American Recovery and Reinvestment Act of 2009


Transcript of American Recovery and Reinvestment Act of 2009

Page 1: American Recovery and  Reinvestment Act of 2009

American Recovery and Reinvestment Act of 2009

Changes to HIPAA and the Impact to YOU

Page 2: American Recovery and  Reinvestment Act of 2009

American Recovery and Reinvestment Act of 2009 (ARRA)

• The goal: to stimulate the US economy, but impacts go beyond economic/financial arenas

• Privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are expanded:
– HIPAA regulations apply to business associates
– Breach notification requirements
– Regional privacy advisors and education campaign
– Improved enforcement

Page 3: American Recovery and  Reinvestment Act of 2009

Today’s Objectives

• To make members of the University workforce aware of new HIPAA (interim) regulations or changes in current HIPAA regulations with regard to the following:
– Breach and Breach Notification
– Enforcement
– Business Associate Agreements

Page 4: American Recovery and  Reinvestment Act of 2009

First Federal Definition of Breach

• Breach:
– The unauthorized acquisition, access, use, or disclosure of unsecured protected health information which compromises the security or privacy of the information
– Exceptions:
• Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity
• Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity to another person authorized to access protected health information at the covered entity
• Unauthorized disclosures in which an unauthorized person to whom protected health information is disclosed would not reasonably have been able to retain the information

Page 5: American Recovery and  Reinvestment Act of 2009

What constitutes a breach?

• A breach could result from
– Failing to log off when leaving a workstation
– Unauthorized access to PHI
– Sharing confidential information, including passwords
– Having patient-related conversations in public settings
– Improper disposal of confidential materials in any form
– Copying or removing PHI/ePHI from the appropriate area

• Why?
– Curiosity
– Laziness
– Compassion
– Greed or malicious intent

Page 6: American Recovery and  Reinvestment Act of 2009

Example 1

• Bill, a billing employee, receives and opens an email containing PHI which a nurse, Nancy, mistakenly sent to Bill. Bill notices that he is not the intended recipient, alerts Nancy to the misdirected email, and deletes it. Bill unintentionally accessed PHI that he was not authorized to access. However, he opened the email within the scope of his job for the covered entity. He did not further use or disclose the PHI. Was this a breach of PHI?


Page 7: American Recovery and  Reinvestment Act of 2009

And the answer is…

• No. This was not a breach of PHI as long as Bill did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.


Page 8: American Recovery and  Reinvestment Act of 2009

Example 2

• Rhonda is a receptionist for a covered entity, and, due to her work responsibilities, she is not authorized to access PHI. Rhonda decides to look through patient files to learn about a friend’s last visit to the doctor. Does Rhonda’s action constitute a breach?


Page 9: American Recovery and  Reinvestment Act of 2009

The answer is…

• Yes. Rhonda accessed PHI without a work-related need to know. This access was not unintentional, done in good faith, or within the scope of her job for the covered entity.


Page 10: American Recovery and  Reinvestment Act of 2009

Risk Assessment of Harm

A risk assessment must be performed and documented to determine if the security or privacy of PHI was compromised, based on:
– Any significant risk of financial harm to the individual
– Any significant risk of reputational harm to the individual; and,
– Any significant risk of other harm to the individual

If you conclude there is no additional risk of harm, then there is no need to notify.

Page 11: American Recovery and  Reinvestment Act of 2009

Breach Process Flow

1. Is the PHI “secure” (encrypted or destroyed)?
a. Yes – no reporting required
b. No – next question

2. Was the use or disclosure of PHI permitted by the HIPAA Privacy Rule?
a. Yes – no reporting required
b. No – next question

Page 12: American Recovery and  Reinvestment Act of 2009

Breach Process Flow

3. Did the use or disclosure of PHI fall within any of the exceptions to breach reporting?
a. Exceptions are:
• disclosure of a limited data set (unless it contained DOB or zip code)
• unintentional acquisition, access or use of PHI by a covered entity workforce member/BA, if it was made in good faith and within the scope of authority and does not result in further use or disclosure
• any inadvertent disclosure by an individual authorized to access PHI/BA if it is not further used/disclosed
• disclosure where there is a good faith belief that the recipient of PHI would not reasonably have been able to retain the PHI
1. Sending an EOB to the wrong person and it is returned to us unopened
2. Furnishing discharge instructions to the wrong person, but recovering them fairly quickly so retention is not likely
b. Yes – no reporting required
c. No – next question

Page 13: American Recovery and  Reinvestment Act of 2009

Breach Process Flow

4. Did the use or disclosure of PHI compromise the security or privacy of the PHI (is there a significant risk of financial, reputational or other harm to the individual)?
a. Factors to consider: who used the PHI or to whom it was disclosed; the type and amount of PHI disclosed; and whether we can take immediate steps to mitigate harm.
b. Examples:
• If PHI is impermissibly disclosed to another entity bound by HIPAA, there is less risk of harm.
• Where the entity takes immediate steps to mitigate an impermissible use or disclosure, such as obtaining the recipient’s satisfactory assurances that the information will not be further used/disclosed (via a confidentiality agreement) or will be destroyed, there is less risk of harm.
• If PHI is returned before being accessed for an improper purpose, such as where forensic analysis of a recovered stolen laptop shows that the information was not accessed, there is less risk of harm.
• It is not reasonable to delay notification based on the hope that stolen property will be returned.
• The nature of the information may not pose a risk; e.g., release of only the name may not pose a risk unless it is associated with the furnishing of “sensitive” types of services such as substance abuse, mental health or sexually transmitted diseases.
• Inclusion of SSN, account number and mother’s maiden name increases the risk of identity theft.
c. Yes – reporting required
d. No – reporting not required

Page 14: American Recovery and  Reinvestment Act of 2009

So what is the notification process?

Page 15: American Recovery and  Reinvestment Act of 2009

Breach Notification

• If it is determined that a breach of PHI occurred, then the covered entity must notify the affected individual (or next of kin) as soon as possible but not later than 60 days from discovering the breach.
– First class letter (or email if appropriate) detailing the breach
– Add to the breach log maintained and submitted annually to the Department of Health and Human Services to be posted on their website
– If more than 500 individuals are affected, additional requirements include:
• Immediate notification of the Department of Health and Human Services to post on their website
• Notify major media outlets in the covered entity’s area
• Post on the covered entity’s website home page for 90 days
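The four-step Breach Process Flow (slides 11 to 13) and the notification requirements above can be encoded as a small triage helper so that every incident is walked through the same questions in the same order. The following Python is an added illustration, not a tool from the University or from these slides; the `Incident` field names, reducing the documented risk assessment to a single boolean outcome, and starting the 60-day clock at the discovery date entered are my own assumptions.

```python
"""Breach triage helper modelled on the slides' Breach Process Flow and
Breach Notification rules. Added illustration; field names are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

INDIVIDUAL_NOTICE_DAYS = 60   # notify affected individuals within 60 days of discovery
LARGE_BREACH_THRESHOLD = 500  # more than 500 individuals adds HHS/media/website steps
WEBSITE_POSTING_DAYS = 90     # home-page posting period for large breaches


@dataclass
class Incident:
    phi_secured: bool                # step 1: PHI encrypted or destroyed
    permitted_by_privacy_rule: bool  # step 2: use/disclosure allowed by the Privacy Rule
    within_exception: bool           # step 3: one of the listed exceptions applies
    significant_risk_of_harm: bool   # step 4: outcome of the documented risk assessment
    individuals_affected: int
    discovered: date                 # date the breach was, or should have been, discovered


def is_reportable_breach(inc: Incident) -> bool:
    """Walk steps 1-4; the first 'no reporting required' answer ends the walk."""
    if inc.phi_secured:                  # step 1: secured PHI is outside the rule
        return False
    if inc.permitted_by_privacy_rule:    # step 2: a permitted use is not a breach
        return False
    if inc.within_exception:             # step 3: exceptions are not breaches
        return False
    return inc.significant_risk_of_harm  # step 4: risk of harm decides


def notification_plan(inc: Incident) -> dict:
    """Obligations that follow a reportable breach, per the Breach Notification slide."""
    if not is_reportable_breach(inc):
        return {"notify": False}
    plan = {
        "notify": True,
        "individual_notice_by": inc.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS),
        "add_to_annual_hhs_log": True,
        "immediate_hhs_notice": False,
        "media_notice": False,
        "website_posting_days": 0,
    }
    if inc.individuals_affected > LARGE_BREACH_THRESHOLD:
        plan.update(immediate_hhs_notice=True, media_notice=True,
                    website_posting_days=WEBSITE_POSTING_DAYS)
    return plan
```

Run against the slides' own cases, Bill's misdirected email (an exception) yields no notification, while Rhonda's curiosity access with a documented risk of harm yields the 60-day individual notice.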


Page 16: American Recovery and  Reinvestment Act of 2009

Breach Notification

• September 23, 2009: Breach notification regulations take effect

• February 22, 2010: Department of Health and Human Services (HHS) begins enforcement of the rule


Page 17: American Recovery and  Reinvestment Act of 2009

UA Breach Notification Process

• Jan Chaisson (UA Privacy Officer) and/or Ashley Ewing (UA Security Officer) are responsible for overseeing and/or managing the breach investigation and notification processes.
– Privacy Complaints and Suspected Breach Response Procedures
• UMC’s Privacy/Security Officer (Jan Chaisson) will notify the UA HIPAA Security Officer (Ashley Ewing) and lead the preliminary investigation.
• Jan Chaisson will provide all necessary documentation.
– Breach Notification Procedures
• Ashley Ewing, Jan Chaisson, and Legal will notify appropriate UA officials.
• Ashley Ewing, Jan Chaisson, and Legal will determine risks and actions to be taken.
• Jan Chaisson and the Covered Entity will notify patients as directed by Ashley Ewing and Legal.

Page 18: American Recovery and  Reinvestment Act of 2009

UA Breach Notification Process

• Follow the step-by-step procedures provided by your HIPAA Privacy Officer
• Although each breach will be considered on a case-by-case basis, templates for notification letters and media press releases are available
• Assistance for posting to the UA website, if necessary, will be coordinated by University Relations
• A procedure for establishing a toll-free call-in number for affected individuals is available

Page 19: American Recovery and  Reinvestment Act of 2009

Enhanced Enforcement

• ARRA provides that the HIPAA criminal and civil fines and penalties can be enforced against INDIVIDUALS as well as covered entities who obtain or disclose PHI without authorization.
• State attorneys general can pursue civil cases against INDIVIDUALS who violate the HIPAA privacy and security regulations.
• Four tiers of civil monetary penalties are available to HHS:
– Civil monetary penalties include fines from $100 per violation up to $1.5 million for a series of identical violations during a calendar year
• Criminal penalties for “wrongful disclosure” continue, which include both large fines of $50,000 to $250,000 and up to 10 years in prison
• HHS is now required to investigate and impose civil penalties where violations are due to willful neglect

Page 20: American Recovery and  Reinvestment Act of 2009

A Breach has Many Risks

• Risks to Research:
– Loss of data or data integrity, funding in jeopardy
• Risks to the Individual whose PHI is compromised:
– Embarrassment, misuse of personal data, victim of fraud or scams, identity theft
• Risks to the Employee:
– Loss of data, time, funding, reputation; embarrassment; disciplinary action up to and including termination; fines; penalties; prosecution
• Risks to the Institution:
– Loss of information and equipment, trust of constituencies, reputation, future grant awards; negative publicity; penalties; fines; litigation

Page 21: American Recovery and  Reinvestment Act of 2009

Any Good News?

• ARRA further identified the information to which the breach notification provisions apply. It defined “unsecured protected health information” as PHI that is not secured through the use of a technology or methodology that renders it unusable, unreadable, or indecipherable and that is developed or endorsed by the American National Standards Institute.
• Therefore, for breaches involving the misuse, loss, or inappropriate disclosure of paper or electronic data, there are some “home free” methods under which the loss would indicate no harm done:
– Paper = secured by use of a crosscut shredder (destroyed)
– Electronic data = encrypted data files and/or transmissions

Page 22: American Recovery and  Reinvestment Act of 2009

A Coordinated Effort

• When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is “just not right,” we must work together
– immediately
– cooperatively
– efficiently
– carefully
– confidentially

Page 23: American Recovery and  Reinvestment Act of 2009

Reminder on Data Destruction

• Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately or place in securely locked boxes or rooms to await shredding.
• Media, such as CDs, disks, or thumb drives, containing PHI/sensitive information must be cleaned or sanitized before reallocating or destroying
• “Sanitize” means to eliminate confidential or sensitive information from computer/electronic media by either overwriting the data or magnetically erasing data from the media
• If media are to be destroyed, then once they are sanitized, place them in specially marked secure containers for destruction
– NOTE: Deleting a file does not actually remove the data from the media
• Formatting does not constitute sanitizing the media
• Contact your OIT systems representative for assistance with sanitization and destruction methods

Page 24: American Recovery and  Reinvestment Act of 2009

More Reminders

• Store sensitive and confidential information securely in a directory on a secure network file server. Information stored on the hard drive (C: drive) of a computer or portable computing device (PCD) can be lost or compromised. PCDs include handheld, notebook, and laptop computers, personal digital assistants (PDAs), and portable memory devices such as flash disks, thumb drives, jump drives, etc.
• Use of PCDs for ePHI must be approved by senior management
• PCDs must be inventoried and appropriate security protection maintained. Encryption is recommended for PCDs used for PHI. Ask your OIT representative for help securing PCDs.

Page 25: American Recovery and  Reinvestment Act of 2009

Your Responsibility

• If you notice, hear, see, or witness any activity that you think might be a breach of privacy or security, please let someone know immediately. It is much better to investigate and discover no breach than to wait and later discover that something DID happen. The 60-day clock for notifying affected individuals begins when the breach SHOULD have been discovered.

• Continue to be mindful of HIPAA privacy and security regulations, and practice the provisions of the University’s privacy and security core standards. Additionally, basic HIPAA information is always available for review on the University HIPAA website at http://hipaa.ua.edu/

• Refer to your HIPAA Privacy Officer and HIPAA Security Officer for your entity’s training process.

• If you have any questions, please contact Jan Chaisson ([email protected]), UA Privacy Officer, or Ashley Ewing ([email protected]), UA Security Officer.

Page 26: American Recovery and  Reinvestment Act of 2009

Business Associate Agreements (BAAs)

• Review: A BAA is required before a covered entity can contract with a third party individual or vendor (subcontractor) to perform activities or functions which will involve the use or disclosure of the covered entity’s PHI.

• The University BAA is being revised and will be available for use beginning October 15, 2009.

• At this time, current BAAs will not have to be replaced with the new format; however, that could change depending upon additional guidance from the Department of Health and Human Services.

• Biggest change: Entities must maintain a list of all active BAAs and copies of the fully executed BAAs.


Page 27: American Recovery and  Reinvestment Act of 2009

Additional Communications

• The American Recovery and Reinvestment Act of 2009 (ARRA) brought with it major impacts to the HIPAA privacy and security regulations. These changes do not occur over a period of several years as was experienced with the enforcement of HIPAA.

• This update provides the most immediate changes to HIPAA compliance.

• Additional guidance is expected from the Department of Health and Human Services.

• Other meetings, announcements, trainings, and awareness activities are most probable.

• So, until next time…
• Thank you!