
The American Recovery and Reinvestment Act of 2009: Changes to HIPAA Privacy and Security Requirements And its Impact on Hospitals Presented By: Michele.

Presentation transcript:

1 The American Recovery and Reinvestment Act of 2009: Changes to HIPAA Privacy and Security Requirements And its Impact on Hospitals
Presented By: Michele Madison
404-504-7621
mmadison@mmmlaw.com

2 Overview
- Impact of HIPAA Changes
- Review of Privacy and Security
- Increased Penalties
- Your Next Operational Steps
- Notification Requirements and Preparation
- Potential Funding Opportunities

3 Patient Rights

4 Enhanced Restrictions on Disclosures
PHI Disclosures (Section 13405(a))
HITECH Act requires CEs to comply with a patient’s request not to use or disclose PHI if the disclosure
– Would be to a health plan for carrying out payment or health care operations (not for treatment); and
– PHI “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.”

5 Minimum Necessary
Limited Data Set and Minimum Necessary
HITECH Act (Section 13405(b)) requires CEs to limit PHI disclosures “to the extent practicable” to the “limited data set” as defined under HIPAA, or, if more information is “needed,” to the minimum necessary “to accomplish the intended purpose of such use, disclosure, or request, respectively.”

6 Minimum Necessary
Secretary guidance on what constitutes “minimum necessary” will be issued in the next 18 months
– All the current exceptions to the existing minimum necessary disclosure standard, including disclosures made for treatment purposes and disclosures required by law, are retained
– This is not applicable to de-identified PHI

7 Accounting to Patients
Accounting for PHI Disclosures (Section 13405(c))
Covered Entities are required by HITECH to account for disclosures of PHI to carry out treatment, payment and health care operations.
Disclosures must be accounted for during the three years prior to the request if an EHR was used

8 Accounting to Patients
New Regulations
- Regulations will be promulgated concerning the information that should be collected about PHI disclosures within 6 months after adoption of the accounting disclosure standards
- Regulations must balance both the privacy concerns of individuals and the accounting administrative burden
- The Act permits CEs to provide a PHI disclosure accounting to the requesting patient for disclosures of the CE AND its BA, or just the CE disclosures and contact information of the BA

9 Accounting to Patients
Effective Date
The accounting requirement effective date depends on when the CE received the EHR
– For EHR received as of January 1, 2009, these accounting rules apply to PHI disclosures starting January 1, 2014
– For EHR received after January 1, 2009, these accounting rules apply to disclosures starting the later of: January 1, 2011, or the actual date of receipt of the EHR
– Secretary can postpone the compliance for current users to 2016 and for future users to 2013, if “necessary”

10 Sale of PHI Prohibitions
- Receiving remuneration in exchange for any PHI of an individual is prohibited without obtaining a specific authorization from the individual (Section 13405(d))
- Additional regulations will be issued within 18 months after February 17, 2009
- Effective for exchanges of PHI occurring 6 months after the date of promulgation of the final regulations

11 Sale of PHI Prohibitions
Seven exceptions to the Sale of PHI Prohibitions. The sale prohibition does not apply to:
1. Public Health activities as defined under HIPAA
2. Research, up to the costs of preparation and transmittal of PHI
3. Treatment of the individual
4. Sale, transfer, merger or consolidation of all or part of the Covered Entity and related due diligence
5. A Business Associate’s duties to a Covered Entity under a business associate agreement
6. Delivering a copy of the individual’s PHI pursuant to HIPAA section 164.524
7. Other PHI exchanges that the Secretary deems similarly “appropriate and necessary” as exceptions in the new regulations

12 Right of Access
Right of Access to PHI in EHR (Section 13405(e))
If a CE “maintains an electronic health record with respect to” the individual, the CE must
– produce a copy of that PHI in electronic format upon request of a patient
– transmit the copy directly to an entity or person designated by the individual
– But only if the patient’s request is “clear, conspicuous, and specific” (45 CFR 164.524 - the Access of Individuals to PHI)
Charges cannot exceed the labor costs in responding to the request

13 Restrictions on Marketing Communications
Restrictions on communications of CE and BA marketing to potential buyers or users (Section 13406)
Any communication that encourages the recipient to purchase or use a product or service is not considered a health care operation unless it is made:
– to describe a product or service (or payment therefor) that is provided by, or included in a plan of benefits of, the Covered Entity making the communication, including communications about: “the entities participating in a health care provider network or health plan network; health plan replacements or enhancements; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits”

14 Restrictions on Marketing Communications
Further exceptions:
– treatment of the individual; or
– case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual

15 Fundraising Restrictions
A written communication for fundraising that is a health care operation under HIPAA section 164.501 must allow, “in a clear and conspicuous manner,”
– the recipient to opt out of receiving any communications
– opting out is to be treated as a revocation of authorization under section 164.508
Restrictions on marketing and fundraising communications will apply after February 17, 2010

16 Business Associates Expanded

17 Business Associate Contracts Required for Certain Entities
More vendors to covered entities or business associates will now be deemed to be business associates:
- each organization that provides data transmission of protected health information and that requires access on a routine basis to such protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization, or E-prescribing Gateway, or
- each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record

18 Application of Privacy Provisions and Penalties to BA
Additional requirements that relate to privacy and security are now applicable to Business Associates
Include provisions in the Business Associate Agreement:
– Administrative Safeguards
– Physical Safeguards
– Technical Safeguards
Civil and Criminal Penalties apply to Business Associates

19 Criminal Penalties
Covered Entities should be aware of the additional Penalties and the Enforcement Activities:
– Enhanced Criminal Penalties
– Willful neglect standard
– Additional funding for Enforcement Activities
– In 3 years, the “individual harmed” may receive a % of the CMP collected from the offense

20 Penalty Tiered Increase
Minimum levels of Penalties based on Intent:
- $100 - $25,000: Person did not know and would not have known
- $1,000 - $100,000: Reasonable cause and not willful neglect
- $10,000 - $250,000: Willful Neglect
- $50,000 - $1,500,000: Willful neglect and not corrected

21 State Attorney General
Permits civil actions on behalf of patients
– May enjoin the actions; and
– Obtain damages not to exceed $25,000 annually
Attorneys’ fees may be recovered by the State

22 Notification

23 Security and Notice Requirements
Unsecured Protected Health Information means (Section 13402(h)) protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under this section
Guidance issued on April 17, 2009
Safe Harbor from Notification if:
1. Use of Encryption
2. Destruction
Comments accepted until May 21, 2009

24 Security and Notice Requirements
Obligation to notify triggers upon discovery of a breach
– Discovery is determined to be the first day on which such breach is known, or should reasonably have been known, to such entity or associate to have occurred
– Knowledge by any person that is an employee, officer or other agent of the entity or associate counts as discovery
Following discovery of a breach of unsecured protected health information, Covered Entity and Business Associate must:
- Covered Entity must notify the individual
- Business Associate must notify the Covered Entity

25 Security and Notice Requirements
Notice to Individual must include:
- Identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach
- Brief description of what happened, including the date of the breach and the date of discovery of the breach
- Description of the types of unsecured protected health information that were involved
- Steps the individual should take to protect themselves from potential harm resulting from the breach
- Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches
- Contact procedures for individuals to ask questions or learn additional information

26 Security and Notice Requirements
Notice to the Secretary by Covered Entities:
- For breaches impacting 500 or more individuals, notify the Secretary immediately
- For breaches impacting fewer than 500 individuals, maintain a log and submit such log to the Secretary annually

27 Security and Notice Requirements
Notice Process
Notice Timing:
- Notice must be made without unreasonable delay and in no case later than 60 calendar days after discovery of a breach
- Delay allowed if a law enforcement official determines that a notification, notice or posting would impede a criminal investigation or cause damage to national security
Methods of Notice:
- Written notification by first class mail to the individual
- Substitute notice process for insufficient or out-of-date contact information
- Media notice for breaches involving 500 individuals or more

28 FUNDING

29 Health Information Technology Implementation Program
Health Information Technology Research Centers
- technical assistance and development of best practices to support utilization of Health IT in compliance with standards, implementation specifications and certification criteria
Health Information Technology Regional Extension Centers
- technical assistance to disseminate best practices learned from the Center to accelerate adoption of Health IT
- affiliated with a United States nonprofit institution or organization that applies

30 Health Information Technology Regional Extension Center
Regional Assistance:
Priority: (1) not for profit/CAH; (2) Federally Qualified Health Centers; (3) Rural and Uninsured or MUSA; (4) individual or small primary care groups
Merit Review: (1) ability to provide assistance to specific types of providers; (2) types of services provided; (3) geographic diversity; (4) in-kind support from other sources
Financial Support:
- Limited to Four Years
- No more than 50% of the capital and annual operating and maintenance funds (unless exception applies)
- Draft Description of Program forthcoming: 90 days

31 State Grants
Planning Grants and Implementation Grants
Goal: Conduct activities to facilitate and expand the electronic movement and use of Health Information according to Nationally recognized standards.
The State must match the funds from the Federal Government

32 State Grants
Elements:
1. Must be a Qualified State Designated Entity
2. Pursued in Public Interest
3. Consistent with Strategic Plan
4. Description of How Program will be performed
5. Contain elements required by DHHS
6. Require Consultation from Specific Healthcare participants

33 Competitive Grants for Loans
Eligible Entity = State or Indian Tribe
Establish a Certified EHR Technology Loan Fund
May be used by a healthcare provider to:
1. Purchase certified EHR;
2. Enhance the utilization of EHR;
3. Train personnel; or
4. Improve secure electronic exchange
Effective January 1, 2010; Matching Required: $1 per $5 of Federal $$

34 Educational Institutions
WHO: DHHS
WHEN: ??
HOW: Grants; cannot be used to purchase hardware, software, or services
TO WHOM: Demonstration Program (Educational Institution)
1. Existing Education Programs
2. Programs to be completed in less than 6 months

35 Medicare Incentives
Incentives for Adoption and Meaningful Use of Certified EHR
- paid to the Eligible Professional (physician)
- Payment depends upon the year of use (i.e. 2011: $18K - $12K - $8K - $4K - $2K)
- Single payment or periodic payments
- No funding if initial adoption is after 2014
- Does not apply to Hospital-Based Professionals

36 Meaningful Use
1. Use of certified EHR including e-prescribing
2. Information Exchange to improve healthcare (care coordination)
3. Use Certified EHR to report on clinical quality measures selected by DHHS
Demonstrate Use: (1) attestation; (2) submit claims; (3) survey; (4) reporting
Meaningful Users will be identified on the CMS website

37 Incentives for Hospitals
- Meaningful Use of Certified EHR
- Information Exchange for improving healthcare (care coordination)
- Reporting on Measures as selected by DHHS
Medicare Dis-Incentive for failure to meaningfully use Certified EHR
Amount is based upon a Hospital Specific Calculation

38 Thank you
Michele Madison
Partner, Healthcare Practice
404.504.7621
mmadison@mmmlaw.com
This presentation is provided as a general informational service to clients and friends of Morris, Manning & Martin LLP. It should not be construed as, and does not constitute, legal advice on any specific matter, nor does this message create an attorney-client relationship. These materials may be considered Attorney Advertising in some states. Please note, prior results discussed in the material do not guarantee similar outcomes.

