1. American Recovery and Reinvestment Act (ARRA) of 2009 Health Information Technology for Economic and Clinical Health (HITECH)
2. Purpose of ARRA
Increased HIPAA regulatory standards in support of the National Health Information Technology and the Electronic Medical Records Initiative.
3. Breach Notification Regulation (Subpart D of HITECH)
Effective 9/2009
Enforcement 2/18/2010
4. Overview of the Breach Notification Regulation
Requires covered entities to notify affected individuals and Health and Human Services (HHS) of security breaches involving unauthorized acquisition, access, use or disclosure of unsecured PHI which compromises the security or privacy of such information.
5. Defined Terms
Breach: Unauthorized acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of the PHI, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
6. Defined Terms
Protected Health Information (PHI): Individually identifiable health information, including:
- Name and/or initials
- Geographic information (town, city, state, zip code)
- E-mail address
- Device identifiers
- Social Security number
- Medical Record number
- Telephone or Fax number
- Account number
- Vehicle identifiers
7. Criteria for Breach Notification
A breach must at a minimum constitute a violation of the Privacy Rule to require notification.
A security breach must pose a “significant risk of harm” to an affected individual before a report is required.
8. What’s all the Fuss about?
Compliance is mandatory!
Noncompliance is costly!
Civil and Criminal Penalties exist!
9. Tiers of Civil Money Penalties
1. Person had no knowledge they were violating HIPAA
a. Minimum $100/violation – capping at $25K
b. Maximum $50K/violation – capping at $1.5 million
10. Tiers of Civil Money Penalties (continued)
2. Violation due to reasonable cause, not willful neglect
a. Minimum $1K/violation – capping at $100K
b. Maximum $50K/violation – capping at $1.5 million
11. Tiers of Civil Money Penalties (continued)
3. Violation due to willful neglect, but was timely corrected
a. Minimum $10K/violation – capping at $250K
b. Maximum $50K/violation – capping at $1.5 million
12. Tiers of Civil Money Penalties (continued)
4. Violation due to willful neglect but was NOT timely corrected
a. Maximum $50K/violation – capping at $1.5 million
13. Criminal Penalties
1. Person had no knowledge they were in violation
a. NOT more than $50K, imprisonment of NOT more than 1 year, or both
2. Violation under false pretenses
a. NOT more than $100K, imprisonment of NOT more than 5 years, or both
3. Violation with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm
a. NOT more than $250K, imprisonment of NOT more than 10 years, or both
14. Breach Notification Examples
1. E-mail that includes patient information is sent outside the secured system (includes responding to an e-mail with patient information).
2. Documents are faxed, intended for a physician’s office, but a call is received by the office that the fax was received by an automobile dealership.
3. A patient’s documents are placed in regular trash. Trash is dumped outside the area. Documents are later found by another person and reported.
15. Breach Notification Examples (continued)
4. A phone, laptop, dictating device or flash drive containing patient information is misplaced or stolen.
5. Utilizing your access rights to locate patient information for non-treatment purposes.