
From HIPAA to HITECH OMH Briefing.


1 From HIPAA to HITECH OMH Briefing

2 Overview
- Part 1: HIPAA Review
- Part 2: HITECH Highlights
- Part 3: HITECH Breach Notification Requirements

3 PART ONE: Review of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted by the U.S. Congress and is also known as the Kennedy-Kassebaum Act. It was originally enacted in order to protect health insurance coverage for workers and their families when they change or lose their jobs. The Administrative Simplification (AS) provisions of HIPAA required the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.

4 Background
- OMH is a covered entity required to comply with the requirements of the HIPAA Privacy and Security Rules.
- February 17, 2010: additional federal requirements are now enforceable against covered entities as a result of the HITECH Act (Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009).
- Compliance with the Privacy regulations came in 2003 and compliance with the Security regulations in 2006.

5 HIPAA Review: Privacy Rule
- Development of policy for use and disclosure of PHI/clinical information and to assure individual rights
- Implementation of appropriate safeguards for protecting PHI/clinical information
- Workforce training
PHI (Protected Health Information): individually identifiable information related to the past, present or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present or future payment for health care provided to an individual. Under HIPAA, information related to treatment, payment and health care operations can be released without authorization. BUT, as we all know, Mental Hygiene Law (MHL) is more stringent: one section specifically deals with the release of information other than to the patient, and another deals with providing the patient/personal representative with their medical record.
Safeguards protecting PHI/clinical information: because OMH is governed by Mental Hygiene Law, many of our safeguards were already in place.
Workforce training: those of you who were with OMH back in 2003 received HIPAA training. HIPAA training occurs for all new hires and annually in relation to security of information. HIM also provides on-the-spot training for individuals, as well as the occasional facility-wide training.

6 HIPAA Review: Privacy Rule
Each covered entity must:
- Issue privacy notices
- Have a privacy officer and privacy liaisons at each facility
- Use business associate agreements
Privacy notices are given to all patients upon admission (both inpatient and outpatient). An acknowledgement statement is signed by the patient and/or personal representative acknowledging receipt of the notice. There is no requirement to send an annual notice.
The OMH Privacy Officer is Julie Rodak, who is an attorney at OMH. The Privacy Liaison for St. Lawrence is Mari Pirie-St. Pierre. If Mari is not available, Leslie Mills serves as back-up.
Business Associate Agreements (BAAs) are coordinated by Fran DeFazio and Terri Dishaw out of the business office. A business associate (BA) is a person who is NOT a member of the workforce, but who performs, or assists in the performance of, a function or activity involving the use or disclosure of individually identifiable health information. This could include: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the services involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

7 HIPAA Review: Privacy Rule
A covered entity can only use or disclose PHI:
- For treatment, payment, or health care operations
- As specifically authorized by the patient in writing
- If HIPAA provides another exception
Note the various ways to disclose information:
- Written (faxed, snail mail, e-mail)
- Verbal
All disclosures of information should be documented in the record:
- Who disclosed
- What was disclosed
- When it was disclosed

8 HIPAA Review: Privacy Rule
- No consent required for uses and disclosures of PHI for treatment*, payment and health care operations (*Note that Mental Hygiene Law is more stringent: no consent is needed if the provider has a "nexus/link" with OMH, through licensure, local agreement, or services plan)
- With some exceptions, the individual's written authorization is required for all other disclosures: use the OMH authorization form (OMH-11)
Exceptions under HIPAA where NO consent is required:
- Health oversight activities (audits; civil, administrative and criminal investigations and proceedings; inspections; licensure and disciplinary actions)
- Public health activities
- Required by law (applications for firearms/explosives)
- Incident reporting
- Subpoena
- Law enforcement
- Serious threat to health and safety
If an OMH-11 is not used, we must at least have the following included on the authorization:
- Specific description of the information to be used/disclosed;
- Name of the person/authorized party to make the use/disclosure;
- Name/identity of the person/party to whom the requested use/disclosure may be made;
- Purpose of the use/disclosure;
- Expiration date, condition or event that relates to the individual or the purpose of the use/disclosure;
- Statement of the individual's right to revoke the authorization in writing;
- Statement that treatment, payment or eligibility for benefits cannot be conditioned on whether or not the person provides the authorization;
- Statement that the authorization will expire after 90 days unless the patient has opted for a shorter or longer term;
- Original authorization/consent.

9 HIPAA Review: Privacy Rule
- Clinical information protected under Mental Hygiene Law §33.13 is Protected Health Information (PHI) under HIPAA
- The state or federal rule providing greater confidentiality, or greater access to information for the individual, will prevail (preemption)

10 Patient Authorization Needed:
- Agencies/individuals involved in discharge planning/follow-up services
- Attorney
- Physicians/providers of health/mental health care, unless there is a nexus/link with NYS OMH

11 Patient Authorization Needed (cont.):
- Children Protective Agency
- Department of Social Services
- Family
- Probation Department
- VESID
- Media
Families: being unable to obtain authorization to disclose does not mean they are barred from participating in the treatment planning of the patient. Unless plainly contraindicated, it is OMH policy not only to allow but to encourage family involvement, when done in such a manner as to not compromise or reveal material that should be kept between therapist and patient.

12 HIPAA Review: Privacy Rule
Minimum Necessary Rule
- Limit uses and disclosures of PHI to the amount necessary to fulfill the purpose of the disclosure (or perform job functions)
- Exceptions: provider use for treatment purposes, disclosures to individuals, and disclosures required by law
Under the minimum necessary rule, we allow the clinician to determine the right amount of information to release, unless we have an authorization signed by the patient and the patient and the agency are specifically requesting the entire medical record. Generally we release the discharge summary, as this encompasses the reason for admission, course of treatment, condition on discharge, as well as medication and diagnoses.

13 PHI Identifiers
- Names
- All elements of dates (except year) for dates directly related to an individual
- Phone numbers
- Social security numbers
- Medical record numbers

14 PHI Identifiers
- Health plan beneficiary numbers
- Account numbers
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code

15 HIPAA Review: Security Rule
Requires safeguards to protect Electronic PHI (EPHI):
- C: Confidentiality of EPHI
- I: Integrity of EPHI
- A: Accessibility of EPHI

16 HIPAA Review: Security Rule
Physical safeguards
- Device and Media Controls
- Facility Access Controls
- Workstation Security
- Workstation Use
Technical safeguards
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
Administrative safeguards
- Security Awareness and Training
- Information Access Management
- Contingency Plan
- Business Associate Contracts and Arrangements
Workstation Security: when you walk away from your computer, press the Windows + L keys on your keyboard. The Windows key is the one located in the lower left-hand corner of your keyboard between the Ctrl and Alt keys.
Passwords: at least 8 characters.
Also wanted to mention the use of PHI in e-mail. In keeping with OMH security rules, PHI is NOT allowed in the subject or first line of an e-mail. Also, with regard to e-mail, we are NOT allowed to e-mail PHI outside of the OMH network. It should be noted that MHLS is NOT part of the OMH network. If you use your home computer/device to monitor your e-mail, NO PHI should be left on the screen or saved to your home computer. PHI should NOT be viewed with others in the household present.

17 PART TWO: HITECH Highlights

18 HITECH (2009)
- Amends HIPAA; now includes breach reporting and notification requirements
- Significantly increases civil and criminal penalties for violations
- Enhances state and federal enforcement and oversight activities
- HIPAA provisions are now directly applicable to business associates
Prior to this, business associates did not have to follow HIPAA. The law now requires them to follow all the regulations that covered entities follow.

19 Business Associates
- Must comply with all safeguards under the HIPAA Security Rule for EPHI
- Required to document policies and procedures for safeguarding PHI
- Must report security breaches
- Must fix/report any known pattern of activity or practice by a covered entity that breaches or terminates the BAA
- Now directly liable for civil and criminal penalties

20 Business Associates
- Revised OMH Business Associate Agreement in accordance with HITECH changes
- Business associates: BOCES staff, IT vendors, consultants (PT, OT)
SLPC is in the process of having all BAAs updated. Fran can give an update on that.

21 Additional HITECH Changes
Mandated audits to ensure compliance. Audits performed by:
- HIM
- IT
- CIT
An example of an HIM audit would be if we had an incident occur (high profile); a relative of an employee; or an employee or family member receiving services. The records in MHARS would be reviewed to ascertain who is accessing the information. If a breach is noted, a risk assessment is completed.

22 Additional HITECH Changes
- OMH continues to follow Mental Hygiene and confidentiality rules
- Allows individuals to have broader rights of access to their records

23 Additional HITECH Changes
- Mental Hygiene Law "need to know" is similar to the HIPAA "minimum necessary standard"
- Access and disclosure of PHI: only what is required to provide care/treatment or in order to perform a job duty
As an agency we need to be careful with what we discuss amongst ourselves as staff, and where those discussions occur. Examples:
- If we are in a meeting with clinical and support staff, and support staff do NOT have a need to know regarding specific patient information, this should NOT be discussed.
- If we need to speak with a patient about delicate treatment information, we should make all attempts to do this away from other patients, especially if that information is related to HIV/AIDS.
- We should NOT be discussing patient information in the hallways.
- We should NOT be discussing patient care and treatment outside of the hospital (for example, at home).

24 Patient Rights
- Now have the right to request an accounting of disclosures (EHR): made for treatment, payment, health care operations, and those authorized by the patient
- Can go back as far as 3 years
It should be noted that this right to an accounting of disclosures is outside the traditional accounting that HIPAA provides. We now must account for whomever (including hospital employees) had access to the patient's information. As of yet, we have not had any requests related to this. All requests should go to the HIM Director, who will work with local IT and CO CIT to coordinate this disclosure effort.

25 Patient Rights
Individuals may file privacy complaints with:
- Designated OMH contact persons
- Facility Director
- QM
- HIM
- HHS OCR
All privacy complaints can be sent to the HIM Director, who will coordinate with other facility staff as necessary.

26 Patient Rights
A covered entity (CE) MUST comply with an individual's request to restrict use or disclosure for payment or health care operations purposes when the PHI pertains to a service paid in full and out of pocket by the individual. If a patient does not want their information disclosed for health care purposes, we must comply with those requests.

27 Additional HITECH Changes
- Individuals have the right to access their PHI in electronic format, if requested
- Limits use of PHI for marketing purposes
- Prohibition on sale of PHI; HHS regulations to be promulgated
If patients request their PHI in electronic format, efforts to honor these requests will be coordinated by HIM/IT/CIT staff.

28 Safeguards to Protect PHI
- Follow the "minimum necessary rule": except for treatment purposes, use and disclosure of PHI is limited to the amount necessary to perform job functions
- Use file covers, locked filing cabinets and locked record rooms
- Avoid conversations identifying individuals in public places
- Avoid posting PHI where it can be seen by unauthorized individuals

29 Safeguards to Protect PHI
- Don't leave the worksite with unsecured PHI
- Use, but don't share, computer passwords
- Follow computer security policies for desktops, laptops, disks and other media
- DO NOT e-mail confidential clinical information or PHI over the internet
- Keep track of paper files and electronic devices which contain PHI
Patient records should NOT remain in staff offices. They should be returned to assigned filing areas. Keeping track of files: all files should be signed out to the person who will be responsible for them.

30 Safeguards to Protect PHI
- When faxing or phoning PHI, know or verify the receiving party and the contact numbers
- Be mindful when disposing of PHI: shred, don't toss, and use secure waste systems, not regular trash receptacles
- When storing PHI, choose the most secure, accessible media: encryptable portable devices, hard drives, OMH system drives
- Avoid storing PHI on personally owned devices and home computers

31 Safeguards to Protect PHI
- Remove PHI from electronic files and storage devices when no longer needed
- When changing job functions or leaving OMH, discuss with your supervisor the secured return or destruction of PHI
- Report suspected violations of HIPAA privacy or security requirements to your supervisor
- Immediately report any suspected instance of lost or stolen paper or electronic files containing PHI to your supervisor

32 PART THREE: HITECH Breach Notification Requirements

33 What is a Breach?
HITECH defines "breach" as: unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI.

34 Notification of Breach
- OMH and business associates are required to notify individuals when there is a breach of unsecured PHI
- Previously this was not a HIPAA requirement
- If more than 500 residents of a state are involved, media outlets MUST be notified

35 What is "Unsecured PHI"?
Protected Health Information (PHI) that is NOT:
- Encrypted
- Destroyed prior to disposal
- Unreadable, unusable or indecipherable
Includes both hard copy and electronic information.

36 How Can a Breach Occur?
It may include:
- Loss of an information device or media that contains PHI (smartphone, flash drive, laptop, CD, etc.)
- Unauthorized access, use, or disclosure of information included in clinical records
It should be noted that unauthorized access could be a staff person viewing a patient file when they are not involved in the care or treatment of that individual. An example of unauthorized access: if you previously provided treatment to a patient who, say, expired, and you wanted to see what happened, that is an unauthorized access. An example of an unauthorized disclosure of information: if you discuss PHI and/or treatment information without the patient/personal representative's authorization to do so.

37 How Can a Breach Occur?
- Sending PHI to an incorrect address or fax number
- Posting PHI on an unsecured website
- Unauthorized access from an application, database, or another individual's private account
- Sending PHI in e-mail outside of the OMH network
It is well worth stressing again: MHLS is NOT within the OMH network. The Attorney General's office is, though.

38 Notification of Breach
Internal procedure when a breach is suspected:
- Report breach to HIM Director
- Risk assessment completed (HIM, IT)
- Determination made
- Information reported to Central Office
The HITECH breach notification rule has been in effect since September 23. Currently, OMH breaches are reported via the agency's internally developed Information Security Event Response (ISER) reporting facility. The ISER system predates HITECH and, as such, does not enforce inclusion of certain detailed information that is important for compliance with some key HITECH breach notification requirements.

39 Risk Assessment
Factors considered:
- What type of PHI was disclosed?
- What amount of PHI was disclosed as a result of the incident?
- Who used or had unauthorized access to the disclosed information?
- Was it a disclosure to another entity?
Determine whether PHI security and privacy has been compromised and if there is a significant risk of harm to the individual, from the perspective of their financial situation, reputation or other considerations.

40 Risk Assessment
Method of disclosure:
- Verbal
- Paper
- Electronic
Recipient of information:
- Internal workforce
- Agency
- Business associate

41 Risk Assessment
Circumstances of release:
- Unintentional use/access
- Intentional disclosure without authorization
- Theft
- Loss
- Hack

42 Risk Assessment
- Was the PHI from the unauthorized disclosure returned before it could be accessed and used?
- What immediate steps were taken to mitigate the risks associated with the unauthorized use or disclosure?
  - Information returned complete?
  - Information properly destroyed (attested to)?
  - Information properly destroyed (unattested)?
  - Sent to media?
  - Unable to retrieve?
  - Unsure of disposition?

43 Who Must Be Notified When a Breach Is Discovered?
- Affected individuals: no later than 60 days after discovery
- Media: if the breach affects more than 500 residents of a state or jurisdiction
- Secretary of HHS (breaches of PHI): by filling out an electronic breach report form
- Covered entity: if the breach of PHI occurs at/by a business associate

44 Risks
Impact categories: Financial, Reputational, Other Harm. Risk levels: Low, Medium, High.
LOWEST RISK (impacts financial, reputational, or other harm):
- Limited data set
- Only identifiers are breached: name, address, city, state, telephone number, fax number, e-mail address, date of death
MEDIUM RISK (impacts financial, reputational, or other harm):
- Non-sensitive protected health information, which may include information about commonly prescribed physical health-related medications (e.g., Tylenol, antibiotics, cholesterol medication), participation in wellness programs, etc. (Even so, evaluate closely the possibility that the breach of such information causes harm to the person(s) impacted by the breach: the information breached may not be considered sensitive health information, but looking at the circumstances, it could still cause harm to the patient.)
HIGHEST RISK (impacts financial, reputational, or other harm):
- Impacts reputational or other harm: sensitive protected health information, which may include information about diagnoses such as mental health, HIV, alcohol/substance abuse, or mental retardation or developmental disabilities.
- Impacts financial harm: information defined by the NYS Internet Security and Privacy Act (NYS Technology Law §208), which includes personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or is encrypted with an encryption key that has also been acquired: (1) social security number; (2) driver's license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account.

45 Breach Notification
OMH will provide written notice:
- By first class mail to each individual involved
- By hand delivery

46 Breach Notification
Notifications to individuals must include:
- Brief description of the incident
- Description of the types of unsecured PHI
- Steps that should be taken by the individual to protect themselves from harm
- Brief description of the actions taken by OMH
- Contact information to ask questions or gather additional information

47 Documentation
- OMH must create a log of all notifications of breaches involving fewer than 500 individuals
- Submit the log within 60 days of the end of each calendar year
- The log and all other documentation will be maintained for 6 years

48 Enforcing HITECH
- HITECH significantly increases civil and criminal penalties for violating HIPAA
- Civil penalties are tiered and can range from $100 per violation to $1.5 million per year
- Criminal fines up to $50,000 and/or imprisonment

49 Next Steps: Workforce Training, Manual Updates
Current employees:
- Review 2010 Information Security Mandated Training from the Bureau of Education and Workforce Development
Future employees:
- HIPAA videos and all mandated HIPAA Privacy and Security materials
Manual updates

50 Next Steps: Posting of Information
- Brochures
- FAQs on intranet
- Posters around buildings
- HIM attendance at department/discipline meetings
- Continued staff awareness

51 Q & A
Remember... Information Privacy and Security is everyone's responsibility.

