HITECH and HIPAA

Presented by Rhonda Anderson, RHIA

Anderson Health Information Systems, Inc
office@ahis.net
714-558-3887

HITECH & HIPAA

(Slide diagram: HITECH, HIPAA and SB 541, with the themes Access, Breaches, and Privacy and Security)

Agenda

1. What is HITECH

2. Breach Reporting

3. Business Associate Agreements

4. SB 541 – California

5. Penalties

HITECH ACT

• Part of the American Recovery and Reinvestment Act of 2009

• Applies the HIPAA privacy and security rules and their penalties to HIPAA business associates

• Creates a new breach reporting requirement for HIPAA CEs and BAs

• Effective Date February 2009

SB 541

• California legislation that enforces reporting requirements for unlawful or unauthorized access, use or disclosure of a patient’s medical information

• Reporting requirement within 5 days of discovery

• Effective Date 2009

HIPAA

• Health Insurance Portability and Accountability Act

• Guidance for Privacy and Security of protected health information

• 45 CFR 160-164

• Effective Date 2003

HITECH Vocabulary

• Breach – the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information

• Unsecured PHI – PHI that is not secured through the use of a technology or methodology that renders PHI “unusable, unreadable, or indecipherable to unauthorized individuals”

• Acceptable methodologies – encryption as specified in the HIPAA security rule; shredding or destruction of non-electronic PHI

HITECH Reporting Requirements

• Notification to each individual whose unsecured PHI has been, or is reasonably believed by the CE to have been, accessed, acquired or disclosed as a result of such breach, without unreasonable delay and no later than 60 days after discovery of the breach by the CE or BA

• Notice must be made by first-class mail, or by email if specified by the individual.

• If there are more than 10 affected individuals, the entity must post a conspicuous notice on its web site or provide notice in major print or broadcast media

• If there are more than 500 individuals, all residents of the same State or jurisdiction, the entity must provide immediate notice to HHS and notice to the media

• Business associates must adhere to the same reporting timeline. They are not required to provide notice of a breach to the individual; instead they notify the covered entity of the breach, along with identification of each affected individual

• The Covered Entity is then responsible for notifying each affected individual

• The clock starts for the CE when the BA reports the breach

• Covered entities and business associates are required to keep a log of breaches and submit it within 60 days after the end of the year, unless immediate notification is required, as in the case of more than 500 affected individuals

• Documentation should also be maintained for suspected breaches that, after investigation, are deemed not to constitute a breach under the HITECH requirements

• The notice to individuals must contain a description of what happened and the unsecured PHI involved, steps for individuals to protect themselves, a description of the covered entity’s efforts to investigate, mitigate and prevent further breaches and contact information.

• The HIPAA requirement for a six-year accounting of disclosures still applies to non-EHR disclosures.

• Under HITECH, covered entities and business associates are required to maintain an accounting of disclosures made through an EHR, including disclosures made for treatment, payment and health care operations.

• The accounting is limited to three years of disclosure information rather than the current six-year requirement under HIPAA

BA Agreements

• AHIS has updated the business associate agreement policy to include the new HITECH requirements

• Covered entities must update all business associate agreements and ensure that they include HITECH requirements

No Safe Harbor

• California covered entities are still required to report unlawful or unauthorized access, use or disclosure of a patient’s medical information within 5 days to comply with SB 541, which has been in effect since January 2009

Penalties

• SB-541 – failure to report within 5 days: $100 per day for each day that the unlawful or unauthorized access, use or disclosure is not reported, up to a maximum of $250,000.

HIPAA civil penalties under new HITECH provisions

Effective November 30, 2009

Violation Category                         | Each Violation   | All such violations of an identical provision in a calendar year
-------------------------------------------|------------------|------------------------------------------------------------------
Did not know                               | $100-$50,000     | $1,500,000
Reasonable Cause                           | $1,000-$50,000   | $1,500,000
Willful neglect - corrected within 30 days | $10,000-$50,000  | $1,500,000
Willful neglect - not corrected            | $50,000          | $1,500,000

Risk analysis and implementation

• AHIS will help you analyze possible areas of risk

• AHIS will provide you with guidance on documenting the investigation and notification of breaches

AHIS as your partner

Implementation Plan

Risk Analysis

Policy and Procedure

Current system review

Action as needed