Your Keys to Compliance: From HIPAA to Meaningful Use Virginia Brooks VHIT Director Mark Watson Director, Hancock, Daniel, Johnson & Nagle, PC January 15, 2014 Today’s Presentation Focus on Privacy & Security Know the Rules Meaningful Use Risk Assessment Be Prepared How Can VHIT Help You? Why Focus on Privacy & Security? • • • • • Key to building patients’ trust Important for patient safety Essential for realizing full benefits of EHRs Avoid penalties for breaches Necessary to comply with federal, state and local laws HIPAA & HITECH Act • Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects confidentiality and privacy of healthcare information • American Recovery and Reinvestment Act of 2009 (“stimulus package”) of 2009 includes Health Information Technology for Economic Clinical Health (HITECH) Act – Promotes adoption of EHRs by offering Medicare & Medicaid incentives to physicians demonstrating Meaningful Use Be Advised This presentation is for informational purposes only and is not intended to suggest or offer legal advice. Know the Rules • How do the new HIPAA regulations change things? o Updated terms/standards on: • Notice of privacy practices • Business associate agreements (and business associates) • Breach notification • Patient requests for restrictions • Access rights for patients • Marketing • Sale of PHI, Research, PHI of decedents, and more ... Know the Rules • Notices of Privacy Practices o Must state authorization typically required for: most uses and disclosures of psychotherapy notes most uses and disclosures for marketing most uses of PHI o Must include statement on right to breach notification Know the Rules • Notices of Privacy Practices o Has your NPP been updated regarding requested restrictions? Know the Rules • Business Associates o HIPAA rule now includes entities and individuals that create, receive, maintain or transmit health information on behalf of the covered entity o Prior definition applied only to entities and individuals that used or disclosed health information Know the Rules • Business Associates o “Conduit” exception o Regulatory comments say it’s narrow to exclude “only those entities providing mere courier services” such as the post office and ISPs. o Random or infrequent access to PHI doesn’t eliminate the “conduit” exception, BUT o If the entity requires access regularly, or is involved in something other than just transmission, the conduit exception doesn’t apply Know the Rules • Business Associates o “Conduit” exception cont’d o Data storage company ( digital or hard copy) is a BA even if it does not view the information o Document disposal company is a BA even if it does not view the information o BAAs should address subcontractors Know the Rules • Business Associates o Timing for updates / changes o New arrangements on or after Jan. 25, 2013, new BAA standards apply o If the arrangement was in place before Jan. 25, 2013 and isn’t modified or renewed between March 26, 2013 and Sept. 23, 2013 – you have until Sept. 22, 2014 o If the arrangement is modified or renewed after March 26, 2013 – new BAA standards apply Know the Rules • HIPAA o Security Rule: establishes requirements for protecting electronic PHI o o o o o o Confidentiality / Integrity / Availability Physical / Technical / Administrative Safeguards Develop and maintain policies and procedures Back up / disaster recovery / emergency plans Risk Assessment Record incidents Know the Rules • HIPAA o Breach Notification Rule: unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the information o Prior regulations defined a “Breach” as a compromise involving a significant risk of financial, reputational or other harm Know the Rules • Breach o “Risk” criteria has technincally been eliminated, BUT o Situation may not be a “compromise” if the CE or BA demonstrates that there is a “low probability” that the PHI has been compromised Know the Rules • Breach o “Compromise” assessment based on: o The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification o The unauthorized person who used the PHI or to whom disclosure was made o Whether the PHI was actually acquired or viewed o The extent to which the risk to the PHI has been mitigated Know the Rules • HITECH Act changed things o CEs are required to agree to requests for restrictions in certain cases • New regulations finalize these standards o CEs must agree to restrict disclosure of PHI to a health plan if o The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law o The PHI pertains solely to a health care item or service for which the individual, or someone other than the health plan, has paid in full HITECH Civil Monetary Penalties Violation Category Each Violation Did Not Know Reasonable Cause $100 - $50,000 $1,000 - $50,000 Willful Neglect – $10,000 - $50,000 corrected in 30 days Willful Neglect – not corrected $50,000 All Identical Violations per Calendar Year $1,500,000 $1,500,000 $1,500,000 $1,500,000 Know the Rules Access to ePHI • If ePHI is in a designated record set and the individual requests an electronic copy, the CE must provide the individual with access in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual Know the Rules Marketing • Has always required authorization, But • Has also included “carve outs” for communications to describe other services by the CE and for case management/care coordination • New regulations include similar terms, but many carve outs do not apply where the CE receives “ financial remuneration” • Financial remuneration means direct or indirect payment from or on behalf of a third party whose product is being described Know the Rules Sale of PHI • Strict prohibition on sale of PHI without authorization with limited exceptions • Authorization must state that the disclosure will result in remuneration to the CE • Sale does not include (i.e. authorization isn’t required) for: o Research o The sale or transfer of all or part of the CE and related due diligence Action Items • Review and update your policies and procedures, including: o o o o o o o o Breach notification Requests for restrictions Access rights Marketing? Research? Sale of PHI? Decedents? Immunization records? Action Items • Are other updates/revisions appropriate? • Are your security policies, procedures and actual security measures appropriate? Enforcement Examples • Rite Aid (2010) o Improper disposal of prescriptions and pill bottles o $1 million settlement, CAP, training for employees • Massachusetts General (2011) o Employee took billing encounter forms home; 192 paper records lost o OCR settlement for $1 million, 3 year CAP • Phoenix Cardiac Surgery (2012) o Patient appointments posted on Internet-based calendar o Practice implemented few policies/procedures, limited safeguards o OCR settlement for $100,000 Meaningful Use Standards for Privacy & Security • HITECH promotes adoption of EHRs by offering Medicare & Medicaid incentives to physicians demonstrating Meaningful Use • MU Core Objectives require providers to protect health information created and maintained by an EHR. • Having an ONC certified EHR vendor is not enough Data Security Safeguards • Conduct security risk analysis • Perform a thorough compliance audit • Safeguards may include: o Documented policies and procedures that govern physical and environmental security of data, to include firewalls and more o Visitors are authenticated and escorted at all times, and there are detailed records of visits o Mobile devices are vulnerable and require much more than password or PIN to be secure Safeguards Continued o Secure areas are physically protected, such as monitoring by a receptionist, and security by locked doors and cameras o Keys and combinations are password protected or otherwise secure, and locks are changed when keys are lost or stolen and when employees are terminated o Adequate fire detectors exist and powered by an independent energy source o And many more safeguards … Risk Assessment vs. Risk Analysis • Risk assessment must be completed per HIPAA Security Rules to address reasonably anticipated risks to protect health information • Risk analysis of EHR environment for Meaningful Use is necessary per HITECH to assess damage related to Breach Notification Perform a HIPAA Risk Assessment Top 5 Privacy Issues Identified by OCR: • • • • Impermissible uses and disclosures Insufficient safeguards of PHI Failure to provide patient access to PHI Use/disclosure of more than minimum necessary PHI • Insufficient notice to patients of use/disclosure of PHI Resources are Available • Risk Analysis Now = Future Time + Savings • Checklists & self-help tools can help you get ready • Thorough risk analysis that will pass a compliance review requires expert knowledge • VHIT is ready to help you! How VHIT Will Help • Privacy & Security Risk Assessment – Verify physical, administrative and technical safeguards – Verify current Privacy & Security policies and procedures, BAA agreements, and business contingency plan – Risk mitigation plan based on findings What You Will Get • Privacy & Security Risk Assessment results in hard copy and CD-ROM • Policy templates and supporting documents • Additional materials, including incident logs, cyber security tips, and FAQ tip sheets • HIPAA/HITECH Security training certificates VHIT Expertise and Experience • A Top 5 Regional Extension Center • Supporting 4,000+ providers • Helped 2,200+ qualify for federal EHR incentive payments • Uniquely qualified Questions / Contact Us • Virginia Brooks, MHA, CPHQ (804) 289-5343 vbrooks@vhqc.org http://vhitrec.org • Mark C. Watson, JD (866) 967-9604 mwatson@hdjn.com http://hdjn.com Hancock, Daniel, Johnson & Nagle, P.C.