hipaa in the era of ehr mo dept hss
TRANSCRIPT
HIPAA in the Era of EHR
Rural Hospital Health Information Technology Conference, May 27, 2010
Stacy Harper, JD, MHSA, CPC, Forbes Law Group, LLC
(913) 341 – [email protected]
Overview
Summary of HIPAA to Date
Impact of EMR Implementation
Considerations with EHR
Summary of HIPAA To Date
Administrative Simplification
Privacy
Security
HITECH
HIPAA Administrative Simplification
Standardized Electronic Transactions and Code Sets
Unique Identifier for Employers
Unique Identifier for Providers
Unique Identifier for Health Plans
HIPAA Privacy
April 14, 2003. Applies to all Protected Health Information. Included requirements for:
◦ Safeguards
◦ Notice of Privacy Practices
◦ Use and Disclosure of Protected Health Information
◦ Patient Rights
◦ Business Associates
◦ Other General Requirements
HIPAA Security
April 14, 2005. Applies to Electronic Protected Health Information (EPHI). Included requirements related to:
◦ Safeguards and protection of EPHI
◦ Device and Media Controls
◦ Contingency and Back Up Plan
◦ Individual Access to Information
◦ Information System Activity Review
HIPAA HITECH
February 17, 2010 (with few exceptions). Applies to all protected health information.
◦ Privacy and Security Provisions now apply to Business Associates
◦ Breach is Distinguished from a Violation
◦ Requirements of Notice of Breach
◦ Disclosures of Information to Payors
◦ Electronic Health Record Accounting and Access
◦ New Penalties
◦ Enforcement by State Attorney General
◦ Guidance from HHS
HITECH - Definition of Breach
“An unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
Exceptions
Clarifications from HHS
Determination of Breach
Step 1: Was the Information Secure?
HITECH - Methods of Rendering PHI Unusable
Approved Methods: Encryption, Destruction
But NOT: Access Controls, Redaction, Limited Data Set
Determination of Breach
Step 1: Was the Information Secure?
Step 2: Do One of the Exclusions Apply?
Exclusions to Breach
Workforce Use – Unintentional acquisition, access or use of PHI by a workforce member, if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
Workforce Disclosure – Unintentional disclosure of PHI by a workforce member, if the PHI is not further used or disclosed in a manner that violates the Privacy Rule
No Way to Retain Info – Unauthorized disclosure where the CE or BA has a good faith belief that the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain the information
Determination of Breach
Step 1: Was the Information Secure?
Step 2: Do One of the Exclusions Apply?
Step 3: Does the Use/Disclosure Pose a Significant Risk to the Individual?
Guidance for Significant Risk
Covered Entity to Covered Entity – Inadvertent disclosure of PHI from one covered entity or BA employee to another similarly situated covered entity or BA employee, provided that the PHI is not further used or disclosed in any manner that violates the Privacy Rule
Immediate Steps to Mitigate – Were immediate steps taken to mitigate the harm, including return or destruction of the information and a written confidentiality agreement?
Types of Information Included – Was the information disclosed limited to the name of the individual or a limited data set?
HITECH - Notice of Breach
Effective 9/23/09, but HHS will not impose sanctions until 2/22/10
Business Associate must notify the Covered Entity of a breach, including the individuals whose information was included in the breach
Covered Entity has 60 days from the day discovered to notify the individual of a breach
◦ Day discovered is the date when the provider knew or could have known through reasonable diligence
◦ Increases the importance of a system to check for breaches of PHI and track compliance with HIPAA privacy and security regulations
HITECH - Notice of Breach
Notice of Breach must include:
A description of what happened, including the date of breach and date of discovery
A description of the types of PHI involved
Steps the individual should take to protect themselves
Steps taken by the provider to investigate, mitigate, and protect against further disclosure
Contact information for questions, including a toll-free telephone number, e-mail address, website, or postal address
HITECH - Notice of Breach
Notice must be provided to:
Individual
◦ In writing to last known address
Website
◦ If the provider does not have current contact information on more than 10 patients involved
Media
◦ If the breach affected more than 500 patients in one state or jurisdiction
Secretary of HHS
◦ Within 60 days if more than 500 people affected
◦ Annual report of breaches affecting less than 500 people
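The three-step breach determination (secured? exclusion? significant risk?) and the notice obligations on the slides above form one decision procedure. The following is an added worked example, not code from the presenter or from HHS: it encodes the slides' steps and thresholds (encryption/destruction only for step 1, the three exclusions, the step-3 factors, the 60-day clock, the "more than 10" website and "more than 500" media/Secretary thresholds) in a small Python helper. The `Incident` fields, the simplification that any one step-3 factor is enough to conclude low risk, and the sample incidents are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The three exclusions from the "Exclusions to Breach" slide.  Whoever records one
# of these on an incident is assumed to have already verified its conditions
# (for example the good-faith belief behind "no_way_to_retain").
EXCLUSIONS = {"workforce_use", "workforce_disclosure", "no_way_to_retain"}

NOTICE_WINDOW_DAYS = 60        # individuals notified within 60 days of discovery
HHS_IMMEDIATE_THRESHOLD = 500  # > 500 affected: Secretary within 60 days, else annual report
WEBSITE_THRESHOLD = 10         # > 10 without current contact info: substitute notice on website


@dataclass
class Incident:
    """One suspected breach with the facts the three-step test needs (assumed field set)."""
    discovered: date                            # date the provider knew or should have known
    encrypted: bool = False                     # PHI encrypted per HHS guidance
    destroyed: bool = False                     # PHI destroyed per HHS guidance
    exclusion: Optional[str] = None             # one of EXCLUSIONS, or None
    further_violation: bool = False             # PHI further used/disclosed in violation of the Privacy Rule
    ce_to_ce_inadvertent: bool = False          # inadvertent disclosure to a similarly situated CE/BA employee
    mitigated_immediately: bool = False         # returned/destroyed plus written confidentiality agreement
    only_name_or_limited_data_set: bool = False
    individuals_affected: int = 0
    unreachable_individuals: int = 0            # individuals with no current contact information
    states_over_500: List[str] = field(default_factory=list)  # jurisdictions with > 500 affected


def is_secured(inc: Incident) -> bool:
    """Step 1: only encryption and destruction count; access controls,
    redaction and a limited data set do not make PHI 'secured'."""
    return inc.encrypted or inc.destroyed


def exclusion_applies(inc: Incident) -> bool:
    """Step 2: an exclusion is lost if the PHI is further used or disclosed
    in a manner that violates the Privacy Rule."""
    return inc.exclusion in EXCLUSIONS and not inc.further_violation


def poses_significant_risk(inc: Incident) -> bool:
    """Step 3: the slide lists factors pointing to low risk; treating any one
    of them as decisive is a simplification made for this example."""
    if inc.ce_to_ce_inadvertent and not inc.further_violation:
        return False
    if inc.mitigated_immediately:
        return False
    if inc.only_name_or_limited_data_set:
        return False
    return True


def determine_breach(inc: Incident) -> Dict[str, object]:
    """Walk the three steps in order and report which one decided the outcome."""
    if is_secured(inc):
        return {"breach": False, "step": 1, "reason": "PHI was secured (encrypted or destroyed)"}
    if exclusion_applies(inc):
        return {"breach": False, "step": 2, "reason": f"exclusion applies: {inc.exclusion}"}
    if not poses_significant_risk(inc):
        return {"breach": False, "step": 3, "reason": "no significant risk to the individual"}
    return {"breach": True, "step": 3, "reason": "unsecured PHI, no exclusion, significant risk"}


def required_notices(inc: Incident) -> List[Tuple[str, str, Optional[date]]]:
    """(recipient, how, deadline) for each notice the slides require; empty if no breach."""
    if not determine_breach(inc)["breach"]:
        return []
    deadline = inc.discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    notices = [("individual", "written notice to last known address", deadline)]
    if inc.unreachable_individuals > WEBSITE_THRESHOLD:
        notices.append(("website", "substitute notice for individuals without current contact information", deadline))
    for state in inc.states_over_500:
        notices.append(("media", f"notice to media in {state}", deadline))
    if inc.individuals_affected > HHS_IMMEDIATE_THRESHOLD:
        notices.append(("hhs_secretary", "notice to the Secretary within 60 days", deadline))
    else:
        notices.append(("hhs_secretary", "include in annual report of breaches affecting fewer than 500", None))
    return notices


# Constructed sample incidents (not real events).
LOST_LAPTOP = Incident(discovered=date(2010, 3, 1), individuals_affected=1200,
                       unreachable_individuals=25, states_over_500=["KS"])
ENCRYPTED_LAPTOP = Incident(discovered=date(2010, 3, 1), encrypted=True, individuals_affected=1200)
MISDIRECTED_FAX = Incident(discovered=date(2010, 3, 1), exclusion="no_way_to_retain", individuals_affected=1)

if __name__ == "__main__":
    for name, inc in [("lost laptop", LOST_LAPTOP), ("encrypted laptop", ENCRYPTED_LAPTOP),
                      ("misdirected fax", MISDIRECTED_FAX)]:
        print(name, determine_breach(inc))
        for recipient, how, by in required_notices(inc):
            print("   ", recipient, "-", how, "- by", by)
```

Two points follow from running it: the lost laptop only escapes the whole notification chain if it was encrypted before it was lost, which is why the slides single out encryption; and the 60-day clock runs from the discovery date, so an organisation that cannot show when it should reasonably have known is already behind. The step-3 "significant risk" test is the 2009 interim rule's harm standard as the slides present it; HHS's 2013 Omnibus Rule later replaced that step with a four-factor risk assessment, so this logic follows the slides rather than current regulation.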
Impact of EMR Implementation
HIPAA Security Now Applies to Medical Records
Increased Risk of Breach
Importance of Monitoring
Implementation and IT Considerations
EMR and HIPAA Security
Safeguards and protection of EPHI
◦ Perform a New Risk Assessment
◦ Physical Access to EPHI
◦ Encryption and Decryption of Data
◦ Tracking of Changes and Maintaining Integrity
◦ Remote Access
Device and Media Control
◦ Use, Re-use, and Destruction
◦ New Concerns re: Copiers and Scan to E-mail
EMR and HIPAA Security
Contingency and Back Up Plan
◦ New criticality analysis
◦ Redundancy and Back-Up Systems
◦ Emergency Mode and Recovery Operations
Individual Access to Information
◦ Determination of Access Levels
◦ Granting, Modifying or Terminating Authority
◦ Protection of User Names and Passwords
◦ Automatic Log Off
EMR and HIPAA Security
Information System Activity Review
◦ Review of log on attempts
◦ Audit logs
◦ Access reports
◦ Security incidents
◦ Other system activity
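The activity-review items above (log-on attempts, audit logs, access reports) are the raw material for the monitoring the later slides call for. As an added example, not code from the presentation or from any EHR vendor, the script below parses a constructed access log in an assumed one-line-per-event format and applies three reviews a small hospital could automate: a burst of failed log-ons by one account, record views outside business hours, and one user opening an unusually large number of distinct patient records in a day. The log format, the thresholds and the sample lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed one-line-per-event format (not any real EHR vendor's):
#   <date> <time> user=<id> event=<login|view_record> [patient=<id>] [result=<success|failure>]
LOG_RE = re.compile(r"^(\S+ \S+) user=(\S+) event=(\S+)(?: patient=(\S+))?(?: result=(\S+))?$")

# Constructed sample log: a burst of failed log-ons, a late-night record view,
# and one user opening far more charts in a morning than the role would need.
SAMPLE_LOG = "\n".join(
    [
        "2010-05-27 08:02:11 user=jdoe event=login result=failure",
        "2010-05-27 08:02:30 user=jdoe event=login result=failure",
        "2010-05-27 08:03:05 user=jdoe event=login result=failure",
        "2010-05-27 08:03:40 user=jdoe event=login result=failure",
        "2010-05-27 08:10:00 user=rn2 event=login result=success",
        "2010-05-27 09:00:00 user=rn2 event=view_record patient=P0420",
        "2010-05-27 23:15:42 user=nurse1 event=view_record patient=P0777",
    ]
    + [f"2010-05-27 10:{i:02d}:00 user=clerk7 event=view_record patient=P{1000 + i}" for i in range(25)]
)

Event = Dict[str, object]
Finding = Tuple[str, str, str]  # (kind, user, detail)


def parse(text: str) -> List[Event]:
    """Parse log lines; lines that do not match the assumed format are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, event, patient, result = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "event": event, "patient": patient, "result": result})
    return events


def review(events: List[Event], max_failures: int = 3, window_minutes: int = 10,
           business_hours: Tuple[int, int] = (7, 19), max_patients_per_day: int = 20) -> List[Finding]:
    """Three checks; the thresholds are illustrative and should be tuned per facility."""
    findings: List[Finding] = []

    # 1. Log-on attempts: max_failures or more failures by one user inside a short window.
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "failure":
            failures[e["user"]].append(e["ts"])
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - max_failures + 1):
            if (times[i + max_failures - 1] - times[i]).total_seconds() <= window_minutes * 60:
                findings.append(("failed_logons", user,
                                 f"{max_failures}+ failures within {window_minutes} min from {times[i]:%H:%M}"))
                break

    # 2. Access reports: record views outside business hours.
    start, end = business_hours
    for e in events:
        if e["event"] == "view_record" and not (start <= e["ts"].hour < end):
            findings.append(("after_hours_access", e["user"], f"patient {e['patient']} at {e['ts']:%H:%M}"))

    # 3. Audit logs: one user touching an unusual number of distinct patients in a day.
    per_user_day = defaultdict(set)
    for e in events:
        if e["event"] == "view_record":
            per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) > max_patients_per_day:
            findings.append(("broad_access", user, f"{len(patients)} distinct patients on {day}"))

    return findings


def run() -> List[Finding]:
    """Review the constructed sample log and return the findings."""
    return review(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, user, detail in run():
        print(f"{kind:20} {user:8} {detail}")
```

Each finding names the user and the evidence, which is what a privacy officer needs to decide whether it is a mistyped password, a legitimate night shift, or a use of PHI that has to go through the breach determination above; the review is only as good as the log retention and the regular schedule on which someone actually reads its output.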
Increased Risk of Breach
More methods of access
Records more likely to leave the facility
Increased transferability of information
More interest in the information
Greater impact if a breach occurs
Type of Entity with Breach over 500
Hospital: 36%
Physician Practice: 25%
Insurance Company: 18%
Government Agency: 9%
Other: 12%
Method of Breach
Theft: 57%
Unauthorized Access: 20%
Improper Disposal: 1%
Loss: 9%
Other: 13%
Location of Breach
Laptop: 25%
Paper Record: 23%
Portable Device/Media: 19%
Desktop Computer: 16%
Server: 6%
Other: 10%
Importance of Monitoring
Notice from the date you knew or should have known of the breach
Increased penalties and scrutiny
Failure to monitor can result in increased liability
Renew the training for your staff and get them involved
Implementation and IT Considerations
Incorporate the HIPAA discussion into your implementation plan
Consider “upgrading” some of the hardware and other software options to improve encryption and security
Security programs for handheld devices
Considerations with EHR
Created Framework for Communication
Opt-In versus Opt-Out
Specificity of Patient Consent
Who is responsible for Security
Modification of State privacy laws
Current focus is at the state level
Future amendments to HIPAA to encourage sharing of information?
Questions??
Stacy Harper, JD, MHSA, CPC
Forbes Law Group, LLC
10740 Nall Avenue, Suite 330
Overland Park, KS 66211
(913) 641-8619