Top 10 Series Changes to HIPAA Devon Bernard AOPA Reimbursement Services Coordinator
Why the Changes? American Recovery & Reinvestment Act (ARRA) –Signed into law February 2009 Title XIII: Health Information Technology for Economic & Clinical Health Act (HITECH) –Enacted February 2009 –Effective February 2010
Breaches Under HIPAA: No requirement to notify patients of a breach of their PHI Under HITECH: Must notify a patient of a breach –Also must notify Health and Human Services (HHS) of breaches
Breaches What is a breach? The acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule, which compromises the security or privacy of the PHI and poses a significant risk of financial, reputational, or other harm to the individual
Breaches Determine if a breach requires notification –Risk of Harm/Risk Assessment Who accessed or used the PHI Was the information useable What information was breached Can potential harm be limited Are the breaches exempt under the HITECH Act Document/log your findings –Maintain documentation for 6 years
Breaches Involving less than 500 people Notification in writing, no more than 60 days after discovery of the breach Notification should include: –Description of the breach –Steps patient can take to limit harm –What you are doing about the breach –Contact information
Breaches Involving 500 or more people Notify the individuals affected Notify the media Notify HHS, no more than 60 days after discovery of the breach –Will post the information on their website
Breaches Yearly reporting to HHS No more than 60 days after the end of the year Information from your breach log –Date of the breach –Description –Notification required –Action taken
Disclosure of PHI Under HIPAA: Patient had the right to request that their PHI not be disclosed to a health plan –Under no obligation to comply with request
Disclosure of PHI Under HITECH: You must comply with the request. If: –The request is only related to payment –The patient pays for the service out of pocket and pays for the service in full
Access Under HIPAA: Patient had a right to access or receive a copy of their medical record –In any format requested by the patient, if readily available
Access Under HITECH: Patient has a right to access or receive a copy of their medical record If you maintain electronic health records: –Patient has right to request electronic copies of their record –Request a copy be provided to a third party in electronic form
Accounting Under HIPAA: Only had to account for disclosures that were not routine Under HITECH: If you maintain electronic health records, you must also account for routine disclosures for a three year period, prior to the request
Accounting For a covered entity who acquired an EHR before January 1, 2009, the accounting requirement applies to disclosures made on or after January 1, For a covered entity who acquired an EHR on or after January 1, 2009, the provision will be effective for disclosures made on or after January 1, 2011.
Business Associates (BA) Under HIPAA: BAs not directly bound by HIPAA regulations –Bound by contracts with covered entities Under HITECH: BAs required to directly comply with all HIPAA Regulations –Technical, Administrative, and Physical Safeguards –Including the regulations of the HITECH Act
Business Associates (BA) BA Agreements (BAA) should be updated to reflect the BAs new responsibilities Review current BAAs –Current BAA allows for changes = An Addendum –Current BAA doesn’t allow for changes = A new BAA
Enforcement Under HIPAA: Investigations of compliance were complaint driven Under HITECH: Department of Health and Human Services is required to conduct random compliance audits
Enforcement Under HIPAA: A civil monetary penalty of no more than $100 per violation up to a maximum of $25,000 for all violations occurring in a calendar year could be imposed Under HITECH: Tiered Civil Monetary Fines –Four tiers of fines
Enforcement Tier I: Didn’t Know –$100 for each violation –Not to exceed $25,000 for the year Tier II: Reasonable Cause, and not Willful Neglect –$1,000 for each violation –Not to exceed $100,000 for the year
Enforcement Tier III: Willful Neglect, Violation Corrected –$10,000 per violation –Not to exceed $250,000 for the year Tier IV: Willful Neglect, Violation not Corrected –$50,000 per violation –Not to exceed $1.5 million for the year
Enforcement State Attorneys General –Initiate civil actions for violations of HIPAA Enforcement activities and penalties are not limited to just covered entities. Who else is subject to the new enforcement activities and penalties: –Business Associates –Individuals
Summary of Changes Breaches of PHI –Notification Requirements –Yearly Reporting Business Associates –Directly comply with HIPAA –New/Updated BA Agreements
Summary of Changes Access & Disclosure of PHI –No disclosure of PHI for self pay –Obtain copy of electronic health record –Accounting of routine disclosures Enforcement Activities –Increased civil monetary penalties –Mandatory Compliance Audits –Individuals held accountable