CONFIDENTIALITY – REALITY AND MYTHS COUNTRY VILLA HEALTH INFORMATION/ RECORD DEPARTMENT ROLE JULY 16, 2012 Rhonda L. Anderson, RHIA President, AHIS, Inc.

HITECH and HIPAA. Presented by Rhonda Anderson, RHIA, Anderson Health Information Systems, Inc., 940 W. 17th Street, Suite B, Santa Ana, CA. Telephone

HIPAA IS BROADER NOW!!
HIPAA: Health Insurance Portability and Accountability Act. Guidance for privacy and security of protected health information (45 CFR). Effective date 2003.
SB 541: California legislation that enforces reporting requirements for unlawful or unauthorized access, use or disclosure of a patient's medical information. Reporting requirement: within 5 days of discovery. Effective date 2009.
HITECH Act: part of the American Recovery and Reinvestment Act of 2009. Applies the HIPAA privacy and security rules, and their penalties, directly to HIPAA business associates. Creates a new breach reporting requirement for HIPAA covered entities (CEs) and business associates (BAs). Effective date February 2009.

HITECH & HIPAA: access and breaches under HITECH, HIPAA and SB 541.

AGENDA
1. What is today's confidentiality?
2. Disclosure of health information
3. Breach reporting
4. OCR reviews; SB 541 (California)
5. Penalties

HITECH VOCABULARY. Breach: the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information.

HITECH VOCABULARY -2. Unsecured PHI: PHI that is not secured through the use of a technology or methodology that renders PHI "unusable, unreadable, or indecipherable to unauthorized individuals."

HITECH VOCABULARY -3. Acceptable methodologies: encryption as specified in the HIPAA Security Rule (for electronic PHI); shredding or destruction of non-electronic PHI. Practical caveat: encryption only takes PHI out of the "unsecured" category if the decryption key was not compromised along with the data. A stolen laptop whose password is on a sticky note in the same bag is still a breach of unsecured PHI.

HITECH REPORTING REQUIREMENTS. Notification to each individual whose unsecured PHI has been, or is reasonably believed by the CE to have been, accessed, acquired or disclosed as a result of the breach, without unreasonable delay and no later than 60 days after discovery of the breach by the CE or BA.

HITECH REPORTING REQUIREMENTS -2. Notice must be made by first-class mail, or by e-mail if the individual has agreed to electronic notice. If contact information is insufficient or out of date for 10 or more affected individuals, substitute notice is required: a conspicuous web site posting or notice in major print or broadcast media.

HITECH REPORTING REQUIREMENTS -3. If more than 500 individuals who are residents of the same state or jurisdiction are affected, the entity must provide immediate notice to HHS and notice to prominent media serving that state.

HITECH REPORTING REQUIREMENTS -4. Business associates must adhere to the same reporting timeline but are not required to give notice to the individuals; instead they notify the covered entity of the breach and identify each affected individual. The covered entity is then responsible for notifying each affected individual.

HITECH REPORTING REQUIREMENTS -5. The clock starts for the CE when the BA reports the breach. Covered entities and business associates are required to keep a log of breaches and submit it to HHS within 60 days after the end of the calendar year, unless immediate notification is required, as in the case of more than 500 affected individuals.

BA AGREEMENTS. Covered entities must update all business associate agreements and ensure that they include the HITECH requirements.

BA AGREEMENTS -2. Who is a business associate in this situation? Vendors such as the computer company, HealthMedX, and the rehab contractor's computer system (if the rehab contractor is using a computerized system). Who is responsible, and where is the information stored? Does the facility hold a complete copy of everything that affects its records?

HITECH REPORTING REQUIREMENTS -6. Documentation should also be maintained for suspected breaches that, after investigation, are deemed not to constitute a breach under the HITECH requirements.

HITECH REPORTING REQUIREMENTS -7. The notice to individuals must contain: a description of what happened and the unsecured PHI involved; steps individuals can take to protect themselves; a description of the covered entity's efforts to investigate, mitigate and prevent further breaches; and contact information.
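The reporting slides above describe a decision procedure: whether the PHI was secured, who discovered the breach, how many people are affected, and whether the facility is in California all change the set of notices and the deadlines. The following Python is an added worked example, not code from the presentation or from AHIS; it encodes the thresholds as the slides summarize them (60 days, more than 500 individuals, 5 days under SB 541, the CE clock starting when the BA reports). The substitute-notice trigger is modelled as 10 or more individuals with insufficient contact information, the HHS rule's wording. The `Breach` fields, the constants and the scenario are assumptions constructed for the example; nothing here is legal advice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds and deadlines as summarized on the slides; assumptions for this example.
HITECH_NOTICE_DAYS = 60            # individual notice no later than 60 days after discovery
SUBSTITUTE_NOTICE_MIN = 10         # 10+ individuals with insufficient contact info -> substitute notice
HHS_IMMEDIATE_THRESHOLD = 500      # more than 500 -> immediate HHS notice and media notice
ANNUAL_LOG_DAYS = 60               # smaller breaches: log submitted within 60 days after year end
SB541_REPORT_DAYS = 5              # California SB 541: report within 5 days of discovery


@dataclass
class Breach:
    discovered: date                 # date the incident was discovered (by the CE, or by the BA)
    affected: int                    # number of individuals whose PHI was involved
    encrypted: bool                  # PHI encrypted per the Security Rule and the key not compromised
    california: bool = False         # facility subject to SB 541
    insufficient_contact: int = 0    # individuals with insufficient or out-of-date contact information
    discovered_by_ba: bool = False
    ba_reported_to_ce: Optional[date] = None


@dataclass
class Obligations:
    hitech_breach: bool              # False when the PHI was secured (not "unsecured PHI")
    actions: List[str] = field(default_factory=list)
    deadlines: Dict[str, date] = field(default_factory=dict)


def ce_clock_start(b: Breach) -> date:
    """The CE's 60-day clock starts at its own discovery, or when the BA reports to it."""
    if b.discovered_by_ba:
        if b.ba_reported_to_ce is None:
            raise ValueError("a BA-discovered breach needs the date the BA reported it to the CE")
        return b.ba_reported_to_ce
    return b.discovered


def determine_obligations(b: Breach) -> Obligations:
    out = Obligations(hitech_breach=not b.encrypted)

    # SB 541 is keyed to discovery and has no encryption safe harbor.
    if b.california:
        out.actions.append("Report to the California Department of Public Health under SB 541")
        out.deadlines["sb541_report"] = b.discovered + timedelta(days=SB541_REPORT_DAYS)

    if b.encrypted:
        # Secured PHI is outside the HITECH notification requirement; keep the
        # investigation record anyway (document suspected breaches that are not breaches).
        out.actions.append("Document the investigation and the determination that the PHI was secured")
        return out

    start = ce_clock_start(b)
    if b.discovered_by_ba:
        out.actions.append("BA notifies the CE and identifies each affected individual")
    out.actions.append("CE notifies each affected individual by first-class mail "
                       "(or e-mail where the individual agreed to electronic notice)")
    out.deadlines["individual_notice"] = start + timedelta(days=HITECH_NOTICE_DAYS)

    if b.insufficient_contact >= SUBSTITUTE_NOTICE_MIN:
        out.actions.append("Substitute notice: conspicuous web site posting or major print/broadcast media")

    if b.affected > HHS_IMMEDIATE_THRESHOLD:
        out.actions.append("Immediate notice to HHS and notice to prominent media serving the state")
        out.deadlines["hhs_notice"] = start
    else:
        out.actions.append("Record in the breach log; submit the log to HHS after year end")
        year_end = date(start.year, 12, 31)
        out.deadlines["hhs_log"] = year_end + timedelta(days=ANNUAL_LOG_DAYS)
    return out


if __name__ == "__main__":
    # Constructed scenario: a rehab contractor (BA) loses an unencrypted laptop.
    example = Breach(discovered=date(2012, 7, 16), affected=600, encrypted=False, california=True,
                     insufficient_contact=12, discovered_by_ba=True, ba_reported_to_ce=date(2012, 7, 20))
    result = determine_obligations(example)
    for action in result.actions:
        print("-", action)
    for name, due in sorted(result.deadlines.items()):
        print(f"{name}: {due.isoformat()}")
```

Note the two clocks in the scenario: the HITECH individual-notice deadline runs from the day the BA reported (20 July), while the SB 541 deadline runs from the day the laptop was discovered missing (16 July), so the state report is due before the facility has finished identifying the affected residents.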

HIPAA CIVIL PENALTIES UNDER NEW HITECH PROVISIONS, EFFECTIVE 11/30/09
Violation category: each violation / all such violations of an identical provision in a calendar year
- Did not know: $100 to $50,000 / $1,500,000
- Reasonable cause: $1,000 to $50,000 / $1,500,000
- Willful neglect, corrected within 30 days: $10,000 to $50,000 / $1,500,000
- Willful neglect, not corrected: $50,000 / $1,500,000

RISKS. With unsecured PHI, does the facility have any risk?

RISK ANALYSIS AND IMPLEMENTATION. Analyze the possible areas of risk: your disclosure of information, and your risk of electronic breaches.

YOUR LATEST ISSUES FOR DISCLOSURE OF PHI (PROTECTED HEALTH INFORMATION). List your main issues!!

REQUESTS FOR PHI. In the middle of HIPAA and HITECH there are requests for information from other providers, insurance carriers, Medicare, Medi-Cal, Palmetto, and RAC audits. Safeguard: the response depends on the type of request and how it was requested. List your most challenging requests. What about the Dept. of Public Health?

TRADITIONAL CONFIDENTIALITY. All information, automated and manual, is confidential and protected and must be secured against loss, destruction and unauthorized access. Facility and corporate data are confidential if they include PHI. Who is authorized to release information?

REQUESTS FOR INFORMATION. What are the steps? What will you do?

LIST THEM
- Check the request as to who has legal access
- Be clear as to what is requested
- Check to see if you have the information
- Log the request
- Provide input as to when the information will be available (we will discuss that later)

REQUESTS FOR INFORMATION: CALIFORNIA LAW. The Legislature expressed its intent to permit access to medical information by people who are responsible for the health care of others. "Patient representative": parent, guardian of a minor, guardian/conservator of an adult, beneficiary or personal representative of a deceased resident.

REQUESTS FOR INFORMATION -2. Protection and Advocacy has access to state agency files (the CMS Form 2567 statement of deficiencies, for instance, although resident names are not included). Ombudsmen have access on the resident's request or authority.

VALID AUTHORIZATION
- Written or typewritten by the person
- Signed by the resident, legal representative, resident-identified representative or conservator
- Specific end date of the authorization
- Copy of the authorization kept by the individual
- Description of the information to be used or disclosed

VALID AUTHORIZATION -2. Right to revoke. Cannot condition services or benefits on signing the authorization. Statement regarding re-disclosure: the information may be re-disclosed by the recipient (this has effects beyond us, and how it is worded is an attorney decision). California law brings other concerns...

VALID AUTHORIZATION -3: CALIFORNIA LAW
- Handwritten or typed
- Only one purpose: authorization to release information
- Signed and dated by the resident, the resident's legal representative, or the beneficiary or personal representative of a deceased resident
- States the limitations, who may disclose, who can receive, the end date, the right to a copy, the right to revoke, no conditioning of services, and a re-disclosure statement

ACCOUNTING OF DISCLOSURES. Under HITECH, covered entities and business associates are required to maintain an accounting of disclosures made through an EHR, including disclosures made for treatment, payment and health care operations. This may mean tracking disclosures that HIPAA never required you to log. The accounting for EHR disclosures is limited to 3 years of disclosure information rather than the current 6-year requirement under HIPAA. (The HHS rule implementing this HITECH provision was proposed in 2011 and had not been finalized at the time of this presentation.)

CV: ACCOUNTING OF DISCLOSURES. A checklist for yourself:
- How many requests have you had?
- Have you kept a record of residents' own requests (or those of family members with authority)?
- Do you have a record of the copies of DPH records taken?
- Is this required by HIPAA/HITECH?
WHAT ARE YOUR QUESTIONS?

TRACKING OF DISCLOSURES. Document the request received and the action taken. Note that different requests have different response times: 48-hour response; 5 days to respond (California Medical Information Act); subpoenas have other time frames (an extension can be requested).

TRACKING OF DISCLOSURES -2. Log all disclosures except those for treatment, payment and operations. Do we know what that means for you? Can the resident or responsible party ask for the disclosure log? What would you do? Let's list the steps.

TRACKING OF DISCLOSURES -3. An accounting of disclosures must be provided within 60 days of the request; one 30-day extension is permitted if the resident or responsible party is told in writing why and when. Check who really has access to the accounting; what would you do to determine this? Are there exceptions? Yes: a survey agency or law enforcement can ask that its disclosures be left out of the accounting for a time.

HIPAA VS HITECH: 6-YEAR ACCOUNTING OF DISCLOSURES. The HIPAA requirement for a six-year accounting of disclosures still applies to non-EHR disclosures. Under HITECH the accounting for electronic record requests covers 3 years.
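The tracking and accounting slides above (log everything, exclude treatment/payment/operations for paper disclosures, include them for EHR disclosures, 6-year versus 3-year lookback, 60 days to respond with one 30-day extension, survey/law enforcement exceptions) fit in one small data structure. The Python below is an added example written for this page, not the facility's or AHIS's software; the `Disclosure` fields, the purpose strings and the sample entries are constructed assumptions, and the lookback rules follow the slides' summary rather than the regulation text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Rules as summarized on the slides (assumptions for this example, not legal advice).
TPO_PURPOSES = {"treatment", "payment", "operations"}
NON_EHR_LOOKBACK_YEARS = 6       # HIPAA: six-year accounting, TPO excluded
EHR_LOOKBACK_YEARS = 3           # HITECH: three years for EHR disclosures, TPO included
RESPONSE_DAYS = 60               # accounting due within 60 days of the request
EXTENSION_DAYS = 30              # one 30-day extension, with written notice to the requester


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str
    purpose: str                      # "treatment", "payment", "operations", "subpoena", "survey", ...
    description: str                  # what was disclosed
    from_ehr: bool                    # disclosed out of the electronic health record?
    withheld_at_agency_request: bool = False   # survey agency / law enforcement temporary suspension


def years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:                # 29 February with a non-leap target year
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    """Per-resident log of disclosures; every release of PHI is recorded here, TPO or not."""

    def __init__(self) -> None:
        self._entries: List[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        self._entries.append(d)

    def accounting(self, request_date: date) -> List[Disclosure]:
        """Entries the resident is entitled to see in an accounting requested on request_date."""
        ehr_cutoff = years_before(request_date, EHR_LOOKBACK_YEARS)
        paper_cutoff = years_before(request_date, NON_EHR_LOOKBACK_YEARS)
        out = []
        for d in self._entries:
            if d.when > request_date or d.withheld_at_agency_request:
                continue
            if d.from_ehr:
                include = d.when >= ehr_cutoff                       # TPO included for EHR
            else:
                include = d.purpose not in TPO_PURPOSES and d.when >= paper_cutoff
            if include:
                out.append(d)
        return sorted(out, key=lambda d: d.when)

    @staticmethod
    def response_due(request_date: date, extended: bool = False) -> date:
        days = RESPONSE_DAYS + (EXTENSION_DAYS if extended else 0)
        return request_date + timedelta(days=days)


def sample_log() -> DisclosureLog:
    """Constructed sample entries for one resident (not real data)."""
    log = DisclosureLog()
    log.record(Disclosure(date(2012, 1, 10), "Dr. Lee (attending)", "treatment", "progress notes", True))
    log.record(Disclosure(date(2008, 5, 1), "Plaintiff's counsel", "subpoena", "full chart", False))
    log.record(Disclosure(date(2005, 3, 3), "Plaintiff's counsel", "subpoena", "full chart", False))
    log.record(Disclosure(date(2010, 2, 2), "Medicare FI", "payment", "MDS and billing", False))
    log.record(Disclosure(date(2008, 9, 9), "Hospital ED", "treatment", "MAR", True))
    log.record(Disclosure(date(2012, 3, 3), "DPH surveyor", "survey", "incident file", False, True))
    return log


if __name__ == "__main__":
    request = date(2012, 7, 16)
    log = sample_log()
    print("due:", DisclosureLog.response_due(request),
          "with extension:", DisclosureLog.response_due(request, True))
    for d in log.accounting(request):
        print(d.when, d.recipient, d.purpose, d.description)
```

The log keeps every disclosure, including TPO ones, and applies the exclusions only when an accounting is produced: that way the same record serves a HIPAA accounting, a HITECH EHR accounting, and the facility's own tracking of response times.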

BROAD REQUESTS. Requests from residents. Subpoenas (what you should know, and to whom do you report subpoenas?). Surveyor requests. Watch out for RAC and other requestors!! Importance of legal authority: what to do?

ATTORNEY REQUESTS: what you should know! An attorney can present an authorization or a subpoena. Follow CV policies and procedures on notifying the Administrator and the CV attorney, who will handle it or provide direction.

SUBPOENA. The notice must state that the resident has been notified of the subpoena and of the right to object to disclosure before the court or tribunal, and must be accompanied by a copy of the notice or a statement of the notice. These are usually served together now. The facility can respond; of course it is Corporate who will deal with this, and the facility will make the records available.

WHAT CAN YOU CHARGE, AND WHAT IS THE TIME TO RESPOND? California Evidence Code 1158 and 1563(b): attorneys and subpoenas. HIPAA allowance: 45 CFR Part 164. Health and Safety Code (b): California Medical Information Act, same as (b).

SEE HANDOUT #1: http://healthconsumer.org/cs028MedicalRecords.pdf (a good link for resources).

NO SAFE HARBOR. SB 541 has no equivalent of the HITECH encryption safe harbor: California covered entities are still required to report unlawful or unauthorized access, use or disclosure of a patient's medical information within 5 days to comply with SB 541, which has been in effect since January 2009.

PENALTIES. SB 541, failure to report within 5 days: $100 per day for each day that the unlawful or unauthorized access, use or disclosure is not reported, up to a maximum of $250,

ELECTRONIC STATE HEALTH RECORD SURVEY PROCEDURES. Survey guidelines are in two documents (CMS and the Department of Public Health). It is not the surveyor's role to check on privacy and security or on Medical Information Act compliance, but under Title 22 (protection of health records and meeting professional standards for records management) the surveyor looks at indicators of how the facility maintains the privacy of resident records, without focusing on the details of HIPAA or CMIA compliance.

DPH AREAS OF ATTENTION. How the workforce deals with the EHR: questions to, and answers from, workforce members may be a focus. Evaluation of terminals and screen access: do terminals log off automatically? Are passwords easy to obtain?

DPH AREAS OF ATTENTION -2. Records kept electronically: is there a system to identify EHR documents? Purging of e-records: what is the process, and who has access? Storage and retrieval, back-up, etc. The focus is on privacy, the potential for access, etc.

DPH AREAS OF ATTENTION -3. Quality assurance monitoring regarding HealthMedX (another day I will deal with this in more detail). Make records available to DPH: track!!!

SB 850 AUDITS. SECTION 1. Section of the Civil Code, (B): automatically record and preserve any change or deletion of any electronically stored medical information.

SB 850 -2. The record of any change or deletion shall include the identity of the person who accessed and changed the medical information, the date and time the medical information was accessed, and the change that was made to the medical information.
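The two SB 850 slides describe an audit trail: every change or deletion of electronic medical information must be recorded automatically with the identity of the person, the date and time, and the change itself, and that record must be preserved. The Python below is an added example of one way to build such a trail; it is not the facility's EHR, not HealthMedX, and not code from the presentation. The record/field model, the user identifiers and the sample activity are constructed assumptions. The hash chain is an added design choice beyond what the statute requires: it lets the HIM department prove later that no entry was altered or dropped, which is the "preserve" half of the requirement.

```python
import hashlib
import json
from datetime import datetime
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64


class AuditedRecordStore:
    """Medical-record fields with an append-only change/deletion log.

    Each log entry records who, when, which record/field and the before/after values
    (the SB 850 elements). The hash chain is an added design choice, not a statutory
    requirement: removal or alteration of an earlier entry becomes detectable.
    """

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, Any]] = {}
        self._audit: List[Dict[str, Any]] = []

    def _append(self, user: str, action: str, record_id: str, field: str,
                old: Any, new: Any, at: datetime) -> None:
        entry = {
            "seq": len(self._audit),
            "user": user,                       # identity of the person making the change
            "at": at.isoformat(),               # date and time of access
            "action": action,                   # "change" or "delete"
            "record": record_id,
            "field": field,
            "old": old,                         # the change that was made: before ...
            "new": new,                         # ... and after
            "prev": self._audit[-1]["hash"] if self._audit else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self._audit.append(entry)

    @staticmethod
    def _digest(entry: Dict[str, Any]) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def set_field(self, user: str, record_id: str, field: str, value: Any,
                  at: Optional[datetime] = None) -> None:
        at = at if at is not None else datetime.now()
        record = self._records.setdefault(record_id, {})
        old = record.get(field)
        if old == value:
            return                              # nothing changed, nothing to record
        record[field] = value
        self._append(user, "change", record_id, field, old, value, at)

    def delete_field(self, user: str, record_id: str, field: str,
                     at: Optional[datetime] = None) -> None:
        at = at if at is not None else datetime.now()
        record = self._records.get(record_id, {})
        if field not in record:
            return
        old = record.pop(field)                 # the value is gone from the record, kept in the log
        self._append(user, "delete", record_id, field, old, None, at)

    def get(self, record_id: str, field: str) -> Any:
        return self._records.get(record_id, {}).get(field)

    def audit_trail(self, record_id: str) -> List[Dict[str, Any]]:
        return [e for e in self._audit if e["record"] == record_id]

    def verify_chain(self) -> bool:
        """True unless an entry was altered, removed or reordered since it was written."""
        prev = GENESIS
        for i, entry in enumerate(self._audit):
            if entry["seq"] != i or entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> AuditedRecordStore:
    """Constructed sample activity on one resident record (not real data)."""
    store = AuditedRecordStore()
    store.set_field("nurse_a", "R-1001", "allergies", "penicillin", datetime(2012, 7, 16, 9, 0))
    store.set_field("nurse_b", "R-1001", "allergies", "none known", datetime(2012, 7, 16, 14, 30))
    store.delete_field("him_clerk", "R-1001", "allergies", datetime(2012, 7, 17, 8, 5))
    return store


if __name__ == "__main__":
    s = demo()
    for e in s.audit_trail("R-1001"):
        print(e["at"], e["user"], e["action"], e["field"], repr(e["old"]), "->", repr(e["new"]))
    print("chain intact:", s.verify_chain())
```

In a real system the log would be written to storage the application account cannot rewrite (a separate database with insert-only rights, or a write-once log service) and the chain head would be copied off-box periodically; the in-memory list here only shows the shape of the entries and the verification step.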

SOCIAL MEDIA. A threat to resident confidentiality: social media has no constraints; it is potentially spontaneous, widespread and searchable all at once, available to the world. Watch the use of Facebook and tweets. Many facilities do not allow employees to access social media sites from facility systems. Corporate, employment and HIPAA risks!

WHAT IS USED NOW, AND WHAT ARE THE FUTURE RISKS? Providers may prohibit workforce members from discussing work-related matters on "sites other than secure work related sites". No Facebook discussions about work that can identify any resident. No Facebook discussions about work at all is a good idea in all cases.

CV & AHIS AS YOUR PARTNER: implementation plan; training; current system review; policy & procedure; action as needed.

QUESTIONS & ANSWERS. Rhonda Anderson, RHIA, President, AHIS, Inc. Thank you!