Top 10 Series

Changes to HIPAA

Devon Bernard, AOPA
Reimbursement Services Coordinator


Why the Changes?

• American Recovery & Reinvestment Act (ARRA)
– Signed into law February 2009

• Title XIII: Health Information Technology for Economic & Clinical Health Act (HITECH)
– Enacted February 2009
– Effective February 2010


Breaches

• Under HIPAA: No requirement to notify patients of a breach of their PHI

• Under HITECH: Must notify affected patients of a breach of unsecured PHI
– Must also notify the Department of Health and Human Services (HHS) of breaches


Breaches

• What is a breach? The acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI and poses a significant risk of financial, reputational, or other harm to the individual
– This "significant risk of harm" standard comes from the 2009 interim final rule. The 2013 Omnibus Rule replaced it: an impermissible use or disclosure is now presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised


Breaches

• Determine if a breach requires notification
– Risk of harm / risk assessment:
  • Who accessed or used the PHI
  • Was the information usable (e.g., was it encrypted)
  • What information was breached
  • Can the potential harm be limited (e.g., was the PHI returned or destroyed)
  • Does one of the HITECH exceptions apply (unintentional, good-faith access by a workforce member; inadvertent disclosure between persons authorized to access PHI; or a good-faith belief that the recipient could not retain the information)

• Document/log your findings
– Maintain the documentation for 6 years


Breaches

• Involving fewer than 500 individuals
– Notify each affected individual in writing, without unreasonable delay and no more than 60 days after discovery of the breach
– Notification should include:
  • Description of the breach, including the types of PHI involved
  • Steps the patient can take to protect themselves from harm
  • What you are doing to investigate, mitigate harm, and prevent further breaches
  • Contact information


Breaches

• Involving 500 or more individuals
– Notify the affected individuals
– Notify prominent media outlets serving the state or jurisdiction in which more than 500 residents are affected
– Notify HHS, no more than 60 days after discovery of the breach
  • HHS posts the breach on its public website


Breaches

• Breaches involving fewer than 500 individuals: yearly reporting to HHS
– Submit no more than 60 days after the end of the calendar year in which the breaches were discovered
– Information comes from your breach log:
  • Date of the breach (and of its discovery)
  • Description
  • Notification required / provided
  • Action taken


Disclosure of PHI

• Under HIPAA: Patient had the right to request that their PHI not be disclosed to a health plan
– The covered entity was under no obligation to agree to the request


Disclosure of PHI

• Under HITECH: You must comply with the request if:
– The disclosure would be to a health plan for payment or health care operations purposes (and is not otherwise required by law)
– The patient, or someone on the patient's behalf, has paid for the item or service out of pocket, in full


Access

• Under HIPAA: Patient had a right to access or receive a copy of their medical record
– In the form or format requested by the patient, if readily producible


Access

• Under HITECH: Patient has a right to access or receive a copy of their medical record

• If you maintain electronic health records:
– Patient has the right to request an electronic copy of their record
– Patient may direct that a copy be transmitted, in electronic form, to a third party they designate


Accounting

• Under HIPAA: Only had to account for disclosures that were not routine, i.e., disclosures other than for treatment, payment, and health care operations

• Under HITECH: If you maintain electronic health records, you must also account for routine (treatment, payment, and health care operations) disclosures made through the EHR during the three years prior to the request


Accounting

• For a covered entity that acquired an EHR before January 1, 2009, the accounting requirement applies to disclosures made on or after January 1, 2014.

• For a covered entity that acquired an EHR on or after January 1, 2009, the provision applies to disclosures made on or after January 1, 2011.

• These are the statutory dates. HHS proposed implementing regulations in 2011 but never finalized them, so the expanded accounting requirement has not been put into effect.


Business Associates (BA)

• Under HIPAA: BAs not directly bound by HIPAA regulations
– Bound only by their contracts (BA Agreements) with covered entities

• Under HITECH: BAs must directly comply with the HIPAA Security Rule
– Administrative, Physical, and Technical Safeguards
– Plus the privacy provisions of the HITECH Act, with the same civil and criminal penalties applying to them


Business Associates (BA)

• BA Agreements (BAAs) should be updated to reflect the BAs' new responsibilities

• Review current BAAs
– Current BAA allows for changes = an Addendum
– Current BAA doesn't allow for changes = a new BAA


Enforcement

• Under HIPAA: Compliance investigations were complaint-driven

• Under HITECH: The Department of Health and Human Services is required to conduct periodic compliance audits of covered entities and business associates


Enforcement

• Under HIPAA: A civil monetary penalty of no more than $100 per violation, up to a maximum of $25,000 for all violations of an identical provision in a calendar year, could be imposed

• Under HITECH: Tiered civil monetary penalties
– Four tiers, based on the level of culpability


Enforcement

• Tier I: Did not know (and could not reasonably have known)
– $100 for each violation
– Not to exceed $25,000 per year for identical violations

• Tier II: Reasonable cause, not willful neglect
– $1,000 for each violation
– Not to exceed $100,000 per year for identical violations


Enforcement

• Tier III: Willful neglect, violation corrected within 30 days
– $10,000 per violation
– Not to exceed $250,000 per year for identical violations

• Tier IV: Willful neglect, violation not corrected
– $50,000 per violation
– Not to exceed $1.5 million per year for identical violations

• These are the statutory caps. HHS's enforcement rule applied the $1.5 million cap to every tier until its 2019 notice of enforcement discretion, and the amounts are adjusted annually for inflation


Enforcement

• State Attorneys General
– May bring civil actions for HIPAA violations on behalf of their state's residents

• Enforcement activities and penalties are not limited to covered entities.

• Who else is subject to the new enforcement activities and penalties:
– Business Associates
– Individuals, including workforce members who obtain or disclose PHI without authorization


Summary of Changes

• Breaches of PHI
– Notification requirements
– Yearly reporting

• Business Associates
– Directly comply with HIPAA
– New/updated BA Agreements


Summary of Changes

• Access & Disclosure of PHI
– Right to restrict disclosure to a health plan for services paid in full out of pocket
– Right to obtain an electronic copy of the electronic health record
– Accounting of routine disclosures

• Enforcement Activities
– Increased civil monetary penalties
– Mandatory compliance audits
– Individuals held accountable