America’s Voice for Community Health Care

The NACHC Mission

To promote the provision of high quality, comprehensive and affordable health care that is coordinated, culturally and linguistically competent, and community directed for all medically underserved people.

American Recovery and Reinvestment Act

Changes to HIPAA

Michael Lardiere, LCSW

Director, Health Information Technology

Sr. Advisor, Behavioral Health

National Association of Community Health Centers

mlardiere@nachc.com

October 16 - 18 2009

American Recovery and Reinvestment Act of 2009

Includes the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Important substantive changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Mandates extensive new regulations around electronic medical records.  

Extends the HIPAA Privacy and Security Provisions and Penalties to Business Associates of Covered Entities

Health information exchangesRegional health information organizationse-prescribing gateways and Other technology vendors Vendors contracted with a Covered Entity to provide a Personal Health Record (PHR) as part of an Electronic Health Record (EHR).

  The HITECH Act defines a “personal health record” as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. An electronic health record is defined as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”

BAs will be treated just like Covered Entities for purposes of the HIPAA privacy and security provisions and be respopnsible for

Administrative SafeguardsPhysical SafeguardsTechnical SafeguardsPolicies and Procedures and Documentation requirements of the Security Rule

45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, respectively. 

Liability for civil and criminal penalties

Covered Entities will likely have to revise their existing Business Associate Agreements to incorporate language reflecting this change

Business Associates will have an obligation to terminate their Business Associate Agreements with Covered Entities if they have knowledge of a pattern of noncompliance with the Privacy Rule by the Covered Entity

Increases Penalties for HIPAA Violations and Expands Enforcement Mechanisms

Amount of civil monetary penalties (CMPs) available has increasedCivil monetary penalties are now structured in a tiered format

Ranging from $100 per violation Up to $50,000 per violation

Anyone whose PHI is accessed in violation of HIPAA will be eligible to share a percentage of any CMPs collected

Office of Civil Rights will continue to enforce HIPAA compliance

State Attorneys General will now have the power to enforce HIPAA by bringing suit in federal district court

Act requires DHHS to periodically audit Covered Entities and Business Associates to assess HIPAA compliance

Covered Entities and Business Associates need to make sure that all of their HIPAA policies and procedures are up to date and in use

Creates a Comprehensive New Set of Requirements Around

Notification of Data Breaches or Suspected Data Breaches

Notification must be made within 60 days of discovery Will require prompt investigation and assessment of suspected breaches

Mandates public reporting to both the DHHS and media outlets in the event of a breach affecting more than 500 individuals

DHHS will publish a list on its website that identifies each Covered Entity involved in a breach of more than 500 individuals

The notice must include: (1) a brief description of the breach, including

the date it occurred and the date it was discovered

(2) the types of PHI involved in the breach(3) steps individuals should take to protect themselves(4) steps the Covered Entity is taking to investigate the breach and protect against future breaches and (5) contact information to ask questions and learn more

Notice must be provided by first class mail to the individual’s last known address

Unless the individual has specified to receive information by electronic mail

Then notice may be provided electronically

If the contact information for more than 10 affected individuals is out of date

Notice may be through a posting on the entity’s web site or In major print or broadcast media

If a Business Associate discovers a breach of unsecured PHI

It must notify the Covered Entity of such breach, and Include a list of each individual whose PHI was or is reasonably believed to have been accessed or acquired during the breach

If the breach involves the access or acquisition of more than 500 residents of

a State or Jurisdiction

Notice must be made to the prominent media outlets of that State or jurisdiction

The Covered Entity must Keep a log of its discovered breaches and Provide a copy of the log to DHHS annually

If a breach involves the access or acquisition of the PHI of more than 500 individuals

Notice must be provided to DHHS immediately

Creates a New Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities

Vendors of personal health records and related vendors must notify

The Federal Trade Commission (FTC) and Any U.S. citizens whose information was acquired as a result of the breach

Empowers the FTC to begin policing medical privacy which is a significant expansion of federal oversight of medical information. 

Expands HIPAA Mandated Accounting of Disclosures for Those Using Electronic Health Records

Covered Entities and Business Associates using electronic health records will be required to

Make available an accounting of all uses and disclosures of the electronic health record

in the previous three years, including disclosures for payment, treatment, and OperationsTime period an individual may request such an accounting is shortened from up to 6 years to 3 years

In responding to a request for an accounting, the Covered Entity can

Choose to provide either

The disclosures of the patient’s PHI made by the Covered Entity and its Business Associates, or Merely provide the disclosures made by the Covered Entity and a list of its Business Associates

For entities that were using EHRs as of January 1, 2009,

The provision applies to disclosures made on or after January 1, 2014.

For entities that adopt EHRs after January 1, 2009 the provision will apply on

January 1, 2011 or The date when the Covered Entity begins using EHRs, whichever is later

Revisions to an Individual’s Right to Request a Copy of His or Her Record

If the Covered Entity uses EHR, the patient may request his or her record be produced in an electronic format and to be transmitted to a person designated by the patient

The fee for production of an electronic copy of the record shall not be greater than the labor costs of responding to the request

Establishment of the “Minimum Necessary” Standard

Covered Entities and Business Associates must, to the extent practicable

Limit use or disclosure of PHI either To the limited data set or To the “minimum necessary” to accomplish the stated purpose of the use/disclosure

Adopts New Prohibitions on the Sale of Electronic Health Information

Language is sufficiently vague to create uncertainty about the ability of

Regional health information organizationsHealth information exchanges, and e-prescribing services to charge fees for their services

Eliminates Sharing of PHI for Marketing and Fundraising Purposes from the Definition of Health Care Operations Under HIPAA

Fundraising is no longer considered part of operations

In order to use PHI for direct fundraising campaigns, a Covered Entity must first obtain an authorization from the patient

Then modified to allow to continue fundraising but must give the patient the option to opt out of future

De-Identified Health Information

There are no restrictions on the use ordisclosure of de-identified health information

De-identified health informationneither identifies nor provides a reasonable basis to identify an individual

There are two ways to de-identify information1) a formal determination by a qualifiedStatistician or

2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual

The following identifiers of the individual or of relatives, employers, or household members ofthe individual must be removed to achieve the “safe harbor” method of de-identification

(A) Names(B) Geographic subdivisions smaller than a State including

Street addressCityCountyPrecinctZip code, and their equivalent geocodes

Except for the initial three digits of a zip code

(B) The geographic units formed by combining all zip codes with the same three initial digits containsmore than 20,000 peopleThe initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000

(C) All elements of dates (except year) fordates directly related to the individual, including

birth dateadmission datedischarge date

date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except

that such ages and elements may be aggregated into a single category of age 90 or older

(D) Telephone numbers(E) Fax numbers(F) Electronic mail addresses(G) Social security numbers(H) Medical record numbers

(I) Health plan beneficiary numbers(J) Account numbers(K) Certificate/license numbers(L) Vehicle identifiers and serial numbers including license plate numbers(M) Device identifiers and serial numbers(N) Web Universal Resource Locators (URLs)(O) Internet Protocol (IP) address numbers(P) Biometric identifiers, including finger and voice prints (Q) Full face photographic images and any comparable images; any other unique identifying number, characteristic, or code, except as permitted for re-identificationpurposes provided certain conditions are met

In addition to the removal of the above-statedidentifiers, the covered entity may not have actual knowledge that the remaining information could be used alone or in combination with any other information to identify an individual who is subject of the information

SUMMARY OF THE HIPAA PRIVACY RULEOffice of Civil rights

http://www.nachc.com/client/HIPAA%20Privacy%20Rule%20Summary_8_19_09.pdf

To reduce risks covered entities should consider accomplishing the following tasks:

Implement systems for detecting a security breach

Create a security breach response plan or update the existing plan

 Conduct workforce training in responding to a security breach.

 Negotiate amendments to business associate agreement to address security breaches

 Revise HIPAA policies and procedures regarding to address the security breach regulations.

 

Federally Qualified Health Centers

Michael Lardiere, LCSWDirector HIT; Sr. Advisor Behavioral HealthNational Association of Community Health

Centers301-347-0400 xt 2069mlardiere@nachc.com