Your Keys to Compliance: From HIPAA to Meaningful Use
Virginia Brooks, VHIT Director
Mark Watson, Director, Hancock, Daniel, Johnson & Nagle, PC
January 15, 2014


Page 1: Title slide

Your Keys to Compliance: From HIPAA to Meaningful Use
Virginia Brooks, VHIT Director
Mark Watson, Director, Hancock, Daniel, Johnson & Nagle, PC
January 15, 2014

Page 2: Today’s Presentation

Focus on Privacy & Security
• Know the Rules
• Meaningful Use
• Risk Assessment
• Be Prepared
• How Can VHIT Help You?

Page 3: Why Focus on Privacy & Security?

• Key to building patients’ trust
• Important for patient safety
• Essential for realizing full benefits of EHRs
• Avoid penalties for breaches
• Necessary to comply with federal, state and local laws

Page 4: HIPAA & HITECH Act

• Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects confidentiality and privacy of healthcare information
• American Recovery and Reinvestment Act of 2009 (“stimulus package”) includes the Health Information Technology for Economic and Clinical Health (HITECH) Act
  – Promotes adoption of EHRs by offering Medicare & Medicaid incentives to physicians demonstrating Meaningful Use

Page 5: Be Advised

This presentation is for informational purposes only and is not intended to suggest or offer legal advice.

Page 6: Know the Rules

• How do the new HIPAA regulations change things?
  o Updated terms/standards on:
    • Notice of privacy practices
    • Business associate agreements (and business associates)
    • Breach notification
    • Patient requests for restrictions
    • Access rights for patients
    • Marketing
    • Sale of PHI, research, PHI of decedents, and more ...

Page 7: Know the Rules

• Notices of Privacy Practices
  o Must state that authorization is typically required for:
    • most uses and disclosures of psychotherapy notes
    • most uses and disclosures for marketing
    • most uses of PHI
  o Must include statement on right to breach notification

Page 8: Know the Rules

• Notices of Privacy Practices
  o Has your NPP been updated regarding requested restrictions?

Page 9: Know the Rules

• Business Associates
  o HIPAA rule now includes entities and individuals that create, receive, maintain or transmit health information on behalf of the covered entity
  o Prior definition applied only to entities and individuals that used or disclosed health information

Page 10: Know the Rules

• Business Associates
  o “Conduit” exception
  o Regulatory comments say it’s narrow, excluding “only those entities providing mere courier services” such as the post office and ISPs.
  o Random or infrequent access to PHI doesn’t eliminate the “conduit” exception, BUT
  o If the entity requires access regularly, or is involved in something other than just transmission, the conduit exception doesn’t apply

Page 11: Know the Rules

• Business Associates
  o “Conduit” exception cont’d
  o Data storage company (digital or hard copy) is a BA even if it does not view the information
  o Document disposal company is a BA even if it does not view the information
  o BAAs should address subcontractors

Page 12: Know the Rules

• Business Associates
  o Timing for updates / changes
  o New arrangements on or after Jan. 25, 2013: new BAA standards apply
  o If the arrangement was in place before Jan. 25, 2013 and isn’t modified or renewed between March 26, 2013 and Sept. 23, 2013, you have until Sept. 22, 2014
  o If the arrangement is modified or renewed after March 26, 2013, new BAA standards apply

Page 13: Know the Rules

• HIPAA
  o Security Rule: establishes requirements for protecting electronic PHI
  o Confidentiality / Integrity / Availability
  o Physical / Technical / Administrative Safeguards
  o Develop and maintain policies and procedures
  o Back up / disaster recovery / emergency plans
  o Risk Assessment
  o Record incidents

Page 14: Know the Rules

• HIPAA
  o Breach Notification Rule: unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the information
  o Prior regulations defined a “Breach” as a compromise involving a significant risk of financial, reputational or other harm

Page 15: Know the Rules

• Breach
  o “Risk” criteria has technically been eliminated, BUT
  o Situation may not be a “compromise” if the CE or BA demonstrates that there is a “low probability” that the PHI has been compromised

Page 16: Know the Rules

• Breach
  o “Compromise” assessment based on:
    o The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
    o The unauthorized person who used the PHI or to whom disclosure was made
    o Whether the PHI was actually acquired or viewed
    o The extent to which the risk to the PHI has been mitigated

Page 17: Know the Rules

• HITECH Act changed things
  o CEs are required to agree to requests for restrictions in certain cases
• New regulations finalize these standards
  o CEs must agree to restrict disclosure of PHI to a health plan if
    o The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law
    o The PHI pertains solely to a health care item or service for which the individual, or someone other than the health plan, has paid in full

Page 18: HITECH Civil Monetary Penalties

Violation Category                         Each Violation       All Identical Violations per Calendar Year
Did Not Know                               $100 - $50,000       $1,500,000
Reasonable Cause                           $1,000 - $50,000     $1,500,000
Willful Neglect, corrected in 30 days      $10,000 - $50,000    $1,500,000
Willful Neglect, not corrected             $50,000              $1,500,000

Page 19: Know the Rules

Access to ePHI

• If ePHI is in a designated record set and the individual requests an electronic copy, the CE must provide the individual with access in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual

Page 20: Know the Rules

Marketing
• Has always required authorization, BUT
• Has also included “carve outs” for communications to describe other services by the CE and for case management/care coordination
• New regulations include similar terms, but many carve outs do not apply where the CE receives “financial remuneration”
• Financial remuneration means direct or indirect payment from or on behalf of a third party whose product is being described

Page 21: Know the Rules

Sale of PHI
• Strict prohibition on sale of PHI without authorization, with limited exceptions
• Authorization must state that the disclosure will result in remuneration to the CE
• Sale does not include (i.e. authorization isn’t required for):
  o Research
  o The sale or transfer of all or part of the CE and related due diligence

Page 22: Action Items

• Review and update your policies and procedures, including:
  o Breach notification
  o Requests for restrictions
  o Access rights
  o Marketing?
  o Research?
  o Sale of PHI?
  o Decedents?
  o Immunization records?

Page 23: Action Items

• Are other updates/revisions appropriate?
• Are your security policies, procedures and actual security measures appropriate?

Page 24: Enforcement Examples

• Rite Aid (2010)
  o Improper disposal of prescriptions and pill bottles
  o $1 million settlement, CAP, training for employees
• Massachusetts General (2011)
  o Employee took billing encounter forms home; 192 paper records lost
  o OCR settlement for $1 million, 3 year CAP
• Phoenix Cardiac Surgery (2012)
  o Patient appointments posted on Internet-based calendar
  o Practice implemented few policies/procedures, limited safeguards
  o OCR settlement for $100,000

Page 25: Meaningful Use Standards for Privacy & Security

• HITECH promotes adoption of EHRs by offering Medicare & Medicaid incentives to physicians demonstrating Meaningful Use

• MU Core Objectives require providers to protect health information created and maintained by an EHR.

• Having an ONC certified EHR vendor is not enough

Page 26: Data Security Safeguards

• Conduct security risk analysis
• Perform a thorough compliance audit
• Safeguards may include:
  o Documented policies and procedures that govern physical and environmental security of data, to include firewalls and more
  o Visitors are authenticated and escorted at all times, and there are detailed records of visits
  o Mobile devices are vulnerable and require much more than password or PIN to be secure

Page 27: Safeguards Continued

  o Secure areas are physically protected, such as monitoring by a receptionist, and security by locked doors and cameras
  o Keys and combinations are password protected or otherwise secure, and locks are changed when keys are lost or stolen and when employees are terminated
  o Adequate fire detectors exist and are powered by an independent energy source
  o And many more safeguards …

Page 28: Risk Assessment vs. Risk Analysis

• Risk assessment must be completed per HIPAA Security Rules to address reasonably anticipated risks to protect health information

• Risk analysis of EHR environment for Meaningful Use is necessary per HITECH to assess damage related to Breach Notification

Page 29: Perform a HIPAA Risk Assessment

Top 5 Privacy Issues Identified by OCR:
• Impermissible uses and disclosures
• Insufficient safeguards of PHI
• Failure to provide patient access to PHI
• Use/disclosure of more than minimum necessary PHI
• Insufficient notice to patients of use/disclosure of PHI

Page 30: Resources are Available

• Risk Analysis Now = Future Time + Savings

• Checklists & self-help tools can help you get ready

• Thorough risk analysis that will pass a compliance review requires expert knowledge

• VHIT is ready to help you!

Page 31: How VHIT Will Help

• Privacy & Security Risk Assessment
  – Verify physical, administrative and technical safeguards
  – Verify current Privacy & Security policies and procedures, BAA agreements, and business contingency plan
  – Risk mitigation plan based on findings

Page 32: What You Will Get

• Privacy & Security Risk Assessment results in hard copy and CD-ROM

• Policy templates and supporting documents

• Additional materials, including incident logs, cyber security tips, and FAQ tip sheets

• HIPAA/HITECH Security training certificates

Page 33: VHIT Expertise and Experience

• A Top 5 Regional Extension Center

• Supporting 4,000+ providers

• Helped 2,200+ qualify for federal EHR incentive payments

• Uniquely qualified

Page 34: Questions / Contact Us

• Virginia Brooks, MHA, CPHQ, (804) [email protected], http://vhitrec.org
• Mark C. Watson, JD, (866) [email protected], http://hdjn.com, Hancock, Daniel, Johnson & Nagle, P.C.