Tri-State REC: Basic Privacy and Security Issues for Physician Practices


Transcript of Tri-State REC: Basic Privacy and Security Issues for Physician Practices

Page 1: Tri-State REC: Basic Privacy and Security Issues for Physician Practices

HealthBridge is one of the nation’s largest and most successful health information exchange organizations.

Tri-State REC: Basic Privacy and Security Issues for Physician Practices

Claudia Allen

Privacy Officer

HealthBridge

Page 2

ARRA Privacy Provisions

American Recovery and Reinvestment Act of 2009 (“ARRA”):

• Establishes the Office of the National Coordinator for Health Information Technology (“ONC”)
• Extends HIPAA Privacy and Security requirements to Business Associates (“BA”)
• Establishes breach identification and notification requirements
• Calls for education initiatives on the uses of health information
• Establishes further restrictions on “sales” of health information
• New disclosure accounting requirements
• New access requirements for EHR by individuals
• Increased enforcement initiatives
• Generally effective February 17, 2010


Page 3

A Bit of History

• HIPAA passed in 1996, but the Privacy and Security Rules went into effect in 2003

• HIPAA does not pre-empt state law if the state law requires a higher standard

• Covered Entities are subject to rules protecting the privacy/confidentiality of Protected Health Information (“PHI”)


Page 4

A Bit of History (cont.)

• Covered Entities
  • Providers of health care services
    • Physicians, dentists, chiropractors, psychologists
    • Clinics, Nursing Homes, Pharmacies, Laboratories
  • Health Plans and Clearinghouses
• PHI is medically related information that is
  • Identifiable to the individual
    • E.g., Name, address, phone, birth date, social security number
  • Transmitted or maintained by
    • electronic media
    • in any other media


Page 5

A Bit of History (cont.)

Permitted Uses of PHI without consent:

• Treatment
• Payment
• Operation of Business
• Limited data set (de-identified) for research, public health
• Required by law

Page 6

A Bit of History (cont.)

Business Associates required to enter into an agreement with CEs to protect PHI

• Breach by the BA would subject the CE to liability
• Redress against BA was by breach of contract lawsuit

Page 7

An Overview for Physician Practices

Page 8

1. Business Associates

ARRA and HITECH Extend Privacy and Security to Business Associates (“BA”)

• Business Associates directly subject to the Security Rule and privacy/confidentiality requirements
• Breach by BA results in liability for CE’s criminal and civil penalties
  • Four tiers ranging from $100 to $50,000 per violation
  • Individuals harmed may recover part of penalty
  • States Attorney General authorized to bring suit
    • Attorneys fees may be awarded
• BA required to respond to privacy non-compliance by CE
• BA Contracts are now required with entities that provide data transmission of PHI on a regular basis such as Health Information Exchanges

Page 9

2. Breach Notification

ARRA Requires Breach Notification of Unsecured PHI

• Breach is defined as unauthorized acquisition, access, use or disclosure of Unsecured PHI (“UPHI”) which compromises the security or privacy of information
• Unsecured PHI is defined as PHI that is not secured through the use of technology or methodology specified by the Secretary that renders the information unusable, unreadable, or undecipherable to unauthorized persons.
• Breach does not include:
  • Unintentional acquisition, access or use
    • made in good faith within the course of employment with BA or CE and not further acquired, used, or disclosed by any person
    • made by an individual acting under the authority of the CE or BA
    • of information the disclosure of which could not reasonably be retained

Page 10

Breach Notification (cont.)

• Notification upon discovery of Breach
  • CEs must notify each individual whose UPHI is breached
  • BA must notify the CE
  • Time period: without unreasonable delay but no later than 60 calendar days after discovery (first day known or should have been known)
  • Burden on discoverer
• Written notice by mail unless urgent
• If more than 9 individuals involved, posting on web
• Notice to media if over 500 residents in state or jurisdiction affected
• Immediate notice to Secretary if over 500 affected
• Breach log required to be sent to Secretary annually

Page 11

Breach Notification (cont.)

• Breach Notice contains
  • Description of what happened
  • Description of types of data involved
  • Steps individuals should take to protect themselves
  • What CE is doing to investigate, mitigate losses, and protect from further breaches
  • Contact procedures

Page 12

3. Disclosure Accounting

ARRA Requires Accounting for Disclosures of EHR

• CEs are required to account for all disclosures of PHI including those for Payment, Treatment and Operations
• Records for the prior 3 years must be provided
• CEs with EHR technology prior to January 1, 2009 must comply by January 1, 2014
• CEs acquiring EHR technology after January 1, 2009 must comply by January 1, 2011 or, if later, when it acquires EHR.

Page 13

4. Prohibition on Sale of Data

ARRA Prohibits Sales of EHR Data or PHI

• No direct or indirect remuneration in exchange for PHI unless covered by a valid authorization.
• Exceptions:
  • Public Health
  • Research Data where cost is all that is reimbursed
  • Exchange for health care operations or treatment as permitted by regulation

Page 14

5. Disclosure Restrictions

ARRA allows restrictions on Disclosures

• Individuals may restrict disclosure to a health plan for payment or operations
  • Individual must have paid out of pocket in full

Page 15

Practical Guidance

• Inventory and review all BAAs to determine if they need to be amended.
• ARRA Security and Privacy provisions are required to be incorporated into the BA Agreements.
• Review all policies and procedures to incorporate the new obligations of ARRA.
• Modify training of personnel to include the changes made by ARRA.
• Enter into BA Agreements with any organizations with which the CE transmits Health Information electronically.

Page 16

Practical Guidance

• Conduct a risk assessment to determine if office procedures are consistent with protecting PHI:
  • Doors locked except for business entrances and exits during business hours
  • Employee access restricted during non-business hours
  • Patients, families not allowed access to provider offices
  • Patient sign-up sheets not visible to non-employees
  • Employees’ visitors not allowed access
  • Employees are restricted from mentioning patients on social media sites
  • Remote access to data is limited, inventoried
  • Portable electronics secured, if not encrypted
  • Keys, pass codes inventoried
  • Workstations secured, screens not in view of public
• Implement procedures for terminated employees to limit access to PHI
• Implement procedures to report suspicious activity
• Implement hiring practices that minimize risk, check references and background
• Conduct periodic training on privacy and security

Page 17

Questions?

The Tri-State REC can help!

www.healthbridge.org

[email protected]

513-469-7222
