America's Voice for Community Health Care

The NACHC Mission
To promote the provision of high quality, comprehensive and affordable health care that is coordinated, culturally and linguistically competent, and community directed for all medically underserved people.
American Recovery and Reinvestment Act: Changes to HIPAA
Michael Lardiere, LCSW
Director, Health Information Technology; Sr. Advisor, Behavioral Health
National Association of Community Health Centers
email@example.com
October 16-18, 2009
American Recovery and Reinvestment Act of 2009
- Includes the Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Makes important substantive changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Mandates extensive new regulations around electronic medical records
Extends the HIPAA Privacy and Security Provisions and Penalties to Business Associates of Covered Entities
- Health information exchanges
- Regional health information organizations
- e-Prescribing gateways and other technology vendors
- Vendors contracted with a Covered Entity to provide a Personal Health Record (PHR) as part of an Electronic Health Record (EHR)
The HITECH Act defines a personal health record as an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

An electronic health record is defined as an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
Business Associates (BAs) will be treated just like Covered Entities for purposes of the HIPAA privacy and security provisions and will be responsible for the
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Policies and Procedures and Documentation
requirements of the Security Rule (45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, respectively), as well as for
- Liability for civil and criminal penalties

Covered Entities will likely have to revise their existing Business Associate Agreements to incorporate language reflecting this change.
Business Associates will have an obligation to terminate their Business Associate Agreements with Covered Entities if they have knowledge of a pattern of noncompliance with the Privacy Rule by the Covered Entity
Increases Penalties for HIPAA Violations and Expands Enforcement Mechanisms
- The amount of civil monetary penalties (CMPs) available has increased
- Civil monetary penalties are now structured in a tiered format, ranging from $100 per violation up to $50,000 per violation
- Anyone whose PHI is accessed in violation of HIPAA will be eligible to share a percentage of any CMPs collected
- The Office of Civil Rights will continue to enforce HIPAA compliance
- State Attorneys General will now have the power to enforce HIPAA by bringing suit in federal district court
- The Act requires DHHS to periodically audit Covered Entities and Business Associates to assess HIPAA compliance
- Covered Entities and Business Associates need to make sure that all of their HIPAA policies and procedures are up to date and in use
Creates a Comprehensive New Set of Requirements Around Notification of Data Breaches or Suspected Data Breaches
- Notification must be made within 60 days of discovery
- Will require prompt investigation and assessment of suspected breaches
- Mandates public reporting to both DHHS and media outlets in the event of a breach affecting more than 500 individuals
- DHHS will publish a list on its website that identifies each Covered Entity involved in a breach of more than 500 individuals
The notice must include:
(1) a brief description of the breach, including the date it occurred and the date it was discovered;
(2) the types of PHI involved in the breach;
(3) steps individuals should take to protect themselves;
(4) steps the Covered Entity is taking to investigate the breach and protect against future breaches; and
(5) contact information to ask questions and learn more.
- Notice must be provided by first class mail to the individual's last known address
- Unless the individual has specified to receive information by electronic mail; then notice may be provided electronically
- If the contact information for more than 10 affected individuals is out of date, notice may be through a posting on the entity's web site or in major print or broadcast media
If a Business Associate discovers a breach of unsecured PHI, it must
- Notify the Covered Entity of such breach, and
- Include a list of each individual whose PHI was or is reasonably believed to have been accessed or acquired during the breach
If the breach involves the access or acquisition of the PHI of more than 500 residents of a State or jurisdiction, notice must be made to the prominent media outlets of that State or jurisdiction.
The Covered Entity must
- Keep a log of its discovered breaches, and
- Provide a copy of the log to DHHS annually

If a breach involves the access or acquisition of the PHI of more than 500 individuals, notice must be provided to DHHS immediately.
Creates a New Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities
- Vendors of personal health records and related vendors must notify the Federal Trade Commission (FTC) and any U.S. citizens whose information was acquired as a result of the breach
- Empowers the FTC to begin policing medical privacy, which is a significant expansion of federal oversight of medical information
Expands HIPAA Mandated Accounting of Disclosures for Those Using Electronic Health Records
- Covered Entities and Business Associates using electronic health records will be required to make available an accounting of all uses and disclosures of the electronic health record in the previous three years, including disclosures for payment, treatment, and operations
- The time period for which an individual may request such an accounting is shortened from up to 6 years to 3 years
In responding to a request for an accounting, the Covered Entity can choose to provide either
- The disclosures of the patient's PHI made by the Covered Entity and its Business Associates, or
- Merely the disclosures made by the Covered Entity and a list of its Business Associates
- For entities that were using EHRs as of January 1, 2009, the provision applies to disclosures made on or after January 1, 2014
- For entities that adopt EHRs after January 1, 2009, the provision will apply on January 1, 2011 or the date when the Covered Entity begins using EHRs, whichever is later
Revisions to an Individual's Right to Request a Copy of His or Her Record
- If the Covered Entity uses an EHR, the patient may request that his or her record be produced in an electronic format and transmitted to a person designated by the patient
- The fee for production of an electronic copy of the record shall not be greater than the labor costs of responding to the request
Establishment of the Minimum Necessary Standard
Covered Entities and Business Associates must, to the extent practicable, limit use or disclosure of PHI either
- To the limited data set, or
- To the minimum necessary to accomplish the stated purpose of the use/disclosure
Adopts New Prohibitions on the Sale of Electronic Health Information
The language is sufficiently vague to create uncertainty about the ability of
- Regional health information organizations
- Health information exchanges, and
- e-Prescribing services
to charge fees for their services.
Eliminates Sharing of PHI for Marketing and Fundraising Purposes from the Definition of Health Care Operations Under HIPAA
- Fundraising is no longer considered part of operations
- In order to use PHI for direct fundraising campaigns, a Covered Entity must first obtain an authorization from the patient
- Later modified to allow fundraising to continue, but the patient must be given the option to opt out of future fundraising
De-Identified Health Information
- There are no restrictions on the use or disclosure of de-identified health information
- De-identified health information neither identifies nor provides a reasonable basis to identify an individual
There are two ways to de-identify information:
1) a formal determination by a qualified statistician, or
2) the removal of specified identifiers of the individual and of the individual's relatives, household members, and employers; this is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual
The following identifiers of the individual or of relatives, employers, or household members of the individual must be removed to achieve the safe harbor method of de-identification:
(A) Names
(B) Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000
(C) All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
(D) Telephone numbers
(E) Fax numbers
(F) Electronic mail addresses
(G) Social security numbers
(H) Medical record numbers
(I) Health plan beneficiary numbers
(J) Account numbers
(K) Certificate/license numbers
(L) Vehicle identifiers and serial numbers, including license plate numbers
(M) Device identifiers and serial numbers
(N) Web Universal Resource Locators (URLs)
(O) Internet Protocol (IP) address numbers
(P) Biometric identifiers, including finger and voice prints
(Q) Full face photographic images and any comparable images; and any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes provided certain conditions are met
In addition to the removal of the above-stated identifiers, the covered entity may not have actual knowledge that the remaining information could be used alone or in combination with any other information to identify an individual who is the subject of the information.

Source: SUMMARY OF THE HIPAA PRIVACY RULE, Office of Civil Rights, http://www.nachc.com/client/HIPAA%20Privacy%20Rule%20Summary_8_19_09.pdf
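As an added example (not from the NACHC presentation), the safe harbor rules above for zip codes, dates and ages applied to one patient record in Python; the three-digit zip population table and the record field names are constructed assumptions, not Census data or any real system's schema.

```python
"""Safe-harbor de-identification helper (added example, not the NACHC slides' code).
Applies rules (A)-(Q) from the slides to one record: drop direct identifiers,
keep only a zip's first three digits (or "000" for areas of <= 20,000 people),
reduce dates to the year, and collapse ages over 89 into "90+".
"""
from datetime import date

# CONSTRUCTED sample of three-digit zip prefixes covering 20,000 or fewer
# people; real Census figures would be used in practice.
SMALL_ZIP3_POPULATION = {"036": 10_000, "059": 17_000}
ZIP3_THRESHOLD = 20_000

# Field names (assumed for this example) that carry the listed identifiers
# (A), sub-state geography from (B), and (D)-(Q); these are always removed.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
}

def generalize_zip(zip_code, zip3_population=None):
    """Rule (B): keep the 3-digit prefix unless its area has <= 20,000 people."""
    pop = SMALL_ZIP3_POPULATION if zip3_population is None else zip3_population
    zip3 = str(zip_code).strip()[:3]
    return "000" if pop.get(zip3, ZIP3_THRESHOLD + 1) <= ZIP3_THRESHOLD else zip3

def generalize_age(age):
    """Rule (C): ages over 89 are aggregated into one 90-or-older category."""
    return "90+" if age > 89 else age

def deidentify(record):
    """Return a new dict holding only the fields safe harbor permits."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif isinstance(value, date):
            if key == "birth_date" and over_89:
                continue  # the birth year alone would reveal an age over 89
            out[key] = value.year  # Rule (C): strip month and day
        else:
            out[key] = value
    return out
```

Note that the helper only implements the mechanical removals; the "no actual knowledge" condition still has to be judged by the covered entity for each data set.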
To reduce risks, covered entities should consider accomplishing the following tasks:
- Implement systems for detecting a security breach
- Create a security breach response plan or update the existing plan
- Conduct workforce training in responding to a security breach
- Negotiate amendments to business associate agreements to address security breaches
- Revise HIPAA policies and procedures to address the security breach regulations
Federally Qualified Health Centers
Michael Lardiere, LCSW
Director HIT; Sr. Advisor Behavioral Health
National Association of Community Health Centers
301-347-0400 xt 2069
firstname.lastname@example.org