Key Changes to HIPAA from the Stimulus Bill (ARRA)
Children’s Health System Department Leadership Meeting
October 28, 2009
Kathleen Street, Privacy Officer/Risk Manager
How has HIPAA changed?
ARRA = American Recovery and Reinvestment Act of 2009, or the Stimulus Bill.
Three examples of major changes that impact you:
1. New breach notification rules to patients
2. New, stricter fines and penalties
3. HIPAA rules now apply to Business Associates
Effective September 23, 2009
First Example of Key Change: New Breach Notification Rules to Patients
New Breach Notification Requirements to Patients
Old HIPAA: No breach notification requirements at the federal level, except that a business associate had to notify the covered entity. There was only a requirement to “mitigate harm.”
New HIPAA: Covered Entities (CHS) must notify individuals when their unsecured Protected Health Information has been breached.
New Breach Notification Rules: Method and Notice
Make notification without “unreasonable delay,” and no later than 60 calendar days after discovery.
The individual is notified by mail.
If a business associate discovers a breach, the business associate must notify the covered entity.
If the contact information for the individual is unavailable or outdated, and the breach involved more than 10 people, the covered entity must post a notice on its website or in the media, with a toll-free number for information.
New Breach Rules: Media Notice and Posting to Public Website
For breaches affecting more than 500 individuals, covered entities will be required to notify prominent media outlets and alert the Secretary of HHS. The Secretary of HHS will then post the names of the covered entities on a public website.
Breaches involving fewer than 500 individuals must still be reported to the Secretary of HHS, in the form of a log of breaches that is maintained continuously and reported annually.
How can I prevent a breach?
If Protected Health Information is ENCRYPTED (electronic) or SHREDDED (paper), then its loss is not a breach.
Place Protected Health Information, as appropriate, in the Document Destruction Bins.
If you must place Protected Health Information on a thumb drive or laptop:
Make clear to your staff that they must have the permission of their supervisor (i.e., your permission).
Information Technology must provide authorization, and the device must be encrypted by Information Technology.
Do not place Protected Health Information on a Personal Digital Assistant or cell phone. If your phone has access to CHS e-mail, you must password-protect it.
Note: The Department where the breach occurred will be responsible for the cost of patient notification, credit monitoring, and all other associated costs of breach notification.
If a breach occurs…
What could be a breach? Example: a missing or stolen laptop, or any missing Protected Health Information.
It is your responsibility to report it:
1. Discuss with your supervisor; or
2. Contact the HIPAA Privacy Officer and/or HIPAA Security Officer; and/or
3. Report through the Corporate Compliance Hotline
Second Example of Key Change: New Stricter Fines and Penalties
Civil Fines
Old HIPAA: The general penalty is $100 per HIPAA violation, with a cap of $25,000 for multiple identical violations in the same year.
New Stricter Fines and Penalties: Civil Fines
New HIPAA: The same $100 penalty applies if the entity did not know of the violation and would not have known even with reasonable diligence.
Now a $1,000 penalty if the violation was due to reasonable cause and not willful neglect ($100k cap).
Now a $10,000-$50,000 penalty in cases of “willful neglect” ($250k-$1.5M cap).
New Stricter Fines and Penalties
New HIPAA: Civil and criminal fines are enforced against individuals as well as covered entities.
State Attorneys General can bring civil actions against individuals.
New Stricter Fines and Penalties
New HIPAA: The Secretary of HHS is now required to conduct periodic audits.
Within three years, there will be a mechanism for individuals harmed by a disclosure to share in the civil monetary penalties collected by HHS.
Third Example of Key Change: HIPAA Rules Now Apply to Business Associates
Old HIPAA: A Business Associate’s liability was to the Covered Entity, for breach of the Business Associate contract (“indirect” coverage).
HIPAA Rules Now Apply to Business Associates
New HIPAA: HIPAA rules now apply directly to Business Associates, including penalties.
Finally, key reminders remain the same…
Access patient information only if you have a legitimate need to know for your job.
Audits of access to PHI are performed.
Don’t inappropriately access, use, disclose, take, or post patient information.