Module Introduction Module 4: Introduction This module provides detail on: • The Health Information Technology for Economic and Clinical Health (HITECH) Act, Division A, d Cli i l H l h (HITECH) A Di i i A Title XIII, Subtitle D of the American Recovery and Reinvestment Act (ARRA) of 2009 Reinvestment Act (ARRA) of 2009 • The role of State Attorneys General (SAG) under ARRA/HITECH • Application Application of the Privacy and Security Rules to business of the Privacy and Security Rules to business associates under ARRA/HITECH • Other provisions related to HIPAA under ARRA/HITECH p / HIPAA Enforcement Training for State Attorneys General 1 Module Objectives Module 4: Objectives After completing this module, you will be able to: • Discuss your authority to enforce HIPAA • Describe the civil money penalty (CMP) structure established under ARRA/HITECH • Discuss the application of Privacy and Security provisions to business associates under ARRA/HITECH • Summarize the breach notification requirements established by ARRA/HITECH • Discuss other provisions related to HIPAA under ARRA/HITECH HIPAA Enforcement Training for State Attorneys General 2 Lesson 1: Overview of ARRA/HITECH Module 4 Lesson 1: Overview of ARRA/HITECH The Health Information Technology The Health Information Technology for Economic and Clinical Health (HITECH) Act: • Enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009 of 2009 • Signed into law on February 17, 2009 • Enhances enforcement of the HIPAA regulations Enhances enforcement of the HIPAA regulations • Gives enforcement authority to SAG to protect state residents whose HIPAA protections or rights have been residents whose HIPAA protections or rights have been violated HIPAA Enforcement Training for State Attorneys General 3 Lesson 2: A New Role for SAG in HIPAA Enforcement Module 4 Lesson 2: A New Role for SAG in HIPAA Enforcement Section 13410(e), “Enforcement Through State Attorneys ( ) General,” of ARRA/HITECH gives authority to SAG to bring a civil action on behalf of state residents that have been or are civil action on behalf of state residents that have been or are threatened or adversely affected by any covered entity or business associate that violates HIPAA requirements. requirements Amends Section 1176 of the Social Security Act (42 USC 1320d 5) the Social Security Act (42 USC 1320d‐5) HIPAA Enforcement Training for State Attorneys General 4 Lesson 3: Increased Civil Money Penalties Module 4 Lesson 3: Increased Civil Money Penalties (CMP) Violation Category Each Violation (A) Did Not Know For violations occurring before 2/18/2009 Up to $100 For violations occurring on or after 2/18/2009 $100 ‐ $50,000 (B) Reasonable Cause Up to $100 $1,000 ‐ $50,000 (C)(i) Willful Neglect‐Corrected Up to $100 $10,000 ‐ $50,000 (C)(ii) Willful Neglect‐Not Corrected Up to $100 $50,000 All Identical Violations per Calendar Year For violations occurring before 2/18/2009 For violations occurring on or after 2/18/2009 $25,000 $1,500,000 Section 13410(d) of the HITECH Act revised section 1176(a) of the Social Security Act (“the Act”) by establishing a tiered increase in CMP, including: • Four categories of violations that reflect increasing levels of culpability Four categories of violations that reflect increasing levels of culpability • Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation • A maximum penalty amount of $1.5 million for all violations of an identical provision HIPAA Enforcement Training for State Attorneys General 5 Lesson 4: Periodic Audits Module 4 Lesson 4: Periodic Audits Section 13411 states that the Secretary of Health and Human Services (HHS) shall provide for periodic audits to shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of the HIPAA Privacy and Security Rules comply with the requirements. requirements HIPAA Enforcement Training for State Attorneys General 6 Lesson 5: Clarification of Wrongful Disclosures Criminal Penalties Module 4 Lesson 5: Clarification of Wrongful Disclosures Criminal Penalties Section 13409 amends Section 1177(a) of the Social Security p ( g p y Act to state that a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of HIPAA if h i f if the information is maintained by a covered entity (as defined i i i i db d i ( d fi d in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information and the individual obtained or disclosed such information without authorization. Reference: 42 U S C 1320d‐6(a) Reference: 42 U.S.C. 1320d 6(a) HIPAA Enforcement Training for State Attorneys General 7 Lesson 6: Effective Date Module 4 Lesson 6: Effective Date HITECH, Section 13410 (“Improved Enforcement”); ( ) Subsection (e), (Enforcement through State Attorneys General); Subsection (3) (“Effective General); Subsection (3) ( Effective Date Date”): ): SAG may pursue damages for violations of the Privacy and Security Rules that occur after February 17 2009 However, Security Rules that occur after February 17, 2009. However the effective date of most HITECH provisions is February 17, 2010, unless otherwise specified in the statute. HIPAA Enforcement Training for State Attorneys General 8 Lesson 7: Application of Privacy and Security Provisions to Business Associates Module 4 Lesson 7: Application of Privacy and Security Provisions to Business Associates to Business Associates Sections 13401 and 13404 of the HITECH Act: Extend to business associates certain of the same certain of the same requirements of the HIPAA Rules that apply to covered entities HIPAA Enforcement Training for State Attorneys General 9 Lesson 7: Application of Privacy and Security Provisions to Business Associates Module 4 Lesson 7: Application of Privacy and Security Provisions to Business Associates (continued) Sections 13401 and 13404 of the HITECH Act: • Require business associates to comply with most provisions in the Security Rule, and with the Privacy Rule’s limitations on the use and disclosure of PHI • Require the business associate agreement (e.g., contract) between a covered entity and its business associate to incorporate the relevant HIPAA Privacy Rule requirements incorporate the relevant HIPAA Privacy Rule requirements • Apply civil and criminal penalties to a business associate in th the same manner they are applied to a covered entity that th li d t d tit th t violates the HIPAA Privacy or Security Rules HIPAA Enforcement Training for State Attorneys General 10 Lesson 8: Business Associate Contracts Required for Certain Entities Module 4 Lesson 8: Business Associate Contracts Required for Certain Entities Certain Entities Section 13408 states that each organization that: • Provides data transmission of protected ( ) health information (PHI) to a covered entity or its business associate, and • Requires routine access to the PHI …must enter into a business associate contract and shall be y treated as a business associate of the covered entity under the HIPAA Privacy and Security Rules. HIPAA Enforcement Training for State Attorneys General 11 Lesson 9: Breach Notification Requirements Module 4 Lesson 9: Breach Notification Requirements Section 13402 of the HITECH Act requires covered entities to notify each affected individual notify each affected individual, HHS, and in some cases the media of a breach of “unsecured PHI.” Office for Civil Rights (OCR) issued, in August 2009, an interim final rule for breach notification requirements, which are enforceable by OCR and SAG. HIPAA Enforcement Training for State Attorneys General 12 Lesson 9: Breach Notification Requirements Module 4 Lesson 9: Breach Notification Requirements (continued) ““Unsecured PHI” is defined as PHI d ” d f d that is not secured through the use of a technology or methodology gy gy specified by HHS’ Breach Notification Guidance. • Titled “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, , Unreadable, or Indecipherable to Unauthorized Individuals.” The guidance identifies encryption and destruction as the accepted methods for securing PHI. HIPAA Enforcement Training for State Attorneys General 13 Lesson 9: Breach Notification Requirements Module 4 Lesson 9: Breach Notification Requirements (continued) Notification of a breach of N tifi ti f b h f unsecured PHI: • Is Is required within 60 days required within 60 days after discovery of the breach, unless delay is requested by law enforcement • A breach is considered “di “discovered” by a covered d” b d entity or by a business associate as of the first day on which the breach is or should reasonably have been known to have occurred HIPAA Enforcement Training for State Attorneys General 14 Lesson 9: Breach Notification Requirements Module 4 Lesson 9: Breach Notification Requirements (continued) Notification of a breach of unsecured PHI: • Business associates must notify the covered entity of a breach and in some cases breach, and in some cases may be required by the covered entity to notify affected individuals • Is sent in paper form by first class mail to the last known address of the individual or his/her next of kin, unless preference is specified by the individual for electronic mail HIPAA Enforcement Training for State Attorneys General 15 Lesson 9: Breach Notification Requirements Module 4 Lesson 9: Breach Notification Requirements (continued) Breach involving less than 500 individuals: • Notice to affected individuals individuals • Notice to HHS. A covered entity may maintain a entity may maintain a log and submit it annually to the Secretary of HHS f HHS HIPAA Enforcement Training for State Attorneys General 16 Lesson 9: Breach Notification Requirements Module 4 Lesson 9: Breach Notification Requirements (continued) Breach involving more individuals: • Notice to affected individuals • Contemporaneous notice to the Secretary of HHS to the Secretary of HHS for posting to the HHS public website (if 500 or more individuals affected) i di id l ff t d) • Notice to prominent media within the state or jurisdiction media within the state or jurisdiction (if more than 500 individuals affected) HIPAA Enforcement Training for State Attorneys General 17 Lesson 10: Other Provisions Module 4 Lesson 10: Other Provisions HITECH provides for additional provisions: • Requested Restrictions on • Education on Health Certain Disclosures i i l Information Privacy f i i • Accounting of Certain PHI • Conditions on Certain Contacts Disclosures if the Covered Disclosures if the Covered as Part of Health Care as Part of Health Care Entity Uses Electronic Health Operations – Marketing Records • Conditions on Certain Contacts • Prohibition on the Sale of PHI as Part of Health Care and ePHI Operations – Fundraising Access in Electronic Format • Access in Electronic Format HIPAA Enforcement Training for State Attorneys General 18 Module Recap Module 4: Recap Under ARRA/HITECH Under ARRA/HITECH: • HIPAA enforcement authority was granted to SAG • A tiered increase in CMP was established A tiered increase in CMP was established • The HIPAA Rules apply to business associates in much the same way they do to covered entities • Breach notifications must be sent to affected individuals, the Breach notifications must be sent to affected individuals the Secretary of HHS, and in some cases the media • New limitations are implemented related to individually requested restrictions on disclosures sale of PHI and marketing requested restrictions on disclosures, sale of PHI, and marketing communications • Widened application of criminal penalties to business associates, employees of covered entities l f d titi HIPAA Enforcement Training for State Attorneys General 19 Module Summary Module 4: Summary Having completed this module, you are able to: • Discuss your authority to enforce HIPAA • Describe the civil money penalty (CMP) structure established under ARRA/HITECH • Discuss the application of Privacy and Security provisions to business associates under ARRA/HITECH • Summarize the breach notification requirements established by ARRA/HITECH • Discuss other provisions related to HIPAA under ARRA/HITECH HIPAA Enforcement Training for State Attorneys General 20