ARRA/HITECH Update


Transcript of ARRA/HITECH Update

Page 1: ARRA/HITECH Update

ARRA/HITECH Update

HIPAA COW Webinar, February 23, 2010

Welcome!

Everyone please mute your phone at this time by pressing *6

This session is being recorded and will begin in a few minutes.

Page 2: ARRA/HITECH Update

ARRA/HITECH Update:

Compliance with BAA Requirements

HIPAA COW Webinar, February 23, 2010

Presented By: Cathy Boerner, JD, CHC

Page 3: ARRA/HITECH Update

Session to Cover:

Overview of HITECH Business Associate Agreement (BAA) Provisions

Strategies for BAA Compliance

Review of HIPAA COW BAA Documents


Page 4: ARRA/HITECH Update

Disclaimer

The information provided in this presentation does not constitute legal advice and is intended to be used for guidance.

If you require legal advice, please consult with an attorney.


Page 5: ARRA/HITECH Update

Overview of HITECH Business Associate Agreement Provisions

Feb. 17, 2009, President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA).

Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH).

HITECH Subtitle D, Part 1 – Improved Privacy Provisions and Security Provisions

Page 6: ARRA/HITECH Update

Overview of HITECH Business Associate Agreement Provisions

The Office of Civil Rights (OCR) is developing regulations which HHS is issuing to implement provisions of the HITECH Act. It is important to keep up-to-date as the regulations come out in the Federal Register. Check the OCR What’s New website section at http://www.hhs.gov/ocr/office/news/index.html

Page 7: ARRA/HITECH Update

Overview of HITECH Business Associate Agreement Provisions

HIPAA Security Provisions 13401(a)

HIPAA Privacy Provisions 13404(a)(b)

Enforcement 13401(b) & 13404(c)

Accounting of Disclosures 13405(c)(3)

Notification of Breaches 45 CFR 164.402-164.412

Page 8: ARRA/HITECH Update

Overview of HITECH Business Associate Agreement Provisions

HITECH requires covered entities to incorporate new business associate provisions into business associate agreements. HITECH Section 13401(a) & 13404(a) of the Act (42 U.S.C. § 17931)

Effective February 17, 2010

Page 9: ARRA/HITECH Update

HITECH Provisions – HIPAA Security

Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. HITECH Section 13401(a) of the Act (42 U.S.C. § 17931)

Page 10: ARRA/HITECH Update

HITECH Provisions – HIPAA Security

The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity. HITECH Section 13401(a) of the Act (42 U.S.C. § 17931)

Page 11: ARRA/HITECH Update

HITECH Provisions – HIPAA Security

164.308 – Administrative safeguards

164.310 – Physical safeguards

164.312 – Technical safeguards

164.316 – Policies and procedures and documentation requirements

Page 12: ARRA/HITECH Update

HITECH Provisions – HIPAA Security

Current Business Associate Agreement language says:

“Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart.” 45 CFR 164.314

Page 13: ARRA/HITECH Update

HITECH Provisions – HIPAA Security

For HITECH add:

…Business Associate shall document and keep these security measures current. Business Associate shall cooperate in good faith in response to any reasonable requests from Covered Entity to discuss, review, inspect, and/or audit Business Associates’ safeguards.

Page 14: ARRA/HITECH Update

HITECH Provisions – HIPAA Privacy

Section 164.504(e) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such section applies to the covered entity. See HITECH Section 13404(a)(b) of the Act (42 U.S.C. § 17931)

Page 15: ARRA/HITECH Update

HITECH Provisions – HIPAA Privacy

The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity. HITECH Section 13404(a)(b) of the Act (42 U.S.C. § 17931)

Page 16: ARRA/HITECH Update

HITECH Provisions – HIPAA Privacy

164.504(e) – Business Associate Contracts

Page 17: ARRA/HITECH Update

HITECH Provisions – HIPAA Privacy

Current Business Associate Agreement language says:

“Ensure that any agents, including a subcontractor, to whom it provides protected health information…received by the business associate, on behalf of the covered entity, agrees to the same restrictions and conditions that apply to the business associate with respect to such information;”

Page 18: ARRA/HITECH Update

HITECH Provisions – HIPAA Privacy

For HITECH add:

“Ensure that any agents, including a subcontractor, to whom it provides protected health information…received by the business associate, on behalf of the covered entity, agrees in writing to the same restrictions and conditions that apply to the business associate with respect to such information;”

Page 19: ARRA/HITECH Update

HITECH Provisions – Civil and Criminal Penalties

In the case of a business associate that violates applicable provisions, civil and criminal penalties shall apply to the business associate with respect to such violation in the same manner as a covered entity that violates such provision. See HITECH Section 13401(b) of the Act (42 U.S.C. § 17931); See Section 13404(c).

Page 20: ARRA/HITECH Update

HITECH Provisions

Accounting of Disclosures (HIPAA Privacy)

Page 21: ARRA/HITECH Update

HITECH Provisions – Accounting of Disclosures (HIPAA Privacy)

BAAs already state “Make available the information required to provide an accounting of disclosures in accordance with §164.528” 45 CFR §164.504(e)(2)(ii)(G); (See HITECH Section 13405(c) of the Act (42 U.S.C. § 17931))

Page 22: ARRA/HITECH Update

HITECH Provisions – Accounting of Disclosures

HITECH added: 13405(c)(1) If the covered entity uses an electronic health record, then:

– The accounting of disclosures shall include those to carry out treatment, payment and health care operations.

– During only the three years prior to the date on which the accounting is requested.

Page 23: ARRA/HITECH Update

HITECH Provisions – Accounting of Disclosures

HITECH added: 13405(c)(3) In response to a request from an individual for an accounting, a covered entity shall elect to provide either an—

“(A) accounting, as specified under paragraph (1), for disclosures of protected health information that are made by such covered entity and by a business associate acting on behalf of the covered entity; or

Page 24: ARRA/HITECH Update

HITECH Provisions – Accounting of Disclosures 13405(c)(3)

“(B) accounting, as specified under paragraph (1), for disclosures that are made by such covered entity and provide a list of all business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone, and email address).

A business associate included on a list under subparagraph (B) shall provide an accounting of disclosures (as required under paragraph (1) for a covered entity) made by the business associate upon a request made by an individual directly to the business associate for such an accounting.”

Page 25: ARRA/HITECH Update

HITECH Provisions

Business Associates

Breach Notification

Page 26: ARRA/HITECH Update

HITECH Provisions – Notification of Covered Entity by Business Associate

A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. HITECH Section 13402(b) of the Act (42 U.S.C. § 17931); 45 CFR §164.410(a)(1) – Notification by a business associate.

Page 27: ARRA/HITECH Update

HITECH Provisions - Notification of Covered Entity by Business Associate

Such notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach. See HITECH Section 13402(b) of the Act (42 U.S.C. § 17931)

Page 28: ARRA/HITECH Update

HITECH Provisions - Notification of Covered Entity by Business Associate

Breaches treated as discovered. “A breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate.” 45 CFR 164.410(a)(2)

Page 29: ARRA/HITECH Update

HITECH Provisions - Notification of Covered Entity by Business Associate

Breaches treated as discovered. “A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the federal common law of agency).” 45 CFR 164.410(a)(2)

Page 30: ARRA/HITECH Update

HITECH Provisions - Notification of Covered Entity by Business Associate

Timeliness of notification. Except as provided in §164.412 [Law Enforcement Exception], a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. 45 CFR 164.410(b)

Page 31: ARRA/HITECH Update

HITECH Provisions - Notification of Covered Entity by Business Associate

Content of notification. The notification required shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. 45 CFR 164.410(c)(1)

Page 32: ARRA/HITECH Update

HITECH Provisions - Notification of Covered Entity by Business Associate

Content of notification. A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under §164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available. 45 CFR 164.410(c)(2)

Page 33: ARRA/HITECH Update

Review of HIPAA COW BAA Documents - Addendum

Current Business Associate Agreement language says:

– “Report to the covered entity any security incident of which it becomes aware;” 45 CFR 314(a)(2)(i)(C)

– “Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;” 45 CFR 504(e)(2)(ii)(C)

HIPAA COW Sample BAA includes all three - Reporting of an Incident/Breach, Unauthorized Disclosures or Misuse of PHI (occurrence) Section

Page 34: ARRA/HITECH Update

Strategies for BAA Compliance

Update your Business Associate Agreements

Send existing Business Associates new agreements or letter informing them of updates

Emphasize your Breach Notification process with your Business Associates and consider providing a notification form

Read the regulations when they are published

Page 35: ARRA/HITECH Update

HIPAA COW Resources

BUSINESS ASSOCIATE AGREEMENT TEMPLATE INCLUDING HITECH ACT REQUIREMENTS & BUSINESS ASSOCIATE NOTIFICATION LETTER

(Updated 1/12/2010)

www.hipaacow.org

Page 36: ARRA/HITECH Update

Review of HIPAA COW BAA Documents

Sample Business Associate Notification Letter


Page 37: ARRA/HITECH Update

Review of HIPAA COW BAA Documents - Addendum

Definition Section (1)

– Breach
– Electronic Health Record
– Unsecured Protected Health Information

Safeguarding of PHI Section (6 & Exhibit)

Subcontractors and Agents (7)

Reporting of an Incident/Breach, Unauthorized Disclosures or Misuse of PHI (occurrence) Section (11)

Tracking of Accounting of Disclosures Section (14 D, E & F)

Page 38: ARRA/HITECH Update

Contact Information

Catherine Boerner, JD, CHC

President

(414) 427-8263

[email protected]

Page 39: ARRA/HITECH Update

Implementing Breach Notification – Lessons Learned

HIPAA COW Webinar, February 23, 2010

Presented By: Nancy Davis

Page 40: ARRA/HITECH Update

Session to Cover:

Overview of HITECH Breach Notification Provisions

Strategies for Breach Notification Compliance

Review of HIPAA COW Breach Notification Tools

Case Examples

Page 41: ARRA/HITECH Update

Disclaimer

The information provided in this presentation does not constitute legal advice and is intended to be used for guidance.

If you require legal advice, please consult with an attorney.


Page 42: ARRA/HITECH Update

HITECH Provisions

Require Covered Entities to Notify Individuals of a Breach as Well as HHS “without unreasonable delay” or within 60 days

– All Breaches (<500) to be Reported to Secretary of DHS on Annual Basis – Year End

Further Notification Requirements if > 500 Individuals Involved (Media Outlets)

Requirements for Business Associates to Notify Covered Entity of Breach

Page 43: ARRA/HITECH Update

What is a Breach?

“Unauthorized acquisition, access, use, or disclosure of unsecured patient protected health information (PHI) which compromises the privacy, security, or integrity of the PHI.”

Page 44: ARRA/HITECH Update

Analysis of Breach

Was the PHI Unsecured?

Was the HIPAA Privacy Rule Violated?

Does the breach pose a significant risk of financial, reputational, or other harm to the individual?

If “Yes” to the Above, has the Risk been Mitigated?


Page 45: ARRA/HITECH Update

Risk Assessment

To determine if an impermissible use or disclosure of PHI constitutes a breach, the organization will need to perform a risk assessment to determine if there is significant risk of harm to the individual.

The risk assessment shall be fact specific and shall address:

– Consideration of who impermissibly used or to whom the information was impermissibly disclosed.

– The type and amount of PHI involved.

– The potential for significant risk of financial, reputational, or other harm.

Page 46: ARRA/HITECH Update

Strategies for Breach Notification Compliance

Have a Policy in Place

Educate Staff on Policy

Develop Relevant Forms/Data Bases

– Incident Report
– Breach Log
– Letter Template

Page 47: ARRA/HITECH Update

Breach Investigation Report / Incident Report

Build in Risk Assessment Questions

Use to Supplement Log Information

Page 48: ARRA/HITECH Update

Breach Log

Maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected. The following information should be collected/logged:

– A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known.

– A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.).

– A description of the action taken with regard to notification of patients regarding the breach.


Page 49: ARRA/HITECH Update

Business Associate Responsibilities

The business associate (BA) of the organization shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify the organization of such breach. Notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.

Business associate responsibility under ARRA/HITECH for breach notification should be included in the organization’s business associate agreement (BAA) with the associate.
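The breach log fields listed on the previous slide and the business associate's 60-day notice window above, worked as an added Python example (constructed for this page, not a HIPAA COW tool): it checks a log row for the listed fields, derives the deemed discovery date under 45 CFR 164.410(a)(2), computes the notice deadline from 45 CFR 164.410(b), and picks the notification track from the deck's four "Analysis of Breach" questions and its 500-individual line. The field names, the treatment of mitigation as negating the breach, and the two sample entries modelled on case studies #2 and #3 are assumptions.

```python
"""Constructed breach-log helper: field checks, deemed discovery date, the
business associate's 60-day notification window and the notification track.
Field names and the sample entries are assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds as stated in the deck: 60 calendar days after discovery for the
# business associate's notice (45 CFR 164.410(b)); more than 500 individuals
# adds media notification, smaller breaches go to the Secretary at year end.
BA_NOTIFICATION_WINDOW_DAYS = 60
LARGE_BREACH_THRESHOLD = 500


def discovery_date(knowledge: Dict[str, date],
                   committed_by: Optional[str] = None) -> Optional[date]:
    """Deemed discovery date: the first day the breach was known, or should
    have been known, to any workforce member or agent other than the person
    who committed it (45 CFR 164.410(a)(2)). `knowledge` maps a person to the
    date that person knew or should have known; None if nobody counts."""
    dates = [known for who, known in knowledge.items() if who != committed_by]
    return min(dates) if dates else None


def ba_notification_deadline(discovered: date) -> date:
    """Last calendar day on which the business associate's notice is on time."""
    return discovered + timedelta(days=BA_NOTIFICATION_WINDOW_DAYS)


def ba_notice_is_timely(discovered: date, notified: date) -> bool:
    """True when the notice falls between discovery and the 60-day deadline."""
    return discovered <= notified <= ba_notification_deadline(discovered)


@dataclass
class BreachLogEntry:
    """One row of the breach log with the fields the deck says to collect,
    plus the answers to the four 'Analysis of Breach' questions (assumed)."""
    description: str
    breach_date: date
    discovered: date
    phi_types: List[str] = field(default_factory=list)
    individuals_affected: Optional[int] = None   # None while still unknown
    notification_action: str = ""
    unsecured: bool = True
    privacy_rule_violated: bool = True
    significant_risk_of_harm: bool = True
    risk_mitigated: bool = False

    def validate(self) -> List[str]:
        """Field problems to fix before the row is considered complete."""
        problems = []
        if not self.description.strip():
            problems.append("description missing")
        if self.discovered < self.breach_date:
            problems.append("discovery date precedes breach date")
        if not self.phi_types:
            problems.append("types of unsecured PHI not listed")
        if not self.notification_action.strip():
            problems.append("notification action not recorded")
        return problems

    def is_reportable_breach(self) -> bool:
        """The deck's analysis: unsecured PHI, a Privacy Rule violation and a
        significant risk of harm that has not been mitigated."""
        return (self.unsecured and self.privacy_rule_violated
                and self.significant_risk_of_harm and not self.risk_mitigated)

    def notification_track(self) -> str:
        """Which notifications the deck's thresholds call for."""
        if not self.is_reportable_breach():
            return "no notification: keep the risk assessment on file"
        if self.individuals_affected is None:
            return "notify individuals: count still open, track undecided"
        if self.individuals_affected > LARGE_BREACH_THRESHOLD:
            return "notify individuals, HHS and media outlets"
        return "notify individuals; report to the Secretary at year end"


def sample_entries() -> Dict[str, BreachLogEntry]:
    """Constructed entries modelled on the deck's case studies #2 and #3."""
    fax = BreachLogEntry(
        description="lab results faxed to a public utility instead of the provider",
        breach_date=date(2010, 1, 4), discovered=date(2010, 1, 5),
        phi_types=["full name", "lab results"], individuals_affected=1,
        notification_action="letter sent to patient")
    laptop = BreachLogEntry(
        description="stolen laptop recovered; forensics found no access",
        breach_date=date(2010, 1, 10), discovered=date(2010, 1, 11),
        phi_types=["full name", "date of birth"], individuals_affected=50,
        notification_action="none; no significant risk of harm",
        significant_risk_of_harm=False)
    return {"fax": fax, "laptop": laptop}


if __name__ == "__main__":
    for name, entry in sample_entries().items():
        print(name, entry.validate(), entry.is_reportable_breach(),
              entry.notification_track(), ba_notification_deadline(entry.discovered))
```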


Page 50: ARRA/HITECH Update

HIPAA COW Resource

BREACH NOTIFICATION POLICY

PROTECTED HEALTH INFORMATION POLICY

www.hipaacow.org

Page 51: ARRA/HITECH Update

Breach Notification Policy

Background

Definitions

Attachments

Policy Statements

Applicable Federal and State Regulations

Page 52: ARRA/HITECH Update

Attachments

Examples of Breaches of Unsecured Protected Health Information

Breach Penalties

Sample Notification Letter to Patients

Sample Notification Letter to Secretary of Health & Human Services

Sample Media Notification Statement/Release

Sample Talking Points

Sample Breach Notification Log

Page 53: ARRA/HITECH Update

Lessons Learned

Workforce Awareness and Education

– Change in “Stakes”
– Snooping = Breach
– Social Media

Develop and Maintain Breach Log that is Compatible with CMS Reporting Site

Page 54: ARRA/HITECH Update

Lessons Learned - Continued

Risk Assessment – Harm?

Role of Business Associate

Letter Template

– Requires Customization by Case

Page 55: ARRA/HITECH Update

Lessons Learned - Continued

Over 500

– Know Resources: Legal Support, Public Relations Support, Insurance Coverage/Issues, Forensic Analysts, Credit Card Monitoring Services

Page 56: ARRA/HITECH Update

Lessons Learned - Continued

Increase in Reporting of Breaches

Increase in Investigations

Increase in Documentation Requirements

Increase in Overall Workload!

Page 57: ARRA/HITECH Update

Case Study #1

A hospital accidentally faxes lab results to another hospital.

Is this a breach?


Page 58: ARRA/HITECH Update

Answer – Case Study #1

Probably not. While a violation of the HIPAA Privacy Rule, the disclosure would probably not compromise the patient’s privacy or security and thus not cause harm as the fax was received by another covered entity subject to HIPAA.


Page 59: ARRA/HITECH Update

Case Study #2

A clinic accidentally faxes lab results to a public utility company instead of the provider it was intended for.

Is this a breach?


Page 60: ARRA/HITECH Update

Answer – Case Study #2

Yes. The HIPAA Privacy Rule was violated and the patient could suffer harm to his or her reputation based on the content of the fax.


Page 61: ARRA/HITECH Update

Case #3

A provider’s laptop was stolen and it was determined that he had downloaded files on fifty patients to his hard-drive. The laptop was recovered by law enforcement and a forensic analysis determined that the laptop was not opened, altered or accessed.

Is this a breach?

Page 62: ARRA/HITECH Update

Answer – Case Study #3

No. The HIPAA Privacy Rule was violated, but the PHI was not compromised. There was no significant risk of reputational or financial harm to the patient.


Page 63: ARRA/HITECH Update

Case #4

The privacy officer is notified by the patient that his son received the EOB for his (the father’s) recent ED encounter. Both individuals have exactly the same name with no Jr. or Sr. as a suffix.

Is this a breach?

Page 64: ARRA/HITECH Update

Answer – Case Study #4

The HIPAA Privacy Rule was violated but…

– Was there financial, reputational, or other harm to the individual?

Depends – this will be based on how the patient expresses his concern.

Page 65: ARRA/HITECH Update

Case #5

During the course of a random access audit, it is determined that one of the organization’s workforce members has accessed family member records, including:

– 10 y/o minor son
– 17 y/o minor daughter
– 42 y/o husband (required SSN to fill out open enrollment dental forms)

Is this a breach?

Page 66: ARRA/HITECH Update

Answer – Case Study #5

Access to minors’ records not a HIPAA violation, but may be a violation of organizational policy (may further be complicated by care the 17 y/o was receiving).

Access to husband’s record a violation of HIPAA, but was there harm?


Page 67: ARRA/HITECH Update

Questions


Page 68: ARRA/HITECH Update

Is it a reportable breach when the patient is the one who notifies the organization of the unauthorized disclosure and there is no further need for notification on the part of the organization (other than a letter of acknowledgement and apology)?


Page 69: ARRA/HITECH Update

How do you best determine harm?

– Does the patient’s reaction to the unauthorized disclosure determine the status of “harm”?

Page 70: ARRA/HITECH Update

Rogue Employees – Violate policies despite….

Criminal background checks

Orientation, training, education

Signed confidentiality agreements

Established sanctions/corrective action process

How does the organization protect itself?

Page 71: ARRA/HITECH Update

Snooping – Identified through auditing processes…

– How do you disclose the results to the patients?

– Do you include the name of the individual(s) found snooping?

Page 72: ARRA/HITECH Update

With an inadvertent disclosure to the wrong recipient, how much assurance /proof do you need that something was discarded before it was opened, that copies have not been made, etc?

Submitted by S. Coyne

Page 73: ARRA/HITECH Update

Should access audits automatically be run on the EMR when a celebrity is admitted as an inpatient?  When a fellow employee is admitted as an inpatient?

Submitted by S. Coyne


Page 74: ARRA/HITECH Update

In a shared record environment, how much say should one entity have about how the employees of another entity are sanctioned for breach? 

Submitted by S. Coyne


Page 75: ARRA/HITECH Update

It seems clear that one way to avoid the willful level of penalty is to evidence full compliance with all new HITECH parameters - what are people doing with regard to training - who should attend, what topics should be covered?

Submitted by S. Coyne


Page 76: ARRA/HITECH Update

If a laptop is stolen and the laptop has a log-in process where you'd have to know a password to even get at the icons/start menu, how far does that get you down the road to "secured" - (probably not very far). How far does that get you in terms of reduced risk of harm?

Submitted by S. Coyne

Page 77: ARRA/HITECH Update

How are people operationally implementing safeguards where a patient requests a restriction of PHI flowing to payers for services paid out of pocket and ensuring that breaches (in the form of sending the information anyway) do not occur? If we sent the information anyway, presumably, that would require notification?

Submitted by S. Coyne

Page 78: ARRA/HITECH Update

Contact Information

Nancy Davis, Director of Privacy/Security Officer

Ministry Health

[email protected]