
Key Changes to HIPAA from the Stimulus Bill (ARRA)



Presentation Transcript


  1. Key Changes to HIPAA from the Stimulus Bill (ARRA). Children’s Health System Department Leadership Meeting, October 28, 2009. Kathleen Street, Privacy Officer/Risk Manager.

  2. How has HIPAA changed? ARRA = American Recovery and Reinvestment Act of 2009, also known as the Stimulus Bill. Three examples of major changes that affect you:
     • New breach notification rules for patients
     • New, stricter fines and penalties
     • HIPAA rules now apply directly to business associates
     Effective September 23, 2009.

  3. First Example of Key Change: New Breach Notification Rules to Patients

  4. New Breach Notification Requirements to Patients
     Old HIPAA: No federal breach notification requirement, except that a business associate had to notify the covered entity. The only duty was to “mitigate harm.”
     New HIPAA: Covered entities (CHS) must notify individuals when their unsecured Protected Health Information has been breached.

  5. New Breach Notification Rules: Method and Notice
     • Make notification without “unreasonable delay,” and no later than 60 calendar days after the breach is discovered.
     • The individual is notified by mail.
     • If a business associate discovers a breach, it must notify the covered entity.
     • If contact information is missing or out of date for 10 or more of the affected individuals, the covered entity must post a notice on its website or in the media, with a toll-free number for information.

  6. New Breach Rules: Media Notice and Posting to Public Website
     • For breaches affecting more than 500 individuals, the covered entity must notify prominent media outlets and the Secretary of HHS. The Secretary will then post the names of the covered entities on a public website.
     • Breaches involving fewer than 500 individuals must still be reported to the Secretary of HHS: the covered entity keeps a continuously maintained log of breaches and submits it annually.

  7. How can I prevent a breach?
     • Protected Health Information that is ENCRYPTED (electronic) or SHREDDED (paper) is not considered unsecured, so its loss is not a reportable breach.
     • Place Protected Health Information in the Document Destruction Bins as appropriate.
     • If you must place Protected Health Information on a thumb drive or laptop:
       • Make sure your staff know they must have their Supervisor’s permission (i.e., your permission).
       • Information Technology must authorize the device, and Information Technology must encrypt it.
     • Do not place Protected Health Information on a Personal Digital Assistant or cell phone. If your phone has access to CHS e-mail, you must password protect it.

  8. Note: The Department where the breach occurred is responsible for the cost of patient notification, credit monitoring, and all other costs associated with breach notification.

  9. If a breach occurs…
     • What could be a breach? Example: a missing or stolen laptop, or any missing Protected Health Information.
     • It is your responsibility to report it:
       1. Discuss it with your Supervisor; or
       2. Contact the HIPAA Privacy Officer and/or HIPAA Security Officer; and/or
       3. Report it through the Corporate Compliance Hotline.

  10. Second Example of Key Change: New Stricter Fines and Penalties

  11. New Stricter Fines and Penalties: Civil Fines
     Old HIPAA: The general penalty was $100 per violation, with a cap of $25,000 per year for multiple violations of an identical requirement.

  12. New Stricter Fines and Penalties: Civil Fines
     New HIPAA:
     • Still $100 per violation if the entity did not know of the violation and would not have known even with reasonable diligence.
     • Now $1,000 per violation if the violation was due to reasonable cause and not willful neglect ($100,000 annual cap).
     • Now $10,000 per violation for “willful neglect” that is corrected within 30 days ($250,000 annual cap), and $50,000 per violation for willful neglect that is not corrected ($1.5 million annual cap).

  13. New Stricter Fines and Penalties
     New HIPAA:
     • Civil and criminal penalties can be enforced against individuals as well as covered entities.
     • State Attorneys General can bring civil actions, including against individuals.

  14. New Stricter Fines and Penalties
     New HIPAA:
     • The Secretary of HHS is now required to conduct periodic audits.
     • Within three years, there will be a mechanism for individuals harmed by a violation to share in the civil monetary penalties collected by HHS.

  15. Third Example of Key Change: HIPAA Rules Now Apply to Business Associates

  16. HIPAA Rules Now Apply to Business Associates
     Old HIPAA: A business associate was liable only to the covered entity, for breach of the business associate contract (“indirect” coverage).

  17. HIPAA Rules Now Apply to Business Associates
     New HIPAA: The HIPAA rules, including penalties, now apply directly to business associates.

  18. Finally, the key reminders remain the same…
     • Access Protected Health Information only if you have a legitimate need to know it for your job.
     • Access to PHI is audited.
     • Don’t inappropriately access, use, disclose, take, or post patient information.
