© Grant Thornton LLP. All rights reserved.
Prepare for new HIPAA-HITECH security rules
How breach notification requirements and changes in the enforcement landscape will impact your business
Today's session begins at 3:00 pm eastern time
To receive 1.5 hours of CPE or CLE, you must individually participate by:
- Remaining logged in for the entire session
- Responding to all polling questions
For technical support, please contact LearnLive at:
- E-mail: [email protected]
- Phone: 888.228.0988
Awarding CPE for this session
If you experience any technical difficulties, please contact 888.228.0988 or [email protected]
For those of you seeking continuing legal education credits, please print out the attendance verification forms.
A course code specific to continuing legal education credits will be read aloud at the end of the program.
Addressing your questions…
If you experience any technical difficulties, please contact 888.228.0988 or [email protected]
1. Group check
Tell us a little bit about your organization. Do you work in the:
A. Health care industry
B. Insurance industry
C. Government
D. Financial industry
E. Technology industry
F. Other
Welcome
Anne McGeorge, National Managing Partner of the Health Care Industry Practice, Charlotte
Welcome to our presenters
Sheila Sokolowski, Associate, Katten Muchin Rosenman LLP, Chicago, IL
Mark J. Sullivan, Principal, Forensic Accounting & Investigative Services Practice Leader, Grant Thornton LLP, Chicago, IL
Welcome to our presenters
Jan Hertzberg, Advisory Services Executive Director, Health Care Industry Practice, Grant Thornton LLP, Chicago, IL
Learning objectives
At the end of this webcast, you will better understand…
• The new Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-191) security rules
  – Overview of the new HITECH legislation, the new security requirements, deadlines and consequences for noncompliance
• 7 steps to HIPAA compliance
Today's agenda
• Legal overview
  – Health Information Technology for Economic and Clinical Health Act (HITECH)
  – New breach requirements
  – Elements of an effective breach notification process
• Case study
• 7 steps to HIPAA compliance
• Take-away
• Questions?
2. Group check
How well do you understand the new HITECH Act overall?
A. Very well
B. I understand the components that are important to me
C. I understand a little bit
D. I'm hoping to understand more by attending this webcast!
Background
• Health Information Technology for Economic and Clinical Health Act (HITECH Act)
  – accelerates the move to a transaction-based Healthcare Information Network to:
    • provide more efficient, higher-quality care
    • enhance communications among doctors, staff, patients and third-party providers
    • securely move health records, services and money
  – recognizes growing trends in the healthcare industry:
    • geographically dispersed delivery of care
    • increasing use of specialists and sophisticated diagnostic and treatment technology
    • need for ready access to patient and disease data as automated decision-support tools
    • increasingly mobile medical personnel who deliver patient care, inside and outside the hospital
Healthcare Information Network (diagram)
Participants connected through the network: Government & Private Payers, Public Health Organizations, Social Services, Home & Long Term Care, Business Associates, Clinics, Hospitals, Labs, Suppliers, Pharmacies
Critical Success Factors
• Ubiquitous access
  – common communication protocols, data standards
• Collaborative exchange of information
• Secure infrastructure
  – real-time monitoring, tracking, reporting
  – continuous audit, forensics and enforcement capabilities
Current state (according to Forrester Research, July 2009)
• Many providers lack basic security technologies and processes
• Security spending lags behind other regulated industries
• Providers moving to electronic health records (EHR) without considering security implications
• Hackers increasingly targeting healthcare and medical facilities
3. Group check
Has there been a data breach within your organization in the past twelve months?
A. Yes
B. No
C. I don't know
HITECH Enforcement Context
History of HIPAA enforcement
• 48,000 complaints received by the Department of Health & Human Services (HHS)
• Vast majority resolved through voluntary compliance or corrective action
• Two "Resolution Agreements"
• Handful of criminal prosecutions
HITECH Enforcement Context
Post-HITECH civil monetary penalties (CMPs), in effect now (violation categories per Section 1176(a)(1)):

Violation category                        Each violation       All violations of an identical provision in a calendar year
(A) Did not know                          $100 - $50,000       $1,500,000
(B) Reasonable cause                      $1,000 - $50,000     $1,500,000
(C)(i) Willful neglect, corrected         $10,000 - $50,000    $1,500,000
(C)(ii) Willful neglect, not corrected    $50,000              $1,500,000
HITECH Enforcement Context
Other key changes
• Business Associates directly liable for civil and criminal penalties
• Periodic compliance audits required
• State Attorneys General expressly authorized to enforce
• Enforcement funding and, by 2012, a methodology for distributing a percentage of CMPs and settlements to harmed individuals
• Explicit authority to seek criminal penalties against individuals for wrongful disclosure of protected health information (PHI)
• Net effect
  – more aggressive enforcement
  – higher penalties
  – more potential opportunities for enforcement
4. Group check
Has your organization performed a thorough risk assessment in the…
A. Last 12 months
B. Last two years
C. Not sure when we did one last
D. I don't know, I'm stumped
Overview of HITECH Breach Notification Law
• Covered Entities and Business Associates are required to provide notice of any breach of unsecured PHI
• Notice must be provided without unreasonable delay
• Specific content and procedure requirements for providing notices of breach
• In effect now, for breaches discovered on or after September 23, 2009
• Enforcement delayed until February 23, 2010
Breach of unsecured PHI
• Notice requirements apply only to breaches of unsecured PHI, that is, PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons (e.g., by encryption or destruction consistent with HHS guidance)
• A breach is:
  – Acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Regulations
  and
  – that compromises the security or privacy of the PHI, meaning there is a significant risk of harm to the individual
Significant Risk of Harm
• Risk of harm assessment: factors to consider
  – Type and amount of information disclosed
  – Likelihood that the information is accessible and usable
  – Likelihood that the breach will lead to harm to the individual
  – Steps taken to mitigate harm to the individual
Exceptions to Breach
• Unintentional acquisition, access or use by workforce members of a Covered Entity or Business Associate, acting in good faith and within the scope of their authority
• Inadvertent disclosure to a similarly authorized individual at the same facility
• Disclosure to an unauthorized person who would not reasonably have been able to retain the information
(The first two exceptions apply only if the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule.)
Unreasonable Delay and Discovery of Breach
• A Covered Entity must notify individuals of a breach without unreasonable delay and no later than 60 days from the date of discovery
• A Business Associate has the same timeliness obligation with respect to notifying the Covered Entity
• Notice may be delayed if a law enforcement official states that it would impede a criminal investigation or damage national security
• A breach is treated as discovered on the first day it is known to the Covered Entity or Business Associate, or would have been known by exercising "reasonable diligence"
Notice to Individual
• Content
  – Description of the breach, including the dates of the breach and of its discovery
  – Description of the types of PHI involved
  – Steps individuals should take to protect themselves against harm
  – Steps taken by the Covered Entity to mitigate and protect against harm
  – Contact procedures
• Procedures
  – Written notice via First Class mail to the last known address
  – Substitute notice (e.g., web posting or media) if contact information is insufficient or out of date
  – May use telephone or other means if urgent
• A single notice may be drafted to also satisfy state-law requirements
• Multiple notices permitted
Notice to Media
• If a breach involves more than 500 residents of a state or jurisdiction, provide notice to prominent media outlets in that state or jurisdiction
• Provided in addition to notice to individuals
• Same content and timeliness requirements as notice to individuals
Notice to Secretary
• If a breach involves 500 or more individuals, notify the HHS Secretary contemporaneously with notice to individuals
• If fewer than 500 individuals, maintain a log and provide the information to the HHS Secretary within 60 days of the end of the calendar year
• Form for notification of the HHS Secretary (OMB No. 0990-0346) at http://transparency.cit.nih.gov/breach/index.cfm
• Among other things, the form requires an attestation and requests information about:
  – Type of breach, e.g., theft, loss
  – Location of the breached PHI
  – Safeguards in place prior to the breach
  – Actions taken in response to the breach
5. Group check
Has your organization been trained to respond appropriately should a breach occur?
A. Yes
B. No
C. I don't know
Legal Action Steps
Create/refine your breach response plan (now)
• Identify your team
  – Internal
  – Line up potential external resources now
• Develop breach notice form, policies, response flow chart
  – Don't forget state law
• Train your workforce
• Strategy for dealing with BAs and BA contracts
• Insurance options
• Practice drill(s)
Case study: We've lost our client's data!
A business associate discovers that a computer belonging to its client is missing. The last time anyone remembers seeing it was three months ago.
• Where do you start?
• What should you be concerned with?
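The notice rules from the preceding slides (60-day clock running from discovery, media notice above 500 residents of one state, HHS notice with the individual notices at 500 or more individuals and otherwise an annual log, and no notice at all where the PHI was secured or an exception applies), worked through on the lost-laptop case study. This is an added example, not material from the webcast or its presenters: the Breach and Obligations classes, the triage function and the sample incidents are constructed for illustration, and whether an incident poses a "significant risk of harm" is counsel's judgment, which the code takes as an input rather than deciding. The harm standard is the one in the 2009 interim final rule the slides describe; later rulemaking changed it, so treat the thresholds as the slides state them rather than as current law.

```python
"""Breach-notification triage helper (added example; not from the webcast).

Encodes the HITECH interim final rule as summarised in the slides:
  * the notice rules reach only breaches of *unsecured* PHI that fall
    outside the statutory exceptions and pose a significant risk of harm;
  * individuals: without unreasonable delay, and no later than 60 days
    after discovery (the clock runs from discovery, not from the incident);
  * media: when more than 500 residents of one state/jurisdiction are affected;
  * HHS Secretary: with the individual notices when 500 or more individuals
    are affected, otherwise logged and reported within 60 days after the
    end of the calendar year.
Class, field and function names are this example's own assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

INDIVIDUAL_NOTICE_DAYS = 60
HHS_CONTEMPORANEOUS_THRESHOLD = 500   # "500 or more individuals"
MEDIA_THRESHOLD_PER_STATE = 500       # "more than 500 residents of a state"
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60


@dataclass
class Breach:
    incident_date: Optional[date]       # when the PHI was lost or exposed, if known
    discovery_date: date                # when known, or should have been with reasonable diligence
    secured: bool                       # PHI encrypted/destroyed per HHS guidance?
    within_exception: bool              # one of the three statutory exceptions applies?
    significant_risk_of_harm: bool      # counsel's conclusion from the risk-of-harm factors
    residents_by_state: Dict[str, int] = field(default_factory=dict)

    @property
    def individuals(self) -> int:
        return sum(self.residents_by_state.values())


@dataclass
class Obligations:
    notice_required: bool
    reason: str
    individual_deadline: Optional[date] = None
    media_states: List[str] = field(default_factory=list)
    hhs_contemporaneous: bool = False
    hhs_annual_log_deadline: Optional[date] = None


def triage(b: Breach) -> Obligations:
    """Return which notices are owed, and by when, for the breach described."""
    if b.secured:
        return Obligations(False, "PHI was secured; the breach-notice rule does not apply")
    if b.within_exception:
        return Obligations(False, "falls within a statutory exception to 'breach'")
    if not b.significant_risk_of_harm:
        return Obligations(False, "no significant risk of harm; keep the written assessment")

    # The 60-day clock starts at discovery, not at the (possibly unknown) incident date.
    deadline = b.discovery_date + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    media = sorted(s for s, n in b.residents_by_state.items() if n > MEDIA_THRESHOLD_PER_STATE)
    n = b.individuals
    if n >= HHS_CONTEMPORANEOUS_THRESHOLD:
        return Obligations(True, f"{n} individuals: notify HHS together with individual notices",
                           deadline, media, hhs_contemporaneous=True)
    year_end = date(b.discovery_date.year, 12, 31)
    return Obligations(True, f"{n} individuals: log now, report to HHS after year end",
                       deadline, media,
                       hhs_annual_log_deadline=year_end + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END))


# Constructed samples (not real incidents). LOST_LAPTOP mirrors the case study:
# the machine is found missing on 2009-12-01 but was last seen three months earlier.
LOST_LAPTOP = Breach(date(2009, 9, 1), date(2009, 12, 1), secured=False, within_exception=False,
                     significant_risk_of_harm=True, residents_by_state={"IL": 620, "WI": 40})
SMALL_BREACH = Breach(None, date(2010, 3, 15), secured=False, within_exception=False,
                      significant_risk_of_harm=True, residents_by_state={"IL": 12})
ENCRYPTED_LAPTOP = Breach(date(2009, 9, 1), date(2009, 12, 1), secured=True, within_exception=False,
                          significant_risk_of_harm=True, residents_by_state={"IL": 620})

if __name__ == "__main__":
    for name, b in [("lost laptop", LOST_LAPTOP), ("small breach", SMALL_BREACH),
                    ("encrypted laptop", ENCRYPTED_LAPTOP)]:
        print(name, triage(b))
```

For the lost laptop the individual-notice deadline falls 60 days after the December 1 discovery, not after the September date the machine was last seen; Illinois crosses the per-state media threshold while Wisconsin does not, and the 660 affected individuals put the HHS notice on the same schedule as the individual notices. The same incident with full-disk encryption in place produces no notice obligation at all, which is the practical payoff of step 3 of the seven steps.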
6. Group check
Which of the following describes your organization? We are…
A. Well prepared to respond to a breach.
B. Somewhat prepared to respond to a breach.
C. Not at all prepared to respond to a breach.
D. We'll just figure it out, if and when it happens.
Seven Steps to HIPAA Compliance
1. Begin with a thorough risk assessment
2. Identify all locations with PHI
3. Determine whether encryption is warranted, and to what extent
4. Create a cost-effective plan to mitigate top risks
5. Ensure business associate contracts are modified
6. Update policies and procedures
7. Take a cross-functional approach to compliance
Take-away
• Expect more enforcement and bigger penalties for HIPAA violations
• Have a well-thought-out breach response plan in place before a breach occurs
• Managing a breach correctly after it occurs requires understanding its scope and extent
• Basic safeguards can help prevent a breach or, if it does occur, can minimize its impact
7. Group check
How would improved breach readiness help your organization?
A. Avoid litigation
B. Avoid negative press
C. Avoid serious legal and administrative costs
D. All of the above
Our presenters will now answer your questions
Sheila Sokolowski, [email protected], Katten Muchin Rosenman LLP, Chicago, IL
Mark J. Sullivan, [email protected], Grant Thornton LLP, Chicago, IL
Jan Hertzberg, [email protected], Grant Thornton LLP, Chicago, IL
To stay up to date on health care reform and its impact on you, please click on the links below:
• Grant Thornton’s health care reform resource center
• Katten Muchin Rosenman Health Care Practice
After the program
Respond to the online evaluation form.
Print your CPE certificate from the CPE confirmation email.
Note: Group participation will not receive CPE.
Download today's slides as a reference resource.
For questions regarding your CPE certificate, contact LearnLive at 888.228.0988; regarding your CLE certificate, contact [email protected]
Thank you…
Tax Professional Standards Statement
This document supports Grant Thornton LLP's marketing of professional services, and is not written tax advice directed at the particular facts and circumstances of any person. If you are interested in the subject of this document we encourage you to contact us or an independent tax advisor to discuss the potential application to your particular situation. Nothing herein shall be construed as imposing a limitation on any person from disclosing the tax treatment or tax structure of any matter addressed herein. To the extent this document may be considered to contain written tax advice, any written advice contained in, forwarded with, or attached to this document is not intended by Grant Thornton to be used, and cannot be used, by any person for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.