HIPAA

1
HIPAA

• Whats New?
• 2010

2
What Is HIPAA

• Health Insurance Portability and Accountability
  Act of 1996
• Administrative Simplification Subtitle
• Privacy Rules
• Electronic Data Sets
• Security Rules
• National Provider Identifiers
• HI Tech Security Standards (ARRA Regulation)

3
Are we covered?

• HHS is a Covered Entity
• A Covered Entity is an organization
• Provider
• Health Plan
• Clearing House
• HHS providers are Business Associates
• A business associate is an organization that
  provides any health related services

4
What Is ARRA?

• American Recovery and Reinvestment Act of 2009
• Required for Electronic Health Record Movement
• Required for Healthcare Reform
• Holds Business Associates to the complete set of
  HIPAA Regulations

5
HITECH Security Standards

• Requires Business Associates to
• Notify Covered Entity of Security Breaches
• Latest HI Tech Security Survey shows
• 50 percent organizations have experienced at
  least one data breach this year
• 57 percent of the organizations reported that
  they now have a greater level of awareness of
  data breaches and breach risk and
• 90 percent of the organizations plan to change
  policies and procedures to prevent and detect
  data breaches.

6
HITECH Security Standards

• Breach Notification
• Defines a breach
• Sets Standard Timeframes for notification
• 60 calendar days after discovery
• Notification to individuals when their PHI is
  breached
• Media Notification more than 500 patient records
  breached
• Notice to Department Health and Human Services
• Notice Letters to all involved

7
HITECH Security Standards

• Expanded Restrictions on Accounting and
  Disclosures
• Business Associates are required to provide an
  individual upon request with an accounting of
  disclosures of the information in her electronic
  health record (EHR) over the last three years
• Any organization bringing up an EMR/EHR in 2009
  will be required to be compliant by 2011

8
HITECH Security Standards

• Prohibits sale of Patient Names without
  authorization
• Restricts marketing practices to
• Free marketing if to communicate services within
  a program the individual is participating in OR
• To describe healthcare options

9
HITECH Security Standards

• Minimum Data Set
• Limits the sharing of information to data sets
  that are de-identified
• Requires the removal of Name, Address, Social
  Security Number and other key identifiers
• This is in addition to the HIPAA Privacy Rule
  Minimum Necessary
• Share only the minimum necessary amount of
  information so the next person can complete their
  work responsibilities

10
HITECH Security Standards

• History of HIPAA Enforcement
• 48,000 complaints received by Department of
  Health Human Services (HHS)
• Vast majority resolved through voluntary
  compliance or corrective action
• Handful of criminal prosecutions

11
Sanctions and Penalties

• The original HIPAA regulations held Covered
  Entities to potential sanctions and criminal
  penalties for breaches
• HITECH holds Business Associates to the same
  level of requirements as Covered Entities

12
Case Study Weve Lost Our Clients Data!

• A business associate discovers a computer
  belonging to its employee is missing. The last
  time they remember seeing it was three months
  ago.
• Where do you start?
• What should you be concerned with?

13
HIPAA Breaches

• Breaches are classified as
• Low Risk
• Medium Risk
• High Risk
• Risk is defined as potential litigation,
  confidentiality breach or compliance liability to
  the organization

14
Breach Notification

• Business Associates are required to notify HHS of
  any breaches for HHS program participants being
  managed by the provider along with what has been
  done to mitigate the risk.
• HIPAA issues can be sent to the HIPAA Privacy
  Officer at CQI_at_hhshealthoptions.org or faxed to
  616-954-1520

15
Questions

• Contact HHS via email CQI_at_hhshealthoptions.org or
  
• call 616-954-1576