
Privacy and Security
Past, Present, & Future
Danika E. Brinda, MA, RHIA, CHPS
Assistant Professor/REACH HIT Consultant
The College of St. Scholastica
September 27, 2013
Objectives
• Understand the Security Rule and how it
relates to you
• Understand the Privacy Rule and how it
relates to you
• Understand where privacy regulations have
been, where they are at, and where they are
going
• Understand big changes and challenges with
compliance
The transition of Privacy and Security in Healthcare
• First attempt at development of federal rules and regulations to protect the privacy and security of Protected Health Information (PHI)
• 1996 – HIPAA Regulation Enacted
• 2003 – Privacy Rule Mandated
• 2005 – Security Rule Mandated
• 2009 – Interim ARRA/HITECH Provision on Privacy and Security
• 2013 – Omnibus Rule of 2013 (Final ARRA/HITECH)
HIPAA in the News
• "Feds Go to Court to Collect First‐Ever Fine for HIPAA Violations" – Featured in Health Business Daily, Aug. 18, 2011, and in Government News of the Week. "In February, the Office for Civil Rights imposed a $4.3 million fine on a Maryland medical group that had refused to honor 41 patients' requests for their medical records…"
• "Medical Billing Firm Says Personal Information Leaked to Theft Ring" – www.ihealthbeat.org, December 3, 2012. "Advanced Data Processing said that an employee improperly accessed individual account data in the company's ambulance billing system and leaked the information to a theft ring. The worker has admitted to the crime and has been fired…" Read more: http://www.ihealthbeat.org/articles/2012/12/3/medical-billing-firm-says-personal-information-leaked-to-theft-ring.aspx#ixzz2LMpz9bx2
• "Text Message Use Among Providers Raise HIPAA Concerns" – Written by Joyce McLaughlin, JD, Senior Counsel, Davis & Wilkerson, August 11, 2011, http://www.beckershospitalreview.com. "As the possibilities for electronic communication continue to expand with great speed, use of the technology by hospital employees and physicians without adequate security can expose your facility to HIPAA violations. The increasing use of cell phones and texting …"
• "9 Patients' Identities Stolen in Emory Healthcare Data Breach" – Written by Sabrina Rodak | October 25, 2011 | http://www.beckershospitalreview.com. "Nine patients of Emory Healthcare's orthopedic clinic in Tucker, Ga., have had fraudulent tax returns filed in their name, according to a Channel 2 report. The nine patients were among 32 Emory orthopedic clinic patients whose hospital bills were stolen in April…"
Hippocratic Oath
• Original Translation (5th Century BCE): “…All that may come to
my knowledge in the exercise of my profession or in daily
commerce with men, which ought not to be spread abroad, I
will keep secret and will never reveal.”
• Classic Translation (a long time ago): "…What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about."
• Modern Version – 1964: “…I will respect the privacy of my
patients, for their problems are not disclosed to me that the world
may know. Most especially must I tread with care in matters of life
and death. ”
What is Protected Health Information?
• Protected Health Information (PHI)
– Health information that identifies an individual, or could
create a reasonable basis to believe the information
could be used to identify an individual
– Can be past, present, or future information
• Electronic Protected Health Information (ePHI)
– Health Information that is transmitted or maintained in
electronic format
Examples of Protected Health Information
• Patient's Name
• Age / Date of Birth
• Address
• Telephone Numbers
• Medical Record Number
• Social Security Number
• Account Number
• Health History or Conditions
• Treatment or Medications
• Dates of Treatments and Hospitalizations
• Hospital or Clinic Bill
• Biometric Identifiers
Location of Breach
September 2009 - July 2013
[Pie chart: share of reported breaches by location of the PHI. Categories: Computer, Electronic Medical Record, E-Mail, Laptop, Network Server, Other, Other Portable Devices, Paper. The percentage labels (ranging from 2% to 25%) cannot be matched to categories in this transcript.]
Breach by Type
September 2009 - July 2013
[Pie chart: share of reported breaches by type. Categories: Hacking/IT Incident, Improper Disposal, Loss, Other, Theft, Unknown, Unauthorized Access/Disclosure. The percentage labels (ranging from 1% to 56%) cannot be matched to categories in this transcript.]
Business Associate Involvement
September 2009 - July 2013
Total Breaches > 500 People: 627
• Covered Entities: 489 (78%)
• Business Associates: 138 (22%)
People Impacted By Breach
September 2009 - July 2013
Total People Impacted: 22,199,751
• Covered Entities: 9,276,985 (43%)
• Business Associates: 12,110,729 (57%)
Source: http://www.hipaasecurenow.com/index.php/blog/
Top 2012 Data Breaches
Source: http://www.dolbey.com/uncategorized/redspin2012-health-data-breach-report-breakdown/
What are the Major HIPAA
Compliance Areas?
• Privacy Requirements
– Notices, Authorizations and Consents
– Accounting of Disclosures
– Business Associates
– Breach Notification
• Security Requirements
– Administrative, Physical, and Technical Safeguards
– Business Associates
– Risk Assessment and Compliance Programming
HIPAA – The Privacy Rule
• Published on December 28, 2000
• Final Rule published on August 14, 2002
• Effective Date – April 14, 2003
HIPAA – The Privacy Rule
• The Final HIPAA Privacy Rule (45 CFR Parts 160 and 164) focused on three major purposes:
1. To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;
2. To improve the quality of health care in the U.S. by restoring trust in the health care system; and
3. To improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.
High Level Overview: Privacy Practices
• Appointment of Chief Privacy Officer
• Notice of Privacy Practices
• Disclosures
• Minimum Necessary
• Authorizations
• Accounting of Disclosures (extended through ARRA IFR)
• Request Restrictions on where PHI is sent
• Designated Record Set
• Business Associate Agreements (extended through ARRA IFR)
• Medical Record Amendments
• Alternative forms of Communication with Patients
• Training of the Workforce
• Privacy/Breach Investigations and Notifications (extended through ARRA IFR)
Designated Record Set Components
• Defined by HIPAA to include:
– patient medical records
– billing records
– enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
– information used, in whole or in part, to make care-related decisions about the individual
HIPAA – The Security Rule
• Final Rule Published February 20, 2003
• Effective Date – April 20, 2005
• The Final HIPAA Security Rule defines administrative, physical,
and technical safeguards to protect the confidentiality, integrity,
and availability of electronic PHI.
What's the Focus of the Security Rule?
There are 4 distinct parts to the Security Rule:
1. Administrative Safeguards are administrative actions, including the establishment of policies and procedures, to manage the activities needed to select, implement and maintain security measures that protect ePHI.
2. Physical Safeguards are physical measures, together with the policies and procedures for them, to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
3. Technical Safeguards are the technology, including the policies and procedures for its use, that protect ePHI and control access to it.
4. Organizational Safeguards are arrangements made between organizations to protect ePHI, including Business Associate Agreements.
HIPAA and Confidentiality, Integrity, Availability (CIA)
Source: http://www.hipaaacademy.net/consulting/hipaaSecurityRuleOverview.html
Addressable v. Required
• Implementation specifications are broken into two categories (45 CFR 164.306(d))
• Addressable – the covered entity must assess whether the specification is a reasonable and appropriate safeguard for its ePHI. If it is, implement it; if it is not, document why and implement an equivalent alternative measure where reasonable and appropriate. "Addressable" does not mean optional. The assessment weighs (45 CFR 164.306(b)(2)):
– The size, complexity and capability of the covered entity
– The covered entity's technical infrastructure, hardware, and software security capabilities
– The costs of security measures
– The probability and criticality of potential risks to ePHI
• Required – the covered entity must implement the specification and the policies and/or procedures that meet it
Administrative Safeguards (R = Required, A = Addressable)
Standard | Implementation Specification | R/A
Security Management Process | Risk Analysis | R
Security Management Process | Risk Management | R
Security Management Process | Sanction Policy | R
Security Management Process | Information System Activity Review | R
Assigned Security Responsibility | Designate Security Officer | R
Workforce Security | Authorization and/or Supervision | A
Workforce Security | Workforce Clearance Procedure | A
Workforce Security | Termination Procedures | A
Physical Safeguards (R = Required, A = Addressable)
Standard | Implementation Specification | R/A
Facility Access Controls | Contingency Operations | A
Facility Access Controls | Facility Security Plan | A
Facility Access Controls | Access Control and Validation Procedures | A
Facility Access Controls | Maintenance Records | A
Workstation Use | (standard itself) | R
Workstation Security | (standard itself) | R
Device and Media Controls | Disposal | R
Device and Media Controls | Media Re-use | R
Device and Media Controls | Accountability | A
Device and Media Controls | Data Backup and Storage | A
Technical Safeguards (R = Required, A = Addressable)
Standard | Implementation Specification | R/A
Access Control | Unique User Identification | R
Access Control | Emergency Access Procedure | R
Access Control | Automatic Logoff | A
Access Control | Encryption and Decryption | A
Audit Controls | (standard itself) | R
Integrity | Mechanism to Authenticate Electronic PHI | A
Person or Entity Authentication | (standard itself) | R
Transmission Security | Integrity Controls | A
Transmission Security | Encryption | A
Organizational Safeguards (R = Required, A = Addressable)
Standard | Implementation Specification | R/A
Business associate contracts or other arrangements | Business Associate Contracts | R
Business associate contracts or other arrangements | Other Arrangements | R
Requirements for group health plans | Implementation Specification | R
Policies and Procedures | (standard itself) | R
Documentation | Time Limit | R
Documentation | Availability | R
Documentation | Updates | R
American Recovery and Reinvestment Act
(ARRA) of 2009
• February 2009, President Obama signed
ARRA
• ARRA defines the Health Information
Technology for Economic and Clinical Health
(HITECH) Act, Title XIII
– Strengthens HIPAA Privacy and Security Rules
– Affects both Covered Entities and their Business Associates
– Published draft privacy regulations on July 14, 2010 in the
Federal Register
– Responses to the draft regulations were due by September
13, 2010
Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules 2013
• February 17, 2009 – President Obama signed the American Recovery and Reinvestment Act (ARRA) of 2009
• Title XIII, the Health Information Technology for Economic and Clinical Health Act (HITECH), included provisions on HIPAA Privacy, Security and Enforcement
• Interim Rules were established to address the HITECH requirements for Breach Notification and Enforcement
• On January 25, 2013 the Federal Register published Part II, 45 CFR Parts 160 and 164
• Most of the interim rules issued under ARRA/HITECH move from Interim Rules to Final Rules
• Effective Date: March 26, 2013
• Compliance Date: September 23, 2013 (180 days)
What's Still Missing that Keeps Us Waiting…
Some components of the Interim Rule are still missing. The hope is that these will be published later in 2013:
› Accounting of Disclosures/Access Reports
› Minimum Necessary Guidance
› Distribution of penalties and settlements to harmed individuals
Breach Notification 2013
• Most of the components remained the same except:
– Removed the "risk of harm" analysis and replaced it with a more objective risk assessment
– The objective risk assessment must show evidence of evaluating at least:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
• The unauthorized person who used the PHI or to whom it was disclosed
• Whether the PHI was actually acquired or viewed (or re-disclosed)
• The extent to which the risk to the PHI has been mitigated
– Eliminates the interim rule's exception under which certain limited data sets were not included in breach investigation
HITECH Definition 2009
Defined as the “unauthorized acquisition, access, use, or
disclosure of protected health information which compromises the
security or privacy of such information, except where an
unauthorized person to whom such information is disclosed would
not reasonably have been able to retain such information.”
New Breach Definition
An impermissible use or disclosure of PHI is “presumed to be a
breach unless the covered entity or business associate, as
applicable, demonstrates that there is a low probability that the
protected health information has been compromised.”
**A comment to the interim final rule suggesting a "compromise" standard indicates that the question is whether PHI has been "inappropriately viewed, re-identified, re-disclosed, or otherwise misused" (Adam Greene)
What Did NOT Change from IFR to Final Rule
• Definition of "Unsecured Protected Health Information"
• When a breach is treated as "discovered"
• Timeline for notifications – clock starts at Date of Discovery
• Content of notification
• Methods of notification
• Notification to the media and the Secretary (minor modification – counting from year of discovery)
• Notification by Business Associate
• Delay requested by law enforcement
• Documentation and burden of proof
• Pre-emption standard regarding state laws
Breach Definitions "Exceptions"
• Unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate, in good faith and within the scope of authority.
– Example: A staff member receives a fax intended for a nurse on a different nursing unit. She quickly forwards the information to the correct location within her healthcare facility.
• Inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate.
– Example: A nurse calls a physician to discuss a patient's case. After the nurse finishes that conversation, she realizes that she gave the physician the wrong patient's information. As long as the physician doesn't do anything else with the information, it is not considered a breach.
Breach Definitions "Exceptions"
• Good-faith belief by the covered entity or business associate that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information.
– Example: A fax was sent to the incorrect recipient. The recipient of the information calls to inform the facility and returns the documents in their original condition. As long as the information is returned and it is reasonable to conclude that the incorrect recipient could not have retained the information, it is not considered a breach.
Examples of Potential Breaches
• An employee inappropriately accesses a co-worker's chart
• A fax is sent to the incorrect fax number
• A release of information is sent to the incorrect recipient
• An employee blogs about their work day, including a specific patient diagnosis that can be linked to a patient
• Someone has hacked into your EHR and obtained SSNs for multiple patients
• A physician/employee inappropriately accesses the chart of a celebrity
• An e-mail with PHI in the body was sent to the incorrect e-mail recipient
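The Security Rule's Audit Controls and Information System Activity Review specifications (both Required in the tables above) exist to catch exactly the first and sixth items on this list: a workforce member opening a co-worker's or a celebrity's chart with no treatment reason. The script below is an added example written for this transcript, not code from the presentation, the College or any EHR vendor. It reviews a constructed EHR access log and flags accesses with no documented treatment relationship, self- or co-worker-record access, VIP-record access, and after-hours activity. The log format, the column names, the STAFF_MRNS mapping and the 06:00-22:00 business-hours window are all assumptions for illustration.

```python
"""Added example: a minimal ePHI access-log review of the kind the HIPAA
Security Rule's Audit Controls / Information System Activity Review
specifications call for. Log format, column names, STAFF_MRNS and the
business-hours window are assumptions, not part of the presentation."""
import csv
import io
from collections import Counter

# Constructed sample audit log (not real data). Assumed columns:
#   timestamp, user_id, user_role, patient_mrn, action,
#   care_team (users with a documented treatment relationship, ';'-separated),
#   vip_flag (Y if the record carries a "break-the-glass"/VIP marker)
SAMPLE_LOG = """\
timestamp,user_id,user_role,patient_mrn,action,care_team,vip_flag
2013-09-01T08:02:10,rn_jones,nurse,MRN1001,view,rn_jones;dr_smith,N
2013-09-01T08:05:44,dr_smith,physician,MRN1001,update,rn_jones;dr_smith,N
2013-09-01T09:14:03,clerk_lee,clerk,MRN1001,view,rn_jones;dr_smith,N
2013-09-01T09:20:51,rn_jones,nurse,MRN2002,view,dr_patel,Y
2013-09-01T09:21:09,rn_jones,nurse,MRN2002,view,dr_patel,Y
2013-09-01T10:30:00,clerk_lee,clerk,MRN3003,view,dr_patel,N
2013-09-01T10:31:15,rn_jones,nurse,MRN3003,view,dr_patel,N
2013-09-01T23:58:12,clerk_lee,clerk,MRN4004,print,dr_patel,N
"""

# Workforce members who are also patients of the facility: user_id -> own MRN.
# Assumed mapping; in practice it comes from HR/registration matching.
STAFF_MRNS = {"rn_jones": "MRN9009", "clerk_lee": "MRN3003"}

BUSINESS_HOURS = range(6, 22)  # assumed: 06:00 up to (not including) 22:00


def parse_log(text):
    """Parse the CSV audit log into dicts; care_team becomes a set of user_ids."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["care_team"] = set(filter(None, row["care_team"].split(";")))
        rows.append(row)
    return rows


def review_event(row):
    """Return the list of review reasons for one access event ([] if routine)."""
    reasons = []
    user, mrn = row["user_id"], row["patient_mrn"]
    in_care_team = user in row["care_team"]
    if not in_care_team:
        reasons.append("NO_TREATMENT_RELATIONSHIP")
    if STAFF_MRNS.get(user) == mrn:
        reasons.append("SELF_ACCESS")          # staff member opening own chart
    elif mrn in STAFF_MRNS.values():
        reasons.append("COWORKER_RECORD")      # chart belongs to another employee
    if row["vip_flag"] == "Y" and not in_care_team:
        reasons.append("VIP_RECORD")           # celebrity/VIP chart, no relationship
    if int(row["timestamp"][11:13]) not in BUSINESS_HOURS:
        reasons.append("AFTER_HOURS")
    return reasons


def review_log(text):
    """Run review_event over every row; keep only events that need follow-up."""
    findings = []
    for row in parse_log(text):
        reasons = review_event(row)
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "user_id": row["user_id"],
                "patient_mrn": row["patient_mrn"],
                "action": row["action"],
                "reasons": reasons,
            })
    return findings


def findings_by_user(findings):
    """Count flagged events per user: input for the sanction-policy review."""
    return dict(Counter(f["user_id"] for f in findings))


if __name__ == "__main__":
    results = review_log(SAMPLE_LOG)
    for f in results:
        print(f["timestamp"], f["user_id"], f["action"], f["patient_mrn"],
              ", ".join(f["reasons"]))
    print("flagged events per user:", findings_by_user(results))
```

Routine care-team accesses (the first two rows) produce no finding; the clerk with no relationship to MRN1001, the nurse repeatedly opening the VIP record, the clerk viewing their own chart, the nurse viewing a co-worker's chart and the late-night print job each produce one. A real review would pull care-team membership from scheduling or encounter data rather than from the log itself, and the output would feed the Sanction Policy and, where the access was inappropriate, the breach risk assessment described later in the deck.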
Breach Notification 2013
Interim Breach Notification | Final Breach Notification
Analyze type of PHI disclosed | Analyze type of PHI disclosed
Evaluate the recipient of the PHI | Evaluate the recipient of the PHI
Evaluate if PHI was accessed, disclosed, used, or acquired | Evaluate if PHI was accessed, viewed, re-identified, or re-disclosed
Intent of potential breach | (no longer a factor)
Steps to mitigate or eliminate risk of harm | Steps to mitigate risk to PHI
Patient Access to Electronic Health Records
• If PHI is held electronically, the individual is entitled to an electronic copy of anything in a "designated record set" (not just the information in an "EHR")
• Must be in the format requested if "readily producible"; if not, in a readable electronic form and format agreed upon by the entity and the individual
• Not required to buy new software to do this, but must have the capability to provide some electronic copy
• If the individual declines to accept the electronic formats the entity makes available, can default to hard copy
• Not required to accept the patient's device, but can't require individuals to purchase a device from you if they don't want to
Patient Access – Technical Safeguards
• Must have reasonable safeguards in place to protect transmission of ePHI, but…
• If an individual wants information by unencrypted e-mail, the entity can send it that way if it has advised the individual that such transmission is risky and the individual still wants it
• Must have a secure mechanism; can't force individuals to accept an unsecure one
• Omnibus Rule shortens the response time to 30 days, with one 30-day extension, so at most 60 days (30 days less than before); the preamble urges entities to make information available sooner when possible
Fundraising and PHI
• Added 4 new categories of PHI that can be used for fundraising: Department of Service, Treating Physician, Outcome Information, and Health Insurance Status
• Strengthens and defines the opt-out for fundraising:
– Clearly defined
– Must not require undue burden (e.g., writing a letter)
– May not affect treatment or payment
– If the patient opts out, the CE MUST NOT make fundraising communications to that patient
Changes to Research
• Covered entities are now allowed to combine
conditioned and unconditioned authorizations
for research; however, they must differentiate
between the two.
• Conditioned: required to participate in this
study
• Unconditioned: optional use/disclosure for
other studies/tissue banking/registries
• NOTE: Unconditioned MUST be opt in such as
a check box or additional signature line.
Changes to Access to
Immunizations
Covered Entities may now release
immunization records to schools without an
authorization IF:
• State law requires the school to have the
immunization record
• The CE received written or oral
documentation (it must be documented)
Changes to Access to Deceased Patients' Records
• PHI of a deceased patient is no longer
considered protected health information after
50 years from death
• CE may disclose PHI to person(s) involved in
decedent’s care or payment if not contrary to
prior expressed preference
Marketing and PHI
• In the Omnibus Rule, marketing is defined as "a communication about a product or service that encourages recipients to purchase or use the product or service." – Federal Register, January 25, 2013
• Under the new regulation, a CE must obtain authorization to use PHI to make treatment and health care operations communications IF the CE receives financial remuneration for making the communication from a third party whose product or service is being promoted
Marketing and PHI
• Excluded from the authorization requirement:
– Refill reminders (the CE can be reimbursed for actual costs)
– Generic equivalents
– Adherence communications reminding patients to take medication
• Costs can only be collected for labor, supplies and postage
Selling Protected Health Information
• Covered entities are not allowed to receive remuneration in exchange for protected health information without the individual's authorization.
• Exceptions (no limits provided):
– Treatment
– Payment
– Public health
– Sale of the CE to another organization
– Required by law
Selling Protected Health Information
• Exceptions (limits defined):
– Any other permissible purpose if remuneration is limited to a reasonable, cost-based fee for preparation and transmittal (**this is new from the HITECH Act**)
– Research
– To an individual for access and accounting
GINA Act Changes
• Changes impact Health Plans and not Health
Care Organizations.
– Clarification that genetic information is health
information
– Health plan (other than long-term care plan)
may not use or disclose genetic information
for underwriting purposes
Business Associates
Definition of Business Associate has changed
› Old: An individual or organization who uses or discloses protected health information on behalf of the covered entity.
› New: An individual or organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity.
– Examples: Health Information Exchange, e-prescribing gateway, data transmission services, a vendor that offers a personal health record, etc.
– Mere conduits – a narrow exception that applies only to courier-type services such as the Postal Service or an Internet Service Provider
Business Associates
• Must enter into business associate agreements with any subcontractors who will receive, create, maintain, or transmit PHI on behalf of the BA (and thus on behalf of the CE)
• A subcontractor is "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate"
• The chain of agreements follows the PHI as far down as it flows
Business Associate Compliance Requirements
• Comply with the Security Rule's administrative, physical and technical safeguards (including policies and procedures)
• Comply with specific components of the Privacy Rule
› Not required to provide an NPP or designate a privacy officer
• Any other items included by the CE in the business associate agreement
Business Associates' Direct Liability
• Impermissible uses and disclosures of PHI
• Failure to provide breach notification to the covered entity
• Failure to provide access to a copy of electronic PHI to the CE, the individual or designee(s)
• Failure to disclose PHI to OCR where required during an investigation or determination of the BA's compliance
Business Associates Compliance Dates
• Additional time allowed to enter into conforming business associate agreements (Limited Deemed Compliance Date)
› If BAAs comply with the pre-Omnibus rule, parties have 1 additional year to bring their BAAs into compliance: September 22, 2014
› If BAAs do not comply with the pre-Omnibus rule (or no BAA exists), must enter into compliant BAAs by September 23, 2013
• Regardless of compliance deadlines, compliance with the Omnibus Rule is required when existing BAAs renew or are modified
Restriction of Protected Health Information
• Covered entity must agree to an individual's request to restrict disclosure to a health plan if:
– the disclosure is for payment or health care operations,
– the disclosure is not required by law, and
– the individual (or a person on the individual's behalf) pays for the item or service in full out of pocket
• Discussion – what do you think?
Notice of Privacy Practices
• The Notice of Privacy Practices must be
updated by and made available by September
23, 2013.
• Should include all previous information PLUS:
– Prohibition on sale of PHI
– Duty to notify affected individuals of a breach
of unsecured PHI
– Right to opt out of fundraising (if applicable)
Monetary Penalties
• The monetary penalties remain the same from
the Interim Rule
• Four tiered categories defined
• Clearer definitions on each of the categories
• Explanation of how the violations will be
counted
• Factors used to determine a penalty
HITECH Fines for Breaches
Tier | Definition
Tier A – "Did not know" | CE or BA did not know, and would not have known, that a violation occurred
Tier B – "Reasonable Cause" | An act or omission in which a CE or BA knew or would have known that the act violated an administrative simplification provision, but did not act with willful neglect
Tier C – "Willful Neglect – Timely Corrected" | Conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA – corrected within 30 days of the date of discovery by the CE or BA
Tier D – "Willful Neglect – Not Timely Corrected" | Conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA – not corrected within 30 days of the date of discovery by the CE or BA
HITECH Fines for Breaches
Tier | Per Violation Minimum | Per Violation Maximum | Max per Calendar Year (same provision)
Tier A – "Did not know" | $100 | $50,000 | $1,500,000
Tier B – "Reasonable Cause" | $1,000 | $50,000 | $1,500,000
Tier C – "Willful Neglect – Timely Corrected" | $10,000 | $50,000 | $1,500,000
Tier D – "Willful Neglect – Not Timely Corrected" | $50,000 | $1,500,000 | $1,500,000
Factors used for Determining Fine
OCR will consider 5 factors in determining the amount of the penalty:
• The nature and extent of the violation (including number of people
involved and the time of the breach)
• The nature and extent of the harm resulting from the violation
(physical, financial, and reputational harm)
• The history of prior compliance with the administrative simplification
provision, including violations by the Covered Entity or Business
Associate
• The financial condition of the Covered Entity or Business Associate
• Such other matters as justice may require
Category | Total Number
Complaints Filed | 77,200
Cases Investigated | 27,500
Cases with Corrective Action | 18,600
Civil Monetary Penalties & Resolution Agreements (since 2008) | $14.9 Million
Resource: http://conference.himss.org/himss13/pdfs/7.pdf
Starting to Think about September 23, 2013
Steps to take:
• Review and revise your NPP; plan to distribute the new copy by 9/23/13 (update it everywhere – printed, electronic, etc.)
• Review and update policies and procedures
• Update the BAA; create a BA model to review all current vendors and determine whether each is a BA
• Update HIPAA authorization forms as needed
• Create/update a process for releasing immunization records to schools
• Create/update a policy/form for requests to restrict information sent to insurance companies
• Update the breach notification policy and procedure
• Plan regular meetings to assure this stays on task and ownership is assigned
Some Sample Checklists
• http://www.nixonpeabody.com/webfiles/Nixon%20Peabody%20%20HIPAA%20Compliance%20Checklist.pdf
• http://www.martindale.com/health-care-law/article_Holland-Hart-LLP_1694528.htm
• http://www.lexology.com/library/detail.aspx?g=53f3d1e0-e633-4921-ac0a-6619b39a3578
• http://www.ebglaw.com/showclientalert.aspx?
References
• http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php
• http://www.cooley.com/HIPAA-omnibus-rule
• http://www.americanbar.org/content/newsletter/publications/aba_health_esource_home/aba_health_law_esource_1301_hipaa_countryman.html
• AHIMA Live Conference with Adam Greene
• www.himss.org
• www.ahima.org
• http://media.straffordpub.com/products/omnibus-hipaa-rule-impact-on-covered-entities-2013-03-12/presentation.pdf
HIPAA/HITECH Act Privacy, Security, Enforcement, and Breach Notification Modifications Final Rule - 2013
• January 17, 2013 – Final Rule announced
• Friday, January 25, 2013 – Final Rule published
• The Final Rule contains modifications to:
– The Breach Notification Rule
– The HIPAA Enforcement Rule, implementing changes mandated by the HITECH Act
– The Privacy and Security Rules, implementing changes mandated by the HITECH Act, as well as other changes to the Privacy Rule proposed in July 2010
– The Privacy Rule, implementing changes required by the Genetic Information Nondiscrimination Act
Questions?
Danika E. Brinda, MA, RHIA, CHPS
612.325.9742
[email protected]
www.stratishealth.org