
American Recovery and Reinvestment Act ARRA of 2009



Presentation Transcript


    1. American Recovery and Reinvestment Act (ARRA) of 2009 Health Information Technology for Economic and Clinical Health (HITECH)

    2. Purpose of ARRA Increased HIPAA regulatory standards in support of the National Health Information Technology and the Electronic Medical Records Initiative.

    3. Breach Notification Regulation (Subpart D of HITECH)
       Effective: 9/2009
       Enforcement: 2/18/2010

    4. Overview of the Breach Notification Regulation Requires covered entities to notify affected individuals and Health and Human Services (HHS) of security breaches involving unauthorized acquisition, access, use or disclosure of unsecured PHI which compromises the security or privacy of such information.

    5. Defined Terms Breach: Unauthorized acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of the protected health information (PHI), except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

    6. Defined Terms
       Protected Health Information (PHI): Individually identifiable health information, including:
       Name and/or initials
       Social Security number
       Geographic information (town, city, state, zip code)
       Medical Record number
       Telephone or Fax number
       E-mail address
       Account number
       Device identifiers
       Vehicle identifiers

    7. Criteria for Breach Notification A breach must at a minimum constitute a violation of the Privacy Rule to require notification. A security breach must pose a “significant risk of harm” to an affected individual before a report is required.

    8. What’s all the Fuss about? Compliance is mandatory! Noncompliance is costly! Civil and Criminal Penalties exist!

    9. Tiers of Civil Money Penalties
       1. Person had no knowledge they were violating HIPAA
          a. Minimum $100/violation – capping at $25K
          b. Maximum $50K/violation – capping at $1.5 million

    10. Tiers of Civil Money Penalties (continued)
       2. Violation due to reasonable cause, not willful neglect
          a. Minimum $1K/violation – capping at $100K
          b. Maximum $50K/violation – capping at $1.5 million

    11. Tiers of Civil Money Penalties (continued)
       3. Violation due to willful neglect, but was timely corrected
          a. Minimum $10K/violation – capping at $250K
          b. Maximum $50K/violation – capping at $1.5 million

    12. Tiers of Civil Money Penalties (continued)
       4. Violation due to willful neglect but was NOT timely corrected
          a. Maximum $50K/violation – capping at $1.5 million

    13. Criminal Penalties
       1. Person had no knowledge they were in violation
          a. NOT more than $50K, imprisonment of NOT more than 1 year, or both
       2. Violation under false pretenses
          a. NOT more than $100K, imprisonment of NOT more than 5 years, or both
       3. Violation with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm
          a. NOT more than $250K, imprisonment of NOT more than 10 years, or both

    14. Breach Notification Examples
       1. E-mail that includes patient information is sent outside the secured system (includes responding to an e-mail with patient information).
       2. Documents are faxed, intended for a physician’s office, but a call is received by the office that the fax was received by an automobile dealership.
       3. A patient’s documents are placed in regular trash. Trash is dumped outside the area. Documents are later found by another person and reported.

    15. Breach Notification Examples (continued)
       4. A phone, laptop, dictating device or flash drive containing patient information is misplaced or stolen.
       5. Utilizing your access rights to locate patient information for non-treatment purposes.
