
HITECH ACT AND RED FLAG RULES


Presentation Transcript


    1. HITECH ACT AND RED FLAG RULES
        Presented by: Jason Davis, Stoel Rives LLP
        October 9, 2009

    2. HITECH ACT The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was passed on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (aka The Stimulus Bill).

    3. HITECH Act
        - Allocates money for healthcare infrastructure and adoption of electronic health records (EHRs)
        - Adds breach notification requirements
        - Expands business associate obligations and establishes direct liability
        - Amends the HIPAA Privacy Rule
        - Enhances enforcement and increases penalties

    4. HITECH Act: Plan
        - Promote electronic exchange and use of health information and enterprise integration of such information
        - Enhance use of health information technology to improve the quality of healthcare, reduce medical errors, reduce health disparities, improve public health, and improve the continuity of care
        - Utilization of an EHR for each person by 2014
        - Incorporate privacy and security protections for the electronic exchange of health information

    5. HITECH Act: Financial Incentives
        - $19 billion investment to further national adoption of health information technology and infrastructure
        - To receive incentive payments, providers must demonstrate “meaningful use” of a certified EHR
        - Neither meaningful use nor certification has been defined at this time
        - Proposed rules expected by end of 2009

    6. Financial Incentives: Eligible Professionals

    7. Financial Incentives: Hospitals
        - Begin October 2010 for meaningful EHR users
        - Eligible hospital can receive up to 4 years of payments
        - Incentive payments are based on a formula that starts with a base amount of $2,000,000 and then is adjusted taking into account hospital Medicare discharges and charity care
        - No payments to hospitals after 2015

    8. Medicaid Payment Incentives
        - 100% Federal matching for state expenditures for provider incentives to encourage eligible Medicaid providers to purchase certified EHRs
        - Not a direct reimbursement, but payments can be made for up to 85% of allowable costs for EHR technology
        - The statute does not define fixed amounts for the incentive payments, only ceilings that cannot be exceeded; it is expected that actual payment amounts will be addressed through rulemaking
        - Cannot receive incentive payments under both Medicare and Medicaid

    9. Financial Penalties
        - Eligible professionals who are not using certified EHRs by 2015 will see reductions in Medicare Part B payments: 1% in 2015, 2% in 2016, 3% in 2017 and thereafter
        - If by 2018 75% of eligible professionals are not using EHR, the HHS Secretary can continue reducing Medicare payments up to 5%
        - Eligible hospitals that are not meaningful users will receive a net reduction of ¼, ½ and ¾ of the market basket update that would apply in 2015, 2016, 2017 and thereafter

    10. HIPAA: Breach Notification Obligations
        - Beginning September 23, 2009, covered entities and business associates have new notification obligations for a breach of unsecured protected health information.
        - “Unsecured Protected Health Information” is PHI in any form that is not rendered unusable, unreadable, or indecipherable through the use of a technology or methodology specified by HHS guidance (for now, encryption or destruction).
        - “Breach” is defined as the unauthorized acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of such information.
        - “Compromises the security or privacy” of the PHI means poses a significant risk of financial, reputational, or other harm to the individual.
        - Certain actions are excluded from the definition of breach.

    11. Breach Analysis
        - PHI?
        - Use or disclosure prohibited by the HIPAA Privacy Rule?
        - Is a safe harbor met?
        - Does an exception apply?
        - Does the use or disclosure pose a significant risk to the patient?

    12. Notice Requirements
        If a breach of unsecured PHI has occurred then:
        - Covered entities must notify all affected individuals without unreasonable delay, and in no case later than 60 calendar days.
        - Business associates must notify the covered entity of the breach, and the covered entity in turn must notify the impacted individuals.

    13. Delivery of the Notice
        Notice must be:
        - in writing;
        - sent to the individual’s last known address;
        - if 10 or more individuals have no known address, substitute notice must be provided;
        - if the breach involves more than 500 people in one state, notice must be provided through major media outlets;
        - if a breach involves more than 500 individuals, HHS must be notified immediately;
        - if 500 or fewer individuals are affected, a log of the breach must be kept and submitted annually to HHS.

    14. Content of the Notice
        Notice must contain:
        - brief description of the breach;
        - types of unsecured PHI involved in the breach;
        - steps an individual should take to protect himself or herself;
        - actions the covered entity is taking to investigate and mitigate losses from the breach; and
        - contact information for additional questions.

    15. Breach Challenges
        - More stringent state laws are not preempted
        - Documentation
        - Training the workforce
        - Updating policies and procedures

    16. Business Associates
        - Must comply with HIPAA Security Rule
        - Directly subject to enforcement and penalties
        - Impact to Business Associate Agreements
        - Roles and responsibilities relating to breach notification obligations
        - HHS likely to issue future guidance

    17. Amendments to Privacy Rule
        - Patient Right: Right to a Restriction (effective February 17, 2010)
        - Patient Right: Access to Electronic PHI (effective February 17, 2010)
        - Patient Right: Accounting of Disclosures
          - For entities with an EHR as of January 1, 2009, this obligation is effective January 1, 2014
          - For all others, effective the later of January 1, 2011 or the date the entity acquires an EHR
          - HHS is to issue guidance about this requirement and may delay implementation an additional 2 years

    18. Amendments to Privacy Rule (con’t)
        - Redefines minimum necessary standard (effective February 17, 2010); by August 17, 2010, HHS is to issue further guidance on what constitutes the minimum necessary
        - Marketing communications further restricted (effective February 17, 2010)
        - Prohibition on sale of Electronic PHI: regulations are to be issued by August 17, 2010, to be effective not later than 6 months after issuance

    19. Enhanced Enforcement
        - Public Education
        - Audits
        - State Attorneys General civil actions
        - Patients share in monetary penalties (regulations to be issued no later than February 17, 2012)
        - Civil monetary penalties collected to be retained by HHS for additional enforcement

    20. Increased Penalties: Tiered Approach
        - No knowledge: minimum civil penalties $100 to $50,000 per violation; maximum $1,500,000 for all violations of an identical requirement or prohibition during a calendar year
        - Reasonable cause, but not willful neglect: minimum $1,000 to $50,000 per violation; maximum $1,500,000 during a calendar year
        - Willful neglect: minimum $10,000 to $50,000 per violation; maximum $1,500,000 during a calendar year
        - Beginning February 17, 2011, HHS will be required to impose a monetary penalty if a violation is found due to willful neglect

    21. Coming Soon
        Rulemaking by 12/31/2009 adopting standards and criteria on the following:
        - Technologies that protect the privacy and security of health information in a qualified EHR
        - A nationwide HIT infrastructure that allows for the electronic use and accurate exchange of health information
        - Utilization of a certified EHR by 2014
        - Technologies that allow health information to be rendered unusable, unreadable, or indecipherable to unauthorized persons when transmitted in the nationwide health information network

    22. Red Flag Rules
        - Rules implementing Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)
        - Compliance Deadline: November 1, 2009?
        - Financial institutions and creditors must develop policies and procedures to identify and detect red flags and respond appropriately to prevent and mitigate identity theft.

    23. Red Flag Rules
        - Very broad coverage: any financial institution or creditor
        - Creditor is defined broadly to include any business that regularly defers payments for goods or services, or provides goods or services and bills the consumer later.
        - “Covered accounts” includes any account that a financial institution or creditor offers or maintains where there is a foreseeable risk of identity theft
        - Identity theft is broadly defined

    24. What are Red Flags?
        Red Flags are potential patterns, practices or specific activities indicating the possibility of identity theft. Examples:
        - Alerts, Notifications or Warnings from a Consumer Reporting Agency or Service Provider (such as a fraud detection service)
        - Suspicious Documents
        - Suspicious Personal Identifying Information
        - Suspicious Activity Related to the Covered Account
        - Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Sources

    25. Program Development and Compliance: Step 1: Risk Assessment
        A. Identify Covered Accounts (e.g., patient accounts)
           - Reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor
        Using the red flag examples provided in the Rules, identify relevant red flags that could occur. Consider:
        - The types of accounts offered
        - The methods to open or access an account
        - Previous experience with identity theft
        Initiate risk management efforts as needed (gap remediation)

    26. Program Development and Compliance: Step 2: Detect Red Flags
        - Develop process to detect red flags at account origination
          - Obtain and verify identifying information
          - Monitor for red flags
          - Reconcile discrepancies
        - Develop process to detect red flags for existing accounts
          - Monitor accounts and transactions for red flags
          - Verify change of address requests
        - Train the workforce

    27. Program Development and Compliance:
        Step 3: Respond to red flags to prevent and mitigate the occurrence of identity theft
        - Analyze red flags that are detected
        - Identify stakeholders to investigate possible red flags
        - Take responsive measures for actual risk
        - Document a reasonable basis for “non-action”
        Step 4: Oversee Service Providers
        - Identify service providers granted access to covered accounts
        - Ensure contracts require service providers to maintain an Identity Theft Prevention Program

    28. Program Development and Compliance: Step 5: Oversee Program
        - Board of Directors (or Board Committee) must approve the Program
        - Ensure independent review of the Program (audit)
        - Receive annual reporting to address:
          - Effectiveness of the Program and policies and procedures
          - Service provider arrangements
          - Management response to significant incidents
          - Recommendations for updating the Program

    29. Program Development and Compliance:
        Step 6: Train relevant employees
        Step 7: Develop comprehensive reporting to the Board
        Step 8: Update the Program periodically:
        - Revisit the risk assessment considering new business units and types of accounts
        - Reassess red flag relevancy considering new fraud experiences, trends and techniques

    30. Questions?
        Jason Davis, Stoel Rives LLP
        jwdavis@stoel.com
        503-294-9868
