The American Recovery and Reinvestment Act of 2009: Changes to HIPAA Privacy and Security Requirements - PowerPoint PPT Presentation


The American Recovery and Reinvestment Act of
2009 Changes to HIPAA Privacy and Security
Requirements And its Impact on Hospitals
Presented By Michele Madison 404-504-7621 mmad
  • Impact of HIPAA Changes
  • Review of Privacy and Security
  • Increased Penalties
  • Your Next Operational Steps
  • Notification Requirements and Preparation
  • Potential Funding Opportunities


Patient Rights
Enhanced Restrictions on Disclosures
  • PHI Disclosures (Section 13405(a))
  • HITECH Act requires CEs to comply with a
    patient's request not to use or disclose PHI if
    the disclosure
  • Would be to a health plan for carrying out
    payment or health care operations (not for
    treatment) and
  • PHI pertains solely to a health care item or
    service for which the health care provider
    involved has been paid out of pocket in full.

Minimum Necessary
  • Limited Data Set and Minimum Necessary
  • HITECH Act (Section 13405(b)) requires CEs to
    limit PHI disclosures to the extent practicable
    to the limited data set as defined under HIPAA,
    or, if more information is needed, to the
    minimum necessary to accomplish the intended
    purpose of such use, disclosure, or request.

Minimum Necessary
  • Secretary guidance on what constitutes minimum
    necessary will be issued in next 18 months
  • All the current exceptions to the existing
    minimum necessary disclosure standard, including
    disclosures made for treatment purposes and
    disclosure required by law are retained
  • This is not applicable to de-identified PHI

Accounting to Patients
  • Accounting for PHI Disclosures (Section 13405(c))
  • Covered Entities are required by HITECH to
    account for disclosures of PHI to carry out
    treatment, payment and health care operations.
  • Disclosures must be accounted for during the
    three years prior to the request if an EHR was

Accounting to Patients
  • New Regulations
  • Regulations will be promulgated concerning the
    information that should be collected about PHI
    disclosures within 6 months after adoption of the
    accounting disclosure standards
  • Regulations must balance both the privacy
    concerns of individuals and the accounting
    administrative burden
  • The Act permits CEs to provide a PHI disclosure
    accounting to the requesting patient for
    disclosure of the CE AND its BA or just the CE
    disclosures and contact information of the BA

Accounting to Patients
  • Effective Date
  • The accounting requirement effective date depends
    on when the CE received the EHR
  • For EHR received as of January 1, 2009, these
    accounting rules apply to PHI disclosures
    starting January 1, 2014
  • For EHR received after January 1, 2009, these
    accounting rules apply to disclosures starting
    the later of
  • January 1, 2011, or
  • the actual date of receipt of the EHR
  • Secretary can postpone the compliance for current
    users to 2016 and for future users to 2013, if

Sale of PHI Prohibitions
  • Sale of PHI Prohibitions
  • Receiving remuneration in exchange for any PHI of
    an individual is prohibited without obtaining a
    specific authorization from the individual
    (Section 13405(d))
  • Additional regulations will be issued within 18
    months after February 17, 2009
  • Effective for exchanges of PHI occurring 6 months
    after the date of promulgation of the final

Sale of PHI Prohibitions
  • Seven exceptions to Sale of PHI Prohibitions.
  • The sale prohibition does not apply to
  • Public Health activities as defined under HIPAA
  • Research, up to the costs of preparation and
    transmittal of PHI
  • Treatment of the individual
  • Sale, transfer, merger or consolidation of all or
    part of the Covered Entity and due diligence
  • A Business Associate's duties to a Covered Entity
    under a business associate agreement
  • Delivering a copy of the individual's PHI
    pursuant to HIPAA section 164.524 and
  • Other PHI exchanges that the Secretary deems
    similarly appropriate and necessary as
    exceptions in the new regulations

Right of Access
  • Right of Access to PHI in EHR (Section 13405(e))
  • If a CE maintains an electronic health record
    with respect to the CE must
  • produce a copy of that PHI in electronic format
    upon request of a patient
  • transmit the copy directly to an entity or person
    designated by the individual
  • But only if the patient's request is clear,
    conspicuous, and specific (45 CFR 164.524 - the
    Access of Individuals to PHI)
  • Charges cannot exceed the labor costs in
    responding to the request

Restrictions on Marketing Communications
  • Restrictions on communications of CE and BA
    marketing to potential buyers or users (Section
  • Any communication that encourages the recipient
    to purchase or use a product or service is not
    considered a health care operation unless it is
  • to describe a product or service (or payment
    therefor) that is provided by, or included in a
    plan of benefits of, the Covered Entity making
    the communication, including communications
  • the entities participating in a health care
    provider network or health plan network
  • health plan replacements or enhancements and
  • health-related products or services available
    only to a health plan enrollee that add value to,
    but are not part of, a plan of benefits

Restrictions on Marketing Communications
  • Further exceptions
  • treatment of the individual or
  • case management or care coordination for the
  • or to direct or recommend alternative treatments,
    therapies, health care providers,
  • or settings of care to the individual

Fundraising Restrictions
  • A written communication for fundraising that is a
    healthcare operation under HIPAA section 164.501
    must allow in a clear and conspicuous manner
  • the recipient to opt out to receive any
  • opting out, is to be treated as a revocation of
    authorization under section 164.508
  • Restrictions on marketing and fundraising
    communications will apply after February 17, 2010


Business Associates Expanded
Business Associate Contracts Required for Certain
  • More vendors to covered entities or business
    associates will now be deemed to be business
  • each organization that provides data
    transmission of protected health information and
    that requires access on a routine basis to such
    protected health information, such as Health
    Information Exchange Organization, Regional
    Health Information Organization, E-prescribing
    Gateway, or
  • each vendor that contracts with a covered
    entity to allow that covered entity to offer a
    personal health record to patients as part of its
    electronic health record

Application of Privacy Provisions and Penalties
to BA
  • Additional requirements that relate to privacy
    and security are now applicable to Business
  • Include provisions in Business Associate
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Civil and Criminal Penalties apply to Business

Criminal Penalties
  • Covered Entities should be aware of the
    additional Penalties and the Enforcement
  • Enhanced Criminal Penalties
  • Willful neglect standard
  • Additional funding for Enforcement Activities
  • In 3 years, the individual harmed may receive a
    of the CMP collected from the offense

Penalty Tiered Increase
  • Minimal levels of Penalties based on Intent
  • $100 - $25,000: Person did not know and would
    not have known
  • $1,000 - $100,000: Reasonable cause and not
    willful neglect
  • $10,000 - $250,000: Willful Neglect
  • $50,000 - $1,500,000: Willful neglect and not

State Attorney General
  • Permits civil actions on behalf of patients
  • May enjoin the actions and
  • Obtain damages not to exceed $25,000 annually
  • Attorneys' fees may be recovered by State

Security and Notice Requirements
  • Unsecured Protected Health Information means
    (Section 13402(h))
  • protected health information that is not
    secured through the use of a technology or
    methodology specified by the Secretary in the
    guidance issued under this section
  • Guidance issued on April 17, 2009
  • Safe Harbor from Notification if
  • 1. Use of Encryption
  • 2. Destruction
  • Comments accepted until May 21, 2009

Security and Notice Requirements
  • Obligation to notify triggers upon discovery of a
  • Discovery determined to be the first day on which
    such breach is known or should reasonably have
    been known to such entity or associate to have
  • Knowledge by any person that is an employee,
    officer or other agent of the entity or associate
  • Following discovery of a breach of unsecured
    protected health information, Covered Entity and
    Business Associate must
  • Covered Entity must notify the individual
  • Business Associate must notify the Covered Entity

Security and Notice Requirements
  • Notice to Individual must include
  • Identification of each individual whose unsecured
    protected health information has been, or is
    reasonably believed to have been accessed,
    acquired, or disclosed during such breach
  • Brief description of what happened, including the
    date of the breach and the date of discovery of
    the breach
  • Description of the types of unsecured protected
    health information that were involved
  • Steps the individual should take to protect
    themselves from potential harm resulting from the
  • Description of what the covered entity involved
    is doing to investigate the breach, to mitigate
    losses, and to protect against any further
  • Contact procedures for individuals to ask
    questions or learn additional information

Security and Notice Requirements
  • Notice to the Secretary by Covered Entities
  • For breaches impacting 500 or more individuals,
    notify the Secretary immediately
  • For breaches impacting fewer than 500
    individuals, maintain a log and notify the
    Secretary annually by submitting such log

Security and Notice Requirements Notice Process
  • Notice Timing
  • Notice must be made without unreasonable delay
    and in no case later than 60 calendar days after
    discovery of a breach
  • Delay allowed if a law enforcement official
    determines that a notification, notice or posting
    would impede a criminal investigation or cause
    damage to national security
  • Methods of Notice
  • Written notification by first class mail to
  • Substitute notice process for insufficient or out
    of date contact information
  • Media notice information for 500 individuals or
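
As an added illustration that is not part of the slides, the notification rules on the preceding slides (safe harbor, discovery date, 60-day outer limit, the 500-individual threshold, and the BA-to-CE reporting path) can be expressed as a small triage helper for an incident response playbook; the Breach fields and the sample dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Figures taken from the slides: notice no later than 60 calendar days after
# discovery; 500 or more individuals triggers media notice and immediate
# notice to the Secretary.
NOTICE_WINDOW_DAYS = 60
LARGE_BREACH_THRESHOLD = 500


@dataclass
class Breach:
    role: str                   # "covered_entity" or "business_associate"
    known_on: list              # dates on which any employee/officer/agent knew
    individuals: int            # individuals whose unsecured PHI was involved
    encrypted: bool             # secured per the Secretary's guidance (safe harbor 1)
    destroyed: bool             # PHI destroyed (safe harbor 2)
    contact_info_ok: bool       # sufficient, current contact information on file
    law_enforcement_hold: bool  # official determined notice would impede investigation


def discovery_date(b: Breach) -> date:
    """Discovery is the first day the breach was known to anyone at the entity."""
    return min(b.known_on)


def notification_plan(b: Breach) -> dict:
    """Derive the notification obligations described on the slides for one breach."""
    if b.encrypted or b.destroyed:
        # Secured PHI is not "unsecured PHI", so the notice duty is not triggered.
        return {"notify": False, "reason": "safe harbor: PHI encrypted or destroyed"}
    found = discovery_date(b)
    plan = {
        "notify": True,
        "discovery_date": found.isoformat(),
        # Outer bound only: notice is still due "without unreasonable delay".
        "deadline": (found + timedelta(days=NOTICE_WINDOW_DAYS)).isoformat(),
        "deadline_tolled": b.law_enforcement_hold,
    }
    if b.role == "business_associate":
        plan["notify_whom"] = "covered entity"   # BA reports up to the CE
        return plan
    large = b.individuals >= LARGE_BREACH_THRESHOLD
    plan["notify_whom"] = "individuals"
    plan["method"] = "first-class mail" if b.contact_info_ok else "substitute notice"
    plan["media_notice"] = large
    plan["secretary"] = "immediately" if large else "annual log submission"
    return plan


def sample_breach() -> Breach:
    # Constructed example, not a real incident: staff learn of the breach on two
    # different days, and the earlier day governs discovery.
    return Breach("covered_entity", [date(2009, 6, 10), date(2009, 6, 3)],
                  620, False, False, True, False)
```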

Health Information Technology Implementation
  • Health Information Technology Research Centers
  • technical assistance and develop best practices
    to support utilization of Health IT in
    compliance with standards, implementation
    specifications and certification criteria
  • Health Information Technology Regional Extension
  • technical assistance to disseminate best
    practices learned from Center to accelerate
    adoption of Health IT
  • affiliated with United States nonprofit
    institution or organization that applies

Health Information Technology Regional Extension
  • Regional Assistance
  • Priority (1) not for profit/CAH (2) Federally
    Qualified Health Centers (3) Rural and Uninsured
    or MUSA (4) individual or small primary care
  • Merit Review (1) ability to provide assistance
    to specific types of providers (2) types of
    services provided (3) geographic diversity (4)
    in kind support from other sources
  • Financial Support
  • Limited to Four Years
  • No more than 50% of the capital and annual
    operating and maintenance funds (unless exception
  • Draft Description of Program forthcoming 90

State Grants
  • Planning Grants and Implementation Grants
  • Goal Conduct activities to facilitate and
    expand the electronic movement and use of Health
    Information according to Nationally recognized
  • The State must match the funds from the Federal

State Grants
  • Elements
  • Must be a Qualified State Designated Entity
  • Pursued in Public Interest
  • Consistent with Strategic Plan
  • Description of How Program will be performed
  • Contain elements required by DHHS
  • 6. Require Consultation from Specific Healthcare

Competitive Grants for Loans
  • Eligible Entity State or Indian Tribe
  • Establish a Certified EHR Technology Loan Fund
  • May be used by a healthcare provider to
  • 1. Purchase certified EHR
  • 2. Enhance the utilization of EHR
  • 3. Train personnel or
  • 4. Improve secure electronic exchange
  • Effective January 1, 2010 Matching Required 1
    per 5 of Federal

Educational Institutions
  • WHEN ??
  • HOW Grants cannot be used to purchase hardware,
    software, or services
  • TO WHOM Demonstration Program Educational
  • Existing Education Programs
  • Programs to be completed in less than 6 months

Medicare Incentives
  • Incentives for Adoption and Meaningful Use of
    Certified EHR
  • paid to the Eligible Professional (physician)
  • Payment depends upon the year of use
  • (i.e. 2011-18K - 12K - 8K - 4K - 2 K)
  • Single payment or periodic payments
  • No funding if initial adoption is after 2014
  • Not apply to Hospital-Based Professionals

Meaningful Use
  • Use of certified EHR including e-prescribing
  • Information Exchange to improve healthcare (care
  • Use Certified EHR to report on clinical quality
    measures selected by DHHS
  • Demonstrate Use (1) attestation (2) submit
    claims (3) survey (4) reporting
  • Meaningful Users will be identified on CMS website

Incentives for Hospitals
  • Meaningful Use of Certified EHR
  • Information Exchange for improving healthcare
    (care coordination)
  • Reporting on Measures as selected by DHHS
  • Medicare Dis-Incentive for failure to
    meaningfully use Certified EHR
  • Amount is based upon a Hospital Specific

Thank you
  • Michele Madison
  • Partner, Healthcare Practice
  • 404.504.7621

This presentation is provided as a general
informational service to clients and friends of
Morris, Manning & Martin LLP. It should not be
construed as, and does not constitute, legal
advice on any specific matter, nor does this
message create an attorney-client relationship.
These materials may be considered Attorney
Advertising in some states. Please note, prior
results discussed in the material do not
guarantee similar outcomes.