CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT,...
![Page 1: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/1.jpg)
CAHF 2010 HIPAA II and HITECH
“Your Plan”
Rhonda Anderson, RHIA, President
Lizeth Flores, RHIT, Consultant
Anderson Health Information Systems, Inc.
940 W. 17th Street, Suite B
Santa Ana, CA 92706
![Page 2: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/2.jpg)
Objectives
• The participants will identify the following and what it means to you and your staff:
1. HITECH final rule - key points
2. Determining risks from a risk assessment in your organization
3. Policies and procedures, privacy and security - update
4. Steps to protect your organization
5. Security: who establishes access to records, and at what level?
6. Role of the Office for Civil Rights
7. What you should do to meet the HITECH requirements
8. Introduction to “Meaningful Use”
![Page 3: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/3.jpg)
Applicability
• Breach notification applies to HIPAA covered entities (CEs) and business associates (BAs) that:
• Access, or
• Maintain, modify, record, store, use, hold, or disclose unsecured PHI
![Page 4: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/4.jpg)
General Reg. Act Requires
• HIPAA covered entities (CEs) must notify each affected individual of a breach of unsecured PHI
• In some situations CEs must also notify the media
![Page 5: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/5.jpg)
Unsecured PHI – Breach by BA
• The BA must notify the CE of the breach
• The BA agreement should include notification and indemnification terms and require the BA to meet the breach notification requirements
• HHS posts a public list of CEs that report breaches of unsecured PHI (those affecting 500 or more individuals)
![Page 6: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/6.jpg)
Exceptions
• CEs and BAs that implement the technologies and methodologies HHS has specified for safeguarding PHI (encryption or destruction per the HHS guidance) render that PHI “secured”
• CEs and BAs are NOT required to provide notification in the event of a breach of secured PHI
![Page 7: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/7.jpg)
Exceptions -2
• CEs and BAs are not required to provide notification in the event of a breach of PHI IF the PHI was safeguarded using technologies and methods that mean it is not considered “unsecured” (Reference: Federal Register Vol. 74, No. 162, pages 42740-42741 (8/24/09))
• http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2009_register&docid=DOCID:fr24au09-10.pdf
![Page 8: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/8.jpg)
Applicability
• New Subpart D to Part 164 of Title 45, Code of Federal Regulations (45 CFR 164.400-164.414)
![Page 9: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/9.jpg)
Breaches Effective
• NOW – the rule applies to CEs; HITECH’s direct obligations on BAs take effect February 2010
• HHS sanctions for failure to notify begin with breaches discovered from February 2010
• Document your efforts to meet compliance NOW, if not before!
![Page 10: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/10.jpg)
Breach Notification Applies To
1. Business Associate Agreements
2. SB 541, 337 – California
3. Penalties
![Page 11: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/11.jpg)
Vendors of a PHR
• On occasion a PHR vendor is a BA (or itself a CE)
• Notification made on behalf of the CE may, in part, satisfy the vendor’s own reporting requirements
![Page 12: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/12.jpg)
Requirements
• On discovery of a breach of unsecured PHI, the CE notifies each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach (45 CFR 164.404(a))
![Page 13: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/13.jpg)
Breach Discovered
• Discovered = the incident becomes KNOWN, not when the CE or BA concludes its analysis that a breach occurred
![Page 14: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/14.jpg)
Breach Treated As Discovered
• The first day the breach is known to the CE
OR
• The first day it would have been known to the CE by exercising reasonable diligence (45 CFR 164.404(a)(2))
![Page 15: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/15.jpg)
Breach “Discovered”
• Discovery starts the clock: notifications go out without unreasonable delay and in no case later than 60 calendar days after discovery
• When a BA discovers a breach it reports it to the CE, and the CE’s notification clock starts on that report (if the BA is acting as the CE’s agent, the BA’s discovery counts as the CE’s discovery)
![Page 16: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/16.jpg)
CE Ensure
• BA contracts include language on the BA’s notification duties and requirements
![Page 17: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/17.jpg)
In-Service
• CE and BA staff are trained (all staff trained and aware of the IMPORTANCE of timely reporting of privacy and security incidents)
![Page 18: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/18.jpg)
Exceptions
• Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of the CE or BA
• Made in good faith, within the scope of authority, with NO further use or disclosure
![Page 19: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/19.jpg)
Exceptions – Example #1 - Unintentional
• A physical therapist reviews a record and realizes it is not the correct resident; the therapist was acting within the scope of the contract covering the residents they should be treating, and makes no further use of the record.
![Page 20: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/20.jpg)
Exceptions – Example #2 – Inadvertent Disclosure
• A person authorized to access PHI at the CE or BA inadvertently discloses PHI to another person authorized to access PHI at the same CE or BA, and the PHI is not further used or disclosed
![Page 21: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/21.jpg)
Exceptions – Example #3 – Inadvertent Disclosure
• The Director of Nursing receives an email from a hospital containing PHI that was not intended for her; the email is referred to the correct person and deleted
![Page 22: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/22.jpg)
Exceptions Not Reasonably Able to Retain – Example #4
• The unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.
• PHI is handed to an “unauthorized” person (the wrong resident) and is exchanged right away for the correct information.
![Page 23: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/23.jpg)
Exception – Proof is On “U”
• The CE or BA has the burden of proof to show that no breach occurred, i.e. why breach notice is not required (45 CFR 164.414(b)).
• Document why the use or disclosure falls under an exception.
![Page 24: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/24.jpg)
Limited Data Set & De-ID Information
• A CE or BA creates a limited data set or de-identified PHI through redaction if the removal of identifiers results in information meeting the criteria of 45 CFR 164.514(e)(2) or 164.514(b) (H.O. #1)
• Exception: redacted PHI may not require notification because it cannot be identified to a resident
![Page 25: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/25.jpg)
Limited Data Set & De-ID Information -3
• Loss or theft of redacted information
• Does not require notification because, under the Rules, the information is not PHI (i.e. it is de-identified information)
OR
• The redacted information does not compromise security and privacy = no breach
![Page 26: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/26.jpg)
Limited Data Set
• Created by removing the direct identifiers from PHI
• Include it in the risk assessment
![Page 27: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/27.jpg)
HHS = Exception Statement
• The narrow exception would not apply if, for example, the data set contains zip code information, or contains birth dates and zip code information
• Question: is there a risk of re-identification that poses a significant risk of harm to the individual?
![Page 28: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/28.jpg)
Responsibility
• A CE is not responsible for a breach by a third party unless the third party is acting as an agent of the CE (or BA)
![Page 29: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/29.jpg)
3rd Party Responsibility
• A BA or CE provides information to a third party
• The third party then breaches it
• It is used or disclosed in a way that is not permissible
• The third party determines whether privacy and security were compromised
• The third party is responsible for complying with the Rule
• http://frwebgate2.access.gpo.gov/cgi-bin/TEXTgate.cgi?WAISdocID=oHkL0Q/0/1/0&WAISaction=retrieve
![Page 30: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/30.jpg)
Limited Data Sets – Burden of Proof
• PHI with no zip code or birth date: document that the lost information did not include these identifiers
![Page 31: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/31.jpg)
Risk Assessment of the Breach
• Establish whether the incident violates the Privacy Rule
• The CE determines whether the violation compromises the security or privacy of the PHI
![Page 32: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/32.jpg)
Risk Assessment – Security / Privacy
• Does the incident compromise the PHI?
• Does it pose a significant risk of financial or reputational harm?
• Or other harm to the person?
![Page 33: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/33.jpg)
Breach – Risk Assessment Steps
• Who impermissibly used the information, or to whom was it impermissibly disclosed?
• Obtain the recipient’s assurances that the information will not be further used or disclosed
• Take steps to eliminate or reduce the risk of harm to less than a “significant risk”
![Page 34: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/34.jpg)
Breach – Risk Assessment Steps -2
• If the security and privacy of the information have not been compromised, there is no breach
• If impermissibly disclosed PHI is returned before it is accessed, it may not be a breach
• CEs and BAs should also consider the type and amount of PHI involved in the breach
• If the PHI does not pose a significant risk of financial, reputational, or other harm, the violation is not a breach
![Page 35: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/35.jpg)
Risk Assessment Documentation
• CEs and BAs demonstrate in writing that no breach occurred because the incident did not pose a significant risk of harm
• CEs and BAs document their risk assessments
• If the PHI is a limited data set that does not include zip codes or dates of birth, keep documentation demonstrating that the lost information did not include those identifiers
![Page 36: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/36.jpg)
Notification Content
• No later than 60 days following the discovery of a breach, notification must be made to the individual. It must include:
• A brief description of what happened, the date it happened, and the date it was discovered (if known)
• A description of the types of unsecured PHI involved in the breach (name, date of birth, diagnosis, etc.)
• Steps impacted persons should take to protect themselves from potential harm (e.g. check credit reports where financial information was breached)
![Page 37: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/37.jpg)
Notification Content -2
• No later than 60 days… (cont.)
• A description of what the covered entity is doing to investigate, mitigate harm, and protect against future breaches
• Contact procedures for the person to ask questions or seek additional information
• Written in plain language
• (45 CFR § 164.404(c))
![Page 38: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/38.jpg)
Notification Requirements
• Written notice to the individual is required (substitute notice applies only where contact information is insufficient or out of date). Breach notice must be made:
• To the individual in written form by first-class mail at their last known address, or by electronic mail if the individual has agreed to electronic notice
• If the individual affected by the breach is a minor, or otherwise lacks legal capacity due to a physical or mental condition, notice goes to the personal representative of the individual
![Page 39: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/39.jpg)
Notification Requirements -2
• Written notices (cont.)
• If the individual is deceased, notice must be sent to the last known address of the next of kin or personal representative. Notice to the next of kin or personal representative is only required if the covered entity knows that the individual is deceased and has the address of the next of kin or personal representative
![Page 40: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/40.jpg)
Substitute Notices
• If the CE does not have sufficient contact information, or if notices are returned as undelivered, the CE must provide substitute notice for the unreachable individuals.
• For decedents, a CE is not required to provide substitute notice if it does not have contact information for the next of kin or personal representative.
![Page 41: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/41.jpg)
Substitute Notices -2
• If there are fewer than 10 individuals for whom the covered entity has insufficient or out-of-date contact information to provide the written notice, provide substitute notice to those individuals through an alternative form of written notice, telephone, or other means.
![Page 42: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/42.jpg)
Substitute Notices -3
• Posting a notice on the web site of the CE or at another location.
• The posting should not disclose any information which would identify an individual.
![Page 43: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/43.jpg)
Substitute Notices -4
• If the CE has insufficient or out-of-date contact information for 10 or more individuals, the rule requires the CE to provide substitute notice by either:
• A conspicuous posting on the home page of the CE’s web site for a period of 90 days, or
• A conspicuous notice in major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside.
• Either form must include a toll-free phone number, active for at least 90 days, where an individual can learn whether their PHI may have been included in the breach.
![Page 44: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/44.jpg)
Urgent Situations
• Notice by telephone or other means may be made, in addition to written notice, in cases the CE deems to require immediate notification because of possible imminent misuse of unsecured PHI.
• Such notice is in addition to, and not in lieu of, direct written notice.
![Page 45: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/45.jpg)
Notification to the Media
• Notice to prominent media outlets serving the State or jurisdiction, following a breach of unsecured PHI involving 500 or more residents of that State or jurisdiction.
• A supplement to, not a substitute for, individual notices.
• The media must be notified without unreasonable delay and no later than 60 days after the discovery of the breach of unsecured PHI.
![Page 46: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/46.jpg)
Notification to the Media -2
• The notice must include:
• A brief description of what happened, including the date it happened and when it was discovered (if known)
• A description of the types of unsecured PHI involved in the breach (name, date of birth, diagnosis, etc.)
• Steps impacted persons should take to protect themselves from potential harm (e.g. check credit reports where financial information was breached)
![Page 47: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/47.jpg)
Notification to the Media -3
• The notice must include (cont.):
• A description of what the covered entity is doing to investigate, mitigate harm, and protect against future breaches
• Contact procedures for questions or additional information (a toll-free telephone number, an email address, a web site, or a postal address)
• (45 CFR § 164.406; content per § 164.404(c))
![Page 48: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/48.jpg)
Notification to the Media -4
• Example: a breach affecting 600 individuals, of whom 200 reside in California and 400 reside in Nevada, did not affect 500 or more residents of any one State.
• Notification to the media is not required.
• Individual notifications to the affected residents of both California and Nevada still apply.
![Page 49: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/49.jpg)
Notification to the Secretary of HHS
• For breaches of unsecured PHI involving fewer than 500 individuals, the CE maintains a log of such breaches and annually submits the log to the Office for Civil Rights (OCR), no later than 60 days after the end of the calendar year in which the breaches were discovered.
• For breaches involving 500 or more people, the CE is required to notify OCR immediately (contemporaneously with the individual notices).
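The individual, substitute, media and HHS notification rules on the preceding slides combine into one decision procedure that incident-response teams usually want in code rather than in a flow chart. The following is an added example, not part of the CAHF deck or any HHS material: it turns a breach record into the notices owed and their deadlines, using the thresholds the slides cite (60 days from discovery, 500 or more residents of a single State for media notice, 500 or more in total for immediate HHS notice, fewer than 10 versus 10 or more unreachable individuals for substitute notice). The `Breach` and `Obligations` classes, their field names, the `parse_breach` helper and the sample breaches are assumptions made for this example; the per-State counting reproduces the deck's 200-in-California, 400-in-Nevada case.

```python
"""Added example (not from the CAHF deck): breach notification obligations
calculator for the HIPAA Breach Notification Rule, 45 CFR 164.400-164.414
(2009 interim final rule). Class and field names are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTICE_DEADLINE_DAYS = 60          # individual, media and HHS (500+) notices: 164.404/406/408
MEDIA_PER_STATE_THRESHOLD = 500    # 500+ residents of ONE State or jurisdiction: 164.406
HHS_IMMEDIATE_THRESHOLD = 500      # 500+ individuals in total: 164.408(b)
SUBSTITUTE_POSTING_THRESHOLD = 10  # 10+ unreachable individuals: 164.404(d)(2)(ii)


@dataclass
class Breach:
    discovered: date                   # first day known, or would have been known with reasonable diligence
    unsecured: bool                    # False when the PHI was encrypted/destroyed per the HHS guidance
    affected_by_state: Dict[str, int]  # assumed shape, e.g. {"CA": 200, "NV": 400}
    unreachable: int = 0               # individuals with insufficient or out-of-date contact information


@dataclass
class Obligations:
    individual_notice: bool
    deadline: Optional[date]          # last day for individual (and media / immediate HHS) notices
    media_notice_states: List[str]    # States needing prominent media notice
    hhs_notice: str                   # "none", "immediate" or "annual-log"
    hhs_log_due: Optional[date]       # annual log due 60 days after the calendar year ends (164.408(c))
    substitute_notice: str            # "none", "alternative-means" or "posting-or-media-90-days"


def parse_breach(discovered_iso: str, unsecured: bool,
                 affected_by_state: Dict[str, int], unreachable: int = 0) -> Breach:
    """Build a Breach from an ISO date string (helper assumed for this example)."""
    return Breach(date.fromisoformat(discovered_iso), unsecured, dict(affected_by_state), unreachable)


def total_affected(breach: Breach) -> int:
    return sum(breach.affected_by_state.values())


def assess(breach: Breach) -> Obligations:
    """Apply the Rule's thresholds. Assumes the incident has already failed the
    exceptions / risk-of-harm analysis on the earlier slides, i.e. it IS a breach."""
    if not breach.unsecured:
        # Safe harbor: secured PHI (per the HHS guidance) never triggers notification.
        return Obligations(False, None, [], "none", None, "none")

    deadline = breach.discovered + timedelta(days=NOTICE_DEADLINE_DAYS)

    # Media notice is counted per State or jurisdiction, not on the total:
    # 200 in CA + 400 in NV is 600 people and zero media notices.
    media_states = sorted(
        state for state, count in breach.affected_by_state.items()
        if count >= MEDIA_PER_STATE_THRESHOLD
    )

    # HHS is told at once for 500+ in total; smaller breaches go on the annual log.
    if total_affected(breach) >= HHS_IMMEDIATE_THRESHOLD:
        hhs_notice, log_due = "immediate", None
    else:
        year_end = date(breach.discovered.year, 12, 31)
        hhs_notice, log_due = "annual-log", year_end + timedelta(days=NOTICE_DEADLINE_DAYS)

    # Substitute notice depends on how many people the written notice cannot reach.
    if breach.unreachable == 0:
        substitute = "none"
    elif breach.unreachable < SUBSTITUTE_POSTING_THRESHOLD:
        substitute = "alternative-means"          # alternative written notice, telephone, other means
    else:
        substitute = "posting-or-media-90-days"   # home-page posting or major media, plus toll-free number

    return Obligations(True, deadline, media_states, hhs_notice, log_due, substitute)


if __name__ == "__main__":
    # Constructed sample: the deck's 600-person, two-State case, discovered 1 March 2010,
    # with 12 individuals whose mailing addresses are out of date.
    sample = parse_breach("2010-03-01", True, {"CA": 200, "NV": 400}, unreachable=12)
    print(assess(sample))
```

The calculator deliberately starts after the risk-of-harm analysis: it answers "who must be told by when", not "is this a breach". A law enforcement delay (later slides) is not modelled; it shifts the deadline by the period in the official's written statement and has to be tracked separately.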
![Page 50: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/50.jpg)
HITECH Act
• Who enforces for failure to notify, or when notification is provided in an untimely manner?
• The Department of Health and Human Services, for HIPAA covered entities and their business associates.
![Page 51: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/51.jpg)
HITECH Act -2
• Subpart D – Breach
• Failure to notify, or untimely notification, by CEs and BAs: enforced by HHS through the Office for Civil Rights; State Attorneys General may also bring civil actions under HITECH
• Untimely notification by PHR vendors and their third-party service providers: enforced by the Federal Trade Commission
• Notification to HHS is made to the Office for Civil Rights
![Page 52: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/52.jpg)
Notification by a Business Associate (in review)
• A breach shall be treated as discovered by a BA on the first day on which the breach is known to the BA or, by exercising reasonable diligence, would have been known to the BA.
![Page 53: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/53.jpg)
Notification by a Business Associate (in review) -2
• The BA is required to:
• Notify the CE without unreasonable delay and in no case later than 60 days following the discovery of the breach, so that the CE can notify affected individuals.
• Provide the identity of each individual whose unsecured PHI has been, or is reasonably believed to have been, breached, and any other available information that the CE is required to include in the notification to the individual.
![Page 54: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/54.jpg)
Law Enforcement Delay
• A law enforcement official determines that notification would impede a criminal investigation or cause damage to national security.
• The CE or BA must then temporarily delay notification.
![Page 55: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/55.jpg)
Law Enforcement Delay -2
• Written request – law enforcement provides a written statement that:
• The delay is necessary, because
• Notification would impede a criminal investigation, or
• Cause damage to national security, and
• Specifies the time for which a delay is required
• The CE or BA delays notification for the period specified in the statement
![Page 56: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/56.jpg)
Law Enforcement Delay -3
• Oral request – the law enforcement official states orally that:
• Notification would impede a criminal investigation, or
• Cause damage to national security
• The CE or BA is required to document the statement and the identity of the official, and may delay notification no longer than 30 days from the date of the oral statement unless a written statement is submitted during that time (45 CFR 164.412(b))
![Page 57: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/57.jpg)
Personal Health Records (PHRs)
• The Federal Trade Commission (FTC) imposes similar breach notification requirements on vendors of PHRs and their third-party service providers.
• The trigger is a breach of security of unsecured PHR identifiable health information.
![Page 58: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/58.jpg)
Personal Health Records (PHRs) -2
• An entity that provides PHRs to customers of a HIPAA CE through a BA relationship is a BA and falls under the HHS rule.
• If a vendor provides PHRs directly to the public and a breach of its records occurs, then in certain cases described in its rule the FTC will deem compliance with the HHS rule to satisfy the FTC rule.
• It may be appropriate for the vendor to provide the same breach notice to both sets of customers.
![Page 59: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/59.jpg)
HITECH Flow Chart
• See H.O. #2
![Page 60: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/60.jpg)
HITECH Flow Chart -2
![Page 61: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/61.jpg)
HITECH Flow Chart -3
![Page 62: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/62.jpg)
HITECH Flow Chart -4
![Page 63: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/63.jpg)
Notice To Individuals
• Must contain a description of what happened and the unsecured PHI involved, steps for individuals to protect themselves, a description of the covered entity’s efforts to investigate, mitigate and prevent further breaches and contact information.
![Page 64: CAHF 2010 HIPAA II and HITECH “Your Plan” Rhonda Anderson, RHIA, President Lizeth Flores, RHIT, Consultant Anderson Health Information Systems, Inc. 940.](https://reader035.fdocuments.us/reader035/viewer/2022062518/56649efa5503460f94c0d14c/html5/thumbnails/64.jpg)
HIPAA – Retention of Disclosures
• The HIPAA requirement for a six-year accounting of disclosures still applies to non-EHR disclosures.
64
Accounting Of Disclosures
• Under HITECH, covered entities and business associates are required to maintain an accounting of disclosures made through an EHR, including disclosures made for treatment, payment and health care operations.
• The accounting is limited to three years of disclosure information rather than the six-year requirement under HIPAA.
65
HIPAA Civil Penalties Under New HITECH Provisions
Effective November 30, 2009
| Violation category | Each violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| Did not know | $100 - $50,000 | $1,500,000 |
| Reasonable cause | $1,000 - $50,000 | $1,500,000 |
| Willful neglect, corrected within 30 days | $10,000 - $50,000 | $1,500,000 |
| Willful neglect, not corrected | $50,000 | $1,500,000 |
66
BA Agreement
• Update the business associate agreement policy to include the new HITECH requirements
• Covered entities must update all business associate agreements and ensure that they include HITECH requirements
67
California - Breach
• PHI, incl. medical information (Civ. Code 1798.29(e)(4) and (e)(5))
• Notification of a breach of computerized data containing PHI (1798.29(a))
• Protection of PHI (1798.81.5)
• Proper disposal and destruction of records containing PHI (1798.81)
• http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.25-1798.29
68
California CE
• Required to report unlawful or unauthorized access, use or disclosure of a patient’s medical information within 5 working days under SB 541 / AB 337, in effect since January 2009. (See H.O. #3.)
69
Penalties
• SB 541 / AB 337 – failure to report within 5 working days
• $100 per day for each day that the unlawful or unauthorized access, use or disclosure is not reported, up to a maximum of $250,000
70
HITECH/CALIFORNIA --Risk Analysis & Implementation
• Analyze possible areas of risk
• Guidance on documentation of the investigation and notification of breaches
• Breach response policies and procedures
• Breach response process
• Analysis of where you stand with security: encryption? exposure (YOU) and (BA)?
• See checklist (H.O. #4)
71
California Privacy and Security & More!!
• There is more in California
• SB 1386 – security breach notification (encryption)
• AB 1950 – protection of personal data
• AB 1298 – encrypted medical history, etc.
• AB 211 – fines
• SB 541 / AB 337 – breaches
72
Security/Access Control
• Does your current E.H.R. provide a grid (matrix) of security and access controls if you ask for it?
• Is your data destruction and manual destruction of records secure? How do you know? Who is responsible?
73
Liability ???
• Let’s review!
• There are no absolute tools that prevent a PHI breach, but you can develop tools that match your own system, e.g., the access control logs (HIPAA logs) some vendors provide, sign-on/sign-off logs, etc.
• Compare job duties against the data screens assigned to each user
74
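The review described in the Security/Access Control and Liability slides, matching each user's job duties against the data screens assigned to them and reading the EHR's own access logs, can be turned into a repeatable check. The script below is an added example written for this page; it is not code from the CAHF deck or from any EHR vendor. The pipe-delimited log format, the role-to-screen matrix, the sample log lines and the 06:00 to 20:00 working window are all constructed assumptions standing in for whatever your own system exports and your own policies say:

```python
"""Role-vs-screen access review (added example, not part of the CAHF deck).

Assumption: the EHR exports an access log with one record per screen view
(timestamp|user|role|patient_id|screen) and the facility keeps a
role -> permitted-screens matrix. Both are constructed here for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed role/screen matrix: the "job duties vs. assigned data screens" grid.
# A role with no row here has no authorised screens, so every access by it is flagged.
ROLE_SCREENS = {
    "nurse": {"MAR", "CarePlan", "Demographics"},
    "billing": {"Demographics", "Insurance", "Claims"},
    "dietary": {"DietOrders"},
}

# Constructed sample log lines in the hypothetical pipe-delimited export format.
SAMPLE_LOG = """\
2010-03-02T08:01:12|jdoe|nurse|P1001|MAR
2010-03-02T08:03:40|jdoe|nurse|P1001|CarePlan
2010-03-02T08:10:05|mlee|billing|P1001|Claims
2010-03-02T08:12:30|mlee|billing|P1001|MAR
2010-03-02T12:45:00|kpatel|dietary|P2002|DietOrders
2010-03-02T12:46:10|kpatel|dietary|P2002|Demographics
2010-03-02T13:00:00|kpatel|dietary|P2003|Insurance
2010-03-02T22:15:00|jdoe|nurse|P1001|MAR
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    screen: str


def parse_log(text):
    """Parse the export; a malformed line is an error, not silently skipped,
    because a review that drops records cannot be relied on."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts, user, role, patient, screen = parts
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, screen))
    return events


def out_of_role(events, matrix=ROLE_SCREENS):
    """Events whose screen is not permitted for the user's role (least privilege check)."""
    return [e for e in events if e.screen not in matrix.get(e.role, set())]


def after_hours(events, start_hour=6, end_hour=20):
    """Events outside the working window; the window is a hypothetical policy value."""
    return [e for e in events if not (start_hour <= e.ts.hour < end_hour)]


def patients_per_user(events):
    """Distinct patient charts touched per user, a simple volume indicator for browsing."""
    charts = defaultdict(set)
    for e in events:
        charts[e.user].add(e.patient)
    return {user: len(p) for user, p in charts.items()}


def review(text):
    """Run all checks over one log export and return the findings."""
    events = parse_log(text)
    return {
        "out_of_role": [(e.user, e.screen, e.patient) for e in out_of_role(events)],
        "after_hours": [(e.user, e.ts.isoformat()) for e in after_hours(events)],
        "patients_per_user": patients_per_user(events),
    }


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(finding, detail)
```

Run as-is, the constructed log yields three out-of-role views (a billing user opening the MAR, a dietary user opening Demographics and Insurance) and one after-hours access. Against a real export, start by copying the vendor's role/screen grid into ROLE_SCREENS so the matrix reflects what your policies actually authorise; the flagged rows are the ones to reconcile against job descriptions before deciding whether an access was a breach.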
Liability -2
• What kind of insurance do you have?
• What will you offer as mitigation if a breach does happen?
• Identity theft is a potential consequence, so how will you cover that?
75
Liability -3
• Breach notifications $$
• Cost of monitoring services/contract or employees $$
• Legal costs possibly $$
• Call center $$
• Identity theft insurance for breach notice
• ???other costs – Administrative – Staff??
76
What Is Next With HIPAA?
• What is next with HIPAA 5010? ARRA/HITECH’s HIPAA “II”
• Revised guidance
• Electronic Health Record, requirements, interoperability
• Meaningful Use
77
Certification of E.H.R. (billing, too)!
• http://healthit.hhs.gov/certification
• Find out whether your electronic record (clinical or billing) is certified. Has the vendor applied? Will they apply? When?
78
There is More!!
• Is your organization ready for what is in our future?
• More requirements are coming on breaches, electronic record monitoring policies and procedures, assurances of security and privacy, and ongoing assessment of your risk.
• 5010, ICD-10, more ARRA!
79
Recap
• Make your TO DO LIST
80
Resources
• AHIS - Prior Presentations
• AHIMA
• Federal Register
• California Office of Health Information Integrity
81
Evaluation
Rhonda Anderson, RHIA
Lizeth Flores, RHIT
Anderson Health Information Systems, Inc.
940 W. 17th Street, Suite B
Santa Ana, CA 92706
714-558-3887
82