HITECH & Breach Notification
Penalty increased
$1.5M
Meaningful use in a nutshell
-Use of a certified electronic product complete w/ e-prescribing
-Connected for the electronic exchange of PHI (had to be interoperable)
-Coupled w/ submission of reports on clinical quality measures
Changes to the Notice
-Add prohibition on sale of PHI
-Add duty to notify affected individuals of a breach of unsecured PHI
-Expanded right re: fundraising opt-out
-Add the absolute right to restrict disclosure of PHI when paying for items/services in full out of pocket
-Removal from the notice of statements that we may contact the individual to provide appointment reminders or information about treatment alternatives or other health benefits & services that may be of interest to the individual. These can now be considered treatment and health care operation uses.*
* Exception: when receiving remuneration for the communication, the patient must authorize.
Fundraising
Added categories of PHI that can be used/disclosed for fundraising purposes:
-Department or Service
-Treating Physician
-Outcome information
-Health Insurance status
Strengthened the opt-out for fundraising:
-Clear and Conspicuous
-Must not require undue burden
-May not condition treatment/payment
-Must ensure no further fundraising communications are sent
-Must provide method to opt back in
Marketing
Communications about a product or service that encourage purchase/use are marketing & require patient authorization. 2 exceptions:
#1 Refill reminders about a drug or biologic currently prescribed for the patient - any remuneration received for making the communication is reasonably related to the cost of making the communication
#2 Communication is provided specifically for treatment or health care operations - treatment of a patient by a health care provider including case mgmt/care coordination; to describe a health-related product or service; case mgmt/care coordination, contacting the patient regarding treatment alternatives
CANNOT RECEIVE or ACCEPT REMUNERATION IN EXCHANGE FOR MAKING THE COMMUNICATION
Worst Case Scenario...
Criminal Penalties: Criminal penalties = large fines + jail time, and increase with the degree of the offense. Example: A hospital employee steals and sells patient information for personal profit. Criminal penalties could be as much as $1.5 million and/or 10 years in jail.
Research
Harmonized Common Rule w/ HIPAA. Now permits compound authorizations
-conditioned & unconditioned participation
-unconditioned must be specifically opted in
Research authorization may now govern future research
-must reasonably identify potential future research
** makes research easier
What else could we expect? New Restrictions on...
Marketing - definition of marketing clarified
Fundraising - must have a clear and conspicuous way to "opt out" of future communications, applicable for communications made after February 17, 2010.
Sale of PHI - CE is no longer permitted to receive payment for PHI even if the disclosure is otherwise lawful and permitted by the Privacy Rule (exceptions: research, public health activities, sale or transfer of a practice)
What else could we expect? New Right to Obtain Copies of Electronic Health Record
When the CE uses an EHR, the individual has the right to request and receive an electronic copy of their records.
-Individual can direct CE to send electronic copy directly to another party or entity
-Maximum fees are the direct labor costs associated with fulfilling the request
HITECH Act 2009
-American Recovery & Reinvestment Act
-Signed into law 2/17/09
-Enforcement date 2/18/2010
HHS Guidance defined in the Act
-April 17, 2009: Secretary of HHS to define "unsecured PHI" (September 2009)
-August 17, 2009: FTC to issue final regulations on what constitutes a breach (Sept 2009)
-August 17, 2009: Secretary of HHS to identify what must be included in an AoD from an EHR (individuals can now access disclosures for treatment, payment and healthcare operations)
-February 17, 2010: Restrictions on marketing and fundraising take effect (January 25, 2013)
-February 17, 2010: Secretary of HHS to issue guidance on de-identification of PHI (Nov 2012)
-August 17, 2010: Secretary of HHS to issue regulations on the sale of PHI (January 25, 2013)
-August 17, 2010: Report to the Secretary of HHS with recommendations on what a patient harmed by a breach is entitled to in a financial settlement (wasn't completed in time)
What changes could we expect?
-Breach Notification (Interim Reg September 23, 2009) - notification when information is sent to the wrong place
-Electronic Copies (patient access law)
-Individually Directed Privacy Restrictions (pay out of pocket for a service so it doesn't go on insurance claims)
-Restrictions on Marketing, Fundraising and the sale of PHI
-Preference for Limited Data Sets and De-Identification
-Extension of Minimum Necessary
-Vendors/Business Associates (subject to penalties)
-Accounting for Disclosures (NPRM 5/31/11)
-Increased Enforcement and New Penalties - individuals are subject to the criminal provisions; State AGs can bring civil suit in Federal Courts on behalf of state residents; harmed individuals can receive a % of CMPs or settlement (AGs trained 2012)
Breach Notification Interim Regulation
-Effective September 23, 2009, Breach Notification is required for any unauthorized acquisition, access, use or disclosure of "unsecured" PHI
-"Breach" being the acquisition, access, use or disclosure of protected health information in a manner not permitted under HIPAA privacy rules that also compromises the security or privacy of the protected health information.
-A breach of protected health information can lead to "unprotected" protected health information, "unprotected" being any protected health information that has not been rendered unusable or unreadable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS guidance
-Guidance provided August 27, 2009: Breach Notification Standards required the provision of notice to affected individuals, HHS and in some cases the media, in the event of a breach of unsecured PHI. Prescribed rules w/ respect to methods, content and permissible time frame for providing such notice. Specified appropriate technologies or methodologies: encryption or destruction (proper disposal). Focus on mobile devices, data at rest and data in transit.
Business Associates & Subcontractors Changes
-Expanded the definition of BA; includes HIEs, e-prescribing gateways, cloud storage vendors, Patient Safety Orgs
-Directly applies key parts of the HIPAA Privacy Rule and all of the HIPAA Security Rule to BAs, along with direct liability
-Still require Business Associate Agreements (BAAs)
-"Subcontractors" are now BAs - a person or entity to whom a BA delegates a function, activity or service on behalf of the BA for a Covered Entity.
-"Satisfactory Assurances" of compliance are needed for each downstream agreement (CE>BA; BA>Subcontractor of BA; Subcontractor BA>Sub-Subcontractor of BA, etc.)
-"Conduits" that only have access to PHI on a random or infrequent basis are not considered BAs (USPS, courier services and electronic equivalents - distinction between transmission, considered transient, vs. storage, considered persistent); they don't maintain or store PHI
Meaningful use and Stimulus $
-Incentives for adoption of EHRs included in the ARRA
-2 payment programs, one thru Medicare and the other thru Medicaid
-Providers can only submit for payment of the incentive bonus from one of the programs, so payer mix will have to be analyzed to determine where the greatest benefit will be attained.
-Incentive payments to begin 2011
-Penalties begin 2015: payment reductions to 99%, then 98% in 2016 and 97% in 2017 and thereafter; further cuts may occur after 2018
Decedent Information
-No longer have to protect an individual's health info 50 years following the date of the individual's death
-Disclosure of decedent's PHI to family members and others involved in the care or payment for care (NY "qualified person") - unless contrary to prior expressed preference - limited to PHI relevant to the person's involvement
-Does not apply to sensitive information protected by state law (HIV/AIDS, mental health) or federal law (substance abuse treatment)
**Not to be interpreted as a required retention period
What is HITECH?
-On February 17, 2009 the Federal Stimulus Bill or American Recovery and Reinvestment Act (ARRA) was signed into law and included provisions to address the Health Information Technology for Economic and Clinical Health Act (HITECH).
-Purpose is to create a national health information infrastructure and widespread adoption of electronic health records through monetary incentives.
-Provide enhanced Privacy & Security Protections under HIPAA, including increased legal liability for non-compliance and greater enforcement.
Exceptions to the sale prohibition
-Public Health Purposes
-Research
-Treatment & Payment
-Sale, transfer, merger or consolidation
-To or by a Business Associate for activities that the BA undertakes on behalf of a CE
-To an individual
-Required by law
-For a permitted purpose where the only remuneration received by the CE or BA is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI
What were we waiting on?
-The regulations and guidance for the HITECH Act from the Secretary of Health and Human Services (HHS)
-The Act is effective as of February 18, 2010
Risk of Harm > Assessment of Probability
-Under the interim regulation we were required to notify patients when we didn't get their PHI to the correct recipient (misdialed fax #, employee snooping, handing the wrong discharge documents to the wrong patient, wrong address on an envelope when mailing test results, you get the picture) if, when performing an "assessment of risk", we identified the potential for harm, either financial, reputational or other, to the patient.
-Now, instead of assessing potential harm in our risk assessment, we need to consider the probability that the PHI has been compromised.
-A breach is presumed to be reportable unless our risk assessment indicates a low probability that the PHI has been compromised.
Prohibition on the sale of PHI
-Unless authorized, the sale of PHI is not permitted.
-"Sale" is defined as disclosure of PHI where the seller directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI
-Any authorization for the sale of PHI must state that the disclosure will result in remuneration (money paid for work or a service) to the Covered Entity
Patient Rights Access
-Access to readable electronic copies of their PHI maintained electronically (CD, USB drive, PHR)
-Request to transmit a copy of PHI to a 3rd party electronically, including via email (request in writing, signed by pt., clearly identifies to whom and where to send the copy; pt. must be informed of the risk if email is unencrypted - expectation to educate)
-Cost/Time - reasonable cost-based fee / within 30 days (NYS PHL preempts - 10 day response)
What else could we expect? Accounting of Disclosures
Accounting of Disclosures from the electronic medical record to now include treatment, payment and healthcare operations for up to a 3 year period. NPRM 5/31/2011
-Requirements include audit trails - content yet to be defined - proposed: date/time, name, action
-Scope including T,P,O electronic record - in addition to paper record requirements under HIPAA
-Challenges
 -Tracking batch releases
 -Printing performed through ad hoc means
 -To include unintentional/inadvertent accesses?
Top 5 Issues for Physician Practices
-Breach Notification Policy and Securing PHI
-Updating Business Associate Agreements
-Privacy and Security Policies
-Training
-Notice of Privacy Practices and Patient Rights
 -New restrictions on disclosure
 -Accounting of Disclosures from electronic record
 -Access to PHI in electronic format
 -New marketing and sale of PHI restrictions and minimum necessary
What else could we expect? Business Associates of a Covered Entity
Business Associates of a Covered Entity are held to the same standards and are liable under the HITECH Act. Business Associate Agreements must be updated to include HITECH provisions.
-BAs must comply with the administrative, technical and physical safeguards defined in the HIPAA Security Rule.
-BAs must establish and maintain appropriate P&Ps
-BAs must report breaches just like CEs
-Guidance finalized 1/25/2013 re: addendums vs. new BAAs
The New HIPAA → HITECH Act
Changes include:
-Increased Patient Rights
-Business Associates & Subcontractors
-New Limits on Uses & Disclosures of PHI
-Notice of Privacy Practices
-Breach Notification Rule
-Increased Enforcement
How is HIPAA Enforced under HITECH Rules?
Civil monetary penalty: civil penalty for inadvertent violation = fines of $100 - $1k per incident, up to $250,000 per year for each similar offense.
EXAMPLE: A hospital employee violates HIPAA by misdialing a fax number and sending 100 patient records to Starbucks. The hospital & the employee may have to pay a $10k - $100K fine.
Key Phrase - Willful Neglect
Defined as conscious, intentional failure or reckless indifference
-OCR will investigate all cases of possible willful neglect
-OCR will impose penalties on all violations due to willful neglect
-OCR may proceed directly to penalty without seeking informal resolution or settlement.
Direct liability (civil and criminal) for Business Associates
Covered Entities and Business Associates remain liable for the acts or omissions of their "agents": CE for BA agents and BA for subcontractors' agents (reasonable cause).
HHS Office of Civil Rights (OCR)
Enforces privacy & security standards
Authorization must be obtained for any use/disclosure of PHI for marketing except:
-Face-to-face communications
-Promotional gift of nominal value
**When a marketing activity includes remuneration from a 3rd party, the authorization must include such in detail
Proof of Immunizations
Immunization records may be disclosed to schools:
-if state law requires schools to have immunization records
-written or documented oral agreement by the parent, guardian or emancipated minor is required
Enforcement and New Penalties
Increased enforcement and oversight activities; CEs and BAs are subject to the same civil and criminal penalties; CEs and individual(s) now made subject to criminal provisions; State AGs can bring civil suit in Federal Courts on behalf of state residents; harmed individuals can receive a % of CMPs or financial settlement(s), percentage TBD.
What else could we expect? Individually Directed Privacy Restrictions
Individually Directed Privacy Restrictions expanded the patient's right to request restriction of disclosure to a health plan:
-If health services are paid in full by the patient (out-of-pocket at the time of service)
-CE must agree to the individual disclosure restriction - no longer optional, now mandatory
-Downstream effects
"Omnibus Rule" / "Mega Rule"
Privacy & Security Rules
Breach Notification Rule
Genetic Information Nondiscrimination Act (GINA)
Enforcement Rule
Finalized Jan 25, 2013; Compliance Date September 23, 2013
Request to Restrict
The Final Rule creates a new patient right to restrict disclosures of PHI to a health plan for payment and health care operations where the individual, or a family member, or other person pays out of pocket in full for the healthcare items/services. Must abide by the request. (For discussion: bounced checks, health savings accounts.)
We will need to develop methods to create a notation in the medical record related to the restriction so that the restricted information is not sent or accessible to the health plan.
Under the "required by law" requirement we can disclose the restricted information to Medicare/Medicaid audits.
**Has 20 days before they bill to insurance because of bad checks or credit cards
So, what is considered compromised?
The rule doesn't define "compromised" but does give us factors to take into consideration when assessing risk.
All breaches must be reported promptly (PHI that does not get to the correct recipient). Required to perform a risk assessment to determine if notification to the affected patient(s) is needed and send the notification in compliance w/ the regulatory requirements.
Employees are responsible for 65% of data breaches due to poor/improper handling of paper and devices.
Tiered penalties
Tier A - Offender didn't know, and by reasonable diligence would not have known, that he/she violated the law: $100/violation and $25K annual max total/violator.
Tier B - Violation due to reasonable cause and not willful neglect: $1000/violation and $100k annual max total/violator
Tier C - Violation due to willful neglect but was corrected: $10,000/violation and $250K annual max total/violator
Tier D - Violation due to willful neglect and was not corrected: $50k/violation and $1.5 million annual max total/violator
Audit law
Can track the log of medical record access