HOT-108

Uploaded 2010-10-14, 44 pages, PDF, 743KB, 5 reads
Electronic Health Records, Privacy, and HIPAA
Kristi L. Remington
Blank Rome Government Relations LLC
04/21/09 | Session ID: HOT-108
Session Classification: Intermediate

Agenda
I. HITECH Act – An Overview
II. Security Changes
III. Privacy Changes
IV. Enforcement
V. Next Steps
VI. Q&A

HITECH Act—What it is and is supposed to do…

HITECH Act: What Is the HITECH Act?
The Health Information Technology for Economic and Clinical Health Act (HITECH) is the section of the American Recovery and Reinvestment Act of 2009 relating to health information technology.

HITECH Act: What Is the Big Picture?
– Provide the means to transform the health care system in the U.S.
– Provide caregivers with the tools to improve the treatment of patients
– Have an EHR for everyone in the US by 2014

HITECH Act: How Does HITECH Help Get Us There?
– There are 3 parts to the Act:
• Formalizes in statute the health IT efforts put in place by the Bush Administration and creates a framework for the NHIN (Nationwide Health Information Network).
• Provides a privacy and security framework and safeguards in order to make people comfortable enough to accept EHRs.
• Provides over $30 billion in direct and incentive payments to promote the use and adoption of HIT.

HITECH Act: What Are Some of the Patient/Consumer Safeguards in the HITECH Act?
– HITECH significantly expands the HIPAA privacy rule and security standards
– Changes the rules for business associates
– Adds accounting of disclosure requirements
– Adds provisions on breach notification
– Tightens marketing restrictions
– Enhances enforcement provisions

HITECH Act: Why Should You Care?
– Many more entities will be subject to the HIPAA privacy and security requirements
– There are increased civil and criminal penalties for violations of the privacy and security requirements
– $30 billion in funding is available for health IT

HITECH Act—Business Associates: Who Is a Business Associate Under the Act?
– The definition of business associate of a covered entity was expanded to include:
• Each organization that provides data transmission of PHI to a covered entity OR its business associate and that requires access on a routine basis to such PHI
• Vendors that contract with a covered entity to offer PHRs to patients
The new definition went into effect upon enactment.

HITECH Act—Business Associates: What Are the Changes?
– The HIPAA Security Standards, and the civil and criminal penalties for violating those standards, will apply to business associates directly, just as those standards apply to the covered entities for whom they work.
• Previously, violations could NOT be enforced directly against business associates.
– Business associates have a statutory obligation to comply with the security standards, and are subject to civil and criminal enforcement if they fail to comply.

Changes to HIPAA Security Provisions

HITECH Act—Security Breach: New Rules on Breach
In the event of a breach of "unsecured PHI" that is discovered by a covered entity, the covered entity must notify each individual whose information has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach.

HITECH Act—Security Breach: To Whom Do the New Breach Rules Apply?
• Covered Entities and
• Business Associates

HITECH Act—Security Breach: What Is a Breach?
A breach is "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information…" except where it is not reasonably expected that the information would be retained.

HITECH Act—Security Breach: What Is Not a Breach?
– An unintentional acquisition, access, or use of PHI by an employee or someone acting under the authority of a covered entity/business associate, if:
• Made in good faith and within the scope of employment; and
• Not further acquired, accessed, used or disclosed
– An inadvertent disclosure from one employee to another, where the information is not further acquired, accessed, used or disclosed

HITECH Act—Security Breach: Notification Rules Apply for "Unsecured PHI"
– "Unsecured PHI" means PHI that is not secured using the technology or methodology identified by the Secretary of HHS in its to-be-issued guidance on the subject.
• Guidance is due under the Act on April 18, 2009
• If no guidance issues, then "unsecured PHI" = PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standard developing organization that is accredited by ANSI.

HITECH Act—Security Breach: When Must a Covered Entity Provide Notice?
• Generally, covered entities must send breach notices without unreasonable delay and in no case later than 60 calendar days after discovery.
• Breaches are not limited to online information, nor restricted to financially sensitive information or social security numbers.
• For purposes of notification, a breach is "discovered" on the first day on which such breach is known to the covered entity or business associate, or reasonably should have been known. The clock starts running as soon as anyone in the organization knows or should have known about the breach.
• If the breach is discovered by a business associate, the business associate is required to notify the covered entity of the breach, including the identification of each individual who has been or is reasonably believed to have been affected by the breach.

HITECH Act—Security Breach: Notice Required to Each Individual
• A brief description of the incident, including the date of the breach and the date of the discovery of the breach.
• A description of the types of unsecured PHI involved.
• The steps individuals should take to protect themselves from potential harm resulting from the breach.
• A brief description of what the covered entity is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
• Contact procedures for individuals to ask questions or learn additional information.

HITECH Act—Security Breach: Reporting Requirements
• If more than 500 individuals were impacted, notice of the breach must be provided to HHS immediately, and prominent media outlets serving the applicable geographic area must be notified.
• If the breach impacted fewer than 500 individuals, an entity must maintain a log of such breaches and annually submit it to the Secretary.

HITECH Act—PHR v. EHR: What is the difference and why does it matter under the HITECH Act?
• Personal Health Record (PHR): patient controlled
• Electronic Health Record (EHR): provider controlled

HITECH Act—Security Breach: PHR Vendor Breach Requirements
• PHRs are subject to breach notification requirements
– Must notify each individual who is a citizen or resident of the US, and
– Notify the Federal Trade Commission (FTC)
– Third party service providers to PHRs are required to report back to the PHR vendor
– The FTC is responsible for issuing regulations within 6 months of the Act (August 2009)

Changes to HIPAA Privacy Provisions

HITECH Act—Privacy Requirements: HITECH Implements Additional Privacy Requirements and Applies Them to Business Associates
• Provides additional rights to limit access to PHI
• Alters the "minimum necessary" rule
• Strengthens the accounting requirement
• Provides the right for a patient to access his PHI in electronic form

HITECH Act—Privacy Requirements: Right to Limit Access to PHI
• Prior to HITECH, a patient could request that his healthcare provider restrict certain disclosures of PHI, but the provider did not have to agree.
• HITECH requires that a provider (or any covered entity) comply with the request except for disclosures to a health plan for payment or "health care operations."

HITECH Act—Privacy Requirements: Minimum Necessary Standard
• Prior to HITECH, covered entities had to apply a "minimum necessary" standard to uses and disclosures of PHI and requests for PHI.
– A covered entity must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose of the use or disclosure.
• HITECH requires HHS to issue guidance on what constitutes "minimum necessary" within 18 months.

HITECH Act—Privacy Requirements: Accounting Requirement
• Prior to HITECH, the accounting requirement did not include PHI disclosures for treatment, payment and healthcare operations.
• HITECH allows a patient to request an accounting of PHI disclosures for treatment, payment and healthcare operations for the past 3 years from both a covered entity and a business associate.

HITECH Act—Privacy Requirements: Access in Electronic Form
• Prior to HITECH, there was no responsibility to provide a patient access to his PHI in electronic form.
• HITECH requires covered entities that use or maintain EHRs to provide individuals access to their PHI in electronic format, if requested.

New Enforcement Provisions

HITECH Act—Enforcement: Who Is Subject to Enforcement?
• Covered Entities and Business Associates
• The HITECH Act provides that criminal penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose PHI maintained by a covered entity, whether they are employees of the covered entity or not.

HITECH Act—Enforcement: Who Gets to Enforce?
• State Attorneys General
• The HITECH Act authorizes State Attorneys General to bring a civil action in Federal district court against individuals who violate HIPAA.
• Damages of up to $100 per violation, capped at $25,000 for all violations of an identical requirement or prohibition in any calendar year.
• No state action if a federal action against that same individual is pending.

HITECH Act—Enforcement: Are the State Attorney General Penalties Weak?
NAAG (National Association of Attorneys General)

HITECH Act—Enforcement: Who Else Gets New Enforcement?
• The Office for Civil Rights (OCR) may investigate and impose civil monetary penalties against any individual for an alleged criminal violation of HIPAA if the Justice Department has not prosecuted the individual.
• OCR may also require a formal investigation of complaints and the imposition of civil monetary penalties for violations due to willful neglect.

HITECH Act—Enforcement: What Are the Civil Penalties for Violating HIPAA Privacy and Security Provisions?
The Act amends HIPAA to increase penalties for violations of HIPAA and the Act. These increased penalties for HIPAA violations go into effect immediately.

Violation                                  Minimum Penalty        Maximum Penalty
Unknowing violations                       $100/violation         No more than $25K per calendar year
Violation does not involve willful neglect $1,000/violation       No more than $100K per calendar year
Willful neglect                            $10,000/violation      No more than $250K per calendar year
Willful neglect with aggravating factors   $50,000/violation      No more than $1.5M per calendar year

What Are the Next Steps?

Next Steps—Implementation: HHS Is Required to Issue Guidance – Who Will Take the Lead?
• The Office of the National Coordinator and CMS are taking the lead on the guidance and regulations.
• HHS needs to get confirmed political leadership in place to ensure timely enactment of guidance and regulations.

Next Steps—Implementation: What are the upcoming relevant deadlines?
April 18, 2009: HHS Guidance on Breach Notification
May 18, 2009: Standards Committee Schedule
August 18, 2009: Interim Final Rules on Breach Notification for EHR and PHR
December 31, 2009: Initial Standards Published
February 17, 2010: All privacy and security provisions effective
June 2010: Accounting for disclosure regulations

Next Steps—Adoption: Will Health Care Providers Adopt EHRs?
• Ease of Use
• Incentives
• Money Provided

Next Steps—Adoption: Will Patients Want to Use EHRs/PHRs?
• Patient Benefit
• Privacy and Security

How Will Health Care Reform Change Things?

Health Care Reform: Legislators May Very Well Revisit These Issues in Overall Health Care Reform – What Might We See?
• Additional changes to privacy and security
• Tinkering around the edges

What You Should Do Next
• Determine whether you might be a business associate.
• If so, review all of your current contracts; they will likely need to be updated.
• Determine what safeguards or additional technology you might need.
• Keep in mind the dates that additional information will be released by HHS, and follow up.

Questions?