

RAC: Recovery Audit Contractor, Connolly Healthcare. ARRA and HITECH: Two Years Later. Management Resource Group, LLC & Associates Lunch & Learn, Biloxi, Mississippi, April 14, 2011.


Presentation Transcript


  1. RAC: Recovery Audit Contractor, Connolly Healthcare
     ARRA and HITECH: Two Years Later
     Management Resource Group, LLC & Associates Lunch & Learn, Biloxi, Mississippi, April 14, 2011
     Connolly is tasked with auditing Region C, which consists of the states of AL, AR, CO, FL, GA, LA, MS, NC, NM, OK, SC, TN, TX, VA, WV and the territories of Puerto Rico and the U.S. Virgin Islands.
     The RAC Program’s Mission: “To reduce Medicare improper payments through efficient detection and collection of overpayments, the identification of underpayments, and the implementation of actions that will prevent future improper payments.”
     Dinetia M. Newman, Esquire, Balch & Bingham LLP

  2. ARRA and HITECH: Two Years Later
     Today’s Agenda:
     • Background
     • Rules for Business Associates
     • Definition of “Breach”
     • Breach Analysis
     • Notification Requirements
     • Operational and Compliance Challenges
     • New Mississippi Law (H.B. 583)
     • Penalty Structure
     • Recent Enforcement Developments
     • Best Practices and Recommendations

  3. Background
     • HIPAA—August 1996
     • Privacy Rule—April 2003
     • Security Rule—April 2005
     • Enforcement Rule—March 2006
     • American Reinvestment and Recovery Act (“ARRA”)—February 17, 2009
     • Health Information Technology for Economic and Clinical Health Act (“HITECH”)—ARRA Division A, Title XIII – Health Information Technology, § 13001 et seq.

  4. Background
     • April 17, 2009—Security methodology for PHI
     • August 24, 2009 (effective September 23, 2009)—HITECH breach notification / interim final rule (74 Fed. Reg. 42740)
     • October 30, 2009 (effective November 30, 2009)—HITECH enforcement / interim final rule (74 Fed. Reg. 56123)
     • May 7, 2010—Draft HIPAA Security Standards: Guidance on Risk Analysis
     • July 14, 2010—Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the HITECH Act: Proposed Rule (75 Fed. Reg. 40868) (“Proposed Rule”) (proposed effective date 180 days following the effective date of the final rule’s issuance)

  5. Rules for Business Associates

  6. What is a “Business Associate”?
     • Defined at 45 C.F.R. §160.103
     • Essentially, a person who performs or assists in performing, on behalf of a CE or OHCA (but not as part of the CE’s or OHCA’s workforce), a function or activity involving the use or disclosure of individually identifiable health information
     • Subcontractors as BAs?

  7. Regulation of Business Associates Prior to HITECH
     • HIPAA Privacy (2002) and Security (2003) Rules applied indirectly to BAs through BA Agreements (BAAs)
     • With few exceptions, CEs were required to have a written BAA with BAs
     • If a BA violated a term of the BAA, only the CE faced penalties, and it faced penalties for violating HIPAA Privacy or Security only if a compliant BAA was not in effect
     • The CE could terminate the BAA and underlying contract or bring a contract action for damages, but seldom did so.

  8. Regulation of Business Associates After HITECH
     • Must comply with the Privacy Rule and the additional requirements of HITECH
       • “Minimum Necessary” disclosures
       • Disclosures to Health Plans
       • Marketing and Fundraising Limitations
       • Accounting of Disclosures
       • Access to PHI
       • Prohibition on Sale of PHI

  9. Regulation of Business Associates After HITECH
     • Must comply with the administrative, physical and technical safeguards of the Security Rule
     • Must also comply with the policies and procedures documentation requirements of the Security Rule
     • Must comply with additional requirements of HITECH related to security of ePHI
     • Unsecured PHI breach reporting requirement

  10. What is a “Business Associate”?
     • Proposed Rule:
       • Includes specifically PSOs, HIEs, e-prescribing gateways, and PHR vendors
       • Broadens BA definition to include non-workforce subcontractors
     • Should BAAs be revised to update based on Privacy and Security Rule amendments in HITECH and clarifications and changes in the Proposed Rule?

  11. HIPAA “Breach and Breach Analysis”

  12. What is a HIPAA Breach?
     • Breach = “Unauthorized acquisition, access, use or disclosure of PHI in a manner not permitted under subpart E of this part which compromises the security or privacy of the PHI.”
     • 45 C.F.R. Section 164.402

  13. New Definition of “Breach” – 45 C.F.R. §164.402(1)
     • Paragraph (1) clarifies when security or privacy is considered to be compromised:
       • When the disclosure of PHI “poses a significant risk of financial, reputational, or other harm to the individual”
     • BUT note that (ii): A use or disclosure of PHI that doesn’t include the identifiers in §164.514(e)(2), date of birth, and zip code doesn’t compromise the security or privacy of the information.

  14. New Definition of “Breach” – Breach Exceptions – 45 C.F.R. §164.402(2)
     • Paragraph (2) includes the statutory exceptions to a breach.
     • (i): any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a CE or BA, if done in good faith and within the scope of authority, and which doesn’t result in further use or disclosure
       • Example: A workforce member, in the course of her duties, accidentally types in the wrong encounter number, i.e., 01234 instead of 01243. When Jane Doe’s account instead of John Smith’s account is retrieved, she immediately recognizes her mistake and exits the chart.

  15. New Definition of “Breach” – Breach Exceptions, cont.
     • (ii): any inadvertent disclosure by a person authorized to access PHI to another person authorized to access PHI at the same CE or BA or OHCA, where the information received is not further used or disclosed
       • Example: Genie sending Julie Jones (instead of Joan Johnson) an email containing PHI, where:
         • Genie, Julie and Joan are part of the same workforce
         • Genie, Julie and Joan are authorized to access PHI
         • Julie recognizes the mistake and deletes the email

  16. New Definition of “Breach” – Breach Exceptions, cont.
     • (iii): a disclosure of PHI where a CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably be able to retain such information
       • Example: The medical records copy clerk accidentally drops an entire stack of copied medical records on the floor, and a visitor to the hospital, seeing the mess, stops and helps her pick them up.

  17. New Definition of “Breach” – Other Points
     • Most of the PHI we will encounter will be deemed “unsecured PHI”.
     • Neither password protection nor firewalls make PHI “secured PHI”.
     • The breach notification rules apply only to breaches of unsecured PHI.

  18. Securing PHI: Encrypt or Destroy
     Encryption
     • Data at rest (NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices)
     • Data in transit (Federal Information Processing Standards 140-2)
     Destruction
     • Non-electronic media: shredded or destroyed such that the PHI cannot be read or otherwise reconstructed
     • Electronic media: cleared, purged or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, so that PHI cannot be retrieved

  19. Breach Analysis

  20. Breach Analysis Step One: Is the information in question PHI and “unsecured”?
     • If no: No breach
     • If yes: proceed to Step Two

  21. Breach Analysis Step Two: Do we have an unauthorized use/disclosure of unsecured PHI?
     • If no: No breach
     • If yes: proceed to Step Three

  22. Breach Analysis Step Three: Do any of the exceptions in §164.402(2) from the “breach” definition apply to these facts?
     • If yes: No breach
     • If no: proceed to Step Four

  23. Breach Analysis Step Four: Does the use/access/disclosure pose a significant risk of financial, reputational or other harm to the individual?
     • If no: No breach
     • If yes: proceed to Step Five

  24. Breach Analysis Step Five: Does the compromised information include any of the identifiers listed in §164.514(e)(2), date of birth and zip code?
     • If no: No breach
     • If yes: Breach has occurred; notification is required

  25. Query whether Breach analysis will be included in revised Final Rule

  26. Breach Notification Requirements

  27. Breach Notification Requirements
     • The number of people affected by the breach is critical to assess because it determines how notice of the breach is given, to whom, and when.
     • The statute does allow for delays in notification because of law enforcement involvement under certain circumstances, but documentation requirements apply. See §164.412 for requirements and the definition of law enforcement official in §164.103.

  28. Breach Notification Requirements
     • Individuals
       • Notification to each affected individual is required “without unreasonable delay” and not later than 60 calendar days after discovery.
       • Notices to individuals are required to contain specific information about the breach in understandable language. See §164.404(c).
       • Notices are to be provided by mail or, if agreed upon earlier, by email. See §164.404(d)(1).

  29. Breach Notification Requirements
     • Substitute Notice: §164.404(d)(2)
       • If you have insufficient or out-of-date contact information for fewer than 10 individuals, substitute notice can be provided by an alternative form of written notice, telephone or other means.

  30. Breach Notification Requirements
     • If you have insufficient or out-of-date contact information for more than 10 individuals, substitute notice must be:
       • in the form of a conspicuous posting on the home page of the website of the CE, or
       • a “conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside”, and
       • include a toll-free phone number active for at least 90 days where an individual can learn if his/her PHI was included in the breach.

  31. Breach Notification Requirements
     • Media
       • If you have a breach involving more than 500 residents of a state, the CE must “notify prominent media outlets serving the state or jurisdiction”.
       • Timing is the same as for individual notice—without unreasonable delay, NTE (not to exceed) 60 days

  32. Breach Notification Requirements
     • Secretary of HHS
       • If you have a breach involving more than 500 individuals, the CE must notify the Secretary of HHS contemporaneously with the notification to individuals
       • For breaches of fewer than 500 individuals, a CE must maintain a log or other documentation of breaches and, not later than 60 days after the end of each calendar year, provide notice to the Secretary of breaches occurring during the preceding calendar year.

  33. Operational and Compliance Challenges

  34. Operational and Compliance Challenges: Business Associate Agreements
     • HITECH
       • Business Associates are required to notify the CE following discovery of a breach “without unreasonable delay”, NTE 60 days after discovery.
       • Business Associate Agreements may shorten this time frame, particularly if the BA is an “agent” of the CE.
       • Business Associates are required to provide the CE with information for the notice.
     • Debate over amending Business Associate Agreements continues.

  35. Operational and Compliance Challenges: New Rules for Accounting Disclosures and TPO
     • PRE-HITECH: CEs were required to provide an accounting of non-routine disclosures occurring during the prior 6 years; disclosures for TPO weren’t included.
     • HITECH: Accounting obligation will apply to TPO disclosures made through an EHR during the prior 3 years

  36. Operational and Compliance Challenges: Rights of Individual to Access PHI
     • Pre-HITECH: Individuals have the right to review and obtain copies of their PHI contained in a CE’s designated record set (within 30 days or, if off site, 60 days) with a possible 30-day extension.
     • HITECH: Access rights expanded
       • Individual may direct a CE with an EHR to send a copy directly to a designee, but the request must be clear, conspicuous and specific.
       • CE’s fee to provide an electronic copy cannot exceed the CE’s labor costs involved.
     • Proposed Rule: If a CE maintains PHI electronically and the individual requests PHI in electronic form, the CE must so provide it if readily producible and, if not, in a mutually agreeable electronic form and format.

  37. Operational and Compliance Challenges: Notice of Privacy Practices
     • Pre-HITECH: NPPs must state that uses and disclosures in addition to permitted disclosures require the individual’s written authorization and provide the ability to opt out.
     • Proposed Rule:
       • NPP must state that the individual may opt out of various CE communications: those about treatment alternatives and other health-related products, and fund-raising communications.
       • NPP must state that the individual may ask the CE to restrict PHI disclosures regarding treatment for which the individual (rather than the health plan) has paid in full.

  38. Operational and Compliance Challenges: Rules for PHI Restrictions
     • Pre-HITECH: CEs were not required to agree to restrictions on disclosures that they were otherwise able to make for TPO purposes
     • HITECH: Patient’s request must be honored by the CE if the disclosure is to a health plan for purposes of carrying out payment or health care operations (not treatment) AND the PHI pertains solely to a health care item or service for which the provider has been paid out of pocket in full.

  39. Operational and Compliance Challenges: Restrictions on Sale of PHI
     • HITECH: Prohibition on sale of PHI except in certain limited circumstances
       • Statutory exemptions – public health activities, research, treatment, sale/merger/consolidation of CE, BA services, providing PHI to the individual.
     • CE may receive financial remuneration for written treatment communications without authorization.
     • CE may not receive financial remuneration for HCO communications without authorization.

  40. Operational and Compliance Challenges: Restrictions on Marketing and Fundraising
     • Right to opt out of receiving fundraising communications
     • Proposed Rule:
       • Opt-out method must not cause the individual undue burden
       • CE cannot condition treatment or payment on whether the individual opts out
       • CE must assure that an opting-out individual does not receive fund-raising communications (vs. just making “reasonable efforts”).
     • Changes in definition of marketing
       • HITECH: HCO disclosures for which the CE receives direct or indirect payment require marketing authorization
       • Proposed Rule: Changes “direct or indirect payment” to “financial remuneration”. “Financial remuneration” includes cash and cash equivalents but does not include in-kind remuneration or payment for treatment by a health plan or other responsible party. CE may receive remuneration for refill reminders if the payment is reasonably related to the CE’s cost to make the communication.
     • For most non-treatment-related purposes, disclosures must be limited to the “minimum necessary”

  41. Operational and Compliance Challenges:
     • Pre-HITECH:
       • CE may condition receipt of research-related treatment on the subject’s agreement to execute a disclosure authorization
       • Compound authorization allowed, e.g., including the subject’s consent to participate in a research trial with authorization to disclose the subject’s PHI
     • Proposed Rule:
       • Would eliminate the requirement for separate documents if certain conditions are met
       • Must be clear differentiation between the two authorizations
       • Must allow for the subject to approve or decline authorization for the corollary activity
     • Issue: When a research trial includes research-related treatment and a corollary activity, e.g., banking of tissue (and associated PHI), the CE must obtain separate authorization
     • HHS requests comments regarding differentiating authorizations for treatment-related research and those for corollary activities
     NOTE: Issue involves research entities’ need to use PHI in databases for future research
     • Disclosure authorizations must be study specific
     • Future research would require recontacting the individual to sign additional authorization forms
     • HHS solicits comments on the proposed options to better understand the impact on the conduct of research and patient understanding of authorization.
     • Patient must still be able to revoke authorization for future research at any time

  42. HIPAA Penalty Structure

  43. HIPAA Penalty Structure
     • Pre-HITECH: $100/violation, NTE $25,000/yr for all violations of an identical requirement.
       • BUT there were limitations on the imposition of these penalties
     • HITECH and Enforcement Rule:
       • Tiered penalty structure tied to increasing levels of culpability
       • Penalties are based on the nature and extent of the violation, the nature and extent of the harm caused by the violation, and other factors in Section 160.408 (history of compliance, etc.)

  44. HITECH Penalty Structure
     • Tier 1: “Did not know and would not have known through reasonable diligence” = $100-$50,000 each violation, NTE $1,500,000/calendar year for identical violations
     • Tier 2: “Reasonable cause” = $1,000-$50,000 each violation, NTE $1,500,000/calendar year for identical violations

  45. HITECH Penalty Structure
     • Tier 3: “Willful Neglect—corrected” = $10,000-$50,000 each violation, NTE $1,500,000/calendar year for identical violations
     • Tier 4: “Willful Neglect—uncorrected” = minimum $50,000 penalty each violation, NTE $1,500,000/calendar year for identical violations

  46. HITECH Penalty Structure
     • 30-day cure period unchanged
     • Cure period begins on the date of knowledge of the occurrence of a violation, not just the underlying facts
       • Consider: When did you have actual or constructive knowledge of the violation?
       • Agency implications
       • Business Associate implications

  47. HITECH Penalty Structure
     • Pre-HITECH: 3 affirmative defenses
     • HITECH: Timely correction is required for “did not know” and “reasonable cause” violations to establish an affirmative defense and avoid penalties.
     • Note: no affirmative defense is available for violations due to willful neglect, but their timely correction will result in the application of a lesser tier of penalties.

  48. Proposed Rule Changes in Penalty Structure and OCR Enforcement
     • Significant changes to compliance provisions, investigations and civil monetary penalty (CMP) imposition
     • Mandatory Investigations vs. Informal Means
       • 2009 Enforcement Rule: permits, but does not require, OCR to investigate HIPAA complaints
       • Proposed Rule: requires OCR investigation if preliminary review indicates willful neglect
       • 2009 Enforcement Rule: requires OCR to resolve noncompliance through “informal means”
       • Proposed Rule: permits, but does not require, OCR to use “informal means”

  49. Proposed Rule Changes in Penalty Structure and OCR Enforcement
     • Tiered Penalty Structure
       • Amends definition of “reasonable cause”
       • Explains how OCR will determine “reasonable cause”, “reasonable diligence”, “willful neglect”
       Example: Failure to develop compliant HIPAA policies and procedures demonstrates either “conscious intent or reckless disregard” and may be the basis for a violation due to “willful neglect”

  50. Proposed Rule Changes in Penalty Structure and OCR Enforcement
     • Penalty Amounts
       • HITECH: penalty amounts based on factors – nature and extent of violation and harm
       • Proposed Rule: Permits OCR to consider the number of individuals affected; time period affected; physical, financial or reputational harm; whether the violation hindered an individual from obtaining healthcare
