Electronic Health Records, Privacy, and HIPAA
Kristi L. Remington
Blank Rome Government Relations LLC
04/21/09 | Session ID: HOT-108
Session Classification: Intermediate
Agenda
I. HITECH Act – An Overview
II. Security Changes
III. Privacy Changes
IV. Enforcement
V. Next Steps
VI. Q&A
HITECH Act—What it is and is supposed to do…
HITECH Act
What Is the HITECH Act?
Health Information Technology for Economic and Clinical Health Act (HITECH) is the section of the American Recovery and Reinvestment Act of 2009 relating to health information technology.
HITECH Act
What Is the Big Picture?
– Provide the means to transform the health care system in the U.S.
– Provide caregivers with the tools to improve the treatment of patients
– Have an EHR for everyone in the US by 2014
HITECH Act
How Does HITECH Help Get Us There?
– There are 3 parts to the Act:
• Formalizes in statute the health IT efforts put in place by the Bush Administration and creates a framework for the NHIN.
• Provides a privacy and security framework and safeguards in order to make people comfortable enough to accept EHRs.
• Provides over $30 billion in direct and incentive payments to promote the use and adoption of HIT.
HITECH Act
What Are Some of the Patient/Consumer Safeguards in the HITECH Act?
– HITECH significantly expands the HIPAA privacy rule and security standards
– Changes the rules for business associates
– Adds accounting of disclosure requirements
– Adds provisions on breach notification
– Tightens marketing restrictions
– Enhances enforcement provisions
HITECH Act
Why Should You Care?
– Many more entities will be subject to the HIPAA privacy and security requirements
– There are increased civil and criminal penalties for violations of the privacy and security requirements
– $30 billion in funding available for health IT
HITECH Act—Business Associates
Who Is a Business Associate Under the Act?
– The definition of business associate of a covered entity was expanded to include:
• Each organization that provides data transmission of PHI to a covered entity OR its business associate and those that require access on a routine basis to such PHI
• Vendors that contract with a covered entity to offer PHRs to patients
The new definition went into effect upon enactment.
HITECH Act—Business Associates
Business Associates—What Are the Changes?
– The HIPAA Security Standards, and the civil and criminal penalties for violating those standards, will apply to business associates directly, as such standards apply to the covered entities for whom they work.
• Previously, violations could NOT be enforced directly against business associates.
– Business associates have a statutory obligation to comply with the security standards, and are subject to civil and criminal enforcement if they fail to comply.
Changes to HIPAA Security Provisions
HITECH Act—Security Breach
New Rules on Breach
In the event of a breach of “unsecured PHI” that is discovered by a covered entity, the covered entity must notify each individual whose information has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach.
HITECH Act—Security Breach
To Whom Do the New Breach Rules Apply?
• Covered Entities and
• Business Associates
HITECH Act—Security Breach
What Is a Breach?
A breach is “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information…” except where it is not reasonably expected that the information would be retained.
HITECH Act—Security Breach
What Is Not a Breach?
– An unintentional acquisition, access, or use of PHI by an employee or someone acting under the authority of a covered entity/business associate, if:
• Good faith and within the scope of employment; and
• Not further acquired, accessed, used or disclosed
– An inadvertent disclosure from one employee to another and the information is not further acquired, accessed, used or disclosed
HITECH Act—Security Breach
Notification Rules Apply for “Unsecured PHI”
– “Unsecured PHI” means PHI that is not secured using the technology or methodology identified by the Secretary of HHS in its to-be-issued guidance on the subject.
• Guidance is due under the Act on April 18, 2009
• If no guidance issues, then “unsecured PHI” = PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standard developing organization that is accredited by ANSI.
HITECH Act—Security Breach
When Must A Covered Entity Provide Notice?
• Generally, covered entities must send breach notices without unreasonable delay and in no case later than 60 calendar days after discovery. Breaches are not limited to online information, nor restricted to financially sensitive information or social security number.
HITECH Act—Security Breach
When Must A Covered Entity Provide Notice?
• For purposes of notification, a breach is “discovered” on the first day on which such breach is known to the covered entity or business associate, or reasonably should have been known. The clock starts running as soon as anyone in the organization knows or should have known about the breach.
• If the breach is discovered by a business associate, the business associate is required to notify the covered entity of the breach, including the identification of each individual who has been or is reasonably believed to have been affected by the breach.
HITECH Act—Security Breach
Security Breaches—Notice Required to Each Individual
• A brief description of the incident, including the date of the breach and the date of the discovery of the breach.
• A description of the types of unsecured PHI involved.
• The steps individuals should take to protect themselves from potential harm resulting from the breach.
• A brief description of what the covered entity is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
• Contact procedures for individuals to ask questions or learn additional information.
HITECH Act—Security Breach
Reporting Requirements
• If more than 500 individuals were impacted, notice of the breach must be provided to HHS immediately and prominent media outlets serving the applicable geographic area must be notified.
• If the breach impacted fewer than 500 individuals, an entity must maintain a log of such breaches and annually submit it to the Secretary.
HITECH Act—PHR v. EHR
PHR v. EHR: What is the difference and why does it matter under the HITECH Act?
• Personal Health Record: patient controlled
• Electronic Health Record: provider controlled
HITECH Act—Security Breach
PHR Vendor Breach Requirements
• PHRs are subject to breach notification requirements
– Must notify each individual who is a citizen or resident of the US and
– Notify the Federal Trade Commission (FTC)
– Third party service providers to PHRs are required to report back to the PHR
– The FTC is responsible for issuing regulations within 6 months of the Act (August 2009)
Changes to HIPAA Privacy Provisions
HITECH Act—Privacy Requirements
HITECH Implements Additional Privacy Requirements and Applies Them to Business Associates
• Provides additional rights to limit access to PHI
• Alters the “minimum necessary” rule
• Strengthens the accounting requirement
• Provides the right for a patient to access his PHI in electronic form
HITECH Act—Privacy Requirements
Right to Limit Access to PHI
• Prior to HITECH, a patient could request that his healthcare provider restrict certain disclosures of PHI, but the provider did not have to agree.
• HITECH requires that a provider (or any covered entity) comply with the request except for disclosures to a health plan for payment or “health care operations.”
HITECH Act—Privacy Requirements
Minimum Necessary Standard
• Prior to HITECH, covered entities had to apply a “minimum necessary” standard to uses and disclosures of PHI and requests for PHI.
– A covered entity must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose of the use or disclosure.
• HITECH requires HHS to issue guidance on what constitutes “minimum necessary” within 18 months.
HITECH Act—Privacy Requirements
Accounting Requirement
• Prior to HITECH, the accounting requirement did not include PHI disclosures for treatment, payment and healthcare operations.
• HITECH allows a patient to request an accounting of PHI disclosures for treatment, payment and healthcare operations for the past 3 years from both a covered entity and a business associate.
HITECH Act—Privacy Requirements
Access in Electronic Form
• Prior to HITECH, there was no responsibility to provide a patient access to his PHI in electronic form.
• HITECH requires covered entities that use or maintain EHRs to provide individuals access to their PHI in electronic format, if requested.
New Enforcement Provisions
HITECH Act—Enforcement
Who Is Subject to Enforcement?
• Covered Entities and Business Associates
• The HITECH Act provides that criminal penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose PHI maintained by a covered entity, whether they are employees of the covered entity or not.
HITECH Act—Enforcement
Who Gets to Enforce?
• State Attorneys General
• The HITECH Act authorizes State Attorneys General to bring a civil action in Federal district court against individuals who violate HIPAA.
• Damages of up to $100 per violation, capped at $25,000 for all violations of an identical requirement or prohibition in any calendar year.
• No state action if a federal action against that same individual is pending.
HITECH Act—Enforcement
Are the State Attorney General Penalties Weak?
NAAG
HITECH Act—Enforcement
Who Else Gets New Enforcement?
• The Office of Civil Rights (OCR) may investigate and impose civil monetary penalties against any individual for an alleged criminal violation of HIPAA if the Justice Department had not prosecuted the individual.
• OCR may also require a formal investigation of complaints and the imposition of civil monetary penalties for violations due to willful neglect.
HITECH—Enforcement
What Are the Civil Penalties for Violating HIPAA Privacy and Security Provisions?
The Act amends HIPAA to increase penalties for violations of HIPAA and the Act. These increased penalties for HIPAA violations go into effect immediately.
HITECH—Enforcement
Violation | Minimum Penalty | Maximum Penalty
Unknowing violations | $100/violation | No more than $25K/calendar year
Violation does not involve willful neglect | $1,000/violation | No more than $100K/calendar year
Willful neglect | $10,000/violation | No more than $250K/calendar year
Willful neglect with aggravating factors | $50,000/violation | No more than $1.5M
What Are the Next Steps?
Next Steps—Implementation
HHS Is Required to Issue Guidance
– Who Will Take the Lead?
• The Office of the National Coordinator and CMS are taking the lead on the guidance and regulations.
• HHS needs to get confirmed political leadership in place to ensure timely enactment of guidance and regulations.
Next Steps—Implementation
What are the upcoming relevant deadlines?
April 18 – HHS Guidance on Breach Notification
May 18 – Standards Committee Schedule
August 18 – Interim Final Rules on Breach Notification for EHR and PHR
December 31 – Initial Standards Published
February 17, 2010 – All privacy and security provisions effective
June 2010 – Accounting for disclosure regulations
Next Steps—Adoption
Will Health Care Providers Adopt EHRs?
• Ease of Use
• Incentives
• Money Provided
Next Steps—Adoption
Will Patients Want to Use EHRs/PHRs?
• Patient Benefit
• Privacy and Security
How Will Health Care Reform Change Things?
Health Care Reform
Legislators May Very Well Revisit These Issues in Overall Health Care Reform—What Might We See?
• Additional changes to privacy and security
• Tinkering around the edges
What You Should Do Next
• Determine whether you might be a business associate.
• If so, review all of your current contracts—they will likely need to be updated.
• Determine what safeguards or additional technology you might need.
• Keep in mind the dates that additional information will be released by HHS and follow up.
Questions?