
Page 1: Data Loss/ARRA/HIPAA

American Recovery and Reinvestment Act of 2009

Changes to HIPAA and the Impact to YOU

Terrell Herzig, Data Security Officer, HSIS

Page 2

American Recovery and Reinvestment Act of 2009 (ARRA)

The goal: to stimulate the US economy, but its impact goes beyond the economic and financial arenas.

The privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are expanded:
- HIPAA regulations apply directly to business associates
- Breach notification requirements
- Regional privacy advisors and an education campaign
- Improved enforcement

Page 3

Today's Objectives

To make members of the UAB/UABHS workforce aware of new HIPAA regulations, or changes to current HIPAA regulations, with regard to the following:
- Breach and breach notification
- Enforcement
- Business Associate Agreements

Page 4

First Federal Definition of Breach

Breach: the unauthorized acquisition, access, use or disclosure of protected health information (PHI) which compromises the security or privacy of the information.

Exceptions:
- Unintentional acquisition, access or use of PHI by an employee or individual acting under the authority of a covered entity (or business associate), made in good faith and within the scope of that authority, where the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule
- Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity to another person authorized to access PHI at the same covered entity, where the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule
- Unauthorized disclosures in which the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain the information

Page 5

What constitutes a breach?

A breach could result from:
- Failing to log off when leaving a workstation
- Unauthorized access to PHI
- Sharing confidential information, including passwords
- Having patient-related conversations in public settings
- Improper disposal of confidential materials in any form
- Copying or removing PHI/electronic PHI (ePHI) from the appropriate area

Why?
- Curiosity
- Laziness
- Compassion
- Greed or malicious intent

Page 6

So…

Bill, a billing employee, receives and opens an email containing PHI that a nurse, Nancy, mistakenly sent to Bill. Bill notices that he is not the intended recipient, alerts Nancy to the misdirected email and deletes it. Bill unintentionally accessed PHI that he was not authorized to access. However, he opened the email within the scope of his job for the covered entity. He did not further use or disclose the PHI. Was this a breach of PHI?

Page 7

And the answer is…

No. This was not a breach of PHI as long as Bill did not further use or disclose the information accessed in a manner not permitted by the privacy rule.

Page 8

What about…

Rhonda is a receptionist for a covered entity, and due to her work responsibilities, she is not authorized to access PHI. Rhonda decides to look through patient files to learn about a friend’s last visit to the doctor. Does Rhonda’s action constitute a breach?

Page 9

The answer is…

Yes. Rhonda accessed PHI without a work-related need to know. This access was not unintentional, done in good faith or within the scope of her job for the covered entity.

Page 10

How about this?

Page 11

Breach Notification

If it is determined that a breach of unsecured PHI occurred, the covered entity must:
- Notify each affected individual (or next of kin) without unreasonable delay, and no later than 60 days after discovering the breach, by first-class letter (or by email, if the individual has agreed to electronic notice) detailing the breach
- Record the breach in a breach log that is maintained and submitted annually to the Department of Health and Human Services (HHS)

If more than 500 individuals are affected, additional requirements include:
- Notifying HHS at the same time the individuals are notified, rather than in the annual log; HHS posts these larger breaches on its Web site
- Notifying major media outlets serving the state or jurisdiction, when more than 500 residents of that state or jurisdiction are affected

Separately, when current contact information is lacking for 10 or more affected individuals, substitute notice is required: either a conspicuous posting on the covered entity's Web site home page for 90 days or notice in major media, in either case with a toll-free number that remains active for at least 90 days.

Page 12

Breach Notification

September 23, 2009: Breach notification regulations take effect

February 22, 2010: Department of Health and Human Services (HHS) begins enforcement of the rule

Page 13

Breach Notification Process at UAB/UABHS

The UAB/UABHS Privacy Office is responsible for overseeing and/or managing the breach investigation and notification processes.

Privacy complaints and suspected breach response procedures:
- The covered entity's Entity Privacy Coordinator (EPC) will notify the Privacy Officer (PO) and lead the preliminary investigation.
- EPCs will provide the PO with all necessary documentation.

Breach notification procedures:
- The PO will notify appropriate UAB/UABHS officials.
- The PO and Legal, with the UAB HIPAA security officer, will determine risks and actions to be taken.
- The EPC and the covered entity will notify patients as directed by the PO and Legal.

Page 14

Breach Notification Process at UAB/UABHS

- Step-by-step procedures are provided to EPCs.
- Although each breach will be considered on a case-by-case basis, templates for notification letters and media press releases are available.
- Assistance with posting to the UAB/UABHS Web site is provided.
- A procedure for establishing a toll-free call-in number for affected individuals is available.
- Credit monitoring services may be offered to impacted individuals.
- The department in which the breach occurs will be responsible for the cost of patient notification, credit monitoring and other associated costs.

Page 15

Enhanced Enforcement

ARRA provides that the HIPAA criminal and civil fines and penalties can be enforced against INDIVIDUALS, as well as covered entities, who obtain or disclose PHI without authorization.

State attorneys general can pursue civil cases against INDIVIDUALS who violate the HIPAA privacy and security regulations.

Four tiers of civil monetary penalties are available to HHS, scaled to the level of culpability (from violations the entity did not know about up to willful neglect that is not corrected). Civil monetary penalties range from $100 per violation up to $1.5 million for all identical violations during a calendar year.

Criminal penalties for "wrongful disclosure" continue, and include both large fines of $50,000 to $250,000 and up to 10 years in prison.

Page 16

A Breach Has Many Risks

Risks to the individual whose PHI is compromised: embarrassment, misuse of personal data, becoming the victim of fraud or scams, identity theft.

Risks to the employee: loss of data, time, funding and reputation; embarrassment; disciplinary action up to and including termination; fines, penalties and prosecution.

Risks to the institution: loss of information and equipment, the trust of constituencies, reputation and future grant awards; negative publicity; penalties, fines and litigation.

Risks to research: loss of data or data integrity; funding in jeopardy.

Page 17

Any Good News?

ARRA also narrowed the information to which the breach notification provisions apply. Notification is required only for "unsecured protected health information," defined as PHI that is not secured through the use of a technology or methodology that renders it unusable, unreadable or indecipherable to unauthorized individuals. The statute ties that to standards developed or endorsed by a standards development organization accredited by the American National Standards Institute, and HHS guidance specifies the methods that qualify (encryption meeting the NIST recommendations, and destruction).

Therefore, for breaches involving the misuse, loss or inappropriate disclosure of paper or electronic data, there are some "safe harbor" methods under which the loss does not trigger notification:
- Paper: destroyed, for example with a crosscut shredder, so that the PHI cannot be read or reconstructed
- Electronic data: encrypted data files and/or transmissions, or media that has been sanitized

One caveat a practitioner should keep in mind: encryption only counts if the decryption key was not compromised along with the data. A lost laptop with full-disk encryption and a separate key qualifies; the same laptop lost while powered on and logged in, or with the password written on it, does not. Report lost encrypted devices anyway so the Privacy Office can confirm that encryption was actually enabled.

Page 18

A Coordinated Effort

When receiving a privacy complaint, learning of a suspected breach in privacy or security, or noticing something is "just not right," we must work together:
- Immediately
- Cooperatively
- Efficiently
- Carefully
- Confidentially

Page 19

Reminders

Documents containing PHI or other sensitive information must be shredded when no longer needed. Shred immediately, or place them in securely locked boxes or rooms to await shredding.

Media such as CDs, disks or thumb drives containing PHI/sensitive information must be cleaned or sanitized before being reallocated or destroyed.

Sanitize means to eliminate confidential or sensitive information from computer/electronic media, either by overwriting the data or by magnetically erasing (degaussing) the media. Degaussing only works on magnetic media such as hard disks and tapes; flash media such as thumb drives and solid-state drives are unaffected by a degausser and must instead be overwritten using the device's own sanitize or secure-erase function, or physically destroyed.

If media are to be destroyed, place them in specially marked secure containers for destruction after they have been sanitized.

NOTES:
- Deleting a file does not actually remove the data from the media; it only removes the file system's pointer to the data, which stays on disk until something overwrites it.
- Formatting does not constitute sanitizing the media; a quick format rewrites the file system structures and leaves the data blocks in place.
- Contact your information systems representative for assistance with sanitization and destruction methods.
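The notes above are easiest to believe once you have watched it happen. The following is an added example, not part of the UAB/UABHS training material: a small in-memory model of a storage medium (a fixed set of blocks plus a FAT-style allocation table, both constructed for this illustration) in which "delete" and "format" only touch the table, exactly as a real quick format or file deletion does, while "sanitize" overwrites every block. The `recoverable` check plays the role of a forensic carving tool that reads the raw image and ignores the file system entirely. The class and function names, and the sample record standing in for PHI, are hypothetical.

```python
"""Why deleting or formatting is not sanitizing: a simulated medium.

Added example, not from the training deck. The medium is a constructed
in-memory model: BLOCK_COUNT fixed-size blocks plus an allocation table that
maps file names to block numbers (FAT-style). Delete and quick-format only
change the table; sanitize overwrites the blocks themselves.
"""
import os

BLOCK_SIZE = 16
BLOCK_COUNT = 8

# Constructed sample record standing in for PHI; not real patient data.
SAMPLE_PHI = b"PATIENT: J.DOE MRN:0001234 DX:ASTHMA"


class SimulatedMedium:
    """A tiny block device with a FAT-style allocation table (hypothetical)."""

    def __init__(self):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(BLOCK_COUNT)]
        self.table = {}  # file name -> ordered list of block numbers

    def _free_blocks(self):
        used = {b for blocks in self.table.values() for b in blocks}
        return [i for i in range(BLOCK_COUNT) if i not in used]

    def write_file(self, name, data):
        """Allocate free blocks, copy the data in, record them in the table."""
        free = self._free_blocks()
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(free):
            raise OSError("medium full")
        chosen = free[:needed]
        for i, blk in enumerate(chosen):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[blk][:] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.table[name] = chosen

    def delete_file(self, name):
        """What an ordinary delete does: drop the directory entry only."""
        del self.table[name]

    def quick_format(self):
        """What a quick format does: wipe the allocation table only."""
        self.table = {}

    def sanitize(self, passes=1):
        """Overwrite every block, allocated or not, then leave it zeroed."""
        for _ in range(passes):
            for blk in self.blocks:
                blk[:] = os.urandom(BLOCK_SIZE)
        for blk in self.blocks:
            blk[:] = bytes(BLOCK_SIZE)

    def raw_image(self):
        """The bytes a forensic tool would read straight off the device."""
        return b"".join(self.blocks)


def recoverable(medium, needle):
    """Carve the raw image for `needle`, ignoring the file system table."""
    return needle in medium.raw_image()


def demonstrate():
    """Write, delete, format, sanitize; report whether PHI is still carvable."""
    m = SimulatedMedium()
    m.write_file("visit.txt", SAMPLE_PHI)
    results = {"after_write": recoverable(m, b"J.DOE")}
    m.delete_file("visit.txt")
    results["after_delete"] = recoverable(m, b"J.DOE")      # still there
    m.quick_format()
    results["after_format"] = recoverable(m, b"J.DOE")      # still there
    m.sanitize()
    results["after_sanitize"] = recoverable(m, b"J.DOE")    # gone
    return results


if __name__ == "__main__":
    for step, found in demonstrate().items():
        print(f"{step:15s} PHI recoverable: {found}")
```

On real hardware the same logic applies with one important difference for flash media: a thumb drive or SSD remaps writes through its own wear-levelling layer, so an overwrite issued through the file system can miss blocks that still hold old data. That is why the reminder above says to use the device's built-in sanitize or secure-erase command (or destruction) for flash, and why NIST SP 800-88 treats overwriting as a magnetic-disk technique rather than a universal one.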

Page 20

More Reminders

Store sensitive and confidential information securely in a directory on a secure network file server. Information stored on the hard drive (C: drive) of a computer or on a portable computing device (PCD) can be lost or compromised. PCDs include handheld, notebook and laptop computers, personal digital assistants (PDAs) and portable memory devices such as flash disks, thumb drives, jump drives, etc.

- Use of PCDs for ePHI must be approved by senior management.
- PCDs must be inventoried and must maintain appropriate security protection.
- PCDs used for PHI must be encrypted.
- Ask your information systems representative for help securing PCDs.

Page 21

Your Responsibility

If you notice, hear, see or witness any activity that you think might be a breach of privacy or security, let someone know immediately. It is much better to investigate and discover no breach than to wait and later discover that something did happen. The 60-day clock for notifying affected individuals starts when the breach is discovered, or when it should have been discovered with reasonable diligence, not when it is finally reported up the chain.

Continue to be mindful of HIPAA privacy and security regulations, and practice the provisions of the UAB/UABHS privacy and security core standards. Additionally, the basic HIPAA training is always available for review on the UAB/UABHS HIPAA Web site at http://www.hipaa.uab.edu/pdffiles/UABHS_HIPAA_training_08_2009.pdf.

Refer to the UAB/UABHS Information Security Handbook at www.hipaa.uab.edu/pdffiles/Information_Security_Handbook_03_2009.pdf.

Page 22

Business Associate Agreements (BAAs)

Review: a BAA is required before a covered entity can contract with a third-party individual or vendor (subcontractor) to perform activities or functions that will involve the use or disclosure of the covered entity's PHI.

- Make sure your department has BAAs for vendors that access our PHI.
- The UAB/UABHS BAA is being revised and will be available for use beginning October 1, 2009.
- At this time, current BAAs will not have to be replaced with the new format; however, that could change depending upon additional guidance from the Department of Health and Human Services.

Biggest change: entities must maintain a list of all active BAAs and copies of the fully executed BAAs.

Page 23

Additional Communications

The American Recovery and Reinvestment Act of 2009 (ARRA) brought major changes to the HIPAA privacy and security regulations. Unlike the original HIPAA rules, whose enforcement was phased in over several years, these changes take effect within months.

This update covers the most immediate changes to HIPAA compliance.

Additional guidance is expected from the Department of Health and Human Services.

Other meetings, announcements, trainings and awareness activities are likely to follow.

So, until next time… Thank you!