HealthBridge is one of the nation’s largest and most successful health information exchange organizations. Tri-State REC: Privacy and Security Issues for Physician Practices Claudia Allen, JD Privacy Officer HealthBridge

ARRA Privacy Provisions American Recovery and Reinvestment Act (“ARRA”) established new rules for electronic health data: Established the Office of the National Coordinator for Health Information Technology (“ONC”) Extended HIPAA Privacy and Security requirements directly to Business Associates (“BA”) Established breach identification and notification requirements Supports education initiatives on the uses of health information Established further restrictions on “sales” of health information Set out new disclosure accounting requirements Increased enforcement initiatives Generally effective February 17,

A Bit of History The Health Insurance Portability and Accountability Act (“HIPAA”) was passed in 1996, but the Privacy and Security Rules did not go into effect until HIPAA does not pre-empt state law if the state law requires a higher standard. Ohio, Kentucky and Indiana follow HIPAA rules. Covered Entities (“CEs”)are subject to rules protecting the privacy of Protected Health Information (“PHI”) 3

A Bit of History (cont.) Covered Entities Providers of health care services Physicians, dentists, chiropractors, psychologists Clinics, Nursing Homes, Pharmacies, Laboratories Health Plans and Clearinghouses PHI is medically related information that is Identifiable to the individual E.g., includes name, address, phone, birth date, social security number Transmitted or maintained by electronic media in any other media 4

Permitted Uses of PHI without patient consent: Treatment Payment Operation of Business Limited uses for research Public health As required by law 5 A Bit of History (cont.)

BAs are required to enter into an agreement with CEs in which they agree to protect PHI Breach by the BA would subject the CE to liability Redress against BA was by breach of contract lawsuit 6 A Bit of History (cont.)

An Overview for Physician Practices

ARRA and HITECH Extends Privacy and Security to Business Associates (“BA”) Business Associates are now directly subject to the Security Rule and privacy/confidentiality requirements Breach by BA results in direct liability for criminal and civil penalties imposed by HIPAA on CEs Four tiers ranging from $100 to $50,000 per violation Individuals harmed may recover part of penalty States Attorney General authorized to bring suit Attorneys fees may be awarded BA required to respond to privacy non-compliance by CE BA Agreements are now required with entities that provide data transmission of PHI on a regular basis such as Health Information Exchanges 8 1. Business Associates

ARRA Requires Breach Notification of Unsecured PHI Breach is defined as unauthorized acquisition, access, use or disclosure of Unsecured PHI (“UPHI”) which compromises the security or privacy of information Unsecured PHI is defined as PHI that is not secured through the use of technology or methodology specified by the Secretary that renders the information unusable, unreadable, or undecipherable to unauthorized persons. Breach does not include: Unintentional acquisition, access or use made in good faith within the course of employment with BA or CE and not further acquired, used, or disclosed by any person made by an individual acting under the authority of the CE or BA of information the disclosure of which could not reasonably be retained 9 2. Breach Notification

Notification upon discovery of Breach CEs must notify each individual whose UPHI is breached BA must notify the CE Time period: without unreasonable delay but no later than 60 calendar days after discovery (first day known or should have been known) – BAA may modify this timeframe Burden on discoverer Written notice by mail unless urgent If more than 9 individuals involved, must post on web Notice to media if over 500 residents in state or jurisdiction affected Immediate notice to Secretary if over 500 affected Breach log required to be sent to Secretary annually 10 Breach Notification (cont.)

Breach Notice contains Description of what happened Description of types of data involved Steps individuals should take to protect themselves What CE is doing to investigate, mitigate losses, and protect from further breaches Contact procedures 11 Breach Notification (cont.)

ARRA Requires Accounting for Disclosures of PHI New rules require CEs to account for all electronic disclosures of PHI including those for Payment, Treatment and Operations Records for the prior 3 years must be available Proposed rule: CEs with EHR technology prior to January 1, 2009 must comply by January 1, 2014 Proposed rule: CEs acquiring EHR technology after January 1, 2009 must comply by January 1, 2013 or if later, when it acquires an EHR Accounting for Disclosure

ARRA Prohibits Sales of PHI No direct or indirect remuneration in exchange for PHI unless covered by a valid authorization. Exceptions: Public Health Research Data where the cost is all that is reimbursed Exchange for health care operations or treatment as permitted by regulation Prohibition on Sale of Data

ARRA allows restrictions on Disclosures Individuals may restrict disclosure to a health plan for payment or operations Individual must have paid out of pocket in full Disclosure Restrictions

Inventory and review all BAAs to determine if they need to be amended. ARRA Security and Privacy provisions are required to be incorporated into the BA Agreements. Review all policies and procedures to incorporate the new obligations of ARRA. Modify training of personnel to include the changes made by ARRA. Enter into BA Agreements with any organizations with which the CE transmits PHI electronically. 15 Practical Guidance

Conduct a risk assessment to determine if office procedures are consistent with protecting PHI:  Doors locked except for business entrances and exits during business hours  Employee access restricted during non-business hours  Patients, families not allowed access to provider offices  Patient sign-up sheets not visible to non-employees  Employees’ visitors not allowed access  Employees are restricted from mentioning patients on social media sites  Remote access to data is limited, inventoried  Portable electronics secured, if not encrypted  Keys, pass codes inventoried  Workstations secured, screens not in view of public  Implement procedures for terminated employees to limit access to PHI  Implement procedures to report suspicious activity  Implement hiring practices that minimize risk, check references and background  Conduct periodic training on privacy and security 16 Practical Guidance

Questions? The Tri-State REC can help!