Understanding HITECH
Impact of HITECH Act on HIPAA and the Interface with New Hampshire Privacy Law
Cinde Warmington, Shaheen & Gordon, P.A., 107 Storrs Street, P.O. Box 2703, Concord, NH 03302-2703, (603) 225-7262, [email protected]

This presentation is for informational purposes only. It does not constitute legal advice. You should seek the advice of counsel if you need legal assistance.

HITECH
The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009.
It contains provisions affecting HIPAA, including breach notification requirements.
The interim final rule on breach notification was issued August 24, 2009, effective September 23, 2009. 74 Fed. Reg. 42740.
Sanctions will not be imposed for failure to comply with the notification requirements for breaches discovered before February 22, 2010.

Breach Notification Requirements
Prior to HITECH, there was no affirmative duty under HIPAA to notify an individual if protected health information (PHI) was breached, unless the breach involved “personal information” as defined under NH law and notification was required under RSA 359-C:20.
HIPAA does include a duty to mitigate harm (which may require notification of the individual), and
HIPAA does include a duty to keep an accounting of certain disclosures, which individuals can request,
but there was no explicit duty to notify individuals of a breach.

Breach Notification Requirements
HITECH imposes an affirmative duty to notify each individual whose “unsecured PHI” is breached:
“A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of a breach.” 45 CFR § 164.404.

What is a breach?
Breach means the acquisition, access, use, or disclosure of protected health information not permitted under HIPAA which compromises the security or privacy of the PHI.
“Compromises the security or privacy of the PHI” means poses a significant risk of financial, reputational, or other harm to the individual.
45 CFR § 164.402 (definition of breach, paragraph (1)(i)).

What is “unsecured” protected health information?
PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance issued by the Secretary of DHHS. 45 CFR § 164.402.
Approved technologies/methodologies include encryption and destruction.

Encryption
Means “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” 45 CFR § 164.304.
Requires that the confidential process or key has not been breached. In practice this means the key must be kept separate from the encrypted data: a key stored on the same lost laptop or in the same stolen archive does not render the PHI secured.

Encryption
Valid encryption processes for “data at rest” are set forth in NIST Special Publication 800-111.
Valid encryption processes for “data in motion” must comply with Federal Information Processing Standard (FIPS) 140-2.
Available at http://csrc.nist.gov

Valid Destruction Processes
Paper, film or other hard copy media must be shredded or destroyed in such a way that the PHI cannot be read or otherwise reconstructed.
Electronic media must be cleared, purged or destroyed so that the PHI cannot be retrieved, consistent with NIST Special Publication 800-88.
Available at http://csrc.nist.gov

Is there a breach?
If the PHI is encrypted or destroyed through a means specified in DHHS guidance, disclosure of the PHI will not result in a breach, and therefore no notification is required.

Is there a breach?
Does the improper acquisition, access, use or disclosure compromise the security or privacy of the PHI? In other words, does it pose a significant risk of financial, reputational or other harm to the individual?
The covered entity (or business associate) must perform a risk assessment.

Factors to be considered in performing the risk assessment
Who used the PHI? Who received the PHI?
Was the disclosure to another covered entity?
Was there evidence that the information was accessed?
What was the nature of the information disclosed?
Was the covered entity able to take immediate steps to mitigate the harm?

Examples from the preamble to the Interim Final Rule
If the disclosure was to another covered entity, there may be less risk of harm to the individual.
If a lost or stolen laptop is returned and testing shows the PHI was not accessed, the risk of harm is lessened.
If the PHI included only limited information not likely to cause harm (e.g. the patient’s name and the name of the hospital where the patient was treated), the risk of harm is lessened.
If the covered entity obtains immediate assurances from the recipient that the PHI will not be further disclosed and will be destroyed, the risk of harm may be lessened.

Risk Assessment
Each risk assessment will be individual and fact specific.
The covered entity or business associate must document the risk assessment and the factors considered to support its conclusions.
The burden of proof is on the covered entity or business associate to show that no breach has occurred.
If there is no significant risk of harm, there is no breach and no notification is required.

Breach notification requirements: Timeliness
If the covered entity determines there is a breach, each individual must be notified without unreasonable delay but no later than sixty (60) days after discovery.
If a business associate determines there is a breach, it must notify the covered entity.

Breach notification requirement: When is the breach discovered?
On the first day the covered entity or business associate knows of the breach, or would have known if it had exercised reasonable diligence. The 60-day clock runs from that day, not from the day the investigation concludes.

Breach notification requirements
The covered entity’s written notification of the breach must include:
a brief description of what happened;
the date of the breach and the date of discovery of the breach, if known;
a description of the information disclosed;
any steps individuals should take to protect themselves;
a brief description of what the covered entity is doing to investigate the breach, mitigate any harm and prevent future breaches; and
a toll-free number, email address, website or postal address where individuals can receive additional information.

Notice must be written in plain language
Must take reasonable steps to ensure meaningful access for individuals with Limited English Proficiency (may have to translate).
Must ensure effective communication with individuals with disabilities (may require that notice be made in Braille, large print or audio).

Methods of Notification
Written notice must be sent by first class mail to the last known address, or by email if the individual agrees to electronic notice.*
Must notify the next of kin or personal representative if the individual is deceased and the address is known.
*Covered entities may want to start obtaining this consent at the time of patient registration.

Substitute Notice
If contact information is insufficient or out-of-date, substitute notice must be provided.
Substitute notice is not required if the person is deceased and there is insufficient contact information for the next of kin or personal representative.

Substitute Notice
If there is insufficient or out-of-date contact information for fewer than 10 individuals, then substitute notice can be provided by an alternative form of written notice, telephone or other means.

Substitute Notice: from a practical perspective, what does this mean?
If the covered entity does not have a valid street address but does have an email address, the email address can be used without the individual’s consent.
If the covered entity has a phone number and not an email or street address, the individual can be notified by telephone.
It may not be immediately clear whether there are more or fewer than ten individuals with insufficient contact information (returned mail may be the first notice that the information is out-of-date).

Substitute Notice
If there is insufficient or out-of-date contact information for 10 or more individuals, substitute notice shall be either:
a conspicuous posting for 90 days on the home page of the covered entity’s web site; or
a conspicuous notice in major print or broadcast media in the geographic areas where the affected individuals may reside.
Either form must include a toll-free number where an individual can learn whether their information may have been breached.

Substitute Notice: practical concerns regarding the cost of providing notice with a toll-free number
Since the public notice will not identify the 10 or more affected individuals, the notice may prompt a deluge of calls from unaffected individuals at substantial cost to the covered entity.
DHHS notes that the toll-free number is statutorily required.
DHHS suggests that the notice can include another means of determining whether a person is affected by the breach.

Notice in Urgent Situations
In addition to written notice, the covered entity may provide notice by telephone if it is urgent because of possible imminent misuse of the PHI.

Breach involving more than 500 residents
For breaches involving more than 500 residents of a State or jurisdiction, the covered entity must notify prominent media outlets in the State or jurisdiction.
Notice must be without unreasonable delay but no later than sixty (60) days after discovery of the breach.
The notification must include the same information that would be given to the individuals (except that it would not identify the individuals).
Notice would most likely be in the form of a press release.

Notification to the Secretary of DHHS
For breaches involving 500 or more individuals, the covered entity must notify DHHS at the same time as the individuals are notified.
For breaches involving fewer than 500 individuals, the covered entity must maintain a log of breaches and submit it annually to the Secretary within 60 days after the end of the calendar year.

Administration
Covered entity must train its workforce.
Covered entity must have appropriate sanctions against workforce members who fail to comply with its privacy policies.
Covered entity must change its policies and procedures.
Covered entity must revise its Business Associate Agreements.

Notification by Business Associate
The business associate must notify the covered entity of a breach without unreasonable delay but not later than sixty (60) days after discovery.
The notification shall include the identification of the individuals whose PHI has been breached.
The business associate will provide the covered entity with the additional information needed for the notice described above, or promptly thereafter as the information becomes available.

NH State Law RSA 359-C:20
Requires notification of individuals in the event of a security breach of computerized personal information if there is a determination that misuse of the information has occurred or is likely to occur, or if such a determination cannot be made.
Health care providers must also notify the Attorney General’s office.

NH State Law RSA 359-C:20
Personal information is more limited than PHI. Personal information includes:
o An individual’s first name or initial and last name in combination with any of the following data elements, when the name or the data element is not encrypted:
• Social Security number;
• Driver’s license number or other government ID number; or
• Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

NH State Law RSA 359-C:20: Notification Requirements
Written notice;
Electronic notice (if that is the primary means of communication with the individuals); or
Telephonic notice (must keep a log).
HIPAA requires written notification.

NH State Law RSA 359-C:20: Substitute Notice
If the cost of notice would exceed $5,000*, or the affected class of individuals exceeds 1,000*, or there is insufficient contact information to provide notice, then substitute notice can be given via:
email; a conspicuous posting on the web site; or notification of major statewide media.
*For PHI, the HIPAA breach notification requirements will preempt these cost and class-size thresholds; under HIPAA, substitute notice is permitted only where contact information is insufficient or out-of-date.

NH State Law RSA 359-C:20: Notice includes*
a general description of the incident;
the approximate date of the breach;
the type of information involved; and
telephonic contact information where the affected person can call.
*The notice will also need to comply with the HIPAA requirements.
If more than 1,000 individuals are affected, the entity must also notify all consumer reporting agencies without unreasonable delay (but the notice is not required to include the names of the affected persons).

HIPAA/State Law Interface
See the decision matrix attached as a PDF document.
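The attached decision matrix is not reproduced on this page. The following Python module is an added example, written for this edit and not part of the presentation, that encodes the notification logic as the slides state it: the interim final rule's "unsecured PHI" and significant-risk-of-harm tests, the 60-day clock from discovery, the fewer-than-10 / 10-or-more substitute notice split, the more-than-500-residents media notice, the 500-or-more DHHS threshold with the annual log for smaller breaches, and RSA 359-C:20 as summarised above. The IncidentFacts fields, action names and the sample incident are constructed for illustration; treating the NH "more than 1,000 affected" test as the total number of individuals being notified is an assumption about the slide's wording.

```python
"""Breach-notification decision helper (constructed example; not the presentation's matrix).

Encodes the HITECH/HIPAA interim-rule logic and RSA 359-C:20 as the slides
summarise them. Field names, action labels and the sample incident are this
example's own assumptions, not text from the presentation.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# "without unreasonable delay but no later than sixty (60) days after discovery"
NOTICE_WINDOW = timedelta(days=60)


@dataclass
class IncidentFacts:
    """What the responder must establish before the notification decision."""
    discovery_date: date            # first day known, or should have been known with reasonable diligence
    individuals: int                # individuals whose PHI was involved
    residents_by_state: dict        # {"NH": 600, ...}; drives the more-than-500-residents media test
    encrypted_per_guidance: bool    # NIST SP 800-111 at rest / FIPS 140-2 in motion
    key_compromised: bool           # the confidential process or key was itself breached
    destroyed_per_sp800_88: bool    # media cleared, purged or destroyed per NIST SP 800-88
    significant_risk_of_harm: bool  # conclusion of the documented risk assessment
    unreachable_individuals: int    # insufficient or out-of-date contact information
    nh_personal_information: bool   # name + SSN / licence / account+code, not encrypted
    nh_misuse: str                  # "occurred", "likely", "unlikely" or "undetermined"


def is_unsecured(f: IncidentFacts) -> bool:
    """PHI counts as secured only if destroyed, or encrypted with the key intact."""
    if f.destroyed_per_sp800_88:
        return False
    if f.encrypted_per_guidance and not f.key_compromised:
        return False
    return True


def is_hipaa_breach(f: IncidentFacts) -> bool:
    """Secured PHI cannot be breached; unsecured PHI is a breach only if the risk
    assessment finds a significant risk of financial, reputational or other harm."""
    return is_unsecured(f) and f.significant_risk_of_harm


def hipaa_actions(f: IncidentFacts) -> dict:
    """Map each required federal notification to its deadline (45 CFR 164.404-408)."""
    actions = {}
    if not is_hipaa_breach(f):
        return actions                      # no breach, no notification; keep the assessment on file
    deadline = f.discovery_date + NOTICE_WINDOW
    actions["individual_written_notice"] = deadline
    if f.unreachable_individuals >= 10:     # web posting for 90 days or major media, with a toll-free number
        actions["substitute_notice_web_or_media_with_toll_free_number"] = deadline
    elif f.unreachable_individuals > 0:     # alternative written notice, telephone or other means
        actions["substitute_notice_alternative_means"] = deadline
    for state, residents in f.residents_by_state.items():
        if residents > 500:
            actions[f"media_notice_{state}"] = deadline
    if f.individuals >= 500:
        actions["hhs_notice"] = deadline    # contemporaneous with individual notice
    else:                                   # log it; submit within 60 days after the calendar year ends
        actions["hhs_annual_log"] = date(f.discovery_date.year, 12, 31) + timedelta(days=60)
    return actions


def nh_actions(f: IncidentFacts) -> set:
    """RSA 359-C:20 as summarised on the slides: computerized 'personal information'
    plus misuse that occurred, is likely, or cannot be ruled out."""
    actions = set()
    if not f.nh_personal_information or f.nh_misuse == "unlikely":
        return actions
    actions.add("nh_individual_notice")
    actions.add("nh_attorney_general_notice")          # health care providers, per the slide
    if f.unreachable_individuals > 0:                   # the $5,000 / 1,000 thresholds are preempted for PHI
        actions.add("nh_substitute_notice_email_web_or_statewide_media")
    if f.individuals > 1000:                            # assumption: "more than 1,000 affected" = individuals notified
        actions.add("nh_consumer_reporting_agencies")
    return actions


# Constructed sample: a stolen, unencrypted laptop holding 620 patients' records, 600 of them NH residents.
SAMPLE = IncidentFacts(
    discovery_date=date(2010, 3, 1), individuals=620, residents_by_state={"NH": 600, "VT": 20},
    encrypted_per_guidance=False, key_compromised=False, destroyed_per_sp800_88=False,
    significant_risk_of_harm=True, unreachable_individuals=12,
    nh_personal_information=True, nh_misuse="undetermined",
)


def variant(**changes) -> IncidentFacts:
    """Copy of SAMPLE with some facts changed, for walking alternative scenarios."""
    return replace(SAMPLE, **changes)


if __name__ == "__main__":
    for action, due in sorted(hipaa_actions(SAMPLE).items()):
        print(f"HIPAA  {action:<55} due {due}")
    for action in sorted(nh_actions(SAMPLE)):
        print(f"NH     {action}")
```

Running the module prints the federal actions with their 60-day deadline (April 30, 2010 for a March 1 discovery) alongside the NH actions; switching the sample to an encrypted laptop with the key intact, or to a documented finding of no significant risk, yields no federal actions at all, which is the point of the "secured PHI" safe harbor on the earlier slides.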

Accounting for Disclosures
A new requirement to account for disclosures made for treatment, payment and health care operations for covered entities using an electronic health record (EHR).
Effective dates: by 1/1/2014 for EHRs acquired as of 1/1/2009; by the later of 1/1/2011 or the date the EHR is acquired, for EHRs acquired after 1/1/2009.
Individuals are entitled to receive an accounting of such disclosures for a period of three years.
This accounting is of “disclosures” and not “uses”. It is not the same as an audit trail: an audit log records every access, including internal uses, whereas the accounting must identify disclosures to parties outside the covered entity, so the audit log is a source for the accounting, not a substitute for it.

“Minimum Necessary”
Until guidance on “minimum necessary” is issued, a covered entity must limit its use, disclosure or request of PHI, to the extent practicable, to a limited data set or, if needed, to the minimum necessary; this provision sunsets when the guidance is issued.
The Secretary shall issue guidance on what constitutes minimum necessary within 18 months of enactment (by August 2010).

Requested Restrictions
Currently an individual can request restrictions on the use and disclosure of PHI, but the covered entity does not have to agree to such requests.
Under HITECH, covered entities must comply with a request if:
the disclosure is to a health plan for payment or health care operations; and
the PHI pertains to an item or service for which the health care provider has been paid out-of-pocket in full.
Effective February 2010.

Access to Information in an EHR
An individual has a right to receive information stored in an EHR in an electronic format.
If directed by the individual, the covered entity must transmit a copy to a person designated by the individual.
The charge cannot be greater than the labor cost of responding to the request.
Effective February 2010.

Marketing and Fundraising: HIPAA Changes (Effective 2/2010)
If remuneration is received, an authorization is required except in very limited circumstances.
Marketing communications are not defined as health care operations except for treatment, case management, care coordination, alternative therapies, providers or care settings, or descriptions of the covered entity’s own services.
Fundraising communications will need to include a clear and conspicuous opportunity to opt out.

Marketing Changes: NH State Law (Effective 1/1/2010)
Under HB 619, marketing means:
(1) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made by the individual’s health care provider:
o for treatment of the individual;
o for case management or care coordination for the individual;
o to direct or recommend alternative treatments, therapies, health care providers or settings of care; or
o for treatment-related reminders or health promotion activities by health care providers.
(2) An arrangement whereby the health care provider discloses PHI in exchange for payment so that a third party can make a marketing communication about its own products or services.
An authorization is required for any use or disclosure of PHI for marketing.
To the extent State law is contrary to HIPAA and more protective of privacy, State law will preempt HIPAA.

Fundraising: NH Law
Fundraising communications must include a clear and conspicuous opportunity to opt out of receiving such communications. Notice must be provided:
o 60 days prior to any fundraising communication; or
o in the Notice of Privacy Practices, if the notice is given prior to any fundraising communication;
o in any subsequent fundraising communications.
Once a person opts out, it is treated as a revocation of an authorization.

Marketing and Fundraising: NH Law
Enforcement: An aggrieved individual may bring a civil action under RSA 332-I:4 or 332-I:5 and, if successful, shall be awarded special or general damages of not less than $1,000 for each violation, plus costs and reasonable legal fees.
The interface between state and federal law is still to be determined.

Prohibition on the Sale of EHR/PHI
HITECH prohibits a covered entity from receiving direct or indirect remuneration in exchange for PHI unless the individual provides a valid authorization.
Exceptions:
o public health activities;
o research (where the price reflects only the cost of preparation and transmittal of the data);
o treatment of the individual;
o health care operations associated with the sale, merger or consolidation of the covered entity;
o payment by the covered entity for the services of a business associate;
o providing the individual with a copy of his or her record.

Prohibition on the Sale of EHR/PHI
The Secretary is to promulgate regulations not later than 18 months after enactment.
The prohibition becomes effective 6 months after the regulations are promulgated.

Business Associates
Breach notification requirements apply.
Security Rule sections 45 CFR §§ 164.308, 164.310, 164.312 and 164.316 apply directly.
HIPAA provisions governing use and disclosure of PHI apply to business associates.
Civil and criminal penalties now apply to business associates.
Business associates will need to maintain an accounting of any disclosures from an EHR.

HIPAA Enforcement and Penalties
Categories of violations and respective penalty amounts available (Section 1176(a)(1)):

Violation category                        Each violation       All such violations of an identical provision in a calendar year
(A) Did not know                          $100 - $50,000       $1,500,000
(B) Reasonable cause                      $1,000 - $50,000     $1,500,000
(C)(i) Willful neglect, corrected         $10,000 - $50,000    $1,500,000
(C)(ii) Willful neglect, not corrected    $50,000              $1,500,000

HIPAA Enforcement and Penalties
Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the [HIPAA] provision violated.
Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the [HIPAA] provision violated.

HIPAA Enforcement and Penalties
HIPAA now imposes a minimum penalty amount in each category.
Previously, a covered entity would have an affirmative defense if it did not know, and reasonably would not have known, of the violation. HITECH removes this affirmative defense.
However, if the violation is not due to willful neglect and is corrected within 30 days of discovery (or of the date the covered entity should have known of it by exercising reasonable diligence), that will be an affirmative defense.

HIPAA Enforcement and Penalties
The Secretary still has discretion to limit or waive penalties in cases due to reasonable cause and not willful neglect.
No later than 3 years after enactment, the Secretary shall establish a methodology under which an individual harmed may receive a percentage of the penalties collected.

Enforcement by State Attorneys General
State Attorneys General may bring a civil action on behalf of residents of the State who have been, or are threatened or adversely affected by, any person violating the statute:
o the State may seek equitable injunctive relief;
o damages are calculated by multiplying $100 times the number of violations;
o the total amount of damages for identical violations in a calendar year is capped at $25,000; and
o the State may seek payment of attorney fees.