Presentation is loading. Please wait.

Presentation is loading. Please wait.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

Similar presentations


Presentation on theme: "HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009."— Presentation transcript:

1 HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009

2 HITECH ACT Dedicates over $31 billion in stimulus funds for Healthcare Infrastructure and the adoption of Electronic Health Record (EHR). Dedicates over $31 billion in stimulus funds for Healthcare Infrastructure and the adoption of Electronic Health Record (EHR). Also imposes new medical privacy requirements. Also imposes new medical privacy requirements.

3 Changes to Medical Privacy Requirements Fundamental changes in the areas of accountability, data breach notification, consumer access, and use of personal health information. Fundamental changes in the areas of accountability, data breach notification, consumer access, and use of personal health information. Unlike HIPAA, HITECH ACT one year for most provisions. Unlike HIPAA, HITECH ACT one year for most provisions.

4 Accountability Imposes new levels of accountability for medical privacy. Imposes new levels of accountability for medical privacy. Periodic audits by HHS to ensure compliance within the first 12 months after enactment of the new rules. Periodic audits by HHS to ensure compliance within the first 12 months after enactment of the new rules.

5 Accountability Tiered penalty structure, with fines ranging from $25,000 to $1.5 million and penalties are mandatory for cases of “willful neglect”. Tiered penalty structure, with fines ranging from $25,000 to $1.5 million and penalties are mandatory for cases of “willful neglect”. All violations occurring after February 2009 enactment date are subject to the increased penalties. All violations occurring after February 2009 enactment date are subject to the increased penalties.

6 Accountability Business Associates with access PHI bound by the same requirements as the Organization (Feb 2010). Business Associates with access PHI bound by the same requirements as the Organization (Feb 2010).

7 Accountability Assure business associate contracts, authorizing and defining their use of the PHI shared with them. Assure business associate contracts, authorizing and defining their use of the PHI shared with them. Obligated to report the violation to appropriate authorities and discontinue the relationship. Obligated to report the violation to appropriate authorities and discontinue the relationship.

8 Consumer Access (Feb 2010) Gives individuals clear access rights to their own health records, and it gives them the right to restrict disclosure of PHI if they pay the healthcare providers themselves. Gives individuals clear access rights to their own health records, and it gives them the right to restrict disclosure of PHI if they pay the healthcare providers themselves.

9 Use of PHI (Feb 2010) CE’s and their business associates are also prohibited from selling PHI without explicit, documented authorization from the individual whose information is contained in the record. CE’s and their business associates are also prohibited from selling PHI without explicit, documented authorization from the individual whose information is contained in the record.

10 Breach Notification Defined: Unauthorized acquisition, access use, or disclosure of PHI compromises the security or privacy of the data. Defined: Unauthorized acquisition, access use, or disclosure of PHI compromises the security or privacy of the data. Unsecured PHI – Not secured through technology as: unusable, unreadable, or indecipherable to unauthorized individual Unsecured PHI – Not secured through technology as: unusable, unreadable, or indecipherable to unauthorized individual Additional guidance technology. Additional guidance technology.

11 Breach Notification Obligation to notify all breaches that are discovered on or after September 15, Obligation to notify all breaches that are discovered on or after September 15, Notification within 60 days when PHI in any form or medium is breached, not just electronic records. Notification within 60 days when PHI in any form or medium is breached, not just electronic records. Breach is officially discovered on “the first day it is known to the HIPAA entity or business associate or should reasonably have been known”. Breach is officially discovered on “the first day it is known to the HIPAA entity or business associate or should reasonably have been known”.

12 Breach Notification HIPAA covered entity that suffered the breach demonstrates required notifications were made. HIPAA covered entity that suffered the breach demonstrates required notifications were made. Telephone notifications can be made in urgent situations. Telephone notifications can be made in urgent situations. Business Associates required to notify the covered entity including the individuals affected. Business Associates required to notify the covered entity including the individuals affected.

13 Breach Notification Breach Affecting 500 or more individuals, CE required to provide “immediate” notice to HHS. Breach Affecting 500 or more individuals, CE required to provide “immediate” notice to HHS. Thus the breach notice is public. Thus the breach notice is public. Rule of 500 applies in a single state or jurisdiction. Rule of 500 applies in a single state or jurisdiction. Notice must be provided to prominent media outlets. Notice must be provided to prominent media outlets.

14 Methods of Notice Individual Notice Individual Notice Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form: Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form: Written notification by first-class mail to the individual at the last known address. Written notification by first-class mail to the individual at the last known address. In the case of insufficient, or out-of-date contact information that precludes direct written specified by the individual under subparagraph. In the case of insufficient, or out-of-date contact information that precludes direct written specified by the individual under subparagraph.

15 Media Notice Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of unsecured protected health information of more than 500 residents in such State, or jurisdiction. Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of unsecured protected health information of more than 500 residents in such State, or jurisdiction.

16 Notice to HHS Secretary Required immediately if the breach involved 500 or more individuals. These breaches will be posted on the HHS public website including the name of the covered entity. Required immediately if the breach involved 500 or more individuals. These breaches will be posted on the HHS public website including the name of the covered entity. If the breach less than 500 individuals, the covered entity may maintain a log of any such breach occurring. If the breach less than 500 individuals, the covered entity may maintain a log of any such breach occurring. Annually submit such a log to HHS documenting breaches occurrence during the year involved. Annually submit such a log to HHS documenting breaches occurrence during the year involved.

17 Content of Notification Regardless of the method by which notice is provided to individuals under this section, Notice of a breach shall include, to the extent possible, the following: Regardless of the method by which notice is provided to individuals under this section, Notice of a breach shall include, to the extent possible, the following: A brief description of what happened, including the date of the breach and the date of the discovery of the breach. A brief description of what happened, including the date of the breach and the date of the discovery of the breach. Description of unsecured PHI, such as SSN, address, etc. Description of unsecured PHI, such as SSN, address, etc.

18 Content of Notification Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an address, website, or postal address. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an address, website, or postal address. Time consuming, costly, overwhelming. Time consuming, costly, overwhelming. Potential long term damage with customers. Potential long term damage with customers.

19 Content of Notification The steps the individuals should take to protect themselves from potential harm resulting from the breach. The steps the individuals should take to protect themselves from potential harm resulting from the breach. A brief description from covered entity to investigate the breach, to mitigate losses, and to protect against any further breaches. A brief description from covered entity to investigate the breach, to mitigate losses, and to protect against any further breaches.

20 Data Breach Response Provide recovery services for individuals who become victims of identity crime. Provide recovery services for individuals who become victims of identity crime. Restore their medical identities to pre-theft status. Restore their medical identities to pre-theft status. Designate an Individual, or company to manage Customer calls. Designate an Individual, or company to manage Customer calls.

21 Business Impacts Inventory PHI=Risk Assessment Inventory PHI=Risk Assessment 70% of all organizations do not have an accurate inventory of personally identifiable information (PII) in their custody and documented. 70% of all organizations do not have an accurate inventory of personally identifiable information (PII) in their custody and documented. Includes data shared with a Business Associate. Includes data shared with a Business Associate. Price Waterhouse Coopers reports that 44% of data breach incidents are due to third-party handling of data. Price Waterhouse Coopers reports that 44% of data breach incidents are due to third-party handling of data.

22 Breach Impact Small-scale data breaches will now be obligated to notify in each instance, and to keep detailed proof of notification, causing significant effort and cost. Small-scale data breaches will now be obligated to notify in each instance, and to keep detailed proof of notification, causing significant effort and cost.

23 Business Impact Data breaches damage Businesses credibility. Data breaches damage Businesses credibility. Medical and Financial risks to the people whose data is lost. Medical and Financial risks to the people whose data is lost.

24 Questions & Answers Clarification of the Privacy Requirements within the AARA rule in the next 12 months. Clarification of the Privacy Requirements within the AARA rule in the next 12 months. Key strategies assess PHI, including BAA’s. Key strategies assess PHI, including BAA’s. Utilize appropriate Security Standards. Utilize appropriate Security Standards. Staff, computer access, etc. Staff, computer access, etc.


Download ppt "HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009."

Similar presentations


Ads by Google