your keys to compliance: from hipaa to meaningful use virginia brooks vhit director mark watson...
TRANSCRIPT
Your Keys to Compliance:From HIPAA to Meaningful
UseVirginia Brooks
VHIT Director
Mark WatsonDirector, Hancock, Daniel,
Johnson & Nagle, PC
January 15, 2014
Today’s Presentation
Focus on Privacy & Security
Know the Rules Meaningful Use Risk Assessment Be Prepared How Can VHIT Help
You?
Why Focus on Privacy & Security?
• Key to building patients’ trust• Important for patient safety• Essential for realizing full benefits of
EHRs• Avoid penalties for breaches• Necessary to comply with federal,
state and local laws
HIPAA & HITECH Act
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects confidentiality and privacy of healthcare information
• American Recovery and Reinvestment Act of 2009 (“stimulus package”) of 2009 includes Health Information Technology for Economic Clinical Health (HITECH) Act– Promotes adoption of EHRs by offering
Medicare & Medicaid incentives to physicians demonstrating Meaningful Use
Be Advised
This presentation is for informational purposes only and is not intended to suggest or offer legal advice.
Know the Rules
• How do the new HIPAA regulations change things?oUpdated terms/standards on:• Notice of privacy practices• Business associate agreements (and business
associates)• Breach notification• Patient requests for restrictions• Access rights for patients• Marketing• Sale of PHI, Research, PHI of decedents, and
more ...
Know the Rules
• Notices of Privacy PracticesoMust state authorization typically
required for: most uses and disclosures of psychotherapy
notes most uses and disclosures for marketing most uses of PHI
o Must include statement on right to breach notification
Know the Rules
• Notices of Privacy PracticesoHas your NPP been updated regarding
requested restrictions?
Know the Rules
• Business AssociatesoHIPAA rule now includes entities and
individuals that create, receive, maintain or transmit health information on behalf of the covered entity
o Prior definition applied only to entities and individuals that used or disclosed health information
Know the Rules
• Business Associateso “Conduit” exception
oRegulatory comments say it’s narrow to exclude “only those entities providing mere courier services” such as the post office and ISPs.
oRandom or infrequent access to PHI doesn’t eliminate the “conduit” exception, BUT
o If the entity requires access regularly, or is involved in something other than just transmission, the conduit exception doesn’t apply
Know the Rules
• Business Associateso “Conduit” exception cont’d
oData storage company ( digital or hard copy) is a BA even if it does not view the information
oDocument disposal company is a BA even if it does not view the information
oBAAs should address subcontractors
Know the Rules
• Business Associateso Timing for updates / changes
oNew arrangements on or after Jan. 25, 2013, new BAA standards apply
o If the arrangement was in place before Jan. 25, 2013 and isn’t modified or renewed between March 26, 2013 and Sept. 23, 2013 – you have until Sept. 22, 2014
o If the arrangement is modified or renewed after March 26, 2013 – new BAA standards apply
Know the Rules
• HIPAAoSecurity Rule: establishes
requirements for protecting electronic PHIo Confidentiality / Integrity / Availabilityo Physical / Technical / Administrative
Safeguardso Develop and maintain policies and
procedureso Back up / disaster recovery / emergency
planso Risk Assessmento Record incidents
Know the Rules
• HIPAAoBreach Notification Rule:
unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the informationoPrior regulations defined a “Breach” as a
compromise involving a significant risk of financial, reputational or other harm
Know the Rules
• Breacho “Risk” criteria has technincally been
eliminated, BUTo Situation may not be a “compromise” if
the CE or BA demonstrates that there is a “low probability” that the PHI has been compromised
Know the Rules
• Breacho “Compromise” assessment based on:
oThe nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
oThe unauthorized person who used the PHI or to whom disclosure was made
oWhether the PHI was actually acquired or viewed
oThe extent to which the risk to the PHI has been mitigated
Know the Rules
• HITECH Act changed thingso CEs are required to agree to requests
for restrictions in certain cases
• New regulations finalize these standards
o CEs must agree to restrict disclosure of PHI to a health plan ifo The disclosure is for the purpose of carrying out
payment or health care operations and is not otherwise required by law
o The PHI pertains solely to a health care item or service for which the individual, or someone other than the health plan, has paid in full
HITECH Civil Monetary Penalties
Violation Category Each Violation All Identical Violations per Calendar Year
Did Not Know $100 - $50,000 $1,500,000Reasonable Cause $1,000 - $50,000 $1,500,000Willful Neglect –corrected in 30 days
$10,000 - $50,000 $1,500,000
Willful Neglect –not corrected
$50,000 $1,500,000
Know the Rules
Access to ePHI
• If ePHI is in a designated record set and the individual requests an electronic copy, the CE must provide the individual with access in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual
Know the Rules
Marketing• Has always required authorization, But• Has also included “carve outs” for
communications to describe other services by the CE and for case management/care coordination
• New regulations include similar terms, but many carve outs do not apply where the CE receives “ financial remuneration”
• Financial remuneration means direct or indirect payment from or on behalf of a third party whose product is being described
Know the Rules
Sale of PHI• Strict prohibition on sale of PHI without
authorization with limited exceptions• Authorization must state that the
disclosure will result in remuneration to the CE
• Sale does not include (i.e. authorization isn’t required) for:o Research o The sale or transfer of all or part of the CE and
related due diligence
Action Items
• Review and update your policies and procedures, including:o Breach notification o Requests for restrictionso Access rightso Marketing?o Research?o Sale of PHI?o Decedents?o Immunization records?
Action Items
• Are other updates/revisions appropriate?• Are your security policies, procedures and
actual security measures appropriate?
Enforcement Examples
• Rite Aid (2010)o Improper disposal of prescriptions and pill bottleso $1 million settlement, CAP, training for employees
• Massachusetts General (2011)o Employee took billing encounter forms home; 192 paper
records losto OCR settlement for $1 million, 3 year CAP
• Phoenix Cardiac Surgery (2012)o Patient appointments posted on Internet-based calendaro Practice implemented few policies/procedures, limited
safeguardso OCR settlement for $100,000
Meaningful Use Standards for Privacy & Security
• HITECH promotes adoption of EHRs by offering Medicare & Medicaid incentives to physicians demonstrating Meaningful Use
• MU Core Objectives require providers to protect health information created and maintained by an EHR.
• Having an ONC certified EHR vendor is not enough
Data Security Safeguards
• Conduct security risk analysis• Perform a thorough compliance audit• Safeguards may include:
oDocumented policies and procedures that govern physical and environmental security of data, to include firewalls and more
oVisitors are authenticated and escorted at all times, and there are detailed records of visits
oMobile devices are vulnerable and require much more than password or PIN to be secure
Safeguards Continued
o Secure areas are physically protected, such as monitoring by a receptionist, and security by locked doors and cameras
o Keys and combinations are password protected or otherwise secure, and locks are changed when keys are lost or stolen and when employees are terminated
o Adequate fire detectors exist and powered by an independent energy source
o And many more safeguards …
Risk Assessment vs. Risk Analysis
• Risk assessment must be completed per HIPAA Security Rules to address reasonably anticipated risks to protect health information
• Risk analysis of EHR environment for Meaningful Use is necessary per HITECH to assess damage related to Breach Notification
Perform a HIPAA Risk Assessment
Top 5 Privacy Issues Identified by OCR:• Impermissible uses and disclosures• Insufficient safeguards of PHI• Failure to provide patient access to PHI• Use/disclosure of more than minimum
necessary PHI• Insufficient notice to patients of
use/disclosure of PHI
Resources are Available
• Risk Analysis Now = Future Time + Savings
• Checklists & self-help tools can help you get ready
• Thorough risk analysis that will pass a compliance review requires expert knowledge
• VHIT is ready to help you!
How VHIT Will Help
• Privacy & Security Risk Assessment– Verify physical, administrative and
technical safeguards– Verify current Privacy & Security policies
and procedures, BAA agreements, and business contingency plan
– Risk mitigation plan based on findings
What You Will Get
• Privacy & Security Risk Assessment results in hard copy and CD-ROM
• Policy templates and supporting documents
• Additional materials, including incident logs, cyber security tips, and FAQ tip sheets
• HIPAA/HITECH Security training certificates
VHIT Expertise and Experience
• A Top 5 Regional Extension Center
• Supporting 4,000+ providers
• Helped 2,200+ qualify for federal EHR incentive payments
• Uniquely qualified
Questions / Contact Us
• Virginia Brooks, MHA, CPHQ (804) [email protected] http://vhitrec.org
• Mark C. Watson, JD(866) [email protected] http://hdjn.com Hancock, Daniel, Johnson & Nagle, P.C.