Putting HB300 Into Practice Kem McClelland January 22, 2013
HB 300
• Changes to numerous parts of the Texas Code
  • Health & Safety Code (primary changes)
    • Texas Medical Records Privacy Act
  • Business & Commerce Code
  • Insurance Code
  • Government Code
• Expands definition of Covered Entity
  • TX definition has always been broader than HIPAA
  • Sweeps in many / most vendors
• Business Associates now have a separate duty to notify in the event of a breach
  • Coordination important to avoid confusion / costs
• Attorney General responsibilities:
  • Expanded enforcement
  • Website (under Consumer Complaints section)
  • Develop standard Patient Consent form (now available)
HB 300
• Consumer Access – applies only to healthcare providers
  • Provide record to patient in electronic format (if system capable)
  • Requests must be in writing
  • Tightens HIPAA timeframe (15 business days vs. 30 days)
  • Standard HIPAA exceptions apply (e.g., psychotherapy notes)
• Limits use of PHI for marketing
• Prohibits sale of PHI
• New Training Requirements
  • Tailored to the business
  • Tailored to the job
• Give patients Notice of electronic disclosure of PHI
• Expanded / Enhanced Penalties
  • Injunctive relief
  • Revocation of license
  • Monetary
HB 300
• Monetary Penalties:
  • $5,000 per violation – negligence
  • $25,000 per violation – knowing or intentional
  • $250,000 per violation – knowing / intentional, for financial gain
  • $1.5 M annually if a court finds the violations represent a pattern or practice
• Considered Factors:
  • Seriousness of violation
  • Compliance history
  • Risk to patient
  • THSA certification (not currently available)
  • Amount required to deter future violations
  • Efforts to correct
• Damage Caps:
  • $250,000 IF:
    • Disclosure was for T / P / O, authorized insurance or HMO functions, or "otherwise required by law" AND
    • PHI was encrypted
    • Recipient didn't use or re-disclose the PHI
    • CE had security / training policies in place
Implementing HB 300 Requirements
• Revise Notice of Privacy Practices (HIPAA CEs)
• Develop and implement role-based HIPAA training
  • Existing workforce should already have completed it (with documentation)
  • New employees receive revised training within 60 days of employment
  • Retraining must occur every 2 years
  • Must obtain / retain employee-signed verification of training attendance
• Revise processes to enable fulfillment of a patient's request for electronic access to records within 15 days (HIPAA CEs)
• Review / Revise other Policies and Procedures
  • Social Media
  • Device / transmission encryption
Implementing HB 300 Requirements
• Business Associate Agreements (BAA)
  • Revise BAA for execution with new Business Associates
  • Amend or novate existing BAAs
  • Notify vendors that touch PHI
  • Requirements in addition to revised BAA:
    • Annual security risk assessment *
    • HB300-compliant training for all employees
    • Device / transmission encryption *
• Post Notice of Electronic Disclosure
• Review Insurance, particularly Cyber Liability or Breach Insurance
Top Legal Issues In Health Information Exchange Kem McClelland, Esq. January 22, 2013
Health Information Exchange
• Consumer studies show that, so long as privacy is ensured, patients see the benefit of health information sharing.
• Patients favor information exchange that can improve their personal health outcomes (and those of their community) by lowering medical costs and reducing medical errors.
• Patients are concerned about secondary uses of their health information, such as for marketing purposes.
Laws Affecting Health Information Exchange
• All federal and state laws related to Identity Protection (e.g., Gramm-Leach-Bliley)
• HIPAA Privacy Rule
• HIPAA Security Rule
• HITECH (amending HIPAA)
• State laws (wide variation among states)
• Sensitive PHI
  • Substance abuse diagnosis & treatment (42 CFR Part 2)
  • Mental Health (psychotherapy notes particularly)
  • HIV/AIDS diagnosis & treatment
  • Genetic testing & diagnosis
  • STD testing, diagnosis & treatment
• Intellectual property laws
  • HealthTrio v. Aetna (Medicity)
Health Information Exchange – The Hot Issues:
• Types of Health Information Exchange
  • Query (pull) vs. Directed (push)
  • Enterprise vs. Community / Regional / State
  • Non-profit vs. For-profit
• Organizational Governance
  • Board composition
  • Means to impact
• Sustainability
  • Funding / Revenue sources
  • HB 300 – unsustainable Covered Entities
  • Axway v. HIT Exchange of CT*
* Special thanks to Hank Jones!
Health Information Exchange – The Hot Issues:
• Technical Architecture and Data Governance
  • Architecture matters
    • Centralized, Federated, Hybrid
  • Availability
    • Of the HIE
    • Of your EHR
  • Technical Security
    • Identity-proofing, passwords, account (session) timeouts, account lockouts
    • HIPAA risk assessment?
Health Information Exchange – The Hot Issues:
• Data Governance
  • Although legal and statutory requirements have significant impact, Data Governance is not just about the law
  • Ability to set policies and procedures that determine:
    • What Data is included in the HIE
      • Defined "Patient Object"
      • Clinical data
      • Claims / Financial data
      • Non-medical data
    • How the Data is "included"
      • Technology model
      • Consent model (more in a moment)
    • Who can access the Data
      • Providers, case managers, payers, consumers, researchers
    • When the Data can be accessed
      • Point of care, beyond point of care
    • How the Data is accessed
      • Portals, data warehouse / mart / cube access
Health Information Exchange – Hot Issues: CONSENT
The keystone to creating a trusted electronic exchange of health information is adoption of a patient consent model that is appropriate for the community and sufficiently flexible to enable interoperability with other HIEs.
Health Information Exchange – Consent
• For now, federal law does not require patient consent to disclose most PHI for treatment, payment or healthcare operations (TPO)
• State laws related to consent vary widely:
  • At least 7 states have passed laws explicitly requiring HIEs to solicit patient consent for the disclosure of health information:
    • California (according to HIEs in the state)
    • Kentucky
    • Massachusetts
    • Minnesota
    • New York
    • Rhode Island
    • Vermont
• In most instances, disclosure of Sensitive PHI requires specific consent from the patient or his/her legal representative prior to disclosure for any purpose; some Sensitive PHI laws also dictate specific requirements for the form of consent.
Health Information Exchange – Jurisdiction
• Exchange Across State / National Borders
  • Long-standing constitutional, legislative and regulatory privacy requirements dealing with health information, insurance, financial information, medical records, etc.
  • Some states passing or considering laws to limit liability related to HIEs
    • HIEs vs. Providers
    • Data providers vs. Data consumers
  • States have a deep history in patient consent development
    • Failure to comply with applicable consent requirements may result in penalties, damages, etc.
  • Variations in Sensitive PHI (SHI)-specific consent requirements
  • Result: a state-by-state "patchwork" of consents
Health Information Exchange – Jurisdiction
• Implications of Jurisdictional Limits
  • An HIE participant disclosing information from a facility within a state must comply with that state's consent laws
  • An HIE participant receiving information from a facility in another state must comply with the laws of the state of receipt in dealing with that information
  • An HIE (or state) that wanted to maintain the protections of its own laws in interstate HIE would need to prohibit transfers from the state unless the recipient HIE agreed to comply with terms equivalent to the state's law (the EU-U.S. Safe Harbor model)
  • If every state passed a law with this requirement, interstate HIE would not be possible
Health Information Exchange – Additional Hot Issues
• Patient Matching within the HIE
  • Merging patient records that should not be merged – has a breach occurred?
  • Not merging patient records that should be merged – who is liable if a problem occurs because relevant information was not available?
• Complying with the Minimum Necessary rule
  • What does Minimum Necessary mean in the context of an HIE?
• Inclusion of Behavioral Health data in the HIE
  • Compliance with 42 CFR Part 2 rules
• New HIPAA Final Rule (Omnibus Rule)
  • Breach Notification compliance now even more complicated
  • Breach of even a single record in an HIE could mean a breach for scores of Covered Entities and Business Associates
Contact Information
Kem McClelland
General Counsel & Business Development Officer
Centex Systems Support Services • Integrated Care Collaboration
8627 N. Mopac Expwy, Suite 350, Austin, TX 78759
Tel: (512) 686-0152, ext. 10288 • Fax: (512) 338-1112
E-mail: kmcclelland@centexsystems.org