
Welcome!

Richard E. Nell
Nell & Associates, S.C.
RickN@nalawyers.com

Jesse A. Berg
Gray Plant Mooty
Jesse.berg@gpmlaw.com

The health care facet of our group focuses on contract drafting, review and negotiation, as well as entity formation and regulatory compliance. Our practice encompasses all of the laws and regulations affecting the business of health care, including HIPAA, Civil Monetary Penalties, EMTALA (including defense of EMTALA proceedings), the NPDB, tax-exempt issues, practice management, professional licensure and medical staff issues.

Jesse counsels health care providers on federal and state anti-kickback laws, the Stark physician self-referral law, Medicare and Medicaid reimbursement, enrollment and participation issues, HIPAA and state privacy and confidentiality matters, as well as federal and state antitrust issues. Jesse provides legal guidance to a variety of different types of health care providers.

Background on HIPAA and HITECH: Privacy and Security Regulations and the Status of HITECH Regulations

Lorman Education Services: Medical Records Law March 23, 2012

Richard E. Nell
Nell & Associates, S.C.

Jesse A. Berg
Gray Plant & Mooty

Key Changes Under HITECH

- Breach notification
- Business associates subject to the Privacy and Security Rules
- Accounting of disclosures requirements
- Access to PHI kept in an EHR
- Minimum necessary rule
- Requests for restrictions on disclosures
- Disclosures for marketing
- Fundraising
- Sale of PHI
- HHS investigations and penalties required in cases involving willful neglect
- State attorneys general authorized to sue for HIPAA violations
- Adversely affected parties can recover a percentage of civil monetary penalties or settlements

Effective Dates of Key HITECH Provisions

2009
- Feb. 17: CMPs applicable to BAs; State AG enforcement
- Aug. 24: Breach notification interim regulations published
- Sep. 23: Effective date of the breach notification regulations

2010
- Feb. 17: BA contracts required for certain entities; BA security obligations; BA privacy obligations; access to information in electronic format; requests for restrictions on PHI disclosures to plans when payment is out of pocket; conditions on certain communications as part of health care operations
- Aug. 17: Guidance on the minimum necessary rule; proposed regulations on the prohibition on sale of EHRs or PHI; criminal willful neglect regulations

2011
- Jan. 1: Accounting for EHR disclosures (if EHR acquired after 1/1/09)
- Feb. 17: Effective date for final regulations on sale of EHRs or PHI; criminal willful neglect effective
- Sep. 17

2014
- Jan. 1: Accounting for EHR disclosures (if EHR acquired as of 1/1/09)

HITECH Developments: Where Are We Now?

- HITECH Act (Feb. 17, 2009)
- Breach Notification Interim Final Rule (74 Fed. Reg. 42740, Aug. 2009); effective Sep. 23, 2009
- HITECH Enforcement Interim Final Rule (74 Fed. Reg. 56123, Oct. 2009); effective Nov. 30, 2009
- HITECH Proposed Rule (July 2010); addresses the HIPAA Privacy, Security and Enforcement Rules

Overview of Proposed Regulations

Dates:
- Published July 14, 2010 (75 Fed. Reg. 40,868)
- Deadline for submitting comments was September 13, 2010
- Unless otherwise indicated, the compliance date is 180 days after publication of the Final Rule
- Later date for revising BA contracts

Content:
- Business associates
- Enforcement
- Electronic access
- Marketing
- Fundraising
- Sale of PHI
- Right to request restrictions
- Minimum necessary
- Notice of privacy practices
- Research authorizations
- Student immunization records
- Decedent information

Modifications to Privacy, Security and Enforcement Rules

Proposed modifications included:
- Require BAs to be subject to the Security Rule and to parts of the Privacy Rule
- Written agreements between BAs and their subcontractors
- Issue of whether amendments to existing BA contracts with Covered Entities are required
- New limitations on use and disclosure of PHI for marketing and fundraising
- Individual rights (access, requesting restrictions, notice of privacy practices)
- HHS sought comment on minimum necessary guidance

Status:
- Proposed regulations (July 14, 2010); comment period closed on Sep. 13, 2010
- No final rule to date, so the proposed regulations remain nonbinding
- HHS has indicated it will issue an omnibus HIPAA rule addressing penalties, breach notification and the issues from the July 2010 proposal

HIPAA Enforcement: A Perfect Storm

Why?
- Increased regulation and greater complexity: HITECH, HIPAA and state laws
- Increasing volumes and types of information: EHRs, mobile devices and locations, social media, online treatment options
- Increasing enforcement: enhanced penalties, aggressive regulators

Accounting of Disclosures (AOD)

HITECH Act:
- Required Covered Entities to provide an accounting of disclosures from an electronic health record made to carry out treatment, payment and health care operations
- May 3, 2010: HHS issued a request for information on the HITECH AOD standard

Current rule:
- Accounting of disclosures is required in only a limited number of instances
- Accounting is not required for disclosures for treatment, payment or health care operations

Under HITECH, CEs and BAs will need to account for TPO disclosures if they use an EHR:
- CEs that had an EHR before 1/1/09: not bound until 1/1/14
- CEs that acquire an EHR after 1/1/09: bound on 1/1/11
- Applies to the 3 years prior to the date on which the accounting is requested
- HHS can postpone the compliance dates for two years

Proposed AOD Regulations

- Issued May 31, 2011; comments accepted through Aug. 1, 2011
- 76 Fed. Reg. 31426 (May 31, 2011)

Key components:
- Created a broad new access report right
- Limited the current AOD right

Effective dates:
- Access reports: 1/1/13 or 1/1/14
- AOD requirement: 240 days after the final regulations are published

Right to AOD

- Scope of information subject to the accounting is information in the designated record set (DRS)
- Proposal would require the CE to include the disclosures of its BAs in the accounting
- Reduces the accounting period to disclosures occurring during the previous 3 years, rather than 6 years

Provides a list of the types of disclosures subject to the accounting:
- Public health
- Judicial and administrative proceedings
- Law enforcement
- To avert a threat to health or safety
- Military and veterans activities
- Department of State
- Government programs providing public benefits
- Workers' compensation
- Impermissible disclosures, unless the disclosure constitutes a breach

Modifies elements of the existing content requirements:
- An explanation of the type of PHI disclosed, instead of a brief description of the PHI disclosed
- A description of the purpose, instead of a statement of the purpose, to clarify that only a minimal description is required if it reasonably informs the individual of the purpose
- Gives individuals the option to limit their accounting to a particular time period, type of disclosure or recipient

Access Report

- Covered entities required to provide an individual with an access report identifying who has accessed the individual's electronic designated record set information
- The access report right does not extend to paper records

Two major differences from the HITECH Act statutory provisions:
- Provides an individual with the right to be informed of all persons who have accessed their record, regardless of whether the information was actually disclosed to someone outside of the entity's workforce
- Creates a new right to receive an access report with respect to the designated record set maintained by all covered entities, regardless of whether those entities have implemented EHRs (HITECH itself provided only for accounting of disclosures from EHRs)

HHS position:
- The new access right would not impose an unreasonable burden on covered entities
- Under the HIPAA Security Rule, electronic systems holding designated record set information should already be creating access logs with sufficient information to produce an access report

The report must include the following elements:
- Date of the access
- Time of the access
- Name of the individual, if available, or otherwise the name of the entity that accessed the information
- Description of what information was accessed, if available
- Description of the action by the user, if available

Electronic DRS information will often reside on a number of distinct systems with separate access logs. HHS expects covered entities to aggregate that data into a single access report.

- 30-day timeline for providing the access report
- Within the 30-day period, a covered entity would also need to include the access logs of its business associates that create, receive, maintain or transmit electronic designated record set information
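The aggregation HHS describes above, as an added example that is not part of the presentation and not code from HHS or from any EHR vendor: three constructed log formats (an EHR audit log in CSV, a billing system's JSON lines that name a department rather than a person, and a business associate's pipe-delimited log that records neither time of day nor the action taken) are parsed into one event type, filtered to a single patient and to the three-year look-back the proposal uses, and rendered as the five report elements, with "not available" wherever a source log lacks an element. All system names, user names, field names, patient identifiers and the request date are assumptions made for the example.

```python
"""Aggregate per-system access logs into one patient access report.

Added illustration for the access-report proposal discussed above; it is
not code from the presentation, from HHS or from any EHR vendor. The three
log formats, the system and user names and the patient identifiers are
constructed for the example; real audit logs differ by vendor.
"""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    patient: str
    on: date
    at: datetime | None      # None when the source log records no time of day
    source: str              # system (or business associate) the log came from
    user: str                # person's name if available, otherwise the entity
    information: str | None  # what was accessed, if the source records it
    action: str | None       # what the user did, if the source records it


def _iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_ehr_csv(text: str) -> list[AccessEvent]:
    """EHR audit log (constructed format): CSV with timestamps and user names."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = _iso(row["timestamp"])
        events.append(AccessEvent(row["patient_id"], ts.date(), ts, "EHR",
                                  row["user_name"], row["section"], row["action"]))
    return events


def parse_billing_jsonl(text: str) -> list[AccessEvent]:
    """Billing system (constructed format): JSON lines naming a department."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        ts = _iso(rec["ts"])
        events.append(AccessEvent(rec["mrn"], ts.date(), ts, "Billing",
                                  rec["entity"], rec.get("record"), rec.get("op")))
    return events


def parse_ba_pipe(text: str) -> list[AccessEvent]:
    """Business associate log (constructed format): date only, no action field."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        day, entity, mrn, info = line.split("|")
        events.append(AccessEvent(mrn, date.fromisoformat(day), None,
                                  "BA:" + entity, entity, info, None))
    return events


def build_access_report(patient: str, events: list[AccessEvent],
                        requested_on: date, years: int = 3) -> list[dict]:
    """One row per access to this patient's electronic DRS information, oldest
    first, within the look-back window ending on the request date. Elements a
    source log lacks are reported as "not available" rather than dropped."""
    start = requested_on - timedelta(days=365 * years)
    selected = [e for e in events
                if e.patient == patient and start <= e.on <= requested_on]
    selected.sort(key=lambda e: (e.on, e.at.isoformat() if e.at else ""))
    return [{
        "date": e.on.isoformat(),
        "time": e.at.strftime("%H:%M:%S") if e.at else "not available",
        "user": e.user,
        "information": e.information or "not available",
        "action": e.action or "not available",
        "source": e.source,
    } for e in selected]


# Constructed sample logs. The 2008 EHR entry falls outside a three-year
# window measured from the constructed request date below and is excluded.
EHR_LOG = """timestamp,user_name,patient_id,section,action
2012-03-01T14:05:00Z,Dr. A. Smith,MRN-1001,Problem list,view
2012-03-01T14:06:30Z,Dr. A. Smith,MRN-1001,Medication list,update
2012-03-02T09:15:00Z,Nurse B. Jones,MRN-2002,Vitals,view
2008-06-10T10:00:00Z,Dr. C. Lee,MRN-1001,Lab results,view
"""
BILLING_LOG = ('{"ts": "2012-03-03T11:00:00Z", "entity": "Billing Department", '
               '"mrn": "MRN-1001", "record": "Claim 5566", "op": "print"}\n')
BA_LOG = "2012-03-04|ClaimsCo|MRN-1001|Remittance advice\n"


def demo_report(patient: str = "MRN-1001") -> list[dict]:
    """Report for one patient, requested on 2012-03-23 (constructed date)."""
    events = (parse_ehr_csv(EHR_LOG) + parse_billing_jsonl(BILLING_LOG)
              + parse_ba_pipe(BA_LOG))
    return build_access_report(patient, events, date(2012, 3, 23))


if __name__ == "__main__":
    for row in demo_report():
        print(" | ".join(f"{k}={v}" for k, v in row.items()))
```

The point of normalising into one event type before filtering is that the business associate's log, which has to be folded into the same 30-day response, arrives in a different shape and with fewer elements; carrying an explicit "not available" through to the report makes the gap auditable instead of letting it look like the access never happened.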

Access Report

- The covered entity would need to provide an individual with a notice of privacy practices that contains a statement of the individual's right to receive both an accounting of disclosures of PHI and an access report
- Because the access report requirement is new, it would require an amendment to existing privacy notices
- Other changes to the NPP as the HITECH regulations are finalized?

Right to AOD

Provision of an accounting of disclosures:
- Timeframe for responding to an accounting request decreased to 30 days
- Must provide individuals with the accounting in the form (e.g., paper or electronic) and format (i.e., compatible with a specific software application) requested by the individual, if readily producible
- May require the individual to submit the accounting request in writing (which includes electronic requests), provided the covered entity informs individuals of this requirement

Problems with Proposed Regulations

- HHS recognizes that EHRs do not have the technical capacity to allow HITECH accountings
- HHS believes the HIPAA Security Rule already requires all access report information to be tracked
- A fundamental rethinking of the regulators' interpretation of the Security Rule?
- Is this a reasonable burden to place on covered entities?
- What is the patient interest being advanced?

Minimum Necessary

- HITECH section 13405(b): a covered entity must limit PHI, to the extent practicable, to a limited data set or, if necessary, to the minimum necessary
- HHS to issue guidance on what constitutes minimum necessary (at which time the provision sunsets)
- HHS asked for comment on what guidance would be helpful to covered entities and BAs
- No change to the current regulation

Electronic Access to PHI

For ePHI, the covered entity must provide electronic access:
- In the form and format requested by the individual, if readily producible; otherwise
- In a readable electronic form and format as agreed to by the CE and the individual

Must provide a copy to the individual's designee:
- The request must be in writing
- It must clearly identify the designated person

The covered entity may charge for:
- Labor: time attributable to reviewing the request and producing the copy
- Cost of electronic media: CD, USB drive, or similar portable media/device
- Cannot charge for access through a portal, e-mail, or PHR

A BA must provide PHI to the covered entity, the individual, or the individual's designee as set forth in the BA agreement

MARKETING

- Current rule: certain marketing-type activities are exempted from the definition of marketing and are treated as part of treatment or health care operations
- Under HITECH, authorization is required for such communications if the CE receives direct or indirect payment in connection with the communication
- Effective Feb. 17, 2010

HITECH Audit Program

- HITECH required HHS to conduct periodic audits of Covered Entities and Business Associates
- Two contracts (June and July 2011) with Booz Allen Hamilton and KPMG to carry out the audits: Booz Allen to identify audit candidate information; KPMG to develop the audit protocol and conduct the audits
- Audits to conclude by Dec. 31, 2012

Audits to include:
- Site visit (interviews with the CIO, legal counsel, HIM/medical records director, other leaders)
- Examination of physical features, operations and adherence to policies

Audit report:
- Best practices noted; instances of noncompliance
- Raw data (completed checklists, interview notes)
- Recommendations for actions to address compliance problems
- Recommendations to HHS for corrective action

Right to Request Restrictions

A covered entity must agree to an individual's request to restrict disclosure of PHI to a health plan if:
- The PHI pertains solely to health care for which the individual (or a person on behalf of the individual other than the health plan) has paid the covered entity in full out of pocket; and
- The disclosure is for payment or health care operations purposes and is not required by other law

- The covered entity cannot require the individual to pay out of pocket for all services if the individual wishes to restrict disclosures regarding only certain services
- If the individual's payment is not honored, and the payment issue cannot otherwise be resolved with the individual, the covered entity may submit the PHI to the health plan for payment
- HHS asked for public comment on various operational issues

Notice of Privacy Practices

Changes to NPPs:
- Statement regarding sale of PHI and other purposes that require authorization
- Statement regarding subsidized treatment communications, if applicable, and that the individual can opt out
- Statement regarding fundraising communications, including that the individual can opt out
- Statement that the covered entity must agree to restrict disclosure to a health plan if the individual pays out of pocket in full for a health care service

HHS requested comment:
- Include a specific statement on breach notification?
- Options for health plans to distribute the revised NPP: in the next annual mailing to enrollees; extension or waiver of the current 60-day deadline; retain the 60-day deadline; others?

Research Authorizations

- A covered entity can use one authorization form for use and disclosure of PHI in a clinical trial and for PHI to be placed into a repository (biospecimen storage)
- Requested comment on the amount of specificity about future research uses needed in an authorization
- Do authorizations have to be research-specific?

Student Immunization Records

- A covered entity may disclose proof of a child's immunization to schools in States with school entry laws
- Written authorization not required; a prior oral or written agreement from the parent is needed

Decedent Information

- A decedent's information is no longer PHI after a 50-year period; request for comment on the 50-year proposal
- A covered entity may disclose a decedent's PHI to family members and others who were involved in the care of, or payment for the care of, the decedent prior to death, unless inconsistent with the decedent's prior expressed preference

Future HHS/OCR HITECH Activities

- Accounting of Disclosures Final Rule
- Reports to Congress on Compliance, Breach Notification
- HIPAA Audit Program
- State Attorneys General Enforcement
- Minimum Necessary Guidance
- De-identification Guidance
- Final Rules on HITECH, Breach Notification, Enforcement

Overview of HIPAA Privacy Rule: Application, Patient Access Rights and Restrictions

The Privacy Rule and State Law

- The Privacy Rule does not preempt state law where the provision of state law relates to the privacy of health information and is contrary to and more stringent than a provision of the Privacy Rule

The Privacy Rule also does not preempt:
- State laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention
- State laws that require a health plan to report, or to provide access to information, for the purpose of management or financial audits, program monitoring and evaluation, licensing, and related issues
- Laws that the Secretary of HHS has determined should not be preempted

Covered Entities

- Health plans (including group health plans)
- Health care clearinghouses
- Health care providers who engage in electronic transactions

Health Plans

An individual or group plan that pays for the cost of medical care, including:
- Health insurance issuer
- HMO
- Medicare
- Medicaid
- Medicare supplement policy
- Long-term care policies (excluding nursing home fixed indemnity)
- Employee welfare benefit plan
- Health care program for active military
- Veterans health program
- CHAMPUS
- Indian Health Service program
- Federal Employees Health Benefits Program
- SCHIP
- Medicare+Choice
- High risk pool
- Any other individual or group plan, or combination, that pays for the cost of medical care

Excluded from health plans:
- A policy, plan, or program to the extent it provides or pays for benefits excepted under the PHS Act
- A government-funded program (other than those listed) whose principal purpose is other than providing or paying for health care, or whose principal activity is the direct provision of health care or the making of grants to fund it
- Workers' compensation, automobile, property and casualty insurance

Group Health Plans

- How most employers get pulled into HIPAA
- Employee welfare benefit plan (ERISA); possibly includes flex plans and FSAs
- Insured and self-insured plans, to the extent the plan provides medical care to employees or participants
- 50 or more participants, or administered by a third party

Health Care Clearinghouse

A public or private entity, including a billing service, a community health management information system, or a community health information system, that does either of the following:
- Processes health information received from another entity in a non-standard format, or containing non-standard data content, into standard data elements or a standard transaction; or
- Vice versa: receives a standard transaction and processes it into non-standard format or content for the receiving entity

Health Care Provider

- Provider of services
- Provider of medical or health services
- Provider of health care

Provider of services:
- Hospital
- Critical access hospital
- Skilled nursing facility
- Outpatient rehab facility
- Home health agency
- Hospice program

Provider of medical services:
- Physician services
- Hospital services
- Diagnostic services
- Outpatient PT services
- Outpatient OT services
- Rural health clinic services
- Home dialysis supplies and equipment
- Self-care home dialysis support services
- Physician assistant services
- Nurse practitioner services
- Certified nurse midwife services
- Psychological services
- Clinical social worker services
- X-ray services
- DME
- Ambulance services
- Prosthetic devices
- Certified nurse anesthetist services
- Other services which, if provided by a physician, would be considered physician services

Only health care providers who transmit health information in electronic form in connection with a transaction are covered. "Electronic" does not include facsimile.

A transaction means a transmission between two parties to carry out financial or administrative activities, and includes:
- Health care claims
- Health care payment and remittance advice
- Coordination of benefits
- Enrollment and disenrollment
- Referral certification

HIPAA and Employers

- Only certain health care providers, health plans, and health care clearinghouses are covered entities
- Employers are not generally covered unless they fall under the above definitions
- Caveat: medical information provided to employers and to employer-sponsored group health plans

What Is Covered: Protected Health Information (PHI)

Individually identifiable health information that is:
- Transmitted by electronic media
- Maintained in electronic media
- Transmitted or maintained in ANY OTHER FORM or medium

Individually identifiable health information:
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for health care to an individual; and
- Identifies the individual, or could reasonably be used to identify the individual

PHI excludes:
- Education records under FERPA
- Certain other records defined under FERPA
- Employment records held by a covered entity in its capacity as employer

Employment Records and PHI

- The definition of PHI specifically excludes employment records held by a covered entity in its role as employer (45 C.F.R. 160.103)
- Example: drug testing or fitness-for-duty results must be provided to the CE in its capacity as employer; if the CE is itself conducting the testing as a provider, it must obtain an authorization to transmit the results to HR
- Example: professional sports teams' player information

Personal Rights: Overview

- Covered entities must grant certain rights to individuals
- Informational forms, and means of access and accounting

Notice of Privacy Practices

- A covered entity must provide notice of its uses and disclosures of PHI
- Not directly applicable to group health plans
- Not applicable to inmates or correctional facilities

Content:
- Written in plain language
- No prescribed font size

Elements:
- Header: prominent, in all capital letters
- Description of uses and disclosures: TPO; other purposes without authorization; must reflect more stringent state law; those disclosures requiring authorization; right to revoke an authorization
- Specific uses or disclosures: appointment reminders; treatment alternatives; fundraising; group plan disclosure to the plan sponsor; marketing, per the restrictions; health-related benefits/communications
- Individual rights: right to request restrictions; right to receive confidential communications; right to access; right to amend; right to an accounting; right to a copy of the notice
- Covered entity's duties: required by law to maintain confidentiality; required to abide by the notice; may only change privacy practices through a revised notice
- Complaint process: internal and DHHS
- Contact: privacy officer
- Effective date

Optional elements:
- The covered entity may further restrict its own use or disclosure, but cannot restrict legally required disclosures

Revision:
- The covered entity must promptly revise and distribute the notice if there is a material change

Providing notice, health plans:
- No later than the compliance date
- To new enrollees at the time of enrollment
- Within 60 days of a material revision
- At least once every three years, notify individuals of the notice's availability
- May be provided to the named insured only

Providing notice, health care providers (direct treatment relationship):
- No later than the date of first service delivery on or after April 14, 2003
- In an emergency, may provide as soon as reasonably practicable
- Good-faith effort to obtain written acknowledgment of receipt (non-emergency); document failed attempts

Electronic notice:
- If the covered entity maintains a website, it must post the notice there
- If the individual agrees to electronic notice, it may be provided via e-mail
- If e-mail delivery fails, or if the individual requests one, a paper copy must be provided
- The good-faith effort must be documented

Joint notice:
- Entities in an organized health care arrangement (OHCA) may use a joint notice
- All covered entities in the OHCA must abide by the joint notice
- Contains the elements listed above, and states that the entities in the OHCA may share PHI
- Provision of the joint notice by any one entity in the OHCA satisfies the requirement for the others
- Entities must document compliance

Changes to privacy practices:
- The notice must be revised and the revised notice made available to individuals
- No change may be implemented prior to the effective date of the revised notice
- If the covered entity has not reserved the right to change its practices, it is bound by the notice for all PHI received while that notice was in effect, and it may change only if the change meets the requirements above and the change is effective only as to PHI created or received after the effective date of the new notice

ACCESS TO PHI

Effective Feb. 17, 2010, a CE that maintains an EHR is required:
- To produce a copy of the PHI in electronic format upon the individual's request
- To transmit an electronic copy directly to an entity designated by the individual, if the request is clear and specific
- Fees for this may not be greater than the CE's labor costs in responding to the request for the copy

Access to PHI

- The individual has a right of access to, and inspection of, the designated record set
- No right to psychotherapy notes, information compiled for a legal proceeding, or information exempt under CLIA
- May deny without review: for the above; for an inmate; during research; under the Privacy Act; or if the information was obtained from another party under a promise of confidentiality

Right of Access

- Must provide review of a denial if access is refused due to endangerment, because the record references another person, or because access by a personal representative would be a danger
- Respond to a request within 30 days, plus one 30-day extension
- If reasonable, must be provided in the requested format, or as a summary if acceptable; cost-based fee

Denial of Access

- Provide access to the non-objectionable PHI
- Written denial, in plain language, stating the basis and the complaint process
- Notify the individual of the location of the PHI if it is not held by the covered entity

Right to Amendment

- The individual may request amendment of PHI
- The covered entity may deny if the record is not its own, is not available for access, or is accurate and complete
- The covered entity may require that the request be in writing and provide a reason
- 60-day time limit, plus one 30-day extension

Acceptance of Amendment

- The covered entity must amend/append the record
- The covered entity must notify the individual
- The covered entity must notify third parties and business associates of the amendment

Denial of Amendment

- Must provide the individual with a written denial
- Provide the individual the right to submit a statement of disagreement
- Copies sent out to third parties
- The covered entity may submit a rebuttal statement

Current Accounting of Disclosures Rule

- The individual has the right to receive an accounting of disclosures of PHI by a covered entity or its business associate for up to 6 years prior to the request
- CEs and BAs are required to track the PHI disclosures that fall under the accounting rule: date; name of the recipient of the PHI (address, if available); brief description of the PHI; purpose of the disclosure

No tracking required:
- For treatment
- For payment
- For health care operations
- Incidental to permitted disclosures
- Disclosures under an authorization
- For the facility's directory
- To persons involved in the individual's care
- For national security or intelligence purposes
- To law enforcement officials or correctional institutions about an inmate
- As part of a limited data set, or information that has been de-identified
- Made prior to April 14, 2003
- Made more than 6 years prior to the date of the request

Tracking required:
- To the Secretary of DHHS
- Required by law (e.g., mandated reporting under state law)
- For public health activities/reporting
- About victims of abuse, neglect or domestic violence
- For health oversight activities (e.g., licensure actions)
- In response to a court order
- In response to a subpoena or discovery request
- For law enforcement
- To a medical examiner or funeral director, or for cadaveric organ donation
- For research where authorization is not required

Suspension of Accounting

- Temporarily suspend the accounting if a health oversight agency or law enforcement official provides a statement
- If in writing, for as long as specified; if oral, for 30 days

Providing the Accounting

- Date of the disclosure
- Name of the party receiving the PHI
- Description of the PHI
- Brief statement of the purpose of the disclosure, or a copy of the request
- 60-day time limit, plus one 30-day extension

Request for Restriction on Use or Disclosure of PHI

- The individual may request restrictions on any aspect of use or disclosure
- The covered entity need not comply with the request
- If it agrees, it may not disclose except in an emergency; even then, it must obtain assurance from the recipient that the recipient will not further disclose
- Not a bar to disclosures for the facility directory (unless the individual otherwise objects) or to other legally required disclosures
- May terminate the restriction orally if documented; the termination is effective only as to PHI created or received after the individual is informed

RESTRICTIONS ON DISCLOSURES

Effective Feb. 17, 2010, a CE must agree to a requested restriction on disclosure of PHI if:
- The disclosure is to a health plan for purposes of carrying out payment or health care operations; and
- The PHI pertains solely to an item or service for which the provider involved was paid out of pocket in full

Uses and Disclosures of PHI Including Authorization, Business Associates, and Other Key Components

Uses or Disclosures

Use and disclosure for treatment, payment, and health care operations (TPO):
- A covered entity generally may use and disclose PHI for TPO
- Consent is no longer required; the notice of privacy practices takes its place
- Treatment: use or disclose to any provider
- Payment: use or disclose the minimum necessary to another covered entity or health care provider for its payment activities

Health care operations:
- Quality assurance activities: quality assessment and guidelines, case management
- Professional competency activities: accreditation, credentialing, licensing
- Insurance activities: underwriting, premium rating
- Compliance activities: fraud and abuse compliance
- Business activities: legal, auditing, business planning, sale of a practice

De-identified information:
- Not PHI
- Expert determination: a qualified individual may determine statistically that the information is not identifiable and document a professional conclusion to that effect

De-identified information, safe harbor (remove the following identifiers):
- Names
- Geographic subdivisions
- Dates
- Telephone numbers
- Facsimile numbers
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Health plan numbers
- Account numbers
- License numbers
- Vehicle identifiers
- Device identifiers
- URLs
- Internet (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full-face photographs
- Etc.
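A safe-harbor style redaction of a patient record, as an added example that is not part of the presentation and not HHS code: keyed fields for the identifier categories listed above are dropped, dates are reduced to the year, ZIP codes are truncated to three digits, and ages over 89 are reported as "90 or older" (the date, ZIP and age treatment is as the Privacy Rule's safe harbor at 45 C.F.R. 164.514(b) states it); a regex pass then reports identifiers that survive in free text, which removing keyed fields never catches. The field names, the sample record and the regular expressions are constructed for the example, and the set of low-population three-digit ZIP prefixes that the safe harbor requires to be reported as 000 is left empty rather than guessed.

```python
"""Safe-harbor style de-identification of a record, plus a residual check.

Added illustration for the safe-harbor list above; not code from the
presentation or from HHS. The field names and the sample record are
constructed. Keyed fields map to the identifier categories on the slides;
the date, ZIP and age handling follows the safe harbor as written in the
Privacy Rule (dates reduced to year, ZIP to three digits, ages over 89
reported as "90 or older"). The set of low-population ZIP prefixes that
must be reported as 000 comes from census data and is left empty here.
"""
import re
from datetime import date

# Keyed fields removed outright (constructed names for the slide's categories).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vin",
    "device_serial", "url", "ip", "fingerprint_template", "photo",
})
# Date fields reduced to the year alone.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date"})

# Patterns for identifiers that hide in free text after keyed fields are gone.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def _age(dob: date, as_of: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify(record: dict, as_of: date,
               low_population_zip3: frozenset = frozenset()) -> dict:
    """Return a copy of `record` with the safe-harbor identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key + "_year"] = date.fromisoformat(value).year
        elif key == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in low_population_zip3 else zip3
        else:
            out[key] = value
    if "dob" in record:
        age = _age(date.fromisoformat(record["dob"]), as_of)
        if age > 89:
            # Over 89: the birth year alone would reveal the age, so drop it too.
            out.pop("dob_year", None)
            out["age"] = "90 or older"
        else:
            out["age"] = age
    return out


def residual_identifiers(record: dict) -> dict:
    """Map field name -> list of 'pattern:match' for identifiers still present."""
    hits = {}
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for name, pattern in RESIDUAL_PATTERNS.items():
            for match in pattern.findall(value):
                hits.setdefault(key, []).append(f"{name}:{match}")
    return hits


# Constructed sample record; the free-text note carries a phone number that
# no keyed-field rule removes, which is what the residual check is for.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-1001", "ssn": "123-45-6789",
    "dob": "1919-11-02", "address": "12 Example St", "city": "Springfield",
    "state": "MN", "zip": "55401", "phone": "612-555-0100",
    "email": "jane@example.com", "admit_date": "2012-02-10",
    "discharge_date": "2012-02-14", "diagnosis": "J18.9",
    "notes": "Daughter can be reached at 612-555-0199.",
}


def demo() -> tuple:
    """De-identify the sample as of 2012-03-23 and run the residual check."""
    clean = deidentify(SAMPLE_RECORD, date(2012, 3, 23))
    return clean, residual_identifiers(clean)


if __name__ == "__main__":
    clean, leftovers = demo()
    print(clean)
    print("residual identifiers:", leftovers)
```

The residual pass is the part worth keeping in any real pipeline: a record can satisfy every keyed-field rule and still carry a phone number, a date or an e-mail address inside a clinical note, and the safe harbor offers no protection for information that is still there.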

PROHIBITION ON SALE OF PHI

- Effective Feb. 2011, HITECH prohibits CEs and BAs from receiving ANY payment for PHI unless the individual signs an authorization
- Limited exceptions exist: transfer in connection with the sale or merger of a CE; transfer for treatment, public health or research activities; providing individuals with a copy of their PHI
- HHS to issue regulations by Aug. 2010

Sale of PHI (proposed rule)

- A covered entity is prohibited from disclosing PHI (without individual authorization) in exchange for remuneration
- If an authorization is obtained, it must state that the disclosure will result in remuneration

Exceptions:
- Public health
- Research, if the remuneration is limited to the cost to prepare and transmit the PHI
- Treatment and payment
- Sale of business
- Remuneration to a BA for services rendered
- Providing access or an accounting to the individual
- Disclosure required by law
- Where the only remuneration received for an otherwise permitted disclosure is a reasonable, cost-based fee to prepare and transmit the PHI, or a fee otherwise expressly permitted by other law

Authorization

Elements:
- Meaningful description of the PHI
- Identify the entities or class of persons disclosing
- Identify the entities or class of persons receiving
- Purpose
- Expiration date or event
- Individual's rights, including revocation
- If for marketing, a statement that remuneration is involved
- Dated and signed

Conditioning:
- Typically cannot condition treatment upon execution
- Allowed to condition if the service is for a third party (fitness for duty, etc.)
- A health plan may condition enrollment on an authorization for underwriting or risk rating
- A provider may condition research-related treatment on an authorization for the research

Authorization is required for:
- Psychotherapy notes
- Marketing
- Research (typically)
- Any use or disclosure not addressed by the Rule

Use and Disclosure of PHI


Overview
Use
Sharing, Employment, Application, Utilization, Examination, or Analysis of PHI Within the Covered Entity

Disclosure
Release, Transfer, Provision of Access to, or Divulging PHI In Any Manner Outside Covered Entity

104

Use and Disclosure of PHI


Mandatory Disclosures
CE Must Disclose to Individual or Personal Representative CE Must Disclose to DHHS for Investigation

105

Other Uses or Disclosures Requiring Opportunity to Object Covered Entity may Use or Disclose PHI in Limited Situations Based Upon Informal Permission Disclose to Family Members, Relatives, Individuals Identified Who Are Involved in Care or Treatment Use or Disclose for Facility Directory to Anyone Asking for by Name, Clergy

106

Opportunity to Object
Permission in Advance
No Documentation Required
If Emergency, May Disclose to Those Involved in Care, if Professional Judgment Exercised
Covered Entity May Release X-Rays, Rxs, Supplies to Person Acting on Individual's Behalf, if Professional Judgment Exercised

Other Uses or Disclosures Without Opportunity to Object
Covered Entity Must Verify Identity of Requester and Authority
Where Required by Law
Public Health Activities
Reporting Disease
Reporting Vital Statistics
Reporting to FDA
Reporting to Employer
Reporting Communicable Diseases

Disclosures Without Objection
Victims of Abuse, Neglect, or Domestic Violence
Reasonably Believes and Required/Allowed by Law
No Consent or Notification From/to Individual if Danger
Notice to Personal Representative Unless Harm

Disclosures Without Objection
Health Oversight Activities
Audits
Civil or Criminal Investigations
Not Where Individual's Health is at Issue

Disclosures Without Objection
Law Enforcement
Where Required by Law
Information Must be Relevant
Minimum Necessary Disclosed

Disclosures Without Objection
Decedents
Disclose to Coroners, Medical Examiners, and Funeral Directors to Carry out Duties

Organ, Eye, or Tissue Donation
Use or Disclose PHI to Procurement Organizations

Disclosures Without Objection
Research Purposes
Must Satisfy Conditions With Respect to IRB Waiver

To Avert Serious Threat to Public
Certain Specialized Governmental Functions: National Security, VA, Military, Secret Service
Workers' Compensation Act

Disclosures to Attorneys
Subpoenas
Notice and Opportunity to Object or Move for Qualified Protective Order (QPO)
QPO Not a Good Choice
Would Appear to Require Return or Destruction
No "Not Feasible" Language in the Order

Subpoenas
Proposed Procedure
Notice Letter to Patient/Patient's Attorney
Allow for Reasonable Time (14 Days) to File Objection
Dispute Over Notice to Attorney Only?

Upon Conclusion of Time Period, Send Subpoena, Copy of Notice Letter, and Cover Letter to Covered Entity
One Package, Not Waiting on Objections

Subpoena - Guidance
A Copy of the Subpoena (or Other Lawful Process) is Sufficient When, On Its Face, It Meets the Requirements of 45 CFR 164.512(e)(1)(iii), Such as Demonstrating the Individual Who is the Subject of the PHI is a Party to the Litigation, Notice of the Request has Been Provided to the Individual or His or Her Attorney, and the Time for Objections has Elapsed and No Objections Were Filed or All Objections Have Been Resolved. When These Requirements are Evident on the Face of the Request, No Additional Documentation is Required.
Source: HHS FAQ #708

Incidental Uses or Disclosures
Where Covered Entity has Engaged in Reasonable Efforts to Safeguard PHI
Minimum Necessary Utilized for Uses and Disclosures of PHI
Unintentional or Incidental Uses or Disclosures Not a Violation
Byproduct of Otherwise Permissible Action

Minimum Necessary Rule
Current rule: With certain exceptions, a CE must limit uses and disclosures of PHI to the minimum necessary information for the purpose of the disclosure
By Aug. 17, 2010, new regulations defining minimum necessary PHI
Until that time, CE should limit PHI, to the extent practicable, to the limited data set
Limited data set excludes names, addresses, phone and fax numbers, email, social security and medical record numbers, and nine other identifiers

Minimum Necessary
Must Use or Disclose the Minimum Necessary PHI to Carry Out Task
Specifically Restricted From Using Entire Medical Record
May Reasonably Rely Upon Statement of Professional or Law Enforcement
Internally, Restrict Access Role-Based

Minimum Necessary
Exceptions
Treatment
Authorization
To the Individual
To DHHS
Where Required by Law, Including HIPAA

Law Enforcement
Disclosure for law enforcement purpose to law enforcement official
As required by law; reporting of wounds/injuries
To comply with a court order or court-ordered warrant, a subpoena or summons
In response to a grand jury subpoena
To respond to an administrative request
Only Minimum Necessary

Law Enforcement Official
Definition of Law Enforcement Official
Officer or employee of US, State, Tribe, or political subdivision
Empowered by law to investigate or prosecute, or to conduct criminal, civil, or administrative proceeding

If requesting official unknown, Covered Entity must identify and verify authority of official
CE may reasonably rely upon official's representation that minimum necessary requested

Required by Law
To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i))
Example: state laws commonly require providers to report gunshot or stab wounds, or other violent injuries
Required by law
Mandate contained in law compelling disclosure which is enforceable in a court of law

Process
Court order, court-ordered warrant, or a subpoena or summons issued by a judicial officer (45 CFR 164.512(f)(1)(ii)(A))
The Rule recognizes the legal process in obtaining a court order protects the PHI
Judicial Officer
Preamble originally required finding
Term is not defined; look to state law?
Appears to be different than court

Grand Jury Subpoena
To comply with a grand jury subpoena (45 CFR 164.512(f)(1)(ii)(B))
State or Federal Grand Jury
The Rule recognizes that the secrecy of the grand jury process provides protections for the individual's PHI

Administrative Request
To respond to an administrative request, such as an administrative subpoena or summons, civil or authorized investigative demand or similar process authorized under law (45 CFR 164.512(f)(1)(ii)(C))
May be without judicial involvement
Must provide that:
PHI is relevant and material,
PHI is specific and limited in scope, and
De-identified information not sufficient

Identification and Location
Disclosure of limited information in response to request of law enforcement official for purpose of identifying or locating a suspect, fugitive, material witness, or missing person (45 CFR 164.512(f)(2))
Only if requested
Request may be oral or written
Includes person acting on behalf of law enforcement
E.g., media making announcement seeking public's assistance in identifying suspect, or Wanted Poster

Limited Information
Limited information to be disclosed:
Name and address
Date and place of birth
Social Security number
ABO blood type and Rh factor
Type of injury
Date and time of treatment
Date and time of death
Distinguishing physical characteristics
Height, weight, gender, race, hair and eye color, facial hair, scars, and tattoos

Information Not to be Disclosed
Except as otherwise permitted, following information not to be disclosed; PHI relating to:
DNA or DNA analysis
Dental records
Typing, samples, or analysis of body fluids or tissue

Victims of Crime
Disclosure of PHI in response to law enforcement official's request for information about victim or suspected victim of crime (45 CFR 164.512(f)(3))
Only if individual agrees
Agreement may be oral or written

If unable to obtain agreement, other factors must be satisfied

Victims of Crime
Disclosure if individual agrees, or
Lack of agreement due to incapacity or emergency, and:
Law enforcement official represents PHI is needed to determine if violation of law by person other than victim, and not intended to be used against victim;
Law enforcement official represents that immediate action depends upon disclosure and would be materially and adversely impacted if waited; and
Disclosure is in the best interests of individual in professional judgment

Workforce Victims
No violation if workforce member who is the victim of a criminal act discloses PHI to a law enforcement official (45 CFR 164.502(j)(2))
PHI is about the suspected perpetrator
Only limited information (name, address, SSN, date of treatment, etc.)
Crime does not need to occur on premises

Other Provisions on Victims
Child abuse victims or adult victims of abuse, neglect or domestic violence: other provisions apply
Child abuse or neglect reported to law enforcement official authorized by law to receive such reports; agreement of individual is not required (45 CFR 164.512(b)(1)(ii))

Business Associates
Historically not Covered Directly by HIPAA
Third Parties Who Use or Disclose PHI on Behalf of a Covered Entity, Other Than as Workforce Member
Workforce Member
More Than Employees: Also Volunteers, Aides, Trainees, and Some Agents

Business Associates
Examples
Claims Processing
Utilization Review
Quality Assurance
Billing
Legal
Accounting
Consulting

Business Associates
Covered Entity Must Obtain Satisfactory Assurances From Business Associate
Business Associate Agreement
If Public Entities, Memorandum of Understanding
Covered in Greater Detail

Identifying Business Associates
Formal Definition
Person Who on Behalf of Covered Entity or OHCA Performs or Assists in Activity Involving Use or Disclosure of PHI
Including Claims Processing, Data Analysis or Processing, Billing, Etc.
Or
Who Provides Legal, Actuarial, Accounting, Consulting, or Similar Services Involving Use or Disclosure of PHI
Not a Workforce Member

Entities/Persons Not Business Associates
Workforce Members
Workforce Includes Employees, Volunteers, Trainees, and Other Persons Conducting Work Under Direct Control of Covered Entity
Look Beyond Titles
If Workstation on Site, Then Likely Workforce
If No BA Agreement, Then Presumed to be Workforce

Not Considered Business Associates
Entity Not Using or Disclosing PHI
Regardless of Title
Examples: Janitors, Maintenance Services
Only Incidental Uses or Disclosures

Not Business Associates
OHCA
Organized Health Care Arrangement
Technical Relationship
Same Said Regarding Affiliated Covered Entities (ACE)

Not Business Associates
Conduits
Entity or Person That Transports PHI, but Only Accesses it Incidentally
Examples: US Mail, Couriers, Electronic Transmitters

Not Business Associates
De-Identified Information
Where Identifying Factors Removed, No Need to Protect
Any Person May Use or Disclose De-Identified Information

Not Business Associates
Covered Entities
May Be Considered a Business Associate of Another Covered Entity
If Acting as Business Associate, and Makes Mistake, Then DHHS Will Treat as Covered Entity and Not Business Associate

Business Associate Contract/Agreement
Documents the Satisfactory Assurances
Prerequisite Before Covered Entity May:
Disclose PHI to the BA
Allow BA to Create PHI on Behalf of the Covered Entity
Allow BA to Receive PHI on Behalf of the Covered Entity

No Business Associate Contract or Agreement Needed
Covered Entity Transmitting PHI to a Provider for Treatment
Group Health Plan and Plan Sponsor, If Otherwise Comply With Rule
Interagency Disclosure Among Government Health Plans

Business Associate Agreement
Non-Governmental Entities
Written Contract Required
Permitted and Required Uses and Disclosures of PHI
BA Not Further Use or Disclose
BA Use Appropriate Safeguards
BA Report Breach
BA Ensure Subcontractors Agree to Same Terms

Business Associate Agreement Terms
Make PHI Available for Access
Make PHI Available for Amendment and Incorporate Amendments
Make PHI Available to Prepare Accounting
Compliance with DHHS Investigation
Return, Destroy, or Safeguard PHI

Business Associate Agreement
Covered Entity Must Be Able to Terminate if Violation
Covered Entity Must Attempt to Mitigate or Cure Breach, and Report to DHHS

Business Associate Agreement Additions
Permit BA to Use or Disclose PHI to Provide Data Aggregation Services
Combining PHI From One Covered Entity with PHI of Another to Prepare Data Analysis That Relates to Operations of the Respective Covered Entities

Business Associate Agreement Additions
BA May USE PHI
Proper Management and Administration
Carry Out Legal Responsibilities

BA May DISCLOSE PHI
Proper Management and Administration
Carry Out Legal Responsibilities
Reasonable Assurances Obtained

Business Associate Model Contract
Not State Law Compliant
Not All Essential Terms
Not All Desirable Terms

Suggested Business Associate Agreement Terms
Negotiating Power/Leverage Deciding Factor
Large Provider vs. Small BA
JCAHO vs. Large Provider

Damages/Liquidated Damages Clauses
Indemnification Clauses
Insurance Coverage Requirement
Burden of Proof
CE Will Oversee BA Response to Access, Amendment, Accounting, and Any Other Disclosures

Other Terms in Your BAA
Many Covered Entities Require Indemnification Clause in Business Associate Agreement
Contractual Indemnity May Void Legal Malpractice Insurance Coverage
Appears that Contractual Obligation Imposed Under BAA Would be Covered

Best Choice for Client May be No Indemnification Clause
Full Disclosure: Conflict of Interest?

Other Aspects of Relationship
Privacy Rule Requires Business Associate to Return or Destroy PHI Upon Conclusion or Termination of Relationship
Not Required if Not Feasible, But Then Must Extend Protections to PHI
Attorney Obligated to Maintain Records

Accountability
Penalties for Non-Compliance On Covered Entity If Covered Entity Knew of Pattern or Practice That Constitutes Material Breach
CE Must Take Steps to Cure Breach or End Violation
If Unsuccessful, CE May Terminate Agreement
If Termination Not Feasible, Then Report to DHHS
Not Obligated to Monitor
Must Investigate All Complaints
Must Act Upon Any Knowledge of Violation

New Definition of Business Associate?
Health Information Organizations
E-Prescribing Gateways
Others that provide:
Data transmission services with respect to PHI, and
Require access on a routine basis to such PHI

Conduits that only access PHI on a random or infrequent basis to support transport are not BAs

Definition of Business Associate
PHR vendors acting on behalf of covered entities are BAs
PHR vendor can be a BA with respect to only some individuals

Subcontractors
Treated as BAs if they create, receive, maintain, or transmit PHI on behalf of a BA
BA must have BA agreement with subcontractor BA
No BA agreement required between CE and subcontractor BA

Business Associates
BAs directly liable for:
Security Rule violations
Impermissible uses and disclosures under Privacy Rule
Uses and disclosures must comply with Privacy Rule and business associate agreement
Failure to disclose to Secretary or provide e-access
Minimum necessary rule

Covered entities (and BAs) liable for acts of BAs acting as agents within scope of agency
BA must take reasonable steps in response to impermissible pattern or practice of subcontractor BA

Business Associate Contracts: Amendments Required?
HITECH statute said privacy and security requirements that apply to covered entities shall be incorporated into business associate agreement
Uncertainty as to whether this required an actual amendment, or provisions incorporated into BA contracts as a matter of law

Business Associate Contracts: Amendments Required?
Under Proposed Rule, following provisions need to be added:
BAs to use appropriate safeguards and comply with Security Rule with respect to E-PHI
BAs must report to CE any breach of unsecured PHI
Enter into written agreements with subcontractors that create/receive PHI on behalf of BA, imposing same restrictions that apply to BA
BAs must comply with Privacy Rule to extent BA is to carry out a CE's obligation under the Privacy Rule

Compliance Date, Generally
Covered entities and BAs will have 240 days from publication of final rule to comply
Rule will become effective 60 days after publication
Additional 180-day compliance period

Enforcement Rule changes effective immediately when final rule goes into effect

Compliance Date for Amending Business Associate Contracts
If (1) a BA contract (compliant with pre-HITECH BA requirements) is entered into prior to publication date of Final Rule; and (2) that contract is not renewed or modified during the time period that is 60 days to 240 days after the publication of the final rule, then the contract is deemed to be compliant until the earlier of:
The date the contract is renewed or modified on or after the 240-day post-publication date; or
The date that is one year and 240 days after publication of the Final Rule

Bottom Line:
CEs and BAs will have up to 1 year and 8 months after Final Rule published to revise BA agreements
BAs must comply with other applicable provisions of Privacy and Security Rules during this transition period

Notification by Business Associates
BAs required to notify CE of breach
Notification to occur no later than 60 days after discovery of breach
Breach treated as discovered by BA as of first day breach is known to BA, or, through reasonable diligence, would have been known
BA deemed to have knowledge of breach if breach would have been known through reasonable diligence to anyone who is an agent of BA
If BA is an agent, then BA's discovery of breach is imputed to CE

Business Associates
Historically were not covered directly by HIPAA
Generally liable only for breaching their business associate agreement with a covered entity

HITECH:
Clarifies that certain entities are BAs
Expands HIPAA requirements that apply to BAs

Business Associates: Who is a BA?
In the past, entities that provided networks or other hardware for data transmission were not considered BAs
Under HITECH, entities that provide data transmission services and require access to PHI are BAs, including:
Health information exchange organizations
RHIOs
E-Prescribing gateways
PHR vendors that provide PHRs to covered entities

Business Associates: New Requirements
HITECH: BAs are required to:
Notify CE if they discover a breach
Directly comply with HIPAA Security Rule administrative, physical and technical safeguards and documentation requirements, as if they were CEs
Means regulators may impose fines directly on BAs who fail to comply with Security Rule

Business Associates: New Requirements
HITECH: BAs are required to:
Use or disclose PHI only if such use or disclosure is in compliance with the privacy provisions of their BA contracts
Means BAs are subject to same penalties as CEs if they violate Privacy Rule

Business Associates: New Requirements
Other HITECH privacy and security requirements that apply to covered entities shall be incorporated into business associate agreement

Business Associates: New Requirements
What Does This Mean for BAs?
BAs must take action if they know of a pattern of activity or practice by CE that constitutes a breach of the CE's obligations under the contract:
Reasonable steps to cure breach
Terminate the arrangement
Report the problem to HHS if termination is not feasible

If BA does not do the above, it may be liable for HIPAA penalties

HIPAA and Attorneys
Interaction of HIPAA Requirements Imposed Upon Attorneys via Business Associate Agreements

Business Associates
Business Associate Means a Person, Other Than a Workforce Member, Who:
Provides Legal, Actuarial, Accounting, Consulting, …, Where the Provision of the Service Involves the Disclosure of Individually Identifiable Health Information

Lawyers May Be Business Associates

Business Associate Agreement
Covered Entity Must Enter Into Business Associate Agreement With Lawyer if Using or Disclosing Protected Health Information (PHI)
If Business Associate Fails to Comply, Covered Entity Must Do One of the Following:
Try to Cure Breach
Terminate the Agreement
Report Violation to DHHS

Violation of Business Associate Agreement
If Business Associate Violates Agreement, and Covered Entity Fails to Act, Then Covered Entity is Subject to Penalties
Note that Business Associate Attorney is NOT Subject to Penalties
Privacy Rule Does Not Directly Govern Business Associates

Business Associate Agreement Terms
Agreement Must Contain Specified Terms:
Permitted and Required Uses and Disclosures of PHI
Required Safeguards for PHI
Ensure Subcontractors Comply
Make PHI Available for Access, Accounting, and Amendment
Upon Termination, Return, Destroy, or Keep in Accordance with Privacy Rule

Business Associate Agreement
Specified Terms of BA Agreement Include that Business Associate Must:
Make its Internal Practices, Books, and Records Relating to the Use and Disclosure of Protected Health Information (PHI) Available to DHHS for Inspection to Determine Compliance

Waiver/Loss of Protections
BA Agreement Requirement That BA Attorney Must Make Internal Practices, Books, and Records Available
Could Result in Requiring Production of Privileged and/or Work Product Materials
Issue Whether Must Produce to DHHS and Whether Waives Protections as to Others

Overview of HIPAA Security Rule: Obligations of Covered Entities and Business Associates

Lorman Education Services: Medical Records Law March 23, 2012

Richard E. Nell
Nell & Associates, S.C.

Jesse A. Berg
Gray Plant & Mooty

HIPAA Security Rule
Addressable Implementation Specifications (AIS)
Allows Covered Entities Additional Flexibility
Covered Entity Must Do One of the Following:
Implement One or More AIS
Implement One or More Alternative Security Measures
Implement One or the Other
Implement Neither

Security Rule
Security Rule: Administrative Safeguards
Security Management Process
Implement Policies and Procedures to Prevent, Detect, Contain, and Correct Security Violations
Implementation Analysis
Risk Analysis (Required)
Conduct an Accurate and Thorough Assessment of the Potential Risks and Vulnerabilities to the Confidentiality, Integrity, and Availability of Electronic Protected Health Information

Risk Management (Required)
Implement Security Measures Sufficient to Reduce Risks and Vulnerabilities to a Reasonable and Appropriate Level

Security Rule
Security Rule: Administrative Safeguards
Implementation Analysis (Continued)
Sanction Policy (Required)
Appropriate Sanctions Against Workforce Members Who Fail to Comply With the Security Policies and Procedures

Information System Activity Review (Required)
Implement Procedures to Regularly Review Records of Information System Activity, Such As Audit Logs, Access Reports, and Security Incident Tracking Reports

Security Rule
Security Rule: Administrative Safeguards
Assigned Security Responsibility
Identify the Security Official

Workforce Security
Implement Policies and Procedures to Ensure That All Members of Its Workforce Have Appropriate Access to Electronic Protected Health Information
Prevent Those Workforce Members Who Do Not Have Access From Obtaining Access

Security Rule
Security Rule: Administrative Safeguards
Workforce Security (Continued)
Implementation Analysis
Authorization and/or Supervision (Addressable)
Procedures for the Authorization and/or Supervision of Workforce Members Who Work With Electronic Protected Health Information

Workforce Clearance Procedure (Addressable)
Procedures to Determine That the Access of a Workforce Member to Electronic Protected Health Information

Security Rule
Security Rule: Administrative Safeguards
Workforce Security Implementation Analysis (Continued)
Termination Procedures (Addressable)
Procedures for Terminating Access to Electronic PHI When Employment Ends

Information Access Management
Implement Policies and Procedures for Authorizing Access to Electronic Protected Health Information

Security Rule
Security Rule: Administrative Safeguards
Information Access Management Implementation Analysis
Isolating Clearinghouse Functions (Required)
Access Authorization (Addressable)
Implement Policies and Procedures for Granting Access to Electronic Protected Health Information

Access Establishment and Modification (Addressable)
Implement Policies and Procedures That, Based Upon the Entity's Access Authorization Policies, Establish, Document, Review, and Modify a User's Right of Access

Security Rule
Security Rule: Administrative Safeguards
Security Awareness and Training
Implementation Analysis
Security Reminders (Addressable)
Periodic Security Updates

Protection From Malicious Software (Addressable)
Procedures for Guarding Against, Detecting, and Reporting Malicious Software

Log-in Monitoring (Addressable)
Monitor Access and Discrepancies

Password Management (Addressable)
Procedures for Creating, Changing, and Safeguarding Passwords

Security Rule
Security Rule: Administrative Safeguards
Security Incident Procedures
Implementation Analysis
Response and Reporting (Required)
Identify and Respond to Suspected or Known Security Incidents; Mitigate Harmful Effects of Security Incidents; and Document Security Incidents and Their Outcomes

Security Rule
Security Rule: Administrative Safeguards
Contingency Plan
Implementation Analysis
Data Backup Plan (Required)
Procedures to Create and Maintain Retrievable Exact Copies of Electronic Protected Health Information

Disaster Recovery Plan (Required)
Emergency Mode Operation Plan (Required)
Procedures to Enable Continuation of Critical Business Processes for Protection of the Security of Electronic Protected Health Information While Operating in Emergency Mode

Security Rule
Security Rule: Administrative Safeguards
Contingency Plan Implementation Analysis (Continued)
Testing and Revision Procedures (Addressable)
Applications and Data Criticality Analysis (Addressable)

Evaluation
Implementation Analysis
Periodic Technical and Nontechnical Evaluation, Based Initially Upon the Standards Implemented Under This Rule and Subsequently in Response to Environmental or Operational Changes Affecting the Security of Electronic Protected Health Information

Security Rule
Security Rule: Physical Safeguards
Facility Access Controls
Implementation Analysis
Contingency Operations (Addressable)
Procedures That Allow Facility Access in Support of Restoration of Lost Data

Facility Security Plan (Addressable)
Procedures to Safeguard the Facility and the Equipment

Access Control and Validation Procedures (Addressable)
Procedures to Control and Validate a Person's Access to Facilities Based on Their Role or Function

Security Rule
Security Rule: Physical Safeguards
Facility Access Controls Implementation Analysis (Continued)
Maintenance Records (Addressable)
Procedures to Document Repairs and Modifications to the Physical Components of a Facility

Workstation Use
Procedures That Specify the Proper Functions to Be Performed, the Manner in Which Those Functions Are to Be Performed, and the Physical Attributes of the Surroundings of a Specific Workstation or Class of Workstation

Workstation Security
Physical Safeguards for All Workstations

Security Rule
Security Rule: Physical Safeguards
Device and Media Controls
Implementation Analysis
Disposal (Required)
Media Reuse (Required)
Accountability (Addressable)
Data Backup and Storage (Addressable)

Security Rule
Security Rule: Technical Safeguards
Access Control
Implementation Analysis
Unique User Identification (Required)
Unique Name and/or Number for Identifying and Tracking User Identity

Emergency Access Procedure (Required)
Procedures for Obtaining Necessary Electronic Protected Health Information During an Emergency

Automatic Logoff (Addressable)
Encryption and Decryption (Addressable)

Security Rule
Security Rule: Technical Safeguards
Audit Controls
Hardware, Software, and/or Procedural Mechanisms That Record and Examine Activity in Information Systems

Integrity
Procedures to Protect Electronic Protected Health Information From Improper Alteration or Destruction
Mechanism to Authenticate Electronic PHI (Addressable)

Security Rule
Security Rule: Technical Safeguards
Person or Entity Authentication
Procedures to Verify That a Person or Entity Seeking Access to Electronic Protected Health Information Is the One Claimed

Transmission Security
Integrity Controls (Addressable)
Security Measures to Ensure That Electronically Transmitted Electronic Protected Health Information Is Not Improperly Modified Without Detection
Encryption (Addressable)

Security Rule
Security Rule: Organizational Requirements
Business Associate Contracts
Very Similar to the Requirements Imposed for Business Associates Under the Privacy Rule

Group Health Plans
Except in Certain Situations, Group Health Plan Must Ensure That Its Plan Documents Provide That the Plan Sponsor Will Reasonably and Appropriately Safeguard Electronic Protected Health Information Created, Received, Maintained, or Transmitted to or by the Plan Sponsor on Behalf of the Group Health Plan

Security Rule
Security Rule: Policies and Procedures and Documentation Requirements
Policies and Procedures
Implementation Analysis
Reasonable and Appropriate Policies and Procedures to Comply With the Standards, Implementation Specifications, or Other Requirements

Security Rule
Security Rule: Policies and Procedures Documentation
Implementation Analysis
Time Limit (Required)
6 Years
Availability (Required)
Updates (Required)


HIPAA Breach Notification

Lorman Education Services: Medical Records Law March 23, 2012

Richard E. Nell
Nell & Associates, S.C.

Jesse A. Berg
Gray Plant & Mooty

Breach Notification
Previous Rule:
Covered Entities (CEs) must mitigate, to the extent practicable, any harmful effect that is known to the CE of an unauthorized use or disclosure of PHI by the CE or its Business Associate (BA)

HITECH established breach notification requirement for CEs and BAs
Interim Final Regulations published on Aug. 24, 2009 (74 FR 42740)
Regulations will be at 45 CFR Subpart D
Effective on Sept. 23, 2009
6-month delay in enforcement

Breach Notification
The Basics:
Covered Entities must provide notification to individuals in event of breach of the security or privacy of unsecured PHI
Notice must also be provided to HHS
BAs must provide notice to CEs

Breach Notification
Interim Final Rule (Aug. 2009)
Effective Sept. 23, 2009
Final Rule submitted to OMB in May 2010 but withdrawn for further consideration

Key elements:
Notification if breach of unsecured PHI and significant risk of harm
Unsecured = unusable, unreadable or indecipherable
Notice within 60 days of discovery or date should have known
Content requirements for notice
Notice to media and HHS if more than 500 people; annual reporting to HHS if fewer than 500 people
Direct application to Covered Entities and BAs

Key Terms: Unsecured PHI
PHI not secured through use of a technology or methodology specified in Federal Register guidance published by HHS on 4/27/09 (74 FR 19006)
Encryption (as specified in Security Rule)
Destruction of media on which PHI is stored or recorded

Why secure your PHI?

Breach Notification Analysis
If your PHI is unsecured, a 3-step analysis applies:
1. Has there been an impermissible use or disclosure of PHI under the Privacy Rule?
2. Has the impermissible use or disclosure compromised the security or privacy of the PHI?
3. Does an exception apply?

Step 1: Breach
The acquisition, access, use, or disclosure of PHI in a manner not permitted under subpart E (the HIPAA privacy rule) which compromises the security or privacy of the PHI
Information must be PHI
For disclosure, acquisition, etc., to be a breach it must violate the Privacy Rule

Step 2: Compromises Security or Privacy of PHI
Harm threshold must be met for breach to compromise the security or privacy of the PHI
Must pose a significant risk of financial, reputational or other harm to the individual

CEs and BAs must perform risk assessment to determine whether this threshold is met
Documentation of risk assessment is key for CE, BA if they decide harm threshold has not been met

Step 2: Compromises Security or Privacy of PHI
Risk assessment factors:
Status of person who impermissibly used or to whom the PHI was improperly disclosed
Nature of mitigation efforts undertaken
Whether PHI was returned prior to being accessed for improper purpose
Type and amount of PHI involved
If LDS was involved, whether the date of birth and zip code are also excluded (if so, not a breach). Also, likelihood of re-association with individual is a factor to be considered.

Step 3: The Exceptions

3 Exceptions:
(1) Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a CE or BA, if the acquisition was made in good faith, within the scope of authority, and does not result in further impermissible use or disclosure
(2) Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA (or OHCA in which the CE participates), where the information received is not further used or disclosed in an impermissible manner
(3) A disclosure of PHI where a CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information

Notification

- Breach is discovered on the first day it is known, or, by exercising reasonable diligence, would have been known
- Notice can be imputed to a CE or BA from a variety of its representatives, including employees (other than the employee causing the breach) and agents

Timing of Notification

- All notifications must be made without unreasonable delay
  - No later than 60 calendar days after discovery
- Burden on the notifying entity to demonstrate that:
  - All required notifications were made
  - Any delays are explained
- 60-day period is not tolled by time spent in analysis or investigation
- Limited delay if requested by law enforcement

Methods of Notice

Notice must be:
- In writing
- By first class mail
- Sent to the last known address of the individual (if the individual specified a preference for email notification, that should be done)
- One or more mailings (as more information becomes available)
- If more than 500 residents of a state or jurisdiction are affected:
  - Notices described above; and
  - Notification to prominent media outlets in the state or jurisdiction

Methods of Notice (continued)

Special circumstances notices, if contact information is insufficient or out-of-date and:
- Fewer than 10 affected people:
  - By an alternative form of written notice, telephone or other means
- More than 10 affected people:
  - Conspicuous posting for 90 days on the CE's homepage; or
  - Notice to major print or broadcast media
  - Must include a toll-free phone number

Notice to HHS:
- If more than 500 individuals are affected, notice must be contemporaneous with notice to individuals
- Can keep a log of breaches affecting fewer people and provide it annually to HHS
- HHS to publicize breached entities on its web site

Content of Notice

All notices, to the extent possible, must include:
- Description of what happened, including the date of the breach and the date the breach was discovered
- Description of the types of unsecured PHI involved in the breach
- Steps individuals should take to protect themselves from potential harm resulting from the breach
- Description of what the CE is doing to investigate the breach, mitigate harm to the individual and protect against further breaches
- Contact procedures for individuals to ask questions or learn additional information, including a toll-free number, email, web site or postal address

Wisconsin Law


Applicable Medical Records Statutes & Regulations

Wisconsin Statutes:
- 51.30(4): Access to Registration and Treatment Records
- 134.97: Disposal of Records Containing Personal Information
- 146.81-146.84: Health Care Records
- 146.83: Access to Patient Health Care Records
- 146.83(3f): Record Copy Fees
- 153.50-153.55: Protection of Patient Confidentiality
- 610.70: Disclosure of Personal Medical Information
- 146.82: Confidentiality of Patient Healthcare Records
- 252.15: Restrictions on Use of an HIV Test
- 118.125: Pupil Records
- 631.89: Restrictions on Use of Genetic Test Results
- 51.47: AODA Treatment for Minors without Parental Consent

Applicable Medical Records Statutes & Regulations (continued)

DHS:
- 92: Confidentiality of Treatment Records
- 94: Patient Rights and Resolution of Patient Grievances
- 89.34: Residential Care Apartments & Complexes: Rights of Tenants
- 145.12: Certification of Public Health Dispensaries
- 124.14: Medical Records Services
- 105.36: Family Planning Clinics or Agencies
- 104.01: Recipient Rights
- 109.51: Provider Responsibility
- 134.47: Facilities Serving People with Developmental Disabilities: Records
- 120.30: Patient Data Elements Considered Patient-Identifiable
- 105.16: Home Health Agencies (Medical Record)

Applicable Medical Records Statutes & Regulations (continued)

DOC:
- 348.09: Records & Reporting
- 346.28: Medical Records

DCF:
- 53.06: Release of Adoption Information
- 54.06: Child Placing Agencies: Records
- 56.09: Care of Foster Children

Confidentiality of Patient Healthcare Records

WSA 146.82: Confidentiality of Patient Healthcare Records
- Default rule: all patient healthcare records are confidential
- Patient healthcare records may be released only to the persons designated in Section 146.82
- Disclosure must be made by informed consent of the patient or a person authorized by the patient
- All consents must be in writing and include:
  - Patient's name
  - Purpose of disclosure
  - Type of professional making the disclosure
  - Information to be disclosed
  - Entity to which the disclosure is to be made
  - Time period during which the consent is effective
  - Signature of the patient
  - Relationship of the signatory to the patient (if not the patient)
  - Date of execution

Wis. Stats. 146.81(2)

Informed Consent Expectations

Wis. Stats. 146.81: Informed Consent Expectations

Informed consent is not required for the following:
- Release of information necessary to conduct management or financial audits or evaluations of programs & services
- Research purposes under specific conditions
- Various state agencies whose function it is to protect vulnerable populations
- Persons rendering assistance when a person's life or health appears to be in danger
- A lawful court order
- Parent, guardian, or legal custodian of a minor or incompetent patient
- Guardian of an adjudged incompetent patient
- A personal representative or surviving spouse of a deceased patient

Wis. Stats. 146.82(2), 146.81(5) and 148.82(2)

Who is the boss?

HIPAA vs. Wis. Stats.
- Covered Entity vs. Custodian of Records
- Protected Health Information (PHI) vs. Patient Healthcare Records
- Administrative requirements imposed by HIPAA generally have no Wis. law counterpart
- Most issues are created by the interaction of HIPAA and Wis. law
- HIPAA and Wis. law both impose restrictions on the disclosure of confidential medical information
- Practical approach: look first to HIPAA for baseline guidance and then to Wis. law for more stringent legal requirements
- Examples

Deceased Patients' Medical Records

- HIPAA extends a person's privacy rights into death
- HIPAA requires release of records to authorized individuals
- HIPAA defers to state law to determine access rights
- Who is authorized in WI?
  - Personal representatives and surviving spouses
  - If no personal representative or surviving spouse, the next responsible member of the deceased's family

Behavioral Health Records

Pupil Records

- Federal law (FERPA)
- Wis. Stats. 118.125
  - Adds to the FERPA definition
  - Defines patient records within a school
  - Pupil physical record
  - Disclosure is subject to Wis. Stats. 118.125(2)

Exceptions to Patient Healthcare Records

Medical Record Confidentiality & Litigation

- Wis. Stats. 804.10, 146.82 and 51.30: discovery of healthcare records
- What to do when you receive a subpoena or medical request
- Consent and HIPAA authorization
- Mental health, AODA records and developmental disabilities
  - Permitted discovery
  - Lawful order

Mental Health Records & Confidentiality

- HIPAA allows broad use of PHI for treatment, payment & health care operations without patient consent
- Wis. Stats. 51.30 allows the release of mental health treatment records without patient authorization only within the facility where the patient is being treated
- Wisconsin allows the release of mental health treatment records without patient authorization for billing or collection purposes only to DHFS or a county department
- Compliance with HIPAA does not mean compliance with Wisconsin law

Summary

- Check application of HIPAA first
- Check application of the various Wisconsin statutes and regulations
- Choose the most favorable provision for the patient
- When in doubt, either:
  - Seek informed consent; or
  - Call your attorney

Enforcement


Enforcement Rule

- OCR will investigate and conduct a compliance review when a preliminary investigation indicates willful neglect
- OCR may proceed directly to formal enforcement without seeking informal resolution
- Definition of reasonable cause
  - Necessary for the culpability tiers used under HITECH to impose penalties
- Preamble includes examples of conduct triggering the various tiers of culpability (and associated penalties)

Enforcement Rule (continued)

- Rule would eliminate the exception from liability of CEs for civil monetary penalties for violations resulting from acts of agents if:
  - Agent is a BA
  - Compliant BA agreement in place
  - CE (1) did not know of a pattern of activity or practice of the BA; and (2) did not fail to act as required by the Privacy Rule/Security Rule with regard to such violations
- CEs directly liable for acts of BAs who are agents within the meaning of federal common law
- BAs similarly liable for acts of their agents (including subcontractors and workforce members)

HIPAA Enforcement Rule

- Investigation
- Notice of Proposed Determination
- Administrative Hearing
- Appeal
- Judicial Review
- Informal Resolution: available at any time

Enforcement Authority

- Secretary of HHS
- Delegated to the Administrator, CMS: authority to investigate noncompliance and enforce certain regulations:
  - Transaction and Code Set Rule
  - National Employer Identifier Number (EIN) Rule
  - Security Rule
  - National Provider Identifier Rule
  - National Plan Identifier Rule
- Delegation does not include authority with respect to the Privacy Rule
  - Delegated to the Office for Civil Rights

Criminal Enforcement

- Previous rule: up to $250,000 in fines and 10 years in prison for disclosing or obtaining PHI with intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm
  - Only a CE, not an employee or agent of a CE, may be held criminally liable
- Under HITECH, penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose such information maintained by a CE, regardless of whether such person is employed by the CE

Civil Enforcement

- Previous rule: HHS may impose CMPs for failure to comply with the Privacy and Security Rules, with a maximum civil fine of $100 per violation and up to $25,000 for all violations of an identical type during a calendar year
- CMPs may not be imposed if:
  - The violation is a criminal offense under HIPAA's criminal penalty provisions
  - The person did not have actual or constructive knowledge of the violation
  - The failure to comply was due to reasonable cause and not to willful neglect, and the failure to comply was corrected within 30 days of discovery

Civil Enforcement under HITECH

New approach to civil enforcement, with civil monetary penalties of varying amounts based on level of intent:

Level of Intent | Amount of CMP
Person did not know, and through reasonable diligence would not have known | $100 for each identical violation up to $25,000 for all identical violations, but no more than $1.5 million for all violations of this type within a calendar year
Violation was due to reasonable cause and not willful neglect | $1,000 per violation up to $100,000 for all identical violations, with a cap of $1.5 million for all violations of this type within a calendar year
Violation due to willful neglect but corrected within 30 days | $10,000 per violation up to $250,000 for all identical violations, with a cap of $1.5 million for all violations of this type within a calendar year
Violation due to willful neglect and not corrected within 30 days | $50,000 per violation, with an annual cap of $1.5 million for all violations due to willful neglect that are not corrected within 30 days

Federal Enforcement

- HHS required to investigate complaints if a preliminary investigation indicates a violation due to willful neglect
  - If HHS finds a violation due to willful neglect, penalties are mandatory
- Distribution of CMPs:
  - Proceeds from CMPs go to OCR for purposes of further Privacy and Security Rule enforcement activities
  - Portion will be paid directly to harmed individuals
    - Similar to qui tam provisions in the False Claims Act
    - HHS must issue regulations within 3 years to implement this requirement
- HHS to conduct audits of CEs and BAs to ensure compliance with the Privacy and Security Rules

State Attorney General Enforcement

- AGOs authorized to bring a civil action in federal court against persons who violate HIPAA if the AGO has reason to believe that the violation threatens or adversely affects any state resident
  - Unless a federal action is pending
- Can enjoin violations and obtain damages:
  - $100 per separate violation with a cap of $25,000 for all identical violations within a calendar year
  - Costs and attorneys' fees
- AGO required to give HHS notice of the suit
  - HHS can intervene and take over the action
  - HHS can also file appeals

State Attorney General Enforcement (continued)

- HITECH provides state AGOs authority to bring civil actions on behalf of residents for violations of the Privacy & Security Rules
  - AGO can obtain damages on behalf of residents and enjoin further violations
- OCR offered free training sessions for AGOs:
  - Dallas, TX (Apr. 4-5, 2011)
  - Atlanta, GA (May 9-10, 2011)
  - Washington, DC (May 19-20, 2011)
  - San Francisco, CA (Jun. 13-14, 2011)

Privacy Complaints

- Approximately 19,420 privacy complaints filed with OCR
- Most common allegations have been:
  - Personal medical details wrongly disclosed
  - Information was poorly protected
  - More details were disclosed than necessary
  - Proper authorization was not obtained
  - Patients frustrated in attempting to get their own records

Washington Post, June 5, 2006

Security Complaints

- CMS has received approximately 106 security complaints (as of last year)
  - Also inappropriately received 28 privacy-related complaints, to be directed to OCR
- CMS has received approximately 450 Transaction & Code Set complaints
  - 129 remain open
  - Majority involve private sector organizations

Health Information Privacy/Security Alert, Melamedia LLC, May 22, 2006

Top 5 Issues in Enforcement

Year | Issue 1 | Issue 2 | Issue 3 | Issue 4 | Issue 5
2010 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice
2009 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints to Covered Entity
2008 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Complaints to Covered Entity
2007 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice
2006 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Notice
2005 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Mitigation
2004 | Impermissible Uses & Disclosures | Safeguards | Access | Minimum Necessary | Authorizations
partial year 2003 | Safeguards | Impermissible Uses & Disclosures | Access | Notice | Minimum Necessary

Criminal HIPAA Enforcement

Dr. Huping Zhou (April, 2010)
- Sentenced to 4 months in prison, fined $2000
- Pled to 4 misdemeanor counts of accessing and reading medical records
- Accessed the system 323 times during a 3-week period after UCLA informed him he would be let go
- No attempt to improperly use or sell the PHI

Criminal HIPAA Enforcement (continued)

Dr. Richard Alan Kaye
- Indicted June 21, 2011 for wrongful disclosure of PHI; maximum of 5 years in prison
- Medical director of the psychiatric care center at a Suffolk, VA hospital
- Treated the patient between Aug. 20, 2007 and Sep. 4, 2007
- On 3 occasions in Feb. 2008, Dr. Kaye disclosed PHI to the patient's employer
- Did so under the false pretense that the patient was a serious and imminent threat

State Attorney General Enforcement

Health Net (July, 2010)
- Connecticut AGO settled with the insurer for $250,000
  - Additional $500,000 contingent fund in the event the lost PHI is used illegally
  - Corrective action plan
- Health Net lost a hard drive with over 500,000 patients' PHI
- Health Net delayed notifying individuals for 6 months

State Attorney General Enforcement (continued)

WellPoint (July, 2011)
- Indiana AGO settled with the insurer for $100,000
  - Reimbursement of up to $50,000 per individual for any losses resulting from identity theft
- 32,051 insurance applicants' information was accessible to the public through an unsecured website
  - Information accessible between Oct. 23, 2009 and Mar. 8, 2010
  - Consumer notified WellPoint on Feb. 22, 2010
  - Individuals not notified by WellPoint until Jun. 18, 2010

Enforcement

Blue Cross Blue Shield of Tennessee (BCBST)
- OCR expects a carefully designed, delivered and monitored HIPAA compliance program
- Agreed to pay the US Department of Health and Human Services $1.5 million to settle potential HIPAA violations
- Agreed to a corrective action plan to address gaps in its HIPAA compliance program

State Attorney General Enforcement (continued)

Accretive Health, Inc.
- July, 2011: laptop with 23,500 patients' PHI stolen from a car
- Accretive is a business associate of Fairview and North Memorial
  - FV and NM notified patients
- AG suit alleges Accretive violated HIPAA, state health records law, debt collection and consumer fraud statutes
- First action against a business associate? Status of HIPAA as to BAs?

Reported HIPAA Breaches in MN

Covered entity: UnitedHealth Group--SACE
State: MN
Individuals affected: 16291
Date of breach: 1/26/2010
Type of breach: Unauthorized Access/Disclosure
Location of breached information: Paper
Date posted or updated: 6/9/2010

Covered entity: UnitedHealth Group--SACE
State: MN
Individuals affected: 735
Date of breach: 3/2/2010
Type of breach: Theft, Unauthorized Access/Disclosure
Location of breached information: Paper
Date posted or updated: 8/4/2010
Summary: On March 2, 2010, the covered entity, United, discovered that remittance forms containing member information that accompany paper checks were stolen. The invoices contained the protected health information of over 735 individuals. The protected health information involved member information that allowed providers to properly record claim payments and credit accounts on behalf of each member for whom United was making a payment. Following the breach, the covered entity notified its clients of the incident, placed notice in The Miami Herald, provided each member with a credit monitoring package, reviewed its payment and remittance information controls, and notified its provider call centers to remain on a high level of alert to monitor all remittance payments.

Reported HIPAA Breaches in MN (continued)

Covered entity: Mayo Clinic
State: MN
Individuals affected: 1740
Date of breach: 7/15/2010
Type of breach: Unauthorized Access/Disclosure
Location of breached information: Electronic Medical Record
Date posted or updated: 9/20/2010
Summary: Following the breach, the covered entity: conducted an investigation; terminated the employee who had inappropriately accessed the PHI; re-educated its employees regarding patient privacy and access to PHI; enhanced its supervision of employees and monitoring of their access activity; notified individuals reasonably believed to have been affected and provided them with an information hotline and identity theft services at no cost, if so requested; placed a notice of the breach on its website and in the local newspaper; and submitted a breach report to OCR along with documentation of its voluntary compliance actions.

Covered entity: UnitedHealth Group--SACE
State: MN
Business associate involved: CareCore National
Individuals affected: 1270
Date of breach: 7/8/2010
Type of breach: Unauthorized Access/Disclosure
Location of breached information: Paper
Date posted or updated: 10/7/2010

Reported HIPAA Breaches in MN (continued)

Covered entity: Mankato Clinic
State: MN
Individuals affected: 3159
Date of breach: 11/2/2010
Type of breach: Theft
Location of breached information: Laptop

Covered entity: North Memorial
State: MN
Business associate involved: Accretive Health, Inc
Individuals affected: 2,800
Date of breach: 7/25/2011
Type of breach: Theft
Location of breached information: Laptop

Covered entity: Fairview Health Services
State: MN
Business associate involved: Accretive Health, Inc
Individuals affected: 14,000
Date of breach: 7/25/2011
Type of breach: Theft
Location of breached information: Laptop

Covered entity: Fairview Health Services
State: MN
Individuals affected: 1,215
Date of breach: 2/19/2011
Type of breach: Loss
Location of breached information: Paper

Covered entity: United Health Group Health Plan
State: MN
Business associate involved: Futurity First Insurance Group
Individuals affected: 3,994
Date of breach: 7/28/2011
Type of breach: Theft
Location of breached information: Other Portable Electronic Device

Covered entity: InStep Foot Clinic, P.A.
State: MN
Individuals affected: 2,600
Date of breach: 8/28/2011
Type of breach: Theft
Location of breached information: Laptop, Electronic Medical Record

UCLA-Reagan (July 2011)

- Allegations that UCLA employees repeatedly accessed ePHI of patients
  - Complaint filed on behalf of 2 celebrities
  - OCR investigation concluded that numerous other patients' ePHI was improperly accessed between 2005 and 2008
  - Alleged violations of both the Privacy Rule and the Security Rule
- UCLA paid $865,000 and agreed to a corrective action plan and an independent monitor of HIPAA compliance for 3 years
  - 165 employees disciplined, 2 former employees face criminal charges

Mass. Gen. Hospital (Feb. 2011)

- Hospital employee left documents on a subway train during commute
  - 192 patient records (some with HIV/AIDS)
- HHS alleged violations of the Privacy Rule
- Mass. Gen. agreed to pay $1 million and implement a CAP
  - P & Ps subject to HHS approval
  - Independent monitoring of HIPAA compliance
  - Submit compliance reports to HHS for 3 years

HIPAA and Other Issues in Electronic Medical Records


HITECH PHYSICIAN INCENTIVES

Year of first participation | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 | TOTAL
2011 | $18K | $12K | $8K | $4K | $2K | $0 | $0 | $44K
2012 | | $18K | $12K | $8K | $4K | $2K | $0 | $44K
2013 | | | $15K | $12K | $8K | $4K | $0 | $39K
2014 | | | | $12K | $8K | $4K | $0 | $24K

Meaningful Use Update

- Medicare program: up to $44,000 for eligible hospitals and professionals that demonstrate meaningful use of certified EHR technology
  - Over a 5-year period
  - To achieve maximum payments, participation must begin by 2012
  - Failure to demonstrate MU by 2015 will result in reimbursement reductions
- Medicaid program: up to $63,750 available over a 6-year period
  - Beneficiary volume requirements

Meaningful Use Update (continued)

- Registration for the Medicare program began Jan. 3, 2011
- Registration for the Medicaid program varies by state
  - MN DHS has indicated registration will begin at the end of 2011
- Attestation period for Stage 1 compliance began April 18, 2011
- Meaningful use payments began in May, 2011
  - CMS: within the first month, more than 300 hospitals and physicians qualified for incentives and received payments under the Medicare program
  - CMS: by the end of May, more than $83 million disbursed under the Medicaid program (7 states)

Meaningful Use Update (continued)

- July 3, 2011: last day for eligible hospitals to begin the 90-day reporting period
- Oct. 3, 2011: last day for eligible professionals to begin the 90-day reporting period
- Nov. 30, 2011: last day for eligible hospitals and CAHs to register and attest to receive incentive payments for 2011
- Feb. 29, 2012: last day for eligible professionals to register and attest to receive incentive payments for 2011

Meaningful Use Update (continued)

- July 6, 2011: Dr. Farzad Mostashari (National Health IT Coordinator) said he agreed with the conclusion that Stage 2 should be delayed until 2014
- Proposed Stage 2 rule issued in March 2012

Meaningful Use Update (continued)

Stages 2 and 3:
- July 28, 2010 Final Rule on Meaningful Use (Stage 1) did not propose specific regulatory language for Stages 2 or 3. CMS indicated:
  - Stage 2 requirements by the end of 2011
  - Stage 3 criteria by the end of 2013
- In January 2011, the Health IT Policy Committee (HHS advisory committee) released for public comment preliminary recommendations for Stage 2 and 3 Meaningful Use
- In general, Stage 2 requires more thorough implementation of EHRs into daily practice and increased HIE

HITPC Preliminary Recommendations

Stage 2 Preliminary Recommendations
- 14 measures have higher standards
  - CPOE increased from 30% to 60%
  - Record demographics increased from 50% to 80%
  - Current requirement to perform a test of HIE changed to connecting to at least three external providers
- 8 new measures
  - List of care team members (including PCP) for 10% of patients in the EHR
  - Hospitals only: 30% of medication orders automatically tracked via electronic administration recording
- Menu measures would become core measures

Meaningful Use Update (continued)

Feedback from stakeholders on HITPC recommendations:
- Providers
  - Consistent message: slow down
  - Learn from actual experience in Stage 1 before requiring Stage 2 measures
  - Stage 2 should not start until at least 75% of eligible hospitals and professionals have successfully reached Stage 1, and not before 2014
- Vendors
  - Need adequate lead time to be able to add new functionalities to EHR products

Still Have Questions?

Feel free to contact us after the seminar!

Richard E. Nell
Nell & Associates, S.C.
380 Main Avenue, De Pere, WI 54115
Phone: 920.339.6377
RickN@nalawyers.com
www.nellandassociates.com

Jesse A. Berg
Gray Plant Mooty
500 IDS Center, 80 South 8th St, Minneapolis, MN 55402
Phone: 612.632.4444
Jesse.berg@gpmlaw.com
www.gpm.law.com