1 / 72

Arkansas Healthcare Association of Access Managers 2009 Fall Meeting

Arkansas Healthcare Association of Access Managers 2009 Fall Meeting. November 19, 2009. TOPICS HIPAA Revisions Security Breach & Red Flags Rule EMTALA. HIPAA. The American Recovery and Reinvestment Act of 2009 contained several revisions to the HIPAA regulations.

uta
Download Presentation

Arkansas Healthcare Association of Access Managers 2009 Fall Meeting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Arkansas Healthcare Association of Access Managers 2009 Fall Meeting November 19, 2009

  2. TOPICS HIPAA Revisions Security Breach & Red Flags Rule EMTALA

  3. HIPAA The American Recovery and Reinvestment Act of 2009 contained several revisions to the HIPAA regulations. Some of these revisions became effective in 2009, and others will be implemented over the next few years.

  4. HIPAA REVISIONS PENALTIES (effective now)

  5. HIPAA Penalties The revisions clarify that criminal penalties will also be extended to employees of Covered Entities. Civil money penalties have been increased and will be tiered based on the type of violation. Monies received from penalties or settlements will be transferred to the Office for Civil Rights, and by 2012, individuals who are harmed by HIPAA violations will be able to receive a percentage of these monies as damages.

  6. HIPAA Penalties Unknowing violations: $100 to $50,000 per violation, up to a maximum of $1,500,000 per year. Violations due to reasonable cause: $1000 to $50,000 per violation, up to a maximum of $1,500,000 per year. Violations due to willful neglect: (if the violation is corrected): $10,000 to $50,000 per violation, up to a maximum of $1,500,000 per year Violations due to willful neglect: (that are not corrected): At least $50,000 per violation, up to a maximum of $1.5 million per year. Note, the limits refer to “violations of identical requirement or prohibition.” So, if there is more than one type of violation, penalties may be dramatically increased.

  7. HIPAA REVISIONS BREACH NOTIFICATION REQUIREMENTS (effective now)

  8. Breach Notification Requirements Covered Entities are now required to notify affected individuals of a Breach of unsecured PHI.

  9. Breach Notification Requirements A “Breach” means a use or disclosure of PHI in a manner not allowed under the HIPAA regulations that poses a significant risk of financial, reputational or other harm to the affected individuals. “Unsecured PHI” is PHI that has not been encrypted, destroyed or otherwise made unreadable to unauthorized individuals.

  10. Breach Notification Requirements If a HIPAA violation occurs, a “risk assessment” must be performed to determine whether the violation was also a Breach (whether the impermissible use or disclosure results in a serious risk of harm).

  11. Breach Notification Requirements Risk assessments should be fact specific and must be documented. Documentation must be kept for 6 years and must include whether the incident was determined to be a Breach and the reason for the determination.

  12. Breach Notification Requirements Exceptions to Breach: 1. Unintentional use or disclosure by an employee acting within the scope of employment if no additional use or disclosure occurs. 2. Inadvertent disclosure from one authorized person to another authorized person at the Covered Entity. 3. Unauthorized disclosure if the person who received the disclosure couldn’t reasonably be expected to keep or remember the information.

  13. Breach Notification Requirements If a Breach has occurred, steps must be taken to reduce harmful effects of the Breach. Examples include: Notifying law enforcement Contacting affected individuals Updating security, changing pass codes, etc.

  14. Breach Notification Requirements Risk assessments and actions to mitigate must be taken in a timely manner. A Breach is “discovered” when the incident is discovered, not when there is a determination that the incident was a Breach. Notice must be provided as soon as reasonably possible, within a maximum of 60 days – unless law enforcement requests a delay.

  15. Breach Notification Requirements Notice to Individuals: 1. Written notice, in clear language; 2. Description of the incident; 3. Description of the information involved; 4. Description of the investigation and what is being done to mitigate harm; 5. Steps individuals should take to protect themselves; 6. Contact procedures for obtaining additional information.

  16. Breach Notification Requirements Notice to Individuals: Must be sent by first-class mail. Substitute notice may be provided if contact information is out-of-date (website, newspapers, radio or TV). Notice on the website must be posted for 90 days.

  17. Breach Notification Requirements Notice to the Media: If a Breach involves more than 500 residents of a state or jurisdiction (city or county), notice to the media must be provided in addition to individual notice.

  18. Breach Notification Requirements Notice to the Secretary of HHS: If a Breach involves 500 or more individuals (regardless of where they are located), the Secretary of HHS must be notified at the same time and in the same manner as individuals. If a Breach involves less than 500 individuals, a log must be maintained of the Breach. This log must be submitted to the Secretary annually.

  19. Breach Notification Requirements All members of the Covered Entity’s workforce (employees, medical staff, students, contractors, etc.) must be trained on identifying and reporting possible Breaches. Policies for identifying and responding to Breaches must be established, and these policies must provide for sanctions if individuals fail to comply.

  20. New HIPAA Provisions ACCOUNTING for Disclosures (coming soon)

  21. Accounting for Disclosures If Covered Entities use electronic health records, they will soon have to begin accounting for disclosures for treatment, payment and health care operations. Individuals have a right to receive an accounting of these disclosures for three years. A reasonable fee may be imposed when an individual requests an accounting of these types of disclosures, but it cannot exceed more than the entity’s labor cost in responding to the request.

  22. Accounting for Disclosures Covered Entities with electronic health records as of January 1, 2009, must comply on and after January 1, 2014. Covered Entities that begin using electronic health records after January 1, 2009 must comply on the later of January 1, 2011 or the date they acquire the electronic health record.

  23. HIPAA Preview of Coming Attractions: Penalties will apply to Business Associates in the same manner as they apply to Covered Entities. Covered Entities will be required to comply with requests not to disclose PHI for treatment, payment or healthcare operations if the PHI pertains solely to health care paid in full by the individual, out-of-pocket. Disclosures must be limited to the limited data set or “minimum necessary” to accomplish the purpose of the disclosure. There will be new marketing restrictions, and individuals will have to be given the opportunity to opt out of fundraising activities.

  24. HIPAA Preview of Coming Attractions: DHHS will establish a method for individuals who are harmed by HIPAA violations to receive a percent of civil money penalties collected. State Attorneys General will be able to sue Covered Entities for HIPAA violations on behalf of state residents. The OIG will begin performing random audits to make sure that Covered Entities and Business Associates are in compliance with HIPAA.

  25. HIPAA Preparing for Change: Update HIPAA Policies Update Business Associate Agreements Revise Notices of Privacy Practices Re-train Employees

  26. Questions about HIPAA?

  27. SECURITY BREACH

  28. SECURITY BREACH A security breach, under Arkansas law, is unauthorized acquisition of data that compromises the security, confidentiality or integrity of personal information, such as a patient’s medical record or account information. The good faith acquisition of personal information by an employee for the legitimate purposes of the business is not a security breach so long as the information is not otherwise used or subject to further unauthorized disclosure.

  29. SECURITY BREACH “Personal information" means an individual's first name or first initial and his or her last name in combination with any of the following: a. Social security number; b. Driver's license or Arkansas identification number; c. Account number, credit card number, or debit card number and any security code, or password; and d. Medical information. "Records" means any material that contains sensitive personal information in electronic form. "Records" does not include any publicly available directories containing information an individual has voluntarily consented to have publicly listed, such as name, address, or phone number

  30. SECURITY BREACH Arkansas requires businesses that maintain “personal information” (account information, medical information, etc.) about Arkansas residents to implement and maintain reasonable security procedures and practices appropriate to protect this information from unauthorized access, destruction, use, modification or disclosure.

  31. SECURITY BREACH Arkansas also requires business to disclosure security breaches to the affected individuals. The disclosure must be made “without unreasonable delay”. Notification may be delayed only if a law enforcement agency determines that notification will impede a criminal investigation.

  32. Federal Law – Red Flags Rule Requires “Creditors” to implement an identity theft prevention program. Creditor has been broadly defined to include anyone that regularly grants the right to defer payment of a debt – this includes the majority of hospitals and physician practices.

  33. Federal Law – Red Flags Rule The Red Flags Rule requires: (i) written policies to address the protection and security of personal information of customers; (ii) routine audits to monitor for and identify unauthorized access; (iii) methods for notifying individuals and mitigating damages if a identity theft occurs; and (iv) periodic review and revision of policies, if necessary.

  34. Red Flags Rule DEFINITIONS: “Covered Account” - (i) an account that involves multiple payments or transactions, including one or more deferred payments; or (ii) an account that has a reasonably foreseeable risk of identity theft to customers or to the safety and soundness of the institution. “Identity Theft” - fraud that involves stealing money or receiving benefits by using another person’s identity. “Red Flag” – a pattern, practice or specific activity that indicates possible existence of identity theft.

  35. Red Flags Rule Compliance: Perform a risk assessment to identify accounts that have a high risk of use in identity theft (“Covered Accounts”). Any patient account or payment plan that involves multiple payments would likely be a Covered Account. For healthcare providers this will include all patient accounts.

  36. Red Flags Rule Compliance: Develop policies and procedures to address the protection and security of personal information of customers; Perform routine audits to monitor for and identify unauthorized access; and Notify individuals and mitigate damages if a security breach occurs.

  37. Red Flags Rule Four Main Requirements: Identify red flags Detect red flags Respond to red flags Update the program as needed

  38. Red Flags Rule Examples of Red Flags: Suspicious or altered documents. Identification cards that are inconsistent with the person’s appearance. Failure or refusal to provide identifying information. Inability to verify insurance information. Notice from a patient of possible identity theft. Routine audit reveals unauthorized account access.

  39. Red Flags Rule Examples of Red Flags: Medical information provided by the patient differs from that in the medical record. Family members or friends reveal suspicious information to staff members, such as calling the patient by a different name. Reports from patients that they received bills for services that were not received.

  40. Red Flags Rule Detect Relevant Red Flags: Once relevant Red Flags have been identified, procedures must be adopted to detect Red Flags so appropriate responses may be implemented.

  41. Red Flags Rule Detect Relevant Red Flags: All appropriate employees must be educated on identifying relevant Red Flags and notifying the appropriate individual any time a Red Flag is detected.

  42. Red Flags Rule Detect Relevant Red Flags: Measures to detect Red Flags should be based on the risk assessment. Examples include: Collecting identifying information each time a new account is opened; Viewing a photo ID or insurance card; Comparing patient information with information already contained in existing records.

  43. Red Flags Rule Detect Relevant Red Flags: For providers who do not deal directly with patients, an alternate method of verifying the patient’s identity should be used. This might include contacting patients, patient representatives, and/or insurance companies to confirm validity of information received, or requesting copies of identifying information used by the patient referral source.

  44. Red Flags Rule Detect Relevant Red Flags: Any time a Red Flag is detected: * The event should be documented; * The appropriate individual should be notified; and * An investigation should be conducted.

  45. Red Flags Rule Response to Red Flags: The response to Red Flags should be based on the results of the investigation. Responses should be geared toward mitigation of harmful effects.

  46. Red Flags Rule Response Examples: Contact the patient Notify law enforcement Correct the medical record Correct the account Change passwords or security codes Update computer security Determine no action is necessary

  47. Red Flags Rule Response: If an investigation leads to a reasonable belief that identity theft has occurred, affected individuals should be provided with information regarding: * The scope of the breach; * The information accessed; * How the information was used (if known); & * Actions taken to remedy the situation.

  48. Red Flags Rule Documentation: All incidents of actual or suspected identity theft must be documented. This documentation must be maintained for 5 years after the account is closed or becomes dormant.

  49. Red Flags Rule Documentation should include: Identifying information about the individual; A description of any document relied on to verify identity; A description of any additional measures used to verify identity; and A description of the discrepancies discovered.

  50. Red Flags Rule Updates -- Periodic risk assessments must be performed and polices updated in response to: New accounts, Changes in business practices, Experiences with identity theft, Changes in methods to detect, prevent and mitigate identity theft, or Changes in identity theft experienced by the industry.

More Related