HITECH ACT Privacy & Security Requirements, Cathleen Casagrande, Privacy Officer, July 23, 2009


Page 1: HITECH ACT Privacy & Security Requirements

Cathleen Casagrande

Privacy Officer

July 23, 2009

Page 2: HITECH ACT

Dedicates over $31 billion in stimulus funds for Healthcare Infrastructure and the adoption of Electronic Health Records (EHR).

Also imposes new medical privacy requirements.

Page 3: Changes to Medical Privacy Requirements

Fundamental changes in the areas of accountability, data breach notification, consumer access, and use of personal health information.

Unlike HIPAA, the HITECH Act gives one year for most provisions.

Page 4: Accountability

Imposes new levels of accountability for medical privacy.

Periodic audits by HHS to ensure compliance within the first 12 months after enactment of the new rules.

Page 5: Accountability

Tiered penalty structure, with fines ranging from $25,000 to $1.5 million; penalties are mandatory for cases of “willful neglect”.

All violations occurring after the February 2009 enactment date are subject to the increased penalties.

Page 6: Accountability

Business Associates with access to PHI are bound by the same requirements as the Organization (Feb 2010).

Page 7: Accountability

Assure business associate contracts authorizing and defining their use of the PHI shared with them.

Obligated to report the violation to appropriate authorities and discontinue the relationship.

Page 8: Consumer Access (Feb 2010)

Gives individuals clear access rights to their own health records, and gives them the right to restrict disclosure of PHI if they pay the healthcare providers themselves.

Page 9: Use of PHI (Feb 2010)

CEs and their business associates are also prohibited from selling PHI without explicit, documented authorization from the individual whose information is contained in the record.

Page 10: Breach Notification

Defined: Unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the data.

Unsecured PHI – PHI not secured through technology that renders it unusable, unreadable, or indecipherable to unauthorized individuals.

Additional guidance on technology.

Page 11: Breach Notification

Obligation to notify for all breaches that are discovered on or after September 15, 2009.

Notification within 60 days when PHI in any form or medium is breached, not just electronic records.

A breach is officially discovered on “the first day it is known to the HIPAA entity or business associate or should reasonably have been known”.

Page 12: Breach Notification

The HIPAA covered entity that suffered the breach demonstrates that the required notifications were made.

Telephone notifications can be made in urgent situations.

Business Associates are required to notify the covered entity, including the individuals affected.

Page 13: Breach Notification

For a breach affecting 500 or more individuals, the CE is required to provide “immediate” notice to HHS. Thus the breach notice is public.

The rule of 500 applies in a single state or jurisdiction.

Notice must be provided to prominent media outlets.

Page 14: Methods of Notice

Individual Notice

Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form:

Written notification by first-class mail to the individual at the last known address.

In the case of insufficient or out-of-date contact information that precludes direct written notification, as specified by the individual under the subparagraph.

Page 15: Media Notice

Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of unsecured protected health information of more than 500 residents in such State or jurisdiction.

Page 16: Notice to HHS Secretary

Required immediately if the breach involved 500 or more individuals. These breaches will be posted on the HHS public website, including the name of the covered entity.

If the breach involved fewer than 500 individuals, the covered entity may maintain a log of any such breach occurring.

Annually submit such a log to HHS documenting breaches occurring during the year involved.

Page 17: Content of Notification

Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following:

A brief description of what happened, including the date of the breach and the date of the discovery of the breach.

Description of the unsecured PHI involved, such as SSN, address, etc.

Page 18: Content of Notification

Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.

Time consuming, costly, overwhelming.

Potential long-term damage with customers.

Page 19: Content of Notification

The steps the individuals should take to protect themselves from potential harm resulting from the breach.

A brief description of what the covered entity is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.

Page 20: Data Breach Response

Provide recovery services for individuals who become victims of identity crime.

Restore their medical identities to pre-theft status.

Designate an individual or company to manage customer calls.

Page 21: Business Impacts

Inventory PHI = Risk Assessment

70% of all organizations do not have an accurate, documented inventory of the personally identifiable information (PII) in their custody.

Includes data shared with a Business Associate.

Price Waterhouse Coopers reports that 44% of data breach incidents are due to third-party handling of data.

Page 22: Breach Impact

Organizations suffering small-scale data breaches will now be obligated to notify in each instance, and to keep detailed proof of notification, causing significant effort and cost.

Page 23: Business Impact

Data breaches damage businesses' credibility.

Medical and financial risks to the people whose data is lost.

Page 24: Questions & Answers

Clarification of the Privacy Requirements within the ARRA rule in the next 12 months.

Key strategies: assess PHI, including BAAs.

Utilize appropriate Security Standards.

Staff, computer access, etc.