HITECH ACT

1
HITECH ACT

• Privacy Security Requirements
• Cathleen Casagrande
• Privacy Officer
• July 23, 2009

2
HITECH ACT

• Dedicates over 31 billion in stimulus funds for
  Healthcare Infrastructure and the adoption of
  Electronic Health Record (EHR).
• Also imposes new medical privacy requirements.

3
Changes to Medical Privacy Requirements

• Fundamental changes in the areas of
  accountability, data breach notification,
  consumer access, and use of personal health
  information.
• Unlike HIPAA, HITECH ACT one year for most
  provisions.

4
Accountability

• Imposes new levels of accountability for medical
  privacy.
• Periodic audits by HHS to ensure compliance
  within the first 12 months after enactment of the
  new rules.

5
Accountability

• Tiered penalty structure, with fines ranging from
  25,000 to 1.5 million and penalties are
  mandatory for cases of willful neglect.
• All violations occurring after February 2009
  enactment date are subject to the increased
  penalties.

6
Accountability

• Business Associates with access PHI bound by the
  same requirements as the Organization (Feb 2010).

7
Accountability

• Assure business associate contracts, authorizing
  and defining their use of the PHI shared with
  them.
• Obligated to report the violation to appropriate
  authorities and discontinue the relationship.

8
Consumer Access (Feb 2010)

• Gives individuals clear access rights to their
  own health records, and it gives them the right
  to restrict disclosure of PHI if they pay the
  healthcare providers themselves.

9
Use of PHI (Feb 2010)

• CEs and their business associates are also
  prohibited from selling PHI without explicit,
  documented authorization from the individual
  whose information is contained in the record.

10
Breach Notification

• Defined Unauthorized acquisition, access use, or
  disclosure of PHI compromises the security or
  privacy of the data.
• Unsecured PHI Not secured through technology
  as unusable, unreadable, or indecipherable to
  unauthorized individual
• Additional guidance technology.

11
Breach Notification

• Obligation to notify all breaches that are
  discovered on or after September 15, 2009.
• Notification within 60 days when PHI in any form
  or medium is breached, not just electronic
  records.
• Breach is officially discovered on the first day
  it is known to the HIPAA entity or business
  associate or should reasonably have been known.

12
Breach Notification

• HIPAA covered entity that suffered the breach
  demonstrates required notifications were made.
• Telephone notifications can be made in urgent
  situations.
• Business Associates required to notify the
  covered entity including the individuals affected.

13
Breach Notification

• Breach Affecting 500 or more individuals, CE
  required to provide immediate notice to HHS.
• Thus the breach notice is public.
• Rule of 500 applies in a single state or
  jurisdiction.
• Notice must be provided to prominent media
  outlets.

14
Methods of Notice

• Individual Notice
• Notice required under this section to be provided
  to an individual, with respect to a breach, shall
  be provided promptly and in the following form
• Written notification by first-class mail to the
  individual at the last known address.
• In the case of insufficient, or out-of-date
  contact information that precludes direct written
  specified by the individual under subparagraph.

15
Media Notice

• Notice shall be provided to prominent media
  outlets serving a State or jurisdiction,
  following the discovery of a breach of unsecured
  protected health information of more than 500
  residents in such State, or jurisdiction.

16
Notice to HHS Secretary

• Required immediately if the breach involved 500
  or more individuals. These breaches will be
  posted on the HHS public website including the
  name of the covered entity.
• If the breach less than 500 individuals, the
  covered entity may maintain a log of any such
  breach occurring.
• Annually submit such a log to HHS documenting
  breaches occurrence during the year involved.

17
Content of Notification

• Regardless of the method by which notice is
  provided to individuals under this section,
  Notice of a breach shall include, to the extent
  possible, the following
• A brief description of what happened, including
  the date of the breach and the date of the
  discovery of the breach.
• Description of unsecured PHI, such as SSN,
  address, etc.

18
Content of Notification

• Contact procedures for individuals to ask
  questions or learn additional information, which
  shall include a toll-free telephone number, an
  e-mail address, website, or postal address.
• Time consuming, costly, overwhelming.
• Potential long term damage with customers.

19
Content of Notification

• The steps the individuals should take to protect
  themselves from potential harm resulting from the
  breach.
• A brief description from covered entity to
  investigate the breach, to mitigate losses, and
  to protect against any further breaches.

20
Data Breach Response

• Provide recovery services for individuals who
  become victims of identity crime.
• Restore their medical identities to pre-theft
  status.
• Designate an Individual, or company to manage
  Customer calls.

21
Business Impacts

• Inventory PHIRisk Assessment
• 70 of all organizations do not have an accurate
  inventory of personally identifiable information
  (PII) in their custody and documented.
• Includes data shared with a Business Associate.
• Price Waterhouse Coopers reports that 44 of data
  breach incidents are due to third-party handling
  of data.

22
Breach Impact

• Small-scale data breaches will now be obligated
  to notify in each instance, and to keep detailed
  proof of notification, causing significant effort
  and cost.

23
Business Impact

• Data breaches damage Businesses credibility.
• Medical and Financial risks to the people whose
  data is lost.

24
Questions Answers

• Clarification of the Privacy Requirements within
  the AARA rule in the next 12 months.
• Key strategies assess PHI, including BAAs.
• Utilize appropriate Security Standards.
• Staff, computer access, etc.