ARRA/HITECH Update

Presentation Transcript


  1. ARRA/HITECH Update HIPAA COW Webinar February 23, 2010 Welcome! Everyone please mute your phone at this time by pressing *6 This session is being recorded and will begin in a few minutes.

  2. ARRA/HITECH Update: Compliance with BAA Requirements HIPAA COW Webinar February 23, 2010 Presented By: Cathy Boerner, JD, CHC

  3. Session to Cover:
      • Overview of HITECH Business Associate Agreement (BAA) Provisions
      • Strategies for BAA Compliance
      • Review of HIPAA COW BAA Documents

  4. Disclaimer
      • The information provided in this presentation does not constitute legal advice and is intended to be used for guidance.
      • If you require legal advice, please consult with an attorney.

  5. Overview of HITECH Business Associate Agreement Provisions
      • Feb. 17, 2009, President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA)
      • Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH)
      • HITECH Subtitle D, Part 1 – Improved Privacy Provisions and Security Provisions

  6. Overview of HITECH Business Associate Agreement Provisions
      • The Office for Civil Rights (OCR) is developing regulations which HHS is issuing to implement provisions of the HITECH Act. It is important to keep up to date as the regulations come out in the Federal Register. Check the OCR What’s New website section at http://www.hhs.gov/ocr/office/news/index.html

  7. Overview of HITECH Business Associate Agreement Provisions
      • HIPAA Security Provisions 13401(a)
      • HIPAA Privacy Provisions 13404(a)(b)
      • Enforcement 13401(b) & 13404(c)
      • Accounting of Disclosures 13405(c)(3)
      • Notification of Breaches 45 CFR 164.402-164.412

  8. Overview of HITECH Business Associate Agreement Provisions
      • HITECH requires covered entities to incorporate new business associate provisions into business associate agreements. HITECH Section 13401(a) & 13404(a) of the Act (42 U.S.C. § 17931)
      • Effective February 17, 2010

  9. HITECH Provisions – HIPAA Security • Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. HITECH Section 13401(a) of the Act (42 U.S.C. § 17931)

  10. HITECH Provisions – HIPAA Security • The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity. HITECH Section 13401(a) of the Act (42 U.S.C. § 17931)

  11. HITECH Provisions – HIPAA Security
      • 164.308 – Administrative safeguards
      • 164.310 – Physical safeguards
      • 164.312 – Technical safeguards
      • 164.316 – Policies and procedures and documentation requirements

  12. HITECH Provisions – HIPAA Security
      • Current Business Associate Agreement language says:
      • “Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart.” 45 CFR 164.314

  13. HITECH Provisions – HIPAA Security • For HITECH add: …Business Associate shall document and keep these security measures current. Business Associate shall cooperate in good faith in response to any reasonable requests from Covered Entity to discuss, review, inspect, and/or audit Business Associate’s safeguards.

  14. HITECH Provisions – HIPAA Privacy • Sections 164.504(e) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. See HITECH Section 13404(a)(b) of the Act (42 U.S.C. § 17931)

  15. HITECH Provisions – HIPAA Privacy • The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity. HITECH Section 13404(a)(b) of the Act (42 U.S.C. § 17931)

  16. HITECH Provisions – HIPAA Privacy • 164.504(e) – Business Associate Contracts

  17. HITECH Provisions – HIPAA Privacy
      • Current Business Associate Agreement language says:
      • “Ensure that any agents, including a subcontractor, to whom it provides protected health information…received by the business associate, on behalf of the covered entity, agrees to the same restrictions and conditions that apply to the business associate with respect to such information;”

  18. HITECH Provisions – HIPAA Privacy
      • For HITECH add:
      • “Ensure that any agents, including a subcontractor, to whom it provides protected health information…received by the business associate, on behalf of the covered entity, agrees in writing to the same restrictions and conditions that apply to the business associate with respect to such information;”

  19. HITECH Provisions – Civil and Criminal Penalties • In the case of a business associate that violates applicable provisions, civil and criminal penalties shall apply to the business associate with respect to such violation in the same manner as a covered entity that violates such provision. See HITECH Section 13401(b) of the Act (42 U.S.C. § 17931); see Section 13404(c).

  20. HITECH Provisions Accounting of Disclosures (HIPAA Privacy)

  21. HITECH Provisions – Accounting of Disclosures (HIPAA Privacy) • BAAs already state “Make available the information required to provide an accounting of disclosures in accordance with §164.528” 45 CFR §164.504(e)(2)(ii)(G) (see HITECH Section 13405(c) of the Act (42 U.S.C. § 17931))

  22. HITECH Provisions – Accounting of Disclosures
      • HITECH added: 13405(c)(1)
      • If the covered entity uses an electronic health record then:
      • The accounting of disclosures shall include those to carry out treatment, payment and health care operations
      • During only the three years prior to the date on which the accounting is requested.

  23. HITECH Provisions – Accounting of Disclosures
      • HITECH added: 13405(c)(3)
      • In response to a request from an individual for an accounting, a covered entity shall elect to provide either an— “(A) accounting, as specified under paragraph (1), for disclosures of protected health information that are made by such covered entity and by a business associate acting on behalf of the covered entity; or

  24. HITECH Provisions – Accounting of Disclosures 13405(c)(3)
      • “(B) accounting, as specified under paragraph (1), for disclosures that are made by such covered entity and provide a list of all business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone, and email address).
      • A business associate included on a list under subparagraph (B) shall provide an accounting of disclosures (as required under paragraph (1) for a covered entity) made by the business associate upon a request made by an individual directly to the business associate for such an accounting.”

  25. HITECH Provisions Business Associates Breach Notification

  26. HITECH Provisions – Notification of Covered Entity by Business Associate • A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. HITECH Section 13402(b) of the Act (42 U.S.C. § 17931); 45 CFR §164.410(a)(1) – Notification by a business associate.

  27. HITECH Provisions - Notification of Covered Entity by Business Associate • Such notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach. See HITECH Section 13402(b) of the Act (42 U.S.C. § 17931)

  28. HITECH Provisions - Notification of Covered Entity by Business Associate • Breaches treated as discovered. “A breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate.” 45 CFR 164.410(a)(2)

  29. HITECH Provisions - Notification of Covered Entity by Business Associate • Breaches treated as discovered. • “A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the federal common law of agency).” 45 CFR 164.410(a)(2)

  30. HITECH Provisions - Notification of Covered Entity by Business Associate • Timeliness of notification. • Except as provided in §164.412 [Law Enforcement Exception], a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. 45 CFR 164.410(b)

  31. HITECH Provisions - Notification of Covered Entity by Business Associate • Content of notification. • The notification required shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. 45 CFR 164.410(c)(1)

  32. HITECH Provisions - Notification of Covered Entity by Business Associate • Content of notification. • A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under §164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available. 45 CFR 164.410(c)(2)

  33. Review of HIPAA COW BAA Documents - Addendum
      • Current Business Associate Agreement language says:
      • “Report to the covered entity any security incident of which it becomes aware;” 45 CFR 314(a)(2)(i)(C)
      • “Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;” 45 CFR 504(e)(2)(ii)(C)
      • HIPAA COW Sample BAA includes all three - Reporting of an Incident/Breach, Unauthorized Disclosures or Misuse of PHI (occurrence) Section

  34. Strategies for BAA Compliance
      • Update your Business Associate Agreements
      • Send existing Business Associates new agreements or a letter informing them of updates
      • Emphasize your Breach Notification process with your Business Associates and consider providing a notification form
      • Read the regulations when they are published

  35. HIPAA COW Resources BUSINESS ASSOCIATE AGREEMENT TEMPLATE INCLUDING HITECH ACT REQUIREMENTS & BUSINESS ASSOCIATE NOTIFICATION LETTER (Updated 1/12/2010) www.hipaacow.org

  36. Review of HIPAA COW BAA Documents • Sample Business Associate Notification Letter

  37. Review of HIPAA COW BAA Documents - Addendum
      • Definition Section (1)
        • Breach
        • Electronic Health Record
        • Unsecured Protected Health Information
      • Safeguarding of PHI Section (6 & Exhibit)
      • Subcontractors and Agents (7)
      • Reporting of an Incident/Breach, Unauthorized Disclosures or Misuse of PHI (occurrence) Section (11)
      • Tracking of Accounting of Disclosures Section (14 D, E & F)

  38. Contact Information Catherine Boerner, JD, CHC President (414) 427-8263 cboerner@boernerconsultingllc.com

  39. Implementing Breach Notification – Lessons Learned HIPAA COW Webinar February 23, 2010 Presented By: Nancy Davis

  40. Session to Cover:
      • Overview of HITECH Breach Notification Provisions
      • Strategies for Breach Notification Compliance
      • Review of HIPAA COW Breach Notification Tools
      • Case Examples

  41. Disclaimer
      • The information provided in this presentation does not constitute legal advice and is intended to be used for guidance.
      • If you require legal advice, please consult with an attorney.

  42. HITECH Provisions
      • Require Covered Entities to Notify Individuals of a Breach as Well as HHS “without unreasonable delay” or within 60 days
      • All Breaches (<500) to be Reported to Secretary of DHS on Annual Basis – Year End
      • Further Notification Requirements if > 500 Individuals Involved (Media Outlets)
      • Requirements for Business Associates to Notify Covered Entity of Breach

  43. What is a Breach? • “Unauthorized acquisition, access, use, or disclosure of unsecured patient protected health information (PHI) which compromises the privacy, security, or integrity of the PHI.”

  44. Analysis of Breach
      • Was the PHI Unsecured?
      • Was the HIPAA Privacy Rule Violated?
      • Does the breach pose a significant risk of financial, reputational, or other harm to the individual?
      • If “Yes” to the Above, has the Risk been Mitigated?

  45. Risk Assessment To determine if an impermissible use or disclosure of PHI constitutes a breach, the organization will need to perform a risk assessment to determine if there is significant risk of harm to the individual. The risk assessment shall be fact specific and shall address:
      • Consideration of who impermissibly used or to whom the information was impermissibly disclosed.
      • The type and amount of PHI involved.
      • The potential for significant risk of financial, reputational, or other harm.

  46. Strategies for Breach Notification Compliance
      • Have a Policy in Place
      • Educate Staff on Policy
      • Develop Relevant Forms/Databases
        • Incident Report
        • Breach Log
        • Letter Template

  47. Breach Investigation Report
      • Incident Report
      • Build in Risk Assessment Questions
      • Use to Supplement Log Information

  48. Breach Log Maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected. The following information should be collected/logged:
      • A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known.
      • A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.).
      • A description of the action taken with regard to notification of patients regarding the breach.

  49. Business Associate Responsibilities The business associate (BA) of the organization shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify the organization of such breach. Notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach. Business associate responsibility under ARRA/HITECH for breach notification should be included in the organization’s business associate agreement (BAA) with the associate.

  50. HIPAA COW Resource BREACH NOTIFICATION POLICY PROTECTED HEALTH INFORMATION POLICY www.hipaacow.org
