HIPAA in the Era of EHR

Rural Hospital Health Information Technology Conference
May 27, 2010

Stacy Harper, JD, MHSA, CPC
Forbes Law Group, LLC
(913) 341 – 8619
[email protected]

Overview

Summary of HIPAA to Date
Impact of EMR Implementation
Considerations with EHR

Summary of HIPAA To Date

Administrative Simplification
Privacy
Security
HITECH

HIPAA Administrative Simplification

Standardized Electronic Transactions and Code Sets
Unique Identifier for Employers
Unique Identifier for Providers
Unique Identifier for Health Plans

HIPAA Privacy

April 14, 2003
Applies to all Protected Health Information
Included requirements for:
◦ Safeguards
◦ Notice of Privacy Practices
◦ Use and Disclosure of Protected Health Information
◦ Patient Rights
◦ Business Associates
◦ Other General Requirements

HIPAA Security

April 14, 2005
Applies to Electronic Protected Health Information (EPHI)
Included requirements related to:
◦ Safeguards and protection of EPHI
◦ Device and Media Controls
◦ Contingency and Back Up Plan
◦ Individual Access to Information
◦ Information System Activity Review

HIPAA HITECH

February 17, 2010 (with few exceptions)
Applies to all protected health information
◦ Privacy and Security Provisions now apply to Business Associates
◦ Breach is Distinguished from a Violation
◦ Requirements of Notice of Breach
◦ Disclosures of Information to Payors
◦ Electronic Health Record Accounting and Access
◦ New Penalties
◦ Enforcement by State Attorney General
◦ Guidance from HHS

HITECH - Definition of Breach

“An unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

Exceptions
Clarifications from HHS

Determination of Breach

Step 1: Was the Information Secure?

HITECH - Methods of Rendering PHI Unusable

Approved Methods:
◦ Encryption
◦ Destruction
But NOT:
◦ Access Controls
◦ Redaction
◦ Limited Data Set

Determination of Breach

Step 1: Was the Information Secure?
Step 2: Do One of the Exclusions Apply?

Exclusions to Breach

Workforce Use – Unintentional acquisition, access or use of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
Workforce Disclosure – Unintentional disclosure of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
No Way to Retain Info – Unauthorized disclosure to which the CE or BA has a good faith belief that the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain the info

Determination of Breach

Step 1: Was the Information Secure?
Step 2: Do One of the Exclusions Apply?
Step 3: Does the Use/Disclosure Pose a Significant Risk to the Individual?

Guidance for Significant Risk

Covered Entity to Covered Entity – Inadvertent disclosure of PHI from one covered entity or BA employee to another similarly situated covered entity or BA employee, provided that the PHI is not further used or disclosed in any manner that violates the Privacy Rule
Immediate Steps to Mitigate – Were immediate steps taken to mitigate the harm, including return or destruction of the information and a written confidentiality agreement?
Types of Information Included – Was the information disclosed limited to the name of the individual or a limited data set?

HITECH - Notice of Breach

Effective 9/23/09, but HHS will not impose sanctions until 2/22/10
Business Associate must notify Covered Entity of a breach, including the individuals whose information was included in the breach
Covered Entity has 60 days from the day discovered to notify the individual of a breach
◦ Day discovered is the date when the provider knew or could have known through reasonable diligence
◦ Increases the importance of a system to check for breaches of PHI and track compliance with HIPAA privacy and security regulations

HITECH - Notice of Breach

Notice of Breach must include:
◦ A description of what happened, including the date of breach and date of discovery
◦ A description of the types of PHI involved
◦ Steps the individual should take to protect themselves
◦ Steps taken by the provider to investigate, mitigate, and protect against further disclosure
◦ Contact information for questions, including a toll-free telephone number, e-mail address, website, or postal address

HITECH - Notice of Breach

Notice must be provided to:
Individual
◦ In writing to last known address
Website
◦ If the provider does not have current contact information on more than 10 patients involved
Media
◦ If breach affected more than 500 patients in one state or jurisdiction
Secretary of HHS
◦ Within 60 days if more than 500 people affected
◦ Annual report of breaches affecting less than 500 people

Impact of EMR Implementation

HIPAA Security Now Applies to Medical Records
Increased Risk of Breach
Importance of Monitoring
Implementation and IT Considerations

EMR and HIPAA Security

Safeguards and protection of EPHI
◦ Perform a New Risk Assessment
◦ Physical Access to EPHI
◦ Encryption and Decryption of Data
◦ Tracking of Changes and Maintaining Integrity
◦ Remote Access
Device and Media Control
◦ Use, Re-use, and Destruction
◦ New Concerns re: Copiers and Scan to E-mail

EMR and HIPAA Security

Contingency and Back Up Plan
◦ New criticality analysis
◦ Redundancy and Back-Up Systems
◦ Emergency Mode and Recovery Operations
Individual Access to Information
◦ Determination of Access Levels
◦ Granting, Modifying or Terminating Authority
◦ Protection of User Names and Passwords
◦ Automatic Log Off

EMR and HIPAA Security

Information System Activity Review
◦ Review of log on attempts
◦ Audit logs
◦ Access reports
◦ Security incidents
◦ Other system activity

Increased Risk of Breach

More methods of access
Records more likely to leave the facility
Increased transferability of information
More interest in the information
Greater impact if a breach occurs

Type of Entity with Breach over 500

Hospital: 36%
Physician Practice: 25%
Insurance Company: 18%
Government Agency: 9%
Other: 12%

Method of Breach

Theft: 57%
Unauthorized Access: 20%
Improper Disposal: 1%
Loss: 9%
Other: 13%

Location of Breach

Laptop: 25%
Paper Record: 23%
Portable Device/Media: 19%
Desktop Computer: 16%
Server: 6%
Other: 10%

Importance of Monitoring

Notice from the date you knew or should have known of the breach
Increased penalties and scrutiny
Failure to monitor can result in increased liability
Renew the training for your staff and get them involved

Implementation and IT Considerations

Incorporate the HIPAA discussion into your implementation plan
Consider “upgrading” some of the hardware and other software options to improve encryption and security
Security programs for handheld devices

Considerations with EHR

Created Framework for Communication
Opt-In versus Opt-Out
Specificity of Patient Consent
Who is responsible for Security
Modification of State privacy laws
Current focus is at the state level
Future amendments to HIPAA to encourage sharing of information?

Questions??

Stacy Harper, JD, MHSA, CPC
Forbes Law Group, LLC
10740 Nall Avenue, Suite 330
Overland Park, KS 66211
(913) 641-8619
[email protected]