Transcript of e-Technology and Privacy: The New Frontier of Opportunity and Liability, Victoria L. Vance, Tucker Ellis & West LLP

Page 1

e-Technology and Privacy: The New Frontier of Opportunity and Liability

Victoria L. Vance, Tucker Ellis & West LLP

Page 2

According to President Obama:

“To improve the quality of our health care while lowering its cost, we will make the immediate investments necessary to ensure that, within five years, all of America’s medical records are computerized . . . This will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests.”

Page 3

These people may have a different opinion about electronic medical records.


Page 5

The Victims of Identity Theft May Not Be Well Known, but the Costs Are Real

• 2007: average total data breach cost per incident $6.3M (per Ponemon Institute);

• 2008: total fraud up 7% over 2007, to $48B (per Javelin Strategy & Research study);

• Hard-dollar costs: direct loss, cost of investigation, mitigation, replacement and repair;

• Soft costs: reputational damage, loss of business;

• Human costs: time, fear, replacement efforts, credit problems;

• In medical settings: mistaken identity means a risk of treatment being mistaken or delayed

Page 6

OBJECTIVES:

1. Survey the array of electronic products and technologies that increase access (and risk) to PHI.

2. Prepare for the increased enforcement of privacy and security laws, and the surge in patient claims.

3. Enhance prevention efforts while readying a response protocol to activate in the event of breach.

Page 7

I. Electronic World of Modern Healthcare: Traps for the Unwary

The Electronic Medical Record (EMR)

• Goal is to improve patient care, lower mortality, increase efficiency and reduce costs

• P4P rewards quality care

• Ideal for managing chronic diseases (obesity, heart disease, hypertension, diabetes). Baby boomers are aging: the 55+ population will peak in 2020 at 71.5 million

• In a recent study, < 2% of acute care hospitals had a comprehensive EMR system, and only 8-12% a basic system [1]

[1] Jha, AK, et al., “Use of Electronic Health Records in U.S. Hospitals.” N Engl J Med 2009; 360.

Page 8

Electronic Medical Records

Privacy Risk:

Who has access?

What access?

When?

How?

Page 9

EMR: Privacy Risks

Who has Access?

• Patients (and family members)

– Log on as inpatient (“Open Medical Record”)

– Log on remotely

– Ability to “View Only”

– Some systems allow patients to add data (e.g., BP checks, glucose levels, pacemaker settings, etc.)

Page 10

EMR: Privacy Risks

Who has Access?

• Healthcare providers

– At the “home” institution

– But also, remote access for other treating physicians, referring physicians (and their staff)

• Payers (and their designees) to conduct utilization, quality, billing and coding checks

Page 11

EMR: Privacy Risks

What is in the EMR?

Content goes far beyond the “paper chart”

• Photographs

• X-ray images

• Genetic information (now subject to new restrictions under GINA, the Genetic Information Nondiscrimination Act of 2008)

• Clinical trial data

• All correspondence: legal, disability, insurance, and more

• E-mail

• Outside medical records

• Links to electronic billing systems

• And more

Page 12

EMR: Privacy Risks

EMR tells more of a story than the paper chart

• When were records/entries made?

• Who made the entries (doctor, nurse, resident, PA, secretary, clerk)?

• Have the entries been changed (edited, deleted, recreated)? What portion, when, and by whom?

• Were the entries made at or after the time of care? Or before?

• Are the entries genuine, or “cut and paste” copies of a prior entry?

• Or are the entries rote, used repeatedly with every patient?

Page 13

EMR: Privacy Risks

When and how can the EMR be accessed?

• Immediately

• At the point of care

• Remotely – internally or externally

• Via thumb drives and other mobile media

Page 14

EMR Privacy Breaches: How Can it Happen?

• Lost laptop (containing clinical trial data on 5,000+ patients)

• PHI uploaded to unsecured websites and mobile media (for a researcher’s ease of access while travelling)

• Co-workers snooping

• Hackers hacking (Akron Children’s Hospital; Sept. 2006)

• Billing snafus (sent ex-wife’s OB records to new wife’s home)

• “Misfiled” electronic records and data (into the wrong patient’s electronic chart; nearly impossible to remove)

• EMR mined for fraudulent billing schemes

Page 15

The Newest Technologies: Risk and Reward

E-Mails

• Written in shorthand, cryptic and casual; can lead to misunderstanding and misinterpretation

• Often not effective for discussing complex clinical issues

• Not a substitute for a physical exam and direct patient dialogue

• Do you know your audience?

• Take care with content: third-party liability for employees’ alleged libel, slander and defamation

• Demands of eDiscovery: must be able to save and produce

Page 16

The Newest Technologies: Risk and Reward

But added privacy risks when e-mail used with or about patients:

• A medical postcard

• Who has access?

• Risk of being misdirected or intercepted

• Often not password protected or encrypted, especially when sent from home e-mail system

• Internal e-mail about patients, adverse events, quality concerns and gripes

• Can live on and on: forwarded, printed, but never really deleted

• Often pasted into the EMR

Page 17

The Newest Technologies: Risk and Reward

A picture’s worth . . . a thousand words, and a lot of money!

Page 18

The Newest Technologies: Risk and Reward

Pictures can be funny or embarrassing

Page 19

The Newest Technologies: Risk and Reward

but if patients are involved, the pictures can be devastating:

• ED footage of dying patients leaked to the internet

• Inappropriate cell phone pictures of patients, especially children

Triggers for adverse publicity, reputational damage, lawsuits, investigations, surveys and more

Page 20

The Newest Technologies: Risk and Reward

Social Networks, YouTube and blogs

Page 21

The Newest Technologies: Risk and Reward

www.facebook.com

• Started as a social network for Harvard students in 2004

• Since September 2006, site is open to anyone

• Allows members to join “networks” based on geography, profession, interests, etc.

• Users can add friends and then post messages, photos, videos for these friends to see

• Important to read Terms and Conditions, to know how networks will share member information. (Blockbuster sued over Facebook ad program, May 2008)

Page 22

The Newest Technologies: Risk and Reward

www.myspace.com

• Smaller globally than Facebook

• Focused targeting towards teens and young adults

• Offers e-mail, forums, communities, videos and weblog space

www.twitter.com

• 6 million users since 2006

• 140-character “tweets”

• Read by “followers” individually, or by the thousands, all simultaneously

• Accepts photos, video, text

• “Virtual water cooler” [2]

[2] Julio Ojeda-Zapata, Twitter Means Business

Page 23

The Newest Technologies: Risk and Reward

Social Network sites: A Global Consumer Phenomenon

• Adult usage of social networking sites has more than quadrupled in the past four years: from 8% of adults in 2005 to 35% in 2009 [3]

• 79% of employees use social media at work for business reasons

• 51% access media sites at least once per day [4]

[3] Pew Internet Project’s December 2008 survey; http://pewresearch.org

[4] FaceTime Communications Survey, Oct. 27, 2008; http://www.facetime.com

Page 24

The Newest Technologies: Risk and Reward

Change in total minutes between Dec ’07 and Dec ’08:

• All Internet: 18%

• Member Communities: 63%

• Facebook: 566%

Figure 3: The total amount of time spent on Facebook increased by 566% (Nielsen Company Report, March 2009)

Page 25

The Newest Technologies: Risk and Reward

Rank  Social Network     Global Unique Audience (millions)  Active Reach Dec 08  Active Reach Dec 07  Relative Change in Active Reach
1     Facebook           108.3                              29.9%                11.1%                168%
2     MySpace            81.0                               22.4%                23.0%                -3%
3     Classmates Online  19.7                               5.5%                 3.9%                 40%
4     Orkut              17.5                               4.9%                 4.6%                 7%
5     LinkedIn           15.0                               4.2%                 1.8%                 137%

Figure 10: Facebook and LinkedIn have experienced large relative increases in global online reach (Nielsen Company Report, March 2009)

Page 26

The Newest Technologies: Risk and Reward

In the healthcare setting, social network sites are used:

By patients and families

• As a bulletin board to update friends about status and care

• Often contain sensitive identifying information

• Latest invention: Twitter can detect movement; a pregnant couple uploaded moment-to-moment baby kicks

• What’s next? Patients can send “tweets” regarding blood sugar or heart rate readings, and more…

Page 27

The Newest Technologies: Risk and Reward

Social Network Sites are Used:

By Hospital CEO

• Runningahospital.blogspot.com, by Paul Levy, President and CEO of Beth Israel Deaconess Medical Center

• To “share thoughts about hospitals, medicine and healthcare issues”

• July 2008, Levy blogged openly about a wrong-site surgery event that occurred at BIDMC; notified the entire BID staff within a few days of the mistake, and initiated contact with the media

• Paul Levy admits he is on a crusade to reduce medical mistakes, regularly blogging about the issue and publicly disclosing preventable events; confident the “short-term adverse publicity” will soon be outweighed by improved patient care and greater trust within the institution.

Page 28

The Newest Technologies: Risk and Reward

By healthcare providers: M.D.s, RNs, students

• As a tool for public health outreach (e.g., notification to patients, groups or “networks” potentially exposed to HIV, STDs)

• “Grand Rounds on the Internet”

• Surgeons tweeting from the OR

• Even the AMA launched a Twitter profile page: “to provide updates on what is needed to better serve patients and empower physicians to deliver the highest quality care” (AMA Press Release, 04/06/09)

• UCSF using a YouTube channel and Facebook page to communicate with patients about chronic diseases, connect with external audiences, reach donors, and recruit potential clinical trial participants

• But some providers just want to rant (and rave) about their patients and their day

Page 29

The Newest Technologies: Risk and Reward

The problem? These sites are viewed by medical colleagues and patients

In a recent study of 271 medical blogs:

• 45% written by identified authors

• 42% included descriptions of interactions with patients

• 17% included sufficient detail for patients to identify their doctors or themselves

• 3 blogs showed recognizable photograph images of patients [5]

[5] Lagu, T. et al. J Gen Intern Med 23(10):1642-6 (July 23, 2008)

Page 30

The Newest Technologies: Risk and Reward

Privacy risks

• One slip . . .

– Patient name

– Identifying information

– Picture or video

– Poor choice of words

• One click . . .

. . . and it’s on the network

Page 31

The Newest Technologies: Risk and Reward

Risks of social network sites include

• If the social network is maintained by a healthcare provider, it may trigger HIPAA Privacy Rule Obligations

• Possible liability for torts committed by employee(s) including disparagement, embarrassment, harassment, discrimination, defamation, libel, invasion of privacy

• Possible intellectual property infringement, or dissemination of employer’s confidential or proprietary information

• Retention demands of e-Discovery

Page 32

The Newest Technologies: Risk and Reward

The Newest Frontier: Personal Health Records

• A tool for patients to better manage their health and wellness

• Collection of medical data, gathered from various providers and controlled by the patient

Diagram: the PHR sits between the individual and the healthcare provider.

Page 33

The Newest Technologies: Risk and Reward

Personal Health Records

• Hosted by a vendor site (Microsoft HealthVault, Google Health), not by the healthcare provider

• Some PHR sites are offered by employers and insurers (Aetna’s CareEngine)

• Patient controlled access (for relatives, friends, caregivers and physicians)

• Some PHR platforms have applications for (1) searching for relevant medical articles and (2) uploading data from patients: family history, Rx, appointment, test results and data from home devices that manage chronic diseases

Page 34

The Newest Technologies: Risk and Reward

Personal Health Records

• Mobile for ease of access, and interoperable; not tethered to one institution

• Enhanced continuity of care and efficient communication

• Some sites have lax password access

• Not recognized as a legal medical record

• Unless hosted by a HIPAA-covered entity, most PHRs are still beyond the reach of HIPAA

• But HIPAA does control how PHI enters a PHR: direct transfer to the PHR, or via the patient

Page 35

The Newest Technologies: Risk and Reward

Personal Health Records

• Privacy protections derive from the vendor’s privacy notice; subject to change

• Potential for production to third-parties without patient consent

• Some PHR providers seek to sell or share PHI with contractors and business partners, and to link with advertisers and insurers

• Exposing sensitive PHI to “strangers” – the employees of and associates of the PHR storage company

Page 36

II. Enforcement Measures to Secure Privacy

Calendar of Events:

FTC “Red Flag Rules” – (slated to take effect November 2008; postponed to May 1, 2009)

Purpose: to detect, prevent and mitigate identity theft (misappropriation of a patient’s name, insurance information, SSN, identity, in order to obtain medical goods or services)

Risk: in a medical setting, identity theft can cause inaccurate information to be placed in the victim’s or the perpetrator’s medical record, leading to wrong treatment being given or correct treatment being withheld

Scope: financial institutions and “creditors” that maintain “covered accounts”; by definition, will include medical providers that regularly allow patients to defer payment or pay in installments

Goal: to establish reasonable processes and procedures to detect, prevent and mitigate instances of identity theft

Page 37

II. Enforcement Measures to Secure Privacy

Key Features of Red Flag Rules:

1. Program must be in writing

2. Include policies and procedures to identify, detect and respond appropriately to red flag triggers

3. Organizations have flexibility to tailor their Red Flag program to the organization’s size, complexity, and past experience with identity theft

4. Red Flag program cannot trump EMTALA

5. Program must be formally approved and regularly reviewed by the Board (or designated senior management)

6. Include staff training and oversight

7. Conduct periodic risk assessments

Page 38

II. Enforcement Measures to Secure Privacy

Genetic Information Nondiscrimination Act of 2008 (GINA)

• Signed into law 05/21/08; effective 11/21/09

• Prohibits discrimination by employers and health insurers on the basis of genetic information

• Directs employers to treat genetic information as a confidential medical record

• Requires genetic information to be maintained on separate forms and in separate medical files

• Restricts the disclosure of genetic information to third parties, researchers, labor organizations, and government officials

Page 39

II. Enforcement Measures to Secure Privacy

Providence Health Settlement (07/15/08)

• HHS and Providence entered a Resolution Agreement, including a monetary settlement ($100K) and corrective action plan

• Sanction for loss of backup tapes, optical discs and laptops containing unencrypted electronic PHI of ~386,000 patients

• No evidence of actual disclosure of individually identifiable information

• Corrective action plan required revision of Providence’s HIPAA policies focusing on physical and technical safeguards, offsite transport and storage of electronic media, workforce training, audits and site visits and submitting compliance reports to HHS

• Announcement of Settlement came with explicit warning to other covered entities

Page 40

II. Enforcement Measures to Secure Privacy

OIG Work Plan for 2009 (10/08)

Includes:

• Plan to review hospitals’ and contractors’ security controls relating to electronic health information protections, access, storage and transport

• OIG critical of CMS’s oversight of the HIPAA Security Rule; recommends CMS become proactive in enforcement by focusing on compliance reviews

• OIG plans to review OCR’s oversight of HIPAA privacy rule

Page 41

II. Enforcement Measures to Secure Privacy

FTC Report on Protecting Social Security Numbers (12/17/08)

5 measures to help prevent social security numbers from being used as a tool for ID theft

1. Improve consumer authentication – consider establishing national consumer authentication standards

2. Restrict public display and transmission of SSN

3. Establish standards for data protection and breach notification – require private sector entities to provide public notice in the event of a security breach

4. Further guidance to businesses and consumers to decrease use of SSN and increase protections

5. Develop a government-private clearinghouse of “best practices” for SSN usage and fraud protection

Page 42

II. Enforcement Measures to Secure Privacy

CVS settlement with OCR and FTC (01/16/09)

• First such joint investigation and resolution between OCR and FTC

• Arose from failures to safeguard PHI when disposing of pill bottles: bottles found in industrial trash bins, unsecured and publicly accessible

• Corrective plan focuses on policy practices and training regarding proper disposal processes

• CVS must actively monitor its compliance, engage a 3rd party auditor, report on compliance to OCR (for 3 years) and FTC (for up to 20 years)

Page 43

II. Enforcement Measures to Secure Privacy

• 02/26/09 – two Wisconsin nurses were fired and the case referred to the FBI when they took a cell phone picture of a patient’s x-ray and posted it on a Facebook page

• Peeking into celebrity records continues: 03/31/09 Kaiser Permanente fired 15 employees who accessed the records of octuplet mom Nadya Suleman

Page 44

II. Enforcement Measures to Secure Privacy

INDIVIDUAL LAWSUITS

No private right of action under HIPAA, but . . . class action filings are increasing as wide-scale breaches are publicly disclosed

• Plaintiffs now using negligence theories to frame a cause of action (failure to comply with industry “standards of care”)

• Establishing actual damages remains the plaintiffs’ biggest challenge

• Plaintiffs’ ideal case: negligence approach, large class size, statutory damages:

Melvin Gene Snow, et al. vs. Lenscrafters, Inc., et al., Superior Court of California, San Francisco County, Case No. CGC-02-405544 (July 2008): >$20M expected to be paid to 1.6M California consumers for misuse of patients’ medical and prescription information in violation of California’s Confidentiality of Medical Information Act and other consumer protection laws.

Page 45

II. Enforcement Measures to Secure Privacy

Private Litigation

• Potential for D&O exposure: claims against management for failing to take steps to prevent or mitigate cyber damage (hacking, loss of PHI, misuse/manipulation of data); Board accountability per FTC Red Flag Rules. Lesson: hospital leadership and the Board must ensure strong IT security practices and policies are in place; understand security trends, evaluate exposures, document compliance testing and regular auditing [6]

• Potential for punitive damages? Hospitals having prior notice and knowledge of risk, or a past history of identity theft mishaps. Incumbent on hospitals to document ongoing compliance efforts

• Criminal and civil claims for unauthorized photography

[6] Source: AON P Technical

Page 46

II. Enforcement Measures to Secure Privacy

State Specific Security Laws

NEVADA – effective 10/01/08, “a business in this state shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secured system of the business unless the business uses encryption to ensure the security of electronic transmission.”

MASSACHUSETTS – effective 05/01/09, new set of security practice obligations; applicable to businesses in all sectors; safeguards include encryption standards and physical access restrictions

Page 47

II. Enforcement Measures to Secure Privacy

CALIFORNIA – Effective 01/01/09, two California laws penalize snooping in Medical Records.

Senate Bill 541

• Healthcare providers, clinics, hospices and home health agencies must prevent unauthorized access to or disclosure of PHI

• Substantial monetary penalties by California Department of Public Health

• Patients (and DPH) must be notified of breach within 5 days

• Greater penalties for egregious noncompliance causing patient injury or death

Page 48

California Assembly Bill 211

• Focus on the offending providers; civil penalties for licensed workers who “knowingly and willfully” obtain, disclose or use PHI unlawfully

• Gives patients a private right of action to sue, for actual or nominal damages

• Establishes “the Office of Health Information Integrity” within California’s HHS; enforcement oriented, including ability to make referrals to State Licensing Boards

Page 49

II. Enforcement Measures to Secure Privacy

The American Recovery and Reinvestment Act of 2009 (“ARRA”), a.k.a. the HITECH Act of 2009

• Incentives for increased use of “meaningful” EMRs (for e-prescribing, interconnectivity, and reporting of quality measures), but with increased security measures as well: to encourage use and build trust in the EMR technology

• $20B commitment; “the most important legislation to ever impact health IT.” (Steve Lieber, President of HIMSS)

Page 50

HITECH Act of 2009

ARRA-HITECH uses the HIPAA framework, but with broader coverage and increased burdens

1. Expansion of security and privacy rules to Business Associates (eff. 02/17/10)

– Administrative, physical and technical safeguards

– Security awareness and training programs

– Policy, procedure and documentation requirements

– New disclosure/accounting obligations to patients upon request

– Notification of breach to covered entities

– Civil and criminal penalties apply

Page 51

HITECH Act of 2009

2. Expanded scope to PHR vendors and others; notification of breaches to FTC and individuals

3. Restrictions on use of PHI (eff. 02/17/10)

– Self-paid patients can restrict use and disclosure of out-of-pocket PHI to health plans

– Restrictions on sale or use of PHI for marketing

4. Patient access to EMR (eff. 02/17/10)

– Covered entity must provide patients’ records in electronic format upon request

Page 52

HITECH Act of 2009

5. Increased accounting for disclosures (rolling eff. dates: 01/01/11 for post-’09 EHR systems; 01/01/14 for pre-’09 systems)

– Must track disclosures of EMR for treatment, payment and healthcare operations

– Provide an accounting of disclosures upon request, going back 3 years

– Account for disclosures by BAs – or ask the BA to make its own accounting

– This represents an enormous change to disclosure obligations

Page 53

HITECH Act of 2009

6. Broad-based enforcement tools

• HHS is required to conduct compliance audits of covered entities and business associates

• HHS is required to investigate complaints and impose penalties for willful neglect

• Civil penalties for violations are increased: ranging from $100 up to $50K per violation, with annual maximums ranging from $25K to $1.5M!

Note: HHS is required to share a portion of collected penalties with the victim (due 02/17/12) – will this incentivize a new form of whistleblower?

• States’ Attorneys General given new civil enforcement authority; should lead to more investigations and enforcement, but also more state-to-state variability in outcomes (eff. 02/17/09)

Page 54

III. Guidance and Prevention: How to safeguard PHI and patient privacy

Keys to prevention

• Control the access

• Training and policies

• Auditing and monitoring

• Stay informed

Page 55

III. Guidance and Prevention: How to safeguard PHI and patient privacy

Control Access to the EMR/PHI

• Employees

– Access to the EMR should be on a strict “need to know” basis

• Non-employees (esp. non-employed physicians, 3rd-party payers)

– Limit access to the doctor’s own patients only

– Limit payers to the claims they paid

– Demand strict identification of users and prompt notification of changes: add new employees and delete former employees

– Develop a protocol for notification and coordinated handling of requests for release of records

– Perform audit checks to ensure compliance
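As an added example (not code from the presentation or from any EMR product), the Python script below applies the need-to-know rules listed on this slide to a constructed EMR access log: staff and physicians are checked against a treating relationship, payers against the claims they paid, and former employees against a list of accounts that should already have been deleted; every access that fails is returned as a finding for the privacy office to review, which is the "perform audit checks" step in runnable form. The same log also yields the per-patient accounting of disclosures with the 3-year look-back that the HITECH slides describe. All user names, patient IDs, the pipe-separated log format and the dates are constructed assumptions; a real deployment would feed the relationship data from its scheduling, referral and claims systems.

```python
"""Need-to-know audit of EMR access plus a per-patient accounting of disclosures.

Added example, not from the presentation or any EMR vendor. It applies the
rules on the access-control slide to a constructed access log (staff and
physicians only for patients they treat; payers only for claims they paid;
former employees not at all) and produces the 3-year accounting of
disclosures the HITECH slides describe. All names, IDs, fields and dates here
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str      # "staff", "physician" or "payer"
    patient: str
    action: str    # "view", "edit" or "print"


# Constructed authorization data; a real deployment feeds these from the
# assignment/scheduling, referral and claims systems.
CARE_TEAM = {          # patient -> users with a treating relationship
    "P-1001": {"dr_alvarez", "rn_bosch"},
    "P-1002": {"dr_chen"},
    "P-1003": {"dr_alvarez", "rn_bosch"},
}
PAID_CLAIMS = {"payer_acme": {"P-1001"}}   # payer -> patients whose claims it paid
TERMINATED = {"rn_former"}                  # accounts that should already be gone

# Constructed access log, one event per line: ts|user|role|patient|action
RAW_LOG = """\
2005-12-15T14:00:00|dr_alvarez|physician|P-1001|view
2009-04-01T08:02:11|dr_alvarez|physician|P-1001|view
2009-04-01T08:05:40|rn_bosch|staff|P-1003|edit
2009-04-01T09:15:03|dr_chen|physician|P-1001|view
2009-04-01T09:16:22|clerk_dawson|staff|P-1002|view
2009-04-01T10:00:00|payer_acme|payer|P-1001|view
2009-04-01T10:01:30|payer_acme|payer|P-1003|view
2009-04-01T11:45:09|rn_former|staff|P-1001|view
"""


def parse_log(text):
    """Parse the pipe-separated log into AccessEvent records."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, user, role, patient, action = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def check_need_to_know(ev):
    """Return (authorized, reason) for one access event."""
    if ev.user in TERMINATED:
        return False, "account of former employee still active"
    if ev.role in ("staff", "physician"):
        if ev.user in CARE_TEAM.get(ev.patient, set()):
            return True, ""
        return False, "no treating relationship with patient"
    if ev.role == "payer":
        if ev.patient in PAID_CLAIMS.get(ev.user, set()):
            return True, ""
        return False, "payer accessed a record outside the claims it paid"
    return False, f"unknown role {ev.role!r}"


def audit(events):
    """One finding per unauthorized access, for privacy-office review."""
    findings = []
    for ev in events:
        ok, reason = check_need_to_know(ev)
        if not ok:
            findings.append({"ts": ev.ts.isoformat(), "user": ev.user,
                             "patient": ev.patient, "reason": reason})
    return findings


def accounting_of_disclosures(events, patient, as_of, years=3):
    """Accesses to one patient's record inside the look-back window.

    Each access for treatment, payment or operations counts as a tracked
    disclosure. replace() assumes as_of is not Feb 29.
    """
    window_start = as_of.replace(year=as_of.year - years)
    return [ev for ev in events if ev.patient == patient and window_start <= ev.ts <= as_of]


def run_audit(raw_log=RAW_LOG):
    return audit(parse_log(raw_log))


def run_accounting(patient="P-1001", as_of="2009-04-30", raw_log=RAW_LOG):
    events = accounting_of_disclosures(parse_log(raw_log), patient, datetime.fromisoformat(as_of))
    return [(ev.ts.isoformat(), ev.user, ev.action) for ev in events]


if __name__ == "__main__":
    for f in run_audit():
        print("FINDING", f["ts"], f["user"], f["patient"], f["reason"])
    for ts, user, action in run_accounting():
        print("DISCLOSED P-1001", ts, "to", user, f"({action})")
```

Run as a script, the audit reports four findings from the constructed log (a physician and a clerk with no treating relationship, a payer reading a record outside the claims it paid, and a former employee whose account was never removed), and the accounting for P-1001 lists the four 2009 accesses while excluding the 2005 one that falls outside the 3-year window. Checking every access against an explicit relationship, rather than against a role alone, is what makes the co-worker snooping described earlier in the deck visible in the audit trail.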

Page 56

III. Guidance and Prevention: How to safeguard PHI and patient privacy

Control Access

• Access for “friends and family” – know and follow the OCR guidance (09/16/08): FAQ format to guide disclosures of patient information to family and friends, whether in person, in writing or over the telephone

• Storage: all PHI, including clinical trial data, must be kept on secured, password-protected, encrypted devices, including laptops and mobile media

• PHI should never be placed on personally owned computers

• Secure the devices – do not leave computers, PDAs, BlackBerrys or cell phones unattended in offices or cars

• Mind the paper PHI: if you print it, file it, guard it, or shred it!

• Keep printers in secure areas – retrieve printed material immediately

Page 57

Training and policies

1. E-mail security policies

• Secure passwords, change frequently, do not share

• Confirm correct e-mail address for recipient/patient

• Include only minimum necessary PHI in the message

• Do not “cc”, “bcc”, “reply all” or “forward” without patient consent

• Cut the string: e-mail chains convey unnecessary and risky information

• Include confidentiality warning and provide directions for handling if e-mail received by unintended recipient

• Watch out for attachments; resist using; never in bulk and never forward

• Utilize firewalls and secure remote access into the provider’s e-mail system

Page 58

2. Social Network Policies

• Policies must be broad enough to cover the employee’s use of social network sites (whether a personal site or the employer’s site) and should integrate policies on confidentiality, non-disclosure of proprietary information, antidiscrimination, anti-harassment

• Also advise employees they have no expectation of privacy; employer reserves the right to monitor their computer usage to assure compliance with institutional policies

• Include the right to inspect and confiscate any communication technology devices issued to or used by employees – and do so!

• Warn of consequences of policy violations

• Provide a central source (such as HR) for reporting (and responding to) allegations of inappropriate social networking and blogging

Page 59

Best Practices for Policies

1) Breadth and scope

• must be broad enough to include all users (all employees, nurses, assistants, trainees, agency staff, privileged physicians, visiting faculty, remote users)

• must be broad enough to include the latest technologies: e-mail, the internet, instant messaging, intranets, weblogs, social networking sites, hand-held wireless devices (BlackBerry, PDAs, Palm Pilots), cell phones/camera phones, laptops, thumb drives, mobile media, pagers

Page 60

2) Proof of training – maintain detailed records showing distribution of policies, acknowledgement of receipt, confirm attendance at meetings when policies discussed, require refreshers on a regular basis, develop internet training modules to log access

3) Learn the lessons of Quon v. Arch Wireless Operating Co. (9th Circuit, June 2008):

• A service provider for electronic communications cannot release records, even to the employer/subscriber, without consent of the intended recipient or addressee; and

• Employer cannot rely on its formal computer and internet usage policy if these policies are not consistently enforced

Advice:

1) Bring communications systems in-house, rather than use a third-party provider; and

2) Policies should state that they cannot be modified by “informal” practices

Page 61

Auditing and monitoring:

1) Consider “end point monitoring”: track mobile devices that connect into laptops and desktops

– Able to detect and restrict use of mobile devices

– Able to monitor usage in real time

– Create a log of all file transfers between host device and mobile media

2) Mock and real audits:

• Conduct them, log them, and learn from them
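One way to put the end-point monitoring log from item 1 to use in a mock audit, as an added example that is not part of the presentation: the script below replays a constructed sample of the file-transfer log and raises alerts for copies to media that never registered as approved, for files leaving the EMR export paths, and for bulk volume per user and device. The log format, the /emr/ path convention and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of the "log of all file transfers between host device and
# mobile media" that the slide recommends keeping; no real hosts, users or files.
SAMPLE_LOG = """\
2009-06-01T09:12:03Z host=WS-17 user=jdoe event=device_connect device=USB-SN-A1B2 approved=no
2009-06-01T09:13:41Z host=WS-17 user=jdoe event=file_copy device=USB-SN-A1B2 path=/emr/export/patients.csv bytes=5242880
2009-06-01T10:02:10Z host=WS-22 user=rlee event=device_connect device=USB-SN-C3D4 approved=yes
2009-06-01T10:03:55Z host=WS-22 user=rlee event=file_copy device=USB-SN-C3D4 path=/home/rlee/slides.pptx bytes=204800
2009-06-01T10:05:01Z host=WS-22 user=rlee event=file_copy device=USB-SN-C3D4 path=/emr/export/labs.xlsx bytes=1048576
2009-06-01T11:00:00Z host=WS-05 user=mkim event=file_copy device=USB-SN-E5F6 path=/emr/images/scan.dcm bytes=3000000
"""

PHI_PATH_PREFIXES = ("/emr/",)        # assumption: exported PHI lives under these paths
KV = re.compile(r"(\w+)=(\S+)")       # assumption: space-separated key=value records

def parse_line(line: str) -> dict:
    # one record: ISO timestamp followed by key=value fields
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest), ts=ts)
    if "bytes" in rec:
        rec["bytes"] = int(rec["bytes"])
    return rec

def analyze(log_text: str, bulk_threshold: int = 4_000_000) -> List[dict]:
    """Replay the log in order and emit one alert per rule violation."""
    alerts: List[dict] = []
    approved: Dict[str, bool] = {}                         # device -> approved flag at connect
    volume: Dict[Tuple[str, str], int] = defaultdict(int)  # (user, device) -> bytes copied
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec["event"] == "device_connect":
            approved[rec["device"]] = rec.get("approved") == "yes"
            continue
        if rec["event"] != "file_copy":
            continue
        dev, key = rec["device"], (rec["user"], rec["device"])
        if dev not in approved:                        # copy with no connect record: a monitoring gap
            alerts.append({"rule": "unregistered_device", **rec})
        elif not approved[dev]:                        # restricted media that should have been blocked
            alerts.append({"rule": "unapproved_device", **rec})
        if rec["path"].startswith(PHI_PATH_PREFIXES):  # PHI leaving the host on removable media
            alerts.append({"rule": "phi_to_media", **rec})
        before, volume[key] = volume[key], volume[key] + rec["bytes"]
        if before < bulk_threshold <= volume[key]:     # alert once, when the threshold is crossed
            alerts.append({"rule": "bulk_transfer", "total_bytes": volume[key], **rec})
    return alerts
```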

Page 62

Stay informed

• Know and follow all available guidance from the FDA, OCR, HHS, OIG, FTC, JCAHO

• Know the state rules: HIPAA is a floor, not a ceiling

• Regular (monthly) meeting with IT, risk managers, HR, medical records, legal, compliance, clinical end users; discuss: latest technology, policies, education, training

HITECH Compliance Plan:

• Start planning now for BA amendments, increase in training, new policies and procedures

• Comply now: honor restrictions on use and disclosure of PHI, provide electronic copies of EMR as requested

• Watch for more regs and guidance

Page 63

IV. In the Event of Breach: Response, Recovery, and Mitigation of Damages

What to do now?

A time tested strategy for response

Stay tuned, more to come in the ARRA/HITECH regs

Page 64

Time Tested SOP

1) Coordinate communications around the institution

• Appoint a quarterback: one person/department in charge to direct the response

2) Coordinate with Compliance Office, Privacy Office, Office of General Counsel, Risk Management, Insurance, Patient Ombudsman, Clinical Leadership in the affected area(s)

3) Contain and control: plug the leak, collect the paper, disable the devices

4) Get the facts, but do not delay the disclosure

5) Identify the affected patients as completely and accurately as possible; neither minimize nor exaggerate the event

Page 65

6) Analyze the patient list: active patients; deceased; minors; out of state; out of country

7) Also check for donors, VIPs, claimants/plaintiffs, employees

8) Prompt Disclosure in Writing: be factually accurate: what happened, how it happened

• Decide who should sign: sends a message; face of the institution; media contact

• Be helpful: offer ID theft protection, courtesy visits, repeat tests

• Provide reassurance: taking steps to tighten up processes, prevent recurrence

Page 66

9) Set up a communications network: dedicate a toll free line, extended hours of operation, all calls must be answered

• Draft talking points and script

• Track call volume and callers

• Take notes on content of calls

• Gauge patient reaction

10) Coordinate with media department – share all information such as talking points, script, and stats on patient reaction; decide whether to alert local media in advance

Page 67

11) But be careful what you say – disclosures must be factual and accurate, and commitments for follow-up must be met

12) Must use this as an occasion for more training; OCR wants to see evidence of education, policies, and user compliance and confirmation of remedial actions taken

RESULTS: No suits, some modest expenses, many satisfied patients

Page 68

What’s Ahead? HITECH Act’s Provisions for Breach Notification

• “Breach” defined (note: definition of breach already differs state to state, and now, state to federal)

• Notice to individuals – within 60 days, via mail, to the patient’s last known address – notice must include:

(1) a description of what happened and when;

(2) description of the information involved in the breach;

(3) steps the person should take to protect himself/herself; and

(4) a description of the covered entity’s investigation and mitigation efforts

Page 69

HITECH Act of 2009: Provisions for Breach Notification

• BAs must notify covered entities of breaches, including the patient’s identity

• Notice to local media – in cases > 500 persons

• Notice to HHS – notify immediately if the breach > 500 persons; annual tracking and report < 500 persons

Detailed HITECH regulations due soon:

HHS’ breach notification regs due 08/17/09;

Estimated Effective date: approximately September 2009 (30 days after interim final regs are published)

Page 70

Resources

Privacy rights: www.patientprivacyrights.org

PHRs: www.chcf.org/documents/chronicdisease/PHRperspectives.pdf

Page 71

Questions?

Thank you.