HITECH ACT - PowerPoint PPT Presentation

Provided by: colleen65

Transcript and Presenter's Notes
1
HITECH ACT
  • Privacy Security Requirements
  • Cathleen Casagrande
  • Privacy Officer
  • July 23, 2009

2
HITECH ACT
  • Dedicates over $31 billion in stimulus funds for
    healthcare infrastructure and the adoption of
    Electronic Health Records (EHR).
  • Also imposes new medical privacy requirements.

3
Changes to Medical Privacy Requirements
  • Fundamental changes in the areas of
    accountability, data breach notification,
    consumer access, and use of personal health
    information.
  • Unlike HIPAA, the HITECH Act allows one year for
    most provisions.

4
Accountability
  • Imposes new levels of accountability for medical
    privacy.
  • Periodic audits by HHS to ensure compliance
    within the first 12 months after enactment of the
    new rules.

5
Accountability
  • Tiered penalty structure, with fines ranging from
    $25,000 to $1.5 million; penalties are
    mandatory for cases of willful neglect.
  • All violations occurring after February 2009
    enactment date are subject to the increased
    penalties.

6
Accountability
  • Business Associates with access to PHI are bound by
    the same requirements as the Organization (Feb 2010).

7
Accountability
  • Ensure business associate contracts are in place,
    authorizing and defining their use of the PHI
    shared with them.
  • Obligated to report a violation to the appropriate
    authorities and discontinue the relationship.

8
Consumer Access (Feb 2010)
  • Gives individuals clear access rights to their
    own health records, and it gives them the right
    to restrict disclosure of PHI if they pay the
    healthcare providers themselves.

9
Use of PHI (Feb 2010)
  • CEs and their business associates are also
    prohibited from selling PHI without explicit,
    documented authorization from the individual
    whose information is contained in the record.

10
Breach Notification
  • Defined: unauthorized acquisition, access, use, or
    disclosure of PHI that compromises the security or
    privacy of the data.
  • Unsecured PHI: not secured through technology that
    renders it unusable, unreadable, or indecipherable
    to unauthorized individuals.
  • Additional guidance on technology.

11
Breach Notification
  • Obligation to notify all breaches that are
    discovered on or after September 15, 2009.
  • Notification within 60 days when PHI in any form
    or medium is breached, not just electronic
    records.
  • Breach is officially discovered on the first day
    it is known to the HIPAA entity or business
    associate or should reasonably have been known.

12
Breach Notification
  • The HIPAA covered entity that suffered the breach
    must demonstrate that the required notifications
    were made.
  • Telephone notifications can be made in urgent
    situations.
  • Business Associates are required to notify the
    covered entity, including the identity of the
    individuals affected.

13
Breach Notification
  • Breach affecting 500 or more individuals: the CE is
    required to provide immediate notice to HHS.
  • Thus the breach notice is public.
  • The rule of 500 applies within a single state or
    jurisdiction.
  • Notice must be provided to prominent media
    outlets.

14
Methods of Notice
  • Individual Notice
  • Notice required under this section to be provided
    to an individual, with respect to a breach, shall
    be provided promptly and in the following form:
  • Written notification by first-class mail to the
    individual at the last known address.
  • In the case of insufficient or out-of-date
    contact information that precludes direct written
    notification (or electronic notification, if
    specified by the individual under subparagraph).

15
Media Notice
  • Notice shall be provided to prominent media
    outlets serving a State or jurisdiction,
    following the discovery of a breach of unsecured
    protected health information of more than 500
    residents of that State or jurisdiction.

16
Notice to HHS Secretary
  • Required immediately if the breach involves 500
    or more individuals. These breaches will be
    posted on the HHS public website, including the
    name of the covered entity.
  • If the breach involves fewer than 500 individuals,
    the covered entity may maintain a log of any such
    breach.
  • Annually submit that log to HHS, documenting the
    breaches that occurred during the year involved.

17
Content of Notification
  • Regardless of the method by which notice is
    provided to individuals under this section,
    notice of a breach shall include, to the extent
    possible, the following:
  • A brief description of what happened, including
    the date of the breach and the date of the
    discovery of the breach.
  • A description of the unsecured PHI involved, such
    as SSN, address, etc.

18
Content of Notification
  • Contact procedures for individuals to ask
    questions or learn additional information, which
    shall include a toll-free telephone number, an
    e-mail address, website, or postal address.
  • Time consuming, costly, overwhelming.
  • Potential long-term damage to customer relationships.

19
Content of Notification
  • The steps individuals should take to protect
    themselves from potential harm resulting from the
    breach.
  • A brief description of what the covered entity is
    doing to investigate the breach, to mitigate
    losses, and to protect against any further breaches.

20
Data Breach Response
  • Provide recovery services for individuals who
    become victims of identity crime.
  • Restore their medical identities to pre-theft
    status.
  • Designate an individual or company to manage
    customer calls.

21
Business Impacts
  • Inventory PHI / Risk Assessment
  • 70% of all organizations do not have an accurate,
    documented inventory of the personally identifiable
    information (PII) in their custody.
  • This includes data shared with a Business Associate.
  • PricewaterhouseCoopers reports that 44% of data
    breach incidents are due to third-party handling
    of data.

22
Breach Impact
  • Organizations suffering small-scale data breaches
    will now be obligated to notify in each instance,
    and to keep detailed proof of notification, causing
    significant effort and cost.

23
Business Impact
  • Data breaches damage a business's credibility.
  • Medical and financial risks to the people whose
    data is lost.

24
Questions & Answers
  • Clarification of the Privacy Requirements within
    the ARRA rule in the next 12 months.
  • Key strategies: assess PHI, including BAAs.
  • Utilize appropriate Security Standards.
  • Staff, computer access, etc.