1 / 35

America’s Voice for Community Health Care

America’s Voice for Community Health Care. The NACHC Mission To promote the provision of high quality, comprehensive and affordable health care that is coordinated, culturally and linguistically competent, and community directed for all medically underserved people.

shino
Download Presentation

America’s Voice for Community Health Care

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. America’s Voice for Community Health Care The NACHC Mission To promote the provision of high quality, comprehensive and affordable health care that is coordinated, culturally and linguistically competent, and community directed for all medically underserved people.

  2. American Recovery and Reinvestment Act Changes to HIPAA Michael Lardiere, LCSW Director, Health Information Technology Sr. Advisor, Behavioral Health National Association of Community Health Centers mlardiere@nachc.com October 16 - 18 2009

  3. American Recovery and Reinvestment Act of 2009 • Includes the Health Information Technology for Economic and Clinical Health Act (HITECH Act). • Important substantive changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) • Mandates extensive new regulations around electronic medical records.  

  4. Extends theHIPAA Privacy and Security Provisions and Penalties to Business Associates of Covered Entities • Health information exchanges • Regional health information organizations • e-prescribing gateways and • Other technology vendors  • Vendors contracted with a Covered Entity to provide a Personal Health Record (PHR) as part of an Electronic Health Record (EHR).

  5. The HITECH Act defines a “personal health record” as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. An electronic health record is defined as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”

  6. BAs will be treated just like Covered Entities for purposes of the HIPAA privacy and security provisions and be respopnsible for • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Policies and Procedures and • Documentation requirements of the Security Rule • 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, respectively.

  7. Liability for civil and criminal penalties • Covered Entities will likely have to revise their existing Business Associate Agreements to incorporate language reflecting this change

  8. Business Associates will have an obligation to terminate their Business Associate Agreements with Covered Entities if they have knowledge of a pattern of noncompliance with the Privacy Rule by the Covered Entity

  9. Increases Penalties for HIPAA Violations and Expands Enforcement Mechanisms • Amount of civil monetary penalties (CMPs) available has increased • Civil monetary penalties are now structured in a tiered format • Ranging from $100 per violation • Up to $50,000 per violation

  10. Anyone whose PHI is accessed in violation of HIPAA will be eligible to share a percentage of any CMPs collected • Office of Civil Rights will continue to enforce HIPAA compliance • State Attorneys General will now have the power to enforce HIPAA by bringing suit in federal district court

  11. Act requires DHHS to periodically audit Covered Entities and Business Associates to assess HIPAA compliance • Covered Entities and Business Associates need to make sure that all of their HIPAA policies and procedures are up to date and in use

  12. Creates a Comprehensive New Set of Requirements Around • Notification of Data Breaches or • Suspected Data Breaches • Notification must be made within 60 days of discovery • Will require prompt investigation and assessment of suspected breaches • Mandates public reporting to both the DHHS and media outlets in the event of a breach affecting more than 500 individuals • DHHS will publish a list on its website that identifies each Covered Entity involved in a breach of more than 500 individuals

  13. The notice must include: • (1) a brief description of the breach, including • the date it occurred and • the date it was discovered • (2) the types of PHI involved in the breach • (3) steps individuals should take to protect themselves • (4) steps the Covered Entity is taking to investigate the breach and protect against future breaches and • (5) contact information to ask questions and learn more

  14. Notice must be provided by first class mail to the individual’s last known address • Unless the individual has specified to receive information by electronic mail • Then notice may be provided electronically • If the contact information for more than 10 affected individuals is out of date • Notice may be through a posting on the entity’s web site or • In major print or broadcast media

  15. If a Business Associate discovers a breach of unsecured PHI • It must notify the Covered Entity of such breach, and • Include a list of each individual whose PHI was or is reasonably believed to have been accessed or acquired during the breach

  16. If the breach involves the access or acquisition of more than 500 residents of • a State or • Jurisdiction • Notice must be made to the prominent media outlets of that State or jurisdiction

  17. The Covered Entity must • Keep a log of its discovered breaches and • Provide a copy of the log to DHHS annually • If a breach involves the access or acquisition of the PHI of more than 500 individuals • Notice must be provided to DHHS immediately

  18. Creates a New Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities • Vendors of personal health records and related vendors must notify • The Federal Trade Commission (FTC) and • Any U.S. citizens whose information was acquired as a result of the breach • Empowers the FTC to begin policing medical privacy which is a significant expansion of federal oversight of medical information. 

  19. Expands HIPAA Mandated Accounting of Disclosures for Those Using Electronic Health Records • Covered Entities and Business Associates using electronic health records will be required to • Make available an accounting of all uses and disclosures of the electronic health record • in the previous three years, including • disclosures for payment, • treatment, and • Operations • Time period an individual may request such an accounting is shortened from up to 6 years to 3 years

  20. In responding to a request for an accounting, the Covered Entity can • Choose to provide either • The disclosures of the patient’s PHI made by the Covered Entity and its Business Associates, or • Merely provide the disclosures made by the Covered Entity and a list of its Business Associates

  21. For entities that were using EHRs as of January 1, 2009, • The provision applies to disclosures made on or after January 1, 2014. • For entities that adopt EHRs after January 1, 2009 the provision will apply on • January 1, 2011 or • The date when the Covered Entity begins using EHRs, whichever is later

  22. Revisions to an Individual’s Right to Request a Copy of His or Her Record • If the Covered Entity uses EHR, the patient may request his or her record be produced in an electronic format and to be transmitted to a person designated by the patient • The fee for production of an electronic copy of the record shall not be greater than the labor costs of responding to the request

  23. Establishment of the “Minimum Necessary” Standard • Covered Entities and Business Associates must, to the extent practicable • Limit use or disclosure of PHI either • To the limited data set or • To the “minimum necessary” to accomplish the stated purpose of the use/disclosure

  24. Adopts New Prohibitions on the Sale of Electronic Health Information • Language is sufficiently vague to create uncertainty about the ability of • Regional health information organizations • Health information exchanges, and • e-prescribing services to charge fees for their services

  25. Eliminates Sharing of PHI for Marketing and Fundraising Purposes from the Definition of Health Care Operations Under HIPAA • Fundraising is no longer considered part of operations • In order to use PHI for direct fundraising campaigns, a Covered Entity must first obtain an authorization from the patient • Then modified to allow to continue fundraising but must give the patient the option to opt out of future

  26. De-Identified Health Information • There are no restrictions on the use or • disclosure of de-identified health information • De-identified health information • neither identifies nor • provides a reasonable basis to identify an individual

  27. There are two ways to de-identify information • 1) a formal determination by a qualified • Statistician or • 2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual

  28. The following identifiers of the individual or of relatives, employers, or household members of • the individual must be removed to achieve the “safe harbor” method of de-identification • (A) Names • (B) Geographic subdivisions smaller than a • State including • Street address • City • County • Precinct • Zip code, and their equivalent geocodes • Except for the initial three digits of a zip • code

  29. (B) The geographic units formed by combining all zip codes with the same three initial digits contains • more than 20,000 people • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000 • (C) All elements of dates (except year) for • dates directly related to the individual, including • birth date • admission date • discharge date

  30. date of death; and • all ages over 89 and all elements of dates (including year) indicative of such age, except • that such ages and elements may be aggregated into a single category of age 90 or older • (D) Telephone numbers • (E) Fax numbers • (F) Electronic mail addresses • (G) Social security numbers • (H) Medical record numbers

  31. (I) Health plan beneficiary numbers • (J) Account numbers • (K) Certificate/license numbers • (L) Vehicle identifiers and serial numbers • including license plate numbers • (M) Device identifiers and serial numbers • (N) Web Universal Resource Locators (URLs) • (O) Internet Protocol (IP) address numbers • (P) Biometric identifiers, including finger and • voice prints • (Q) Full face photographic images and any comparable images; any other unique identifying number, characteristic, or code, except as permitted for re-identification • purposes provided certain conditions are met

  32. In addition to the removal of the above-stated identifiers, the covered entity may not have actual knowledge that the remaining information could be used alone or in combination with any other information to identify an individual who is subject of the information SUMMARY OF THE HIPAA PRIVACY RULE Office of Civil rights http://www.nachc.com/client/HIPAA%20Privacy%20Rule%20Summary_8_19_09.pdf

  33. To reduce risks covered entities should consider accomplishing the following tasks: • Implement systems for detecting a security breach • Create a security breach response plan or update the existing plan • Conduct workforce training in responding to a security breach. • Negotiate amendments to business associate agreement to address security breaches • Revise HIPAA policies and procedures regarding to address the security breach regulations.

  34. Federally Qualified Health Centers • Michael Lardiere, LCSW • Director HIT; Sr. Advisor Behavioral Health • National Association of Community Health Centers • 301-347-0400 xt 2069 • mlardiere@nachc.com

More Related