  • The original HIPAA regulations held Covered Entities to potential sanctions and criminal penalties for breaches
  • HITECH holds Business Associates to the same level of requirements as Covered Entities

  12. Case Study: We've Lost Our Client's Data!
  • A Business Associate discovers that a computer belonging to one of its employees is missing. The last time anyone remembers seeing it was three months ago.
  • Where do you start?
  • What should you be concerned with?

  13. HIPAA Breaches
  • Breaches are classified as:
    • Low Risk
    • Medium Risk
    • High Risk
  • Risk is defined as the potential litigation, confidentiality breach or compliance liability to the organization

  14. Breach Notification
  • Business Associates are required to notify HHS of any breaches involving HHS program participants being managed by the provider, along with what has been done to mitigate the risk.
  • HIPAA issues can be sent to the HIPAA Privacy Officer at CQI@hhshealthoptions.org or faxed to 616-954-1520

  15. Questions
  • Contact HHS via email at CQI@hhshealthoptions.org or call 616-954-1576