
Tri-State REC: Basic Privacy and Security Issues for Physician Practices


Presentation Transcript


  1. Tri-State REC: Basic Privacy and Security Issues for Physician Practices
  Claudia Allen, Privacy Officer, HealthBridge

  2. ARRA Privacy Provisions
  American Recovery and Reinvestment Act of 2009 (“ARRA”):
  • Establishes the Office of the National Coordinator for Health Information Technology (“ONC”)
  • Extends HIPAA Privacy and Security requirements to Business Associates (“BA”)
  • Establishes breach identification and notification requirements
  • Calls for education initiatives on the uses of health information
  • Establishes further restrictions on “sales” of health information
  • New disclosure accounting requirements
  • New access requirements for EHR by individuals
  • Increased enforcement initiatives
  • Generally effective February 17, 2010

  3. A Bit of History
  • HIPAA passed in 1996, but the Privacy and Security Rules went into effect in 2003
  • HIPAA does not pre-empt state law if the state law requires a higher standard
  • Covered Entities are subject to rules protecting the privacy/confidentiality of Protected Health Information (“PHI”)

  4. A Bit of History (cont.)
  • Covered Entities
    • Providers of health care services
      • Physicians, dentists, chiropractors, psychologists
      • Clinics, nursing homes, pharmacies, laboratories
    • Health Plans and Clearinghouses
  • PHI is medically related information that is
    • Identifiable to the individual
      • E.g., name, address, phone, birth date, social security number
    • Transmitted or maintained by
      • electronic media
      • any other media

  5. A Bit of History (cont.)
  Permitted uses of PHI without consent:
  • Treatment
  • Payment
  • Operation of business
  • Limited data set (de-identified) for research, public health
  • Required by law

  6. A Bit of History (cont.)
  Business Associates required to enter into an agreement with CEs to protect PHI
  • Breach by the BA would subject the CE to liability
  • Redress against BA was by breach of contract lawsuit

  7. New ARRA Provisions
  An Overview for Physician Practices

  8. 1. Business Associates
  ARRA and HITECH extend Privacy and Security to Business Associates (“BA”)
  • Business Associates directly subject to the Security Rule and privacy/confidentiality requirements
  • Breach by BA results in liability for CE’s criminal and civil penalties
    • Four tiers ranging from $100 to $50,000 per violation
    • Individuals harmed may recover part of penalty
    • State Attorneys General authorized to bring suit
    • Attorneys’ fees may be awarded
  • BA required to respond to privacy non-compliance by CE
  • BA Contracts are now required with entities that provide data transmission of PHI on a regular basis, such as Health Information Exchanges

  9. 2. Breach Notification
  ARRA requires Breach Notification of Unsecured PHI
  • Breach is defined as unauthorized acquisition, access, use or disclosure of Unsecured PHI (“UPHI”) which compromises the security or privacy of information
  • Unsecured PHI is defined as PHI that is not secured through the use of technology or methodology specified by the Secretary that renders the information unusable, unreadable, or undecipherable to unauthorized persons
  • Breach does not include:
    • Unintentional acquisition, access or use
      • made in good faith within the course of employment with BA or CE and not further acquired, used, or disclosed by any person
      • made by an individual acting under the authority of the CE or BA
      • of information the disclosure of which could not reasonably be retained

  10. Breach Notification (cont.)
  • Notification upon discovery of Breach
    • CEs must notify each individual whose UPHI is breached
    • BA must notify the CE
  • Time period: without unreasonable delay but no later than 60 calendar days after discovery (first day known or should have been known)
  • Burden on discoverer
  • Written notice by mail unless urgent
  • If more than 9 individuals involved, posting on web
  • Notice to media if over 500 residents in state or jurisdiction affected
  • Immediate notice to Secretary if over 500 affected
  • Breach log required to be sent to Secretary annually

  11. Breach Notification (cont.)
  • Breach Notice contains
    • Description of what happened
    • Description of types of data involved
    • Steps individuals should take to protect themselves
    • What CE is doing to investigate, mitigate losses, and protect from further breaches
    • Contact procedures

  12. 3. Disclosure Accounting
  ARRA requires Accounting for Disclosures of EHR
  • CEs are required to account for all disclosures of PHI, including those for Payment, Treatment and Operations
  • Records for the prior 3 years must be provided
  • CEs with EHR technology prior to January 1, 2009 must comply by January 1, 2014
  • CEs acquiring EHR technology after January 1, 2009 must comply by January 1, 2011 or, if later, when it acquires EHR

  13. 4. Prohibition on Sale of Data
  ARRA prohibits Sales of EHR Data or PHI
  • No direct or indirect remuneration in exchange for PHI unless covered by a valid authorization
  • Exceptions:
    • Public Health
    • Research data where cost is all that is reimbursed
    • Exchange for health care operations or treatment as permitted by regulation

  14. 5. Disclosure Restrictions
  ARRA allows restrictions on Disclosures
  • Individuals may restrict disclosure to a health plan for payment or operations
  • Individual must have paid out of pocket in full

  15. Practical Guidance
  • Inventory and review all BAAs to determine if they need to be amended
  • ARRA Security and Privacy provisions are required to be incorporated into the BA Agreements
  • Review all policies and procedures to incorporate the new obligations of ARRA
  • Modify training of personnel to include the changes made by ARRA
  • Enter into BA Agreements with any organizations with which the CE transmits Health Information electronically

  16. Practical Guidance
  • Conduct a risk assessment to determine if office procedures are consistent with protecting PHI:
    • Doors locked except for business entrances and exits during business hours
    • Employee access restricted during non-business hours
    • Patients, families not allowed access to provider offices
    • Patient sign-up sheets not visible to non-employees
    • Employees’ visitors not allowed access
    • Employees are restricted from mentioning patients on social media sites
    • Remote access to data is limited, inventoried
    • Portable electronics secured, if not encrypted
    • Keys, pass codes inventoried
    • Workstations secured, screens not in view of public
  • Implement procedures for terminated employees to limit access to PHI
  • Implement procedures to report suspicious activity
  • Implement hiring practices that minimize risk; check references and background
  • Conduct periodic training on privacy and security

  17. Questions?
  The Tri-State REC can help!
  www.healthbridge.org
  rec@healthbridge.org
  513-469-7222