1 / 24

HITECH ACT

HITECH ACT. Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009. HITECH ACT. Dedicates over $31 billion in stimulus funds for Healthcare Infrastructure and the adoption of Electronic Health Record (EHR). Also imposes new medical privacy requirements.

frye
Download Presentation

HITECH ACT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009

  2. HITECH ACT • Dedicates over $31 billion in stimulus funds for Healthcare Infrastructure and the adoption of Electronic Health Record (EHR). • Also imposes new medical privacy requirements.

  3. Changes to Medical Privacy Requirements • Fundamental changes in the areas of accountability, data breach notification, consumer access, and use of personal health information. • Unlike HIPAA, HITECH ACT one year for most provisions.

  4. Accountability • Imposes new levels of accountability for medical privacy. • Periodic audits by HHS to ensure compliance within the first 12 months after enactment of the new rules.

  5. Accountability • Tiered penalty structure, with fines ranging from $25,000 to $1.5 million and penalties are mandatory for cases of “willful neglect”. • All violations occurring after February 2009 enactment date are subject to the increased penalties.

  6. Accountability • Business Associates with access PHI bound by the same requirements as the Organization (Feb 2010).

  7. Accountability • Assure business associate contracts, authorizing and defining their use of the PHI shared with them. • Obligated to report the violation to appropriate authorities and discontinue the relationship.

  8. Consumer Access (Feb 2010) • Gives individuals clear access rights to their own health records, and it gives them the right to restrict disclosure of PHI if they pay the healthcare providers themselves.

  9. Use of PHI (Feb 2010) • CE’s and their business associates are also prohibited from selling PHI without explicit, documented authorization from the individual whose information is contained in the record.

  10. Breach Notification • Defined: Unauthorized acquisition, access use, or disclosure of PHI compromises the security or privacy of the data. • Unsecured PHI – Not secured through technology as: unusable, unreadable, or indecipherable to unauthorized individual • Additional guidance technology.

  11. Breach Notification • Obligation to notify all breaches that are discovered on or after September 15, 2009. • Notification within 60 days when PHI in any form or medium is breached, not just electronic records. • Breach is officially discovered on “the first day it is known to the HIPAA entity or business associate or should reasonably have been known”.

  12. Breach Notification • HIPAA covered entity that suffered the breach demonstrates required notifications were made. • Telephone notifications can be made in urgent situations. • Business Associates required to notify the covered entity including the individuals affected.

  13. Breach Notification • Breach Affecting 500 or more individuals, CE required to provide “immediate” notice to HHS. • Thus the breach notice is public. • Rule of 500 applies in a single state or jurisdiction. • Notice must be provided to prominent media outlets.

  14. Methods of Notice • Individual Notice • Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form: • Written notification by first-class mail to the individual at the last known address. • In the case of insufficient, or out-of-date contact information that precludes direct written specified by the individual under subparagraph.

  15. Media Notice • Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach of unsecured protected health information of more than 500 residents in such State, or jurisdiction.

  16. Notice to HHS Secretary • Required immediately if the breach involved 500 or more individuals. These breaches will be posted on the HHS public website including the name of the covered entity. • If the breach less than 500 individuals, the covered entity may maintain a log of any such breach occurring. • Annually submit such a log to HHS documenting breaches occurrence during the year involved.

  17. Content of Notification • Regardless of the method by which notice is provided to individuals under this section, Notice of a breach shall include, to the extent possible, the following: • A brief description of what happened, including the date of the breach and the date of the discovery of the breach. • Description of unsecured PHI, such as SSN, address, etc.

  18. Content of Notification • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address. • Time consuming, costly, overwhelming. • Potential long term damage with customers.

  19. Content of Notification • The steps the individuals should take to protect themselves from potential harm resulting from the breach. • A brief description from covered entity to investigate the breach, to mitigate losses, and to protect against any further breaches.

  20. Data Breach Response • Provide recovery services for individuals who become victims of identity crime. • Restore their medical identities to pre-theft status. • Designate an Individual, or company to manage Customer calls.

  21. Business Impacts • Inventory PHI=Risk Assessment • 70% of all organizations do not have an accurate inventory of personally identifiable information (PII) in their custody and documented. • Includes data shared with a Business Associate. • Price Waterhouse Coopers reports that 44% of data breach incidents are due to third-party handling of data.

  22. Breach Impact • Small-scale data breaches will now be obligated to notify in each instance, and to keep detailed proof of notification, causing significant effort and cost.

  23. Business Impact • Data breaches damage Businesses credibility. • Medical and Financial risks to the people whose data is lost.

  24. Questions & Answers • Clarification of the Privacy Requirements within the AARA rule in the next 12 months. • Key strategies assess PHI, including BAA’s. • Utilize appropriate Security Standards. • Staff, computer access, etc.

More Related