hipaa in the era of ehr mo dept hss
TRANSCRIPT
![Page 1: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/1.jpg)
HIPAA in the Era of EHR
Rural Hospital Health Information Technology Conference, May 27, 2010
Stacy Harper, JD, MHSA, CPC, Forbes Law Group, LLC
(913) 341 – [email protected]
![Page 2: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/2.jpg)
Overview
- Summary of HIPAA to Date
- Impact of EMR Implementation
- Considerations with EHR
![Page 3: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/3.jpg)
Summary of HIPAA To Date
- Administrative Simplification
- Privacy
- Security
- HITECH
![Page 4: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/4.jpg)
HIPAA Administrative Simplification
- Standardized Electronic Transactions and Code Sets
- Unique Identifier for Employers
- Unique Identifier for Providers
- Unique Identifier for Health Plans
![Page 5: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/5.jpg)
HIPAA Privacy
- April 14, 2003
- Applies to all Protected Health Information
- Included requirements for:
  ◦ Safeguards
  ◦ Notice of Privacy Practices
  ◦ Use and Disclosure of Protected Health Information
  ◦ Patient Rights
  ◦ Business Associates
  ◦ Other General Requirements
![Page 6: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/6.jpg)
HIPAA Security
- April 14, 2005
- Applies to Electronic Protected Health Information (EPHI)
- Included requirements related to:
  ◦ Safeguards and protection of EPHI
  ◦ Device and Media Controls
  ◦ Contingency and Back Up Plan
  ◦ Individual Access to Information
  ◦ Information System Activity Review
![Page 7: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/7.jpg)
HIPAA HITECH
- February 17, 2010 (with few exceptions)
- Applies to all protected health information
  ◦ Privacy and Security Provisions now apply to Business Associates
  ◦ Breach is Distinguished from a Violation
  ◦ Requirements of Notice of Breach
  ◦ Disclosures of Information to Payors
  ◦ Electronic Health Record Accounting and Access
  ◦ New Penalties
  ◦ Enforcement by State Attorney General
  ◦ Guidance from HHS
![Page 8: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/8.jpg)
HITECH - Definition of Breach
“An unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
- Exceptions
- Clarifications from HHS
![Page 9: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/9.jpg)
Determination of Breach
- Step 1: Was the Information Secure?
![Page 10: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/10.jpg)
HITECH - Methods of Rendering PHI Unusable
- Approved Methods:
  ◦ Encryption
  ◦ Destruction
- But NOT:
  ◦ Access Controls
  ◦ Redaction
  ◦ Limited Data Set
![Page 11: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/11.jpg)
Determination of Breach
- Step 1: Was the Information Secure?
- Step 2: Do One of the Exclusions Apply?
![Page 12: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/12.jpg)
Exclusions to Breach
- Workforce Use – Unintentional acquisition, access or use of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
- Workforce Disclosure – Unintentional disclosure of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
- No Way to Retain Info – Unauthorized disclosure to which the CE or BA has a good faith belief that the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain the information
![Page 13: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/13.jpg)
Determination of Breach
- Step 1: Was the Information Secure?
- Step 2: Do One of the Exclusions Apply?
- Step 3: Does the Use/Disclosure Pose a Significant Risk to the Individual?
![Page 14: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/14.jpg)
Guidance for Significant Risk
- Covered Entity to Covered Entity – Inadvertent disclosure of PHI from one covered entity or BA employee to another similarly situated covered entity or BA employee, provided that the PHI is not further used or disclosed in any manner that violates the Privacy Rule
- Immediate Steps to Mitigate – Were immediate steps taken to mitigate the harm, including return or destruction of the information and a written confidentiality agreement?
- Types of Information Included – Was the information disclosed limited to the name of the individual or a limited data set?
![Page 15: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/15.jpg)
HITECH - Notice of Breach
- Effective 9/23/09, but HHS will not impose sanctions until 2/22/10
- Business Associate must notify Covered Entity of a breach, including the individuals whose information was included in the breach
- Covered Entity has 60 days from the day discovered to notify the individual of a breach
  ◦ Day discovered is the date when the provider knew or could have known through reasonable diligence
  ◦ Increases the importance of a system to check for breaches of PHI and track compliance with HIPAA privacy and security regulations
![Page 16: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/16.jpg)
HITECH - Notice of Breach
Notice of Breach must include:
- A description of what happened, including the date of breach and date of discovery
- A description of the types of PHI involved
- Steps the individual should take to protect themselves
- Steps taken by the provider to investigate, mitigate, and protect against further disclosure
- Contact information for questions, including a toll-free telephone number, e-mail address, website, or postal address
![Page 17: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/17.jpg)
HITECH - Notice of Breach
Notice must be provided to:
- Individual
  ◦ In writing to last known address
- Website
  ◦ If the provider does not have current contact information on more than 10 patients involved
- Media
  ◦ If breach affected more than 500 patients in one state or jurisdiction
- Secretary of HHS
  ◦ Within 60 days if more than 500 people affected
  ◦ Annual report of breaches affecting less than 500 people
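The three-step determination of breach (secured? excluded? significant risk?) and the notice recipients and deadlines from the slides above, encoded as a triage helper a compliance or security team could run against each incident. This is an added example, not material from the presentation; the `Incident` fields, the string labels for protection methods and exclusions, and the sample incident are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Step 1: methods HHS accepts as rendering PHI unusable (encryption, destruction).
# Access controls, redaction and a limited data set do NOT count as "secured".
SECURED_METHODS = {"encryption", "destruction"}
# Step 2: the three HITECH exclusions from the "Exclusions to Breach" slide.
EXCLUSIONS = {"workforce_use", "workforce_disclosure", "no_way_to_retain"}


@dataclass
class Incident:
    protection: Optional[str]  # e.g. "encryption", "access_controls", or None
    exclusion: Optional[str]   # one of EXCLUSIONS if it applies, else None
    significant_risk: bool     # Step 3 outcome of the significant-risk review
    affected: int              # individuals whose PHI was involved
    stale_contacts: int        # affected individuals with no current contact info
    max_in_one_state: int      # largest affected count in any one state/jurisdiction
    discovered: str            # ISO date the CE knew or should have known


def is_breach(inc: Incident) -> bool:
    """Three-step determination of breach from the slides."""
    if inc.protection in SECURED_METHODS:
        return False             # Step 1: secured PHI, not a breach
    if inc.exclusion in EXCLUSIONS:
        return False             # Step 2: an exclusion applies
    return inc.significant_risk  # Step 3: significant risk to the individual?


def required_notices(inc: Incident) -> Dict[str, str]:
    """Recipients and deadlines (ISO dates) per the 'Notice of Breach' slides."""
    if not is_breach(inc):
        return {}
    # The 60-day clock runs from the day discovered, not the day it occurred.
    deadline = (date.fromisoformat(inc.discovered) + timedelta(days=60)).isoformat()
    notices = {"individual": deadline}  # in writing, to last known address
    if inc.stale_contacts > 10:
        notices["website"] = deadline   # substitute notice: no contact info for >10 patients
    if inc.max_in_one_state > 500:
        notices["media"] = deadline     # >500 patients in one state or jurisdiction
    if inc.affected > 500:
        notices["hhs"] = deadline       # Secretary of HHS within 60 days
    else:
        notices["hhs"] = "annual report"  # under 500: annual report to HHS
    return notices


# Constructed sample: lost laptop protected only by a login password.
LOST_LAPTOP = Incident("access_controls", None, True, 700, 12, 600, "2010-03-01")
```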
![Page 18: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/18.jpg)
Impact of EMR Implementation
- HIPAA Security Now Applies to Medical Records
- Increased Risk of Breach
- Importance of Monitoring
- Implementation and IT Considerations
![Page 19: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/19.jpg)
EMR and HIPAA Security
- Safeguards and protection of EPHI
  ◦ Perform a New Risk Assessment
  ◦ Physical Access to EPHI
  ◦ Encryption and Decryption of Data
  ◦ Tracking of Changes and Maintaining Integrity
  ◦ Remote Access
- Device and Media Control
  ◦ Use, Re-use, and Destruction
  ◦ New Concerns re: Copiers and Scan to E-mail
![Page 20: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/20.jpg)
EMR and HIPAA Security
- Contingency and Back Up Plan
  ◦ New criticality analysis
  ◦ Redundancy and Back-Up Systems
  ◦ Emergency Mode and Recovery Operations
- Individual Access to Information
  ◦ Determination of Access Levels
  ◦ Granting, Modifying or Terminating Authority
  ◦ Protection of User Names and Passwords
  ◦ Automatic Log Off
![Page 21: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/21.jpg)
EMR and HIPAA Security
- Information System Activity Review
  ◦ Review of log on attempts
  ◦ Audit logs
  ◦ Access reports
  ◦ Security incidents
  ◦ Other system activity
![Page 22: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/22.jpg)
Increased Risk of Breach
- More methods of access
- Records more likely to leave the facility
- Increased transferability of information
- More interest in the information
- Greater impact if a breach occurs
![Page 23: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/23.jpg)
Type of Entity with Breach over 500 (chart)
- Hospital: 36%
- Physician Practice: 25%
- Insurance Company: 18%
- Government Agency: 9%
- Other: 12%
![Page 24: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/24.jpg)
Method of Breach (chart)
- Theft: 57%
- Unauthorized Access: 20%
- Improper Disposal: 1%
- Loss: 9%
- Other: 13%
![Page 25: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/25.jpg)
Location of Breach (chart)
- Laptop: 25%
- Paper Record: 23%
- Portable Device/Media: 19%
- Desktop Computer: 16%
- Server: 6%
- Other: 10%
![Page 26: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/26.jpg)
Importance of Monitoring
- Notice from the date you knew or should have known of the breach
- Increased penalties and scrutiny
- Failure to monitor can result in increased liability
- Renew the training for your staff and get them involved
![Page 27: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/27.jpg)
Implementation and IT Considerations
- Incorporate the HIPAA discussion into your implementation plan
- Consider “upgrading” some of the hardware and other software options to improve encryption and security
- Security programs for handheld devices
![Page 28: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/28.jpg)
Considerations with EHR
- Created Framework for Communication
- Opt-In versus Opt-Out
- Specificity of Patient Consent
- Who is responsible for Security
- Modification of State privacy laws
- Current focus is at the state level
- Future amendments to HIPAA to encourage sharing of information?
![Page 29: Hipaa in the era of ehr mo dept hss](https://reader033.vdocuments.net/reader033/viewer/2022042714/554b441fb4c905b5378b4e58/html5/thumbnails/29.jpg)
Questions?
Stacy Harper, JD, MHSA, CPC
Forbes Law Group, LLC
10740 Nall Avenue, Suite 330
Overland Park, KS 66211
(913) 641-8619