America’s Voice for Community Health Care
The NACHC Mission
To promote the provision of high quality, comprehensive and affordable health care that is coordinated, culturally and linguistically competent, and community directed for all medically underserved people.
American Recovery and Reinvestment Act
Changes to HIPAA
Michael Lardiere, LCSW
Director, Health Information Technology
Sr. Advisor, Behavioral Health
National Association of Community Health Centers
October 16-18, 2009
American Recovery and Reinvestment Act of 2009
Includes the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
Important substantive changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Mandates extensive new regulations around electronic medical records.
Extends the HIPAA Privacy and Security Provisions and Penalties to Business Associates of Covered Entities
Health information exchanges
Regional health information organizations
e-prescribing gateways and other technology vendors
Vendors contracted with a Covered Entity to provide a Personal Health Record (PHR) as part of an Electronic Health Record (EHR)
The HITECH Act defines a “personal health record” as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. An electronic health record is defined as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”
BAs will be treated just like Covered Entities for purposes of the HIPAA privacy and security provisions and will be responsible for:
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Policies and Procedures and Documentation requirements of the Security Rule
45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, respectively.
Liability for civil and criminal penalties
Covered Entities will likely have to revise their existing Business Associate Agreements to incorporate language reflecting this change
Business Associates will have an obligation to terminate their Business Associate Agreements with Covered Entities if they have knowledge of a pattern of noncompliance with the Privacy Rule by the Covered Entity
Increases Penalties for HIPAA Violations and Expands Enforcement Mechanisms
Amount of civil monetary penalties (CMPs) available has increased
Civil monetary penalties are now structured in a tiered format, ranging from $100 per violation up to $50,000 per violation
Anyone whose PHI is accessed in violation of HIPAA will be eligible to share a percentage of any CMPs collected
Office of Civil Rights will continue to enforce HIPAA compliance
State Attorneys General will now have the power to enforce HIPAA by bringing suit in federal district court
Act requires DHHS to periodically audit Covered Entities and Business Associates to assess HIPAA compliance
Covered Entities and Business Associates need to make sure that all of their HIPAA policies and procedures are up to date and in use
Creates a Comprehensive New Set of Requirements Around Notification of Data Breaches or Suspected Data Breaches
Notification must be made within 60 days of discovery
Will require prompt investigation and assessment of suspected breaches
Mandates public reporting to both the DHHS and media outlets in the event of a breach affecting more than 500 individuals
DHHS will publish a list on its website that identifies each Covered Entity involved in a breach of more than 500 individuals
The notice must include:
(1) a brief description of the breach, including the date it occurred and the date it was discovered
(2) the types of PHI involved in the breach
(3) steps individuals should take to protect themselves
(4) steps the Covered Entity is taking to investigate the breach and protect against future breaches, and
(5) contact information to ask questions and learn more
Notice must be provided by first class mail to the individual’s last known address, unless the individual has specified a preference to receive information by electronic mail, in which case notice may be provided electronically
If the contact information for more than 10 affected individuals is out of date, notice may be provided through a posting on the entity’s web site or in major print or broadcast media
If a Business Associate discovers a breach of unsecured PHI, it must notify the Covered Entity of the breach and include a list of each individual whose PHI was or is reasonably believed to have been accessed or acquired during the breach
If the breach involves the access or acquisition of the PHI of more than 500 residents of a State or jurisdiction, notice must be made to the prominent media outlets of that State or jurisdiction
The Covered Entity must keep a log of its discovered breaches and provide a copy of the log to DHHS annually
If a breach involves the access or acquisition of the PHI of more than 500 individuals, notice must be provided to DHHS immediately
Creates a New Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities
Vendors of personal health records and related vendors must notify:
The Federal Trade Commission (FTC), and
Any U.S. citizens whose information was acquired as a result of the breach
Empowers the FTC to begin policing medical privacy, which is a significant expansion of federal oversight of medical information.
Expands HIPAA Mandated Accounting of Disclosures for Those Using Electronic Health Records
Covered Entities and Business Associates using electronic health records will be required to make available an accounting of all uses and disclosures of the electronic health record in the previous three years, including disclosures for payment, treatment, and operations
The time period for which an individual may request such an accounting is shortened from up to 6 years to 3 years
In responding to a request for an accounting, the Covered Entity can choose to provide either:
The disclosures of the patient’s PHI made by the Covered Entity and its Business Associates, or
Merely the disclosures made by the Covered Entity and a list of its Business Associates
For entities that were using EHRs as of January 1, 2009, the provision applies to disclosures made on or after January 1, 2014.
For entities that adopt EHRs after January 1, 2009, the provision will apply on January 1, 2011 or the date when the Covered Entity begins using EHRs, whichever is later
Revisions to an Individual’s Right to Request a Copy of His or Her Record
If the Covered Entity uses EHR, the patient may request his or her record be produced in an electronic format and to be transmitted to a person designated by the patient
The fee for production of an electronic copy of the record shall not be greater than the labor costs of responding to the request
Establishment of the “Minimum Necessary” Standard
Covered Entities and Business Associates must, to the extent practicable, limit use or disclosure of PHI either to the limited data set or to the “minimum necessary” to accomplish the stated purpose of the use/disclosure
Adopts New Prohibitions on the Sale of Electronic Health Information
Language is sufficiently vague to create uncertainty about the ability of regional health information organizations, health information exchanges, and e-prescribing services to charge fees for their services
Eliminates Sharing of PHI for Marketing and Fundraising Purposes from the Definition of Health Care Operations Under HIPAA
Fundraising is no longer considered part of operations
In order to use PHI for direct fundraising campaigns, a Covered Entity must first obtain an authorization from the patient
This was then modified to allow fundraising to continue, but the Covered Entity must give the patient the option to opt out of future
De-Identified Health Information
There are no restrictions on the use or disclosure of de-identified health information
De-identified health information neither identifies nor provides a reasonable basis to identify an individual
There are two ways to de-identify information:
1) a formal determination by a qualified statistician, or
2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers; this is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual
The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed to achieve the “safe harbor” method of de-identification:
(A) Names
(B) Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if:
the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and
the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
(C) All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
(D) Telephone numbers
(E) Fax numbers
(F) Electronic mail addresses
(G) Social security numbers
(H) Medical record numbers
(I) Health plan beneficiary numbers
(J) Account numbers
(K) Certificate/license numbers
(L) Vehicle identifiers and serial numbers, including license plate numbers
(M) Device identifiers and serial numbers
(N) Web Universal Resource Locators (URLs)
(O) Internet Protocol (IP) address numbers
(P) Biometric identifiers, including finger and voice prints
(Q) Full face photographic images and any comparable images
(R) Any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes provided certain conditions are met
In addition to the removal of the above-stated identifiers, the covered entity may not have actual knowledge that the remaining information could be used alone or in combination with any other information to identify an individual who is the subject of the information
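As an added example (not from the NACHC slides), the safe-harbor rules above applied in Python to a constructed patient record: direct identifiers are dropped, zip codes are reduced to three digits or 000, dates are reduced to the year, and ages over 89 collapse into a single 90+ category with the birth year removed. The set of small 3-digit zip areas and all sample values are hypothetical; a real implementation must take the zip-area populations from Census data.

```python
from datetime import date

# Constructed stand-in for the Census-derived set of 3-digit zip areas
# with 20,000 or fewer people (hypothetical values, not real data).
SMALL_ZIP3_AREAS = {"036", "102"}

# Safe-harbor items A and D through R: dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

def deidentify_zip(zip_code: str) -> str:
    """Item B: keep the first three digits, or 000 for small areas."""
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_ZIP3_AREAS else prefix

def age_on(birth: date, ref: date) -> int:
    # Age in completed years on the reference date.
    years = ref.year - birth.year
    if (ref.month, ref.day) < (birth.month, birth.day):
        years -= 1
    return years

def safe_harbor(record: dict, ref: date) -> dict:
    """Return the safe-harbor view of record as of the reference date."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "birth_date":
            continue                       # birth_date handled below
        if key == "zip":
            out[key] = deidentify_zip(value)
        elif isinstance(value, date):
            out[key] = str(value.year)     # item C: year only
        else:
            out[key] = value
    if "birth_date" in record:
        age = age_on(record["birth_date"], ref)
        if age > 89:
            out["age"] = "90+"             # item C: birth year removed too
        else:
            out["age"] = str(age)
            out["birth_year"] = str(record["birth_date"].year)
    return out

# Constructed sample record with fictional values.
SAMPLE = {"name": "Jane Q. Sample", "street_address": "1 Example Way",
          "city": "Springfield", "zip": "03611", "ssn": "000-00-0000",
          "birth_date": date(1917, 5, 2), "admission_date": date(2009, 10, 16),
          "diagnosis_code": "E11.9"}
```

Running `safe_harbor(SAMPLE, date(2009, 10, 18))` leaves only the zip prefix (000, because 036 is in the small-area set), the admission year, the diagnosis code and the 90+ age category.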
SUMMARY OF THE HIPAA PRIVACY RULE, Office of Civil Rights
http://www.nachc.com/client/HIPAA%20Privacy%20Rule%20Summary_8_19_09.pdf
To reduce risks covered entities should consider accomplishing the following tasks:
Implement systems for detecting a security breach
Create a security breach response plan or update the existing plan
Conduct workforce training in responding to a security breach.
Negotiate amendments to business associate agreements to address security breaches
Revise HIPAA policies and procedures to address the security breach regulations.
Federally Qualified Health Centers
Michael Lardiere, LCSW
Director HIT; Sr. Advisor Behavioral Health
National Association of Community Health Centers
301-347-0400 xt [email protected]