1 HITECH ACT Privacy & Security Requirements. Cathleen Casagrande, Privacy Officer. July 23, 2009.

2 HITECH ACT Dedicates over $31 billion in stimulus funds for healthcare infrastructure and the adoption of Electronic Health Records (EHR). Also imposes new medical privacy requirements.

3 Changes to Medical Privacy Requirements Fundamental changes in the areas of accountability, data breach notification, consumer access, and use of personal health information. Unlike HIPAA, the HITECH Act allows only one year to comply with most provisions.

4 Accountability Imposes new levels of accountability for medical privacy. HHS will conduct periodic audits to ensure compliance, beginning within the first 12 months after enactment of the new rules.

5 Accountability Tiered penalty structure, with fines ranging from $25,000 to $1.5 million; penalties are mandatory in cases of "willful neglect". All violations occurring after the February 17, 2009 enactment date are subject to the increased penalties.

6 Accountability Business associates with access to PHI are bound by the same requirements as the organization (effective February 2010).

7 Accountability Ensure that business associate contracts authorize and define the use of the PHI shared with them. If a business associate violates those terms, the covered entity is obligated to report the violation to the appropriate authorities and discontinue the relationship.

8 Consumer Access (Feb 2010) Gives individuals clear access rights to their own health records, and gives them the right to restrict disclosure of PHI to their health plan when they pay the healthcare provider out of pocket in full.

9 Use of PHI (Feb 2010) Covered entities (CEs) and their business associates are also prohibited from selling PHI without explicit, documented authorization from the individual whose information is contained in the record.

10 Breach Notification Defined: the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the data. Unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through a technology or methodology specified by HHS. HHS guidance names the qualifying technologies: encryption (following NIST guidance) and destruction of the media. Properly encrypted PHI is therefore not "unsecured", and its loss does not trigger notification, provided the decryption key was not also compromised.

11 Breach Notification Obligation to notify of all breaches discovered on or after September 15, 2009. Notification is required without unreasonable delay, and in no case later than 60 days after discovery, when PHI in any form or medium is breached, not just electronic records; the 60 days is an outer limit, not a safe harbor. A breach is officially discovered on "the first day it is known to the HIPAA entity or business associate, or should reasonably have been known".

12 Breach Notification The covered entity that suffered the breach bears the burden of demonstrating that the required notifications were made. Telephone notification may be made in urgent situations (possible imminent misuse of the PHI), in addition to written notice. Business associates are required to notify the covered entity of a breach, including the identity of the individuals affected.

13 Breach Notification For a breach affecting 500 or more individuals, the CE is required to provide "immediate" notice to HHS, which makes the breach notice public. Separately, the rule of 500 also applies within a single state or jurisdiction: when more than 500 residents of that state or jurisdiction are affected, notice must be provided to prominent media outlets serving it.

14 Methods of Notice Individual notice: notice required under this section to be provided to an individual with respect to a breach shall be provided promptly and in the following form: written notification by first-class mail to the individual at the last known address (or by e-mail, if the individual has specified that as a preference). In the case of insufficient or out-of-date contact information that precludes direct written (or, if specified by the individual, electronic) notification, a substitute form of notice shall be provided.

15 Media Notice Notice shall be provided to prominent media outlets serving a state or jurisdiction following the discovery of a breach of unsecured PHI of more than 500 residents of that state or jurisdiction.

16 Notice to HHS Secretary Required immediately if the breach involved 500 or more individuals. These breaches will be posted on the HHS public website, including the name of the covered entity. If the breach involved fewer than 500 individuals, the covered entity must maintain a log of each such breach and submit it to HHS annually, documenting the breaches that occurred during the year.

17 Content of Notification Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following: a brief description of what happened, including the date of the breach and the date of its discovery; a description of the types of unsecured PHI involved (such as SSN, address, etc.).

18 Content of Notification Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address. Time consuming, costly, and overwhelming, with potential long-term damage to customer relationships.

19 Content of Notification The steps individuals should take to protect themselves from potential harm resulting from the breach. A brief description of what the covered entity is doing to investigate the breach, mitigate losses, and protect against further breaches.

20 Data Breach Response Provide recovery services for individuals who become victims of identity crime. Restore their medical identities to pre-theft status. Designate an individual or company to manage customer calls.

21 Business Impacts Inventory of PHI = risk assessment. 70% of all organizations do not have an accurate, documented inventory of the personally identifiable information (PII) in their custody. This includes data shared with a business associate. PricewaterhouseCoopers reports that 44% of data breach incidents are due to third-party handling of data.

22 Breach Impact Even small-scale data breaches must now be notified in each instance, with detailed proof of notification retained, causing significant effort and cost.

23 Business Impact Data breaches damage a business's credibility. They create medical and financial risks for the people whose data is lost.

24 Questions & Answers Clarification of the privacy requirements within the ARRA rule is expected in the next 12 months. Key strategies: assess PHI holdings, including those covered by business associate agreements (BAAs); utilize appropriate security standards; address staff, computer access, etc.
