HIPAA: Privacy, Security, and HITECH, Oh My!

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General


Transcript of HIPAA: Privacy, Security, and HITECH, Oh My!

Page 1: HIPAA:  Privacy, Security, and HITECH, Oh My!

HIPAA: Privacy, Security, and HITECH, Oh My!

Presented by Stephanie L. Ganucheau, Special Assistant Attorney General

Page 2: HIPAA:  Privacy, Security, and HITECH, Oh My!

Knock, knock

Page 3: HIPAA:  Privacy, Security, and HITECH, Oh My!

HIPAA – 1996

Protects the security and privacy of all medical records and other health information shared in any form (oral, written, electronic, etc.).

Page 4: HIPAA:  Privacy, Security, and HITECH, Oh My!

HIPAA Privacy Rule – First published 12-28-2000, then amended in 2002, with first compliance to begin on April 14, 2003.

Applies to covered entities and their usage and disclosure of protected health information.

Page 5: HIPAA:  Privacy, Security, and HITECH, Oh My!

HIPAA Security Rule – Rule adopted in 2003, but first compliance to begin on April 20, 2005.

This regulation provided guidance for protecting electronic personal health information, and specified various procedures for doing so. It applies to personal health information created, received, maintained, or transmitted by a covered entity in electronic form. It does not apply to PHI transmitted orally or in writing.

Page 6: HIPAA:  Privacy, Security, and HITECH, Oh My!

HITECH became effective on 2-17-2009, with most compliance to begin in February 2010.

Widens the scope of privacy and security provisions; increases the potential legal liability for non-compliance; and it provides for more enforcement.

Page 7: HIPAA:  Privacy, Security, and HITECH, Oh My!
Page 8: HIPAA:  Privacy, Security, and HITECH, Oh My!

Definitions

• Covered Entities - 1) a health plan; 2) a health care clearinghouse; and 3) a health care provider who transmits any health information in electronic form in connection with various financial and administrative actions.

Page 9: HIPAA:  Privacy, Security, and HITECH, Oh My!

Health Care Information - Any information, whether oral or recorded in any form or medium that:

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and

(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Page 10: HIPAA:  Privacy, Security, and HITECH, Oh My!

Individually Identifiable Health Information - Any information, including demographic information collected from an individual that:

(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(B) relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and

(i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Page 11: HIPAA:  Privacy, Security, and HITECH, Oh My!

Business Associates - A person who, on behalf of a covered entity or of an organized health care arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement:

(A) performs or assists in the performance of a function or activity involving the use or disclosure of protected health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, and repricing; or

(B) provides legal, actuarial, accounting, consulting, data aggregation, management, administration, accreditation, or financial services, when the provision of the service involves the disclosure of protected health information.

Page 12: HIPAA:  Privacy, Security, and HITECH, Oh My!

A covered entity may be a business associate of another covered entity.

Business Associate does not include: 1) a health care provider using the information for treatment purposes; 2) a plan sponsor for the purposes of making health care payments under a group insurance plan or HMO; and 3) a governmental agency with respect to determining eligibility for or enrollment in a governmental health plan.

Page 13: HIPAA:  Privacy, Security, and HITECH, Oh My!

Changes Under HITECH Act

• Business Associates and Business Associate Agreements

• Notification Requirements

• Heightened Civil Enforcement

Page 14: HIPAA:  Privacy, Security, and HITECH, Oh My!

Potential Problem Areas

Page 15: HIPAA:  Privacy, Security, and HITECH, Oh My!

Enforcement Actions