Arkansas healthcare association of access managers 2009 fall meeting
Presentation Transcript
Arkansas Healthcare Association of Access Managers

2009 Fall Meeting

November 19, 2009

Topics

HIPAA Revisions

Security Breach & Red Flags Rule

EMTALA

HIPAA

The American Recovery and Reinvestment Act of 2009 contained several revisions to the HIPAA regulations.

Some of these revisions became effective in 2009, and others will be implemented over the next few years.

HIPAA Revisions (effective now)

HIPAA Penalties

The revisions clarify that criminal penalties will also be extended to employees of Covered Entities.

Civil money penalties have been increased and will be tiered based on the type of violation.

Monies received from penalties or settlements will be transferred to the Office for Civil Rights, and by 2012, individuals who are harmed by HIPAA violations will be able to receive a percentage of these monies as damages.


Unknowing violations: $100 to $50,000 per violation, up to a maximum of $1,500,000 per year.

Violations due to reasonable cause: $1,000 to $50,000 per violation, up to a maximum of $1,500,000 per year.

Violations due to willful neglect (if the violation is corrected): $10,000 to $50,000 per violation, up to a maximum of $1,500,000 per year.

Violations due to willful neglect (that are not corrected): at least $50,000 per violation, up to a maximum of $1,500,000 per year.

Note: the limits refer to “violations of identical requirement or prohibition.” So, if there is more than one type of violation, penalties may be dramatically increased.

Breach Notification Requirements

Covered Entities are now required to notify affected individuals of a Breach of unsecured PHI.


A “Breach” means a use or disclosure of PHI in a manner not allowed under the HIPAA regulations that poses a significant risk of financial, reputational or other harm to the affected individuals.

“Unsecured PHI” is PHI that has not been encrypted, destroyed or otherwise made unreadable to unauthorized individuals.


If a HIPAA violation occurs, a “risk assessment” must be performed to determine whether the violation was also a Breach (whether the impermissible use or disclosure results in a serious risk of harm).


Risk assessments should be fact specific and must be documented.

Documentation must be kept for 6 years and must include whether the incident was determined to be a Breach and the reason for the determination.


Exceptions to Breach:

1. Unintentional use or disclosure by an employee acting within the scope of employment if no additional use or disclosure occurs.

2. Inadvertent disclosure from one authorized person to another authorized person at the Covered Entity.

3. Unauthorized disclosure if the person who received the disclosure couldn’t reasonably be expected to keep or remember the information.


If a Breach has occurred, steps must be taken to reduce harmful effects of the Breach.

Examples include:

Notifying law enforcement

Contacting affected individuals

Updating security, changing pass codes, etc.


Risk assessments and actions to mitigate must be taken in a timely manner.

A Breach is “discovered” when the incident is discovered, not when there is a determination that the incident was a Breach.

Notice must be provided as soon as reasonably possible, within a maximum of 60 days – unless law enforcement requests a delay.


Notice to Individuals:

1. Written notice, in clear language;

2. Description of the incident;

3. Description of the information involved;

4. Description of the investigation and what is being done to mitigate harm;

5. Steps individuals should take to protect themselves;

6. Contact procedures for obtaining additional information.


Notice to Individuals:

Must be sent by first-class mail.

Substitute notice may be provided if contact information is out-of-date (website, newspapers, radio or TV).

Notice on the website must be posted for 90 days.


Notice to the Media:

If a Breach involves more than 500 residents of a state or jurisdiction (city or county), notice to the media must be provided in addition to individual notice.


Notice to the Secretary of HHS:

If a Breach involves 500 or more individuals (regardless of where they are located), the Secretary of HHS must be notified at the same time and in the same manner as individuals.

If a Breach involves fewer than 500 individuals, a log of the Breach must be maintained. This log must be submitted to the Secretary annually.


All members of the Covered Entity’s workforce (employees, medical staff, students, contractors, etc.) must be trained on identifying and reporting possible Breaches.

Policies for identifying and responding to Breaches must be established, and these policies must provide for sanctions if individuals fail to comply.
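As an added illustration that is not part of the presentation, the following Python encodes the breach notification decision the slides above describe: the discovery clock, the unsecured-PHI and exception tests, the 60-day limit, the more-than-500-per-jurisdiction media trigger and the 500-or-more HHS trigger, plus the six-year record of the risk assessment. The Incident fields, the exception labels and the output keys are this example's own names, not terms from the slides.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Thresholds and clocks as stated on the slides.
NOTICE_DEADLINE_DAYS = 60        # individual notice no later than 60 days after discovery
HHS_CONCURRENT_THRESHOLD = 500   # 500 or more individuals: notify HHS with the individual notice
MEDIA_THRESHOLD = 500            # more than 500 residents of one state/jurisdiction: media notice
RISK_ASSESSMENT_RETENTION_YEARS = 6

# The three exceptions from the slides (these labels are this example's own names).
EXCEPTIONS = {
    "unintentional_within_scope",            # workforce member, in scope, no further use or disclosure
    "inadvertent_authorized_to_authorized",  # one authorized person to another at the Covered Entity
    "recipient_could_not_retain",            # recipient could not reasonably keep or remember the PHI
}


@dataclass
class Incident:
    discovered: str                      # ISO date the incident was discovered (the clock starts here,
                                         # not when it is later determined to be a Breach)
    phi_unsecured: bool                  # True unless the PHI was encrypted, destroyed or made unreadable
    significant_risk_of_harm: bool       # documented outcome of the fact-specific risk assessment
    affected_by_jurisdiction: Dict[str, int] = field(default_factory=dict)  # e.g. {"AR": 650}
    exception: Optional[str] = None      # one of EXCEPTIONS, if it applies
    law_enforcement_delay: bool = False  # law enforcement has asked that notice be delayed


def is_breach(inc: Incident) -> bool:
    """Breach = impermissible use of unsecured PHI with significant risk of harm and no exception."""
    if inc.exception is not None and inc.exception not in EXCEPTIONS:
        raise ValueError(f"unknown exception label: {inc.exception}")
    return inc.phi_unsecured and inc.significant_risk_of_harm and inc.exception is None


def _years_later(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                   # 29 February: fall back to 28 February
        return d.replace(year=d.year + years, day=28)


def notification_plan(inc: Incident) -> dict:
    """Who must be notified and by when. The risk-assessment record is kept for
    six years whether or not the incident turns out to be a Breach."""
    found = date.fromisoformat(inc.discovered)
    plan = {
        "breach": is_breach(inc),
        "keep_documentation_until": _years_later(found, RISK_ASSESSMENT_RETENTION_YEARS).isoformat(),
        "individual_notice_deadline": None,  # ISO date, or None when no notice or a law-enforcement hold
        "media_notice_jurisdictions": [],
        "hhs_notice": None,                  # "with_individual_notice", "annual_log" or None
    }
    if not plan["breach"]:
        return plan
    if not inc.law_enforcement_delay:    # otherwise the deadline is set when the hold is lifted
        plan["individual_notice_deadline"] = (found + timedelta(days=NOTICE_DEADLINE_DAYS)).isoformat()
    plan["media_notice_jurisdictions"] = sorted(
        j for j, n in inc.affected_by_jurisdiction.items() if n > MEDIA_THRESHOLD
    )
    total = sum(inc.affected_by_jurisdiction.values())
    plan["hhs_notice"] = "with_individual_notice" if total >= HHS_CONCURRENT_THRESHOLD else "annual_log"
    return plan
```

Note that exactly 500 people in one state triggers the HHS notice but not the media notice, since the two thresholds are worded differently on the slides.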

New HIPAA Provisions (coming soon)

Accounting for Disclosures

If Covered Entities use electronic health records, they will soon have to begin accounting for disclosures for treatment, payment and health care operations.

Individuals have a right to receive an accounting of these disclosures for three years.

A reasonable fee may be imposed when an individual requests an accounting of these types of disclosures, but it cannot exceed the entity’s labor cost in responding to the request.


Covered Entities with electronic health records as of January 1, 2009, must comply on and after January 1, 2014.

Covered Entities that begin using electronic health records after January 1, 2009, must comply on the later of January 1, 2011 or the date they acquire the electronic health record.


Preview of Coming Attractions:

Penalties will apply to Business Associates in the same manner as they apply to Covered Entities.

Covered Entities will be required to comply with requests not to disclose PHI for treatment, payment or healthcare operations if the PHI pertains solely to health care paid in full by the individual, out-of-pocket.

Disclosures must be limited to the limited data set or “minimum necessary” to accomplish the purpose of the disclosure.

There will be new marketing restrictions, and individuals will have to be given the opportunity to opt out of fundraising activities.


DHHS will establish a method for individuals who are harmed by HIPAA violations to receive a percent of civil money penalties collected.

State Attorneys General will be able to sue Covered Entities for HIPAA violations on behalf of state residents.

The OIG will begin performing random audits to make sure that Covered Entities and Business Associates are in compliance with HIPAA.


Preparing for Change:

Update HIPAA Policies

Update Business Associate Agreements

Revise Notices of Privacy Practices

Re-train Employees

Security Breach

A security breach, under Arkansas law, is unauthorized acquisition of data that compromises the security, confidentiality or integrity of personal information, such as a patient’s medical record or account information.

The good faith acquisition of personal information by an employee for the legitimate purposes of the business is not a security breach so long as the information is not otherwise used or subject to further unauthorized disclosure.


“Personal information” means an individual's first name or first initial and his or her last name in combination with any of the following:

a. Social security number;

b. Driver's license or Arkansas identification number;

c. Account number, credit card number, or debit card number and any security code, or password; and

d. Medical information.

“Records” means any material that contains sensitive personal information in electronic form.

“Records” does not include any publicly available directories containing information an individual has voluntarily consented to have publicly listed, such as name, address, or phone number.


Arkansas requires businesses that maintain “personal information” (account information, medical information, etc.) about Arkansas residents to implement and maintain reasonable security procedures and practices appropriate to protect this information from unauthorized access, destruction, use, modification or disclosure.


Arkansas also requires businesses to disclose security breaches to the affected individuals.

The disclosure must be made “without unreasonable delay”.

Notification may be delayed only if a law enforcement agency determines that notification will impede a criminal investigation.

Federal Law – Red Flags Rule

Requires “Creditors” to implement an identity theft prevention program.

Creditor has been broadly defined to include anyone that regularly grants the right to defer payment of a debt – this includes the majority of hospitals and physician practices.


The Red Flags Rule requires:

(i) written policies to address the protection and security of personal information of customers;

(ii) routine audits to monitor for and identify unauthorized access;

(iii) methods for notifying individuals and mitigating damages if identity theft occurs; and

(iv) periodic review and revision of policies, if necessary.

Red Flags Rule


“Covered Account” –

(i) an account that involves multiple payments or transactions, including one or more deferred payments; or

(ii) an account that has a reasonably foreseeable risk of identity theft to customers or to the safety and soundness of the institution.

“Identity Theft” – fraud that involves stealing money or receiving benefits by using another person’s identity.

“Red Flag” – a pattern, practice or specific activity that indicates the possible existence of identity theft.


Perform a risk assessment to identify accounts that have a high risk of use in identity theft (“Covered Accounts”).

Any patient account or payment plan that involves multiple payments would likely be a Covered Account. For healthcare providers this will include all patient accounts.


Develop policies and procedures to address the protection and security of personal information of customers;

Perform routine audits to monitor for and identify unauthorized access; and

Notify individuals and mitigate damages if a security breach occurs.


Four Main Requirements:

Identify red flags

Detect red flags

Respond to red flags

Update the program as needed


Examples of Red Flags:

Suspicious or altered documents.

Identification cards that are inconsistent with the person’s appearance.

Failure or refusal to provide identifying information.

Inability to verify insurance information.

Notice from a patient of possible identity theft.

Routine audit reveals unauthorized account access.


Medical information provided by the patient differs from that in the medical record.

Family members or friends reveal suspicious information to staff members, such as calling the patient by a different name.

Reports from patients that they received bills for services that were not received.


Detect Relevant Red Flags:

Once relevant Red Flags have been identified, procedures must be adopted to detect Red Flags so appropriate responses may be implemented.


All appropriate employees must be educated on identifying relevant Red Flags and notifying the appropriate individual any time a Red Flag is detected.


Measures to detect Red Flags should be based on the risk assessment. Examples include:

Collecting identifying information each time a new account is opened;

Viewing a photo ID or insurance card;

Comparing patient information with information already contained in existing records.


For providers who do not deal directly with patients, an alternate method of verifying the patient’s identity should be used.

This might include contacting patients, patient representatives, and/or insurance companies to confirm validity of information received, or requesting copies of identifying information used by the patient referral source.


Any time a Red Flag is detected:

* The event should be documented;

* The appropriate individual should be notified; and

* An investigation should be conducted.


Response to Red Flags:

The response to Red Flags should be based on the results of the investigation.

Responses should be geared toward mitigation of harmful effects.


Response Examples:

Contact the patient

Notify law enforcement

Correct the medical record

Correct the account

Change passwords or security codes

Update computer security

Determine no action is necessary


If an investigation leads to a reasonable belief that identity theft has occurred, affected individuals should be provided with information regarding:

* The scope of the breach;

* The information accessed;

* How the information was used (if known); and

* Actions taken to remedy the situation.


All incidents of actual or suspected identity theft must be documented.

This documentation must be maintained for 5 years after the account is closed or becomes dormant.


Documentation should include:

Identifying information about the individual;

A description of any document relied on to verify identity;

A description of any additional measures used to verify identity; and

A description of the discrepancies discovered.


Updates – Periodic risk assessments must be performed and policies updated in response to:

New accounts,

Changes in business practices,

Experiences with identity theft,

Changes in methods to detect, prevent and mitigate identity theft, or

Changes in identity theft experienced by the industry.


Compliance Reports:

Periodic compliance reports must be provided to the governing body.

These reports must detail the effectiveness of the policy, recommendations for policy revisions, any incidents of identity theft and the actions taken in response.

EMTALA
3 Primary Requirements

Medical Screening Exam (MSE)

Necessary Stabilizing Treatment

Appropriate Transfer

Medical Screening Exam (MSE)

Must perform on anyone who “Comes to the Emergency Department” and requests examination or treatment of a medical condition in order to determine whether an emergency exists.

The MSE must be appropriate for the patient’s symptoms, within the hospital’s capabilities.


“Comes to the Emergency Department” means:

Presents at the hospital’s dedicated ED & requests an exam or treatment;

Presents on hospital property, other than the ED, and requests exam or treatment for what may be an emergency;

Is in an ambulance owned & operated by the hospital for exam and treatment, but is not on hospital grounds; or

Is in a non-hospital owned ambulance on hospital property for exam & treatment of a medical condition.

No Delay in Treatment

An MSE (and necessary stabilizing treatment) may not be delayed to inquire about method of payment or insurance status.


Insurance authorization may not be done until after appropriate screening and necessary stabilizing treatment are provided.


Registration procedures may be followed so long as they do not delay medical screening or treatment.

The registration process may not discourage individuals from remaining for further evaluation.


CMS has indicated that any procedures, signs, etc., that induce an individual to leave the ED before receiving an MSE place the hospital at risk of an EMTALA violation.


If ED patients who do not have emergencies are expected to pay for services at the time of treatment, such financial discussions should not occur until after the patient has received an MSE and it has been determined that no emergency condition exists.


A hospital was recently fined for violating EMTALA because a patient with chest pain left the ED without treatment after he read a sign which stated payment for non-emergency conditions was expected at the time of service.

What is an MSE?

Determines whether or not an emergency medical condition exists.

More than initial screening or triage.

“The process required to reach, with reasonable clinical confidence, the point at which it can be determined whether a medical emergency does or does not exist.”

Can be brief and simple or very complex, depending on the patient.

What is an Emergency Medical Condition?

A medical condition with acute symptoms of sufficient severity (including severe pain) that absence of immediate medical attention could reasonably be expected to result in:

Serious risk to an individual’s health;

Serious impairment to bodily functions; or

Serious dysfunction of an organ or body part.


If an individual Comes to the Emergency Department and requests an exam or treatment, and the nature of the request makes it clear that the medical condition is not an emergency, the hospital must only perform a screening that is appropriate for the patient to determine an emergency medical condition does not exist.

Who May Conduct an MSE?

A person who is determined qualified by Hospital bylaws or rules and regulations to provide emergency care, and who can provide any necessary stabilizing treatment or an appropriate transfer if an emergency medical condition exists.


Under Arkansas Law:



Stabilizing Treatment

If any individual is determined to have an emergency medical condition, the Hospital must either:

Stabilize the medical condition (within its capabilities); or

Transfer the individual to another facility in accordance with the regulations.


A hospital’s EMTALA obligation ends when a physician has made a decision that:

No emergency exists;

That an emergency exists which requires transfer to another facility, or the patient requests transfer to another facility; or

That an emergency exists and the patient is admitted to the hospital for further stabilizing treatment.

On-Call Physician

If the emergency department physician determines that an on-call specialist physician’s services are necessary, and the on-call physician is notified and fails or refuses to appear within a reasonable time and a transfer is ordered, both the hospital and the on-call physician are at risk of violating EMTALA.


Penalties for EMTALA violations include fines of up to $50,000 per violation, and termination from the Medicare and Medicaid programs.

Friday, Eldredge & Clark, LLP

Jennifer Smith – 370-3378

Lynda Johnson – (501) 370-1553