Your Keys to Compliance: From HIPAA to Meaningful Use
Virginia Brooks, VHIT Director
Mark Watson, Director, Hancock, Daniel, Johnson & Nagle, PC
January 15, 2014
Today’s Presentation
• Focus on Privacy & Security
• Know the Rules
• Meaningful Use
• Risk Assessment
• Be Prepared
• How Can VHIT Help You?
Why Focus on Privacy & Security?
• Key to building patients’ trust
• Important for patient safety
• Essential for realizing the full benefits of EHRs
• Avoid penalties for breaches
• Necessary to comply with federal, state and local laws
o Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the confidentiality and privacy of healthcare information
o American Recovery and Reinvestment Act of 2009 (“stimulus package”) includes the Health Information Technology for Economic and Clinical Health (HITECH) Act
– Promotes adoption of EHRs by offering Medicare & Medicaid incentives to physicians demonstrating Meaningful Use
Be Advised
This presentation is for informational purposes only and is not intended to suggest or offer legal advice.
Know the Rules
• How do the new HIPAA regulations change
o Updated terms/standards on:
– Notice of privacy practices
– Business associate agreements (and business
– Breach notification
– Patient requests for restrictions
– Access rights for patients
– Marketing
– Sale of PHI, research, PHI of decedents, and more ...
Know the Rules
• Notices of Privacy Practices
o Must state that authorization is typically required for:
– most uses and disclosures of psychotherapy notes
– most uses and disclosures for marketing
– most uses of PHI
o Must include statement on right to breach
Know the Rules
• Notices of Privacy Practices
o Has your NPP been updated regarding requested restrictions?
Know the Rules
• Business Associates
o HIPAA rule now includes entities and individuals that create, receive, maintain or transmit health information on behalf of the covered entity
o Prior definition applied only to entities and individuals that used or disclosed health
Know the Rules
• Business Associates
o “Conduit” exception
o Regulatory comments say it is narrow, excluding “only those entities providing mere courier services” such as the post office and ISPs.
o Random or infrequent access to PHI doesn’t eliminate the “conduit” exception, BUT
o If the entity requires access regularly, or is involved in something other than just transmission, the conduit exception doesn’t
Know the Rules
• Business Associates
o “Conduit” exception cont’d
o Data storage company (digital or hard copy) is a BA even if it does not view the information
o Document disposal company is a BA even if it does not view the information
o BAAs should address subcontractors
Know the Rules
• Business Associates
o Timing for updates / changes
o New arrangements on or after Jan. 25, 2013: new BAA standards apply
o If the arrangement was in place before Jan. 25, 2013 and isn’t modified or renewed between March 26, 2013 and Sept. 23, 2013, you have until Sept. 22, 2014
o If the arrangement is modified or renewed after March 26, 2013, new BAA standards apply
Know the Rules
o Security Rule: establishes requirements for protecting electronic PHI
– Confidentiality / Integrity / Availability
– Physical / Technical / Administrative Safeguards
– Develop and maintain policies and procedures
– Back up / disaster recovery / emergency plans
– Risk Assessment
– Record incidents
Know the Rules
o Breach Notification Rule: unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the information
o Prior regulations defined a “Breach” as a compromise involving a significant risk of financial, reputational or other harm
Know the Rules
• Breach
o “Risk” criteria have technically been eliminated,
o Situation may not be a “compromise” if the CE or BA demonstrates that there is a “low probability” that the PHI has been compromised
Know the Rules
• Breach
o “Compromise” assessment based on:
– The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
– The unauthorized person who used the PHI or to whom disclosure was made
– Whether the PHI was actually acquired or viewed
– The extent to which the risk to the PHI has been
Know the Rules
• HITECH Act changed things
o CEs are required to agree to requests for restrictions in certain cases
• New regulations finalize these standards
o CEs must agree to restrict disclosure of PHI to a health plan if
– The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by
– The PHI pertains solely to a health care item or service for which the individual, or someone other than the health plan, has paid in full
HITECH Civil Monetary Penalties

Violation Category                        Each Violation       All Identical Violations per Calendar Year
Did Not Know                              $100 - $50,000
Reasonable Cause                          $1,000 - $50,000
Willful Neglect – corrected in 30 days    $10,000 - $50,000
Willful Neglect – not corrected
Know the Rules
Access to ePHI
• If ePHI is in a designated record set and the individual requests an electronic copy, the CE must provide the individual with access in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the
Know the Rules
Marketing
• Has always required authorization, but
• Has also included “carve outs” for communications to describe other services by the CE and for case management/care coordination
• New regulations include similar terms, but many carve outs do not apply where the CE receives “financial remuneration”
• Financial remuneration means direct or indirect payment from or on behalf of a third party whose product is being described
Know the Rules
Sale of PHI
• Strict prohibition on sale of PHI without authorization, with limited exceptions
• Authorization must state that the disclosure will result in remuneration to the CE
• Sale does not include (i.e., authorization isn’t required for):
o Research
o The sale or transfer of all or part of the CE and related due diligence
Action Items
• Review and update your policies and procedures:
o Breach notification
o Requests for restrictions
o Access rights
o Sale of PHI?
o Immunization records?
Action Items
• Are other updates/revisions appropriate?
• Are your security policies, procedures and actual security measures appropriate?
Enforcement Examples
• Rite Aid (2010)
o Improper disposal of prescriptions and pill bottles
o $1 million settlement, CAP, training for employees
• Massachusetts General (2011)
o Employee took billing encounter forms home; 192 paper records
o OCR settlement for $1 million, 3-year CAP
• Phoenix Cardiac Surgery (2012)
o Patient appointments posted on Internet-based calendar
o Practice implemented few policies/procedures, limited safeguards
o OCR settlement for $100,000
Meaningful Use Standards for Privacy & Security
• HITECH promotes adoption of EHRs by offering Medicare & Medicaid incentives to physicians demonstrating Meaningful Use
• MU Core Objectives require providers to protect health information created and maintained by an EHR.
• Having an ONC certified EHR vendor is not
Data Security Safeguards
• Conduct security risk analysis
• Perform a thorough compliance audit
• Safeguards may include:
o Documented policies and procedures that govern physical and environmental security of data, to include firewalls and more
o Visitors are authenticated and escorted at all times, and there are detailed records of visits
o Mobile devices are vulnerable and require much more than a password or PIN to be secure
Safeguards Continued
o Secure areas are physically protected, such as monitoring by a receptionist, and security by locked doors and cameras
o Keys and combinations are password protected or otherwise secure, and locks are changed when keys are lost or stolen and when employees are terminated
o Adequate fire detectors exist and are powered by an independent energy source
o And many more safeguards …
Risk Assessment vs. Risk Analysis
• Risk assessment must be completed per HIPAA Security Rules to address reasonably anticipated risks to protect health information
• Risk analysis of EHR environment for Meaningful Use is necessary per HITECH to assess damage related to Breach
Perform a HIPAA Risk Assessment
Top 5 Privacy Issues Identified by OCR:
• Impermissible uses and disclosures
• Insufficient safeguards of PHI
• Failure to provide patient access to PHI
• Use/disclosure of more than minimum necessary
• Insufficient notice to patients of use/disclosure of
Resources are Available
• Risk Analysis Now = Future Time + Savings
• Checklists & self-help tools can help you get
• Thorough risk analysis that will pass a compliance review requires expert
• VHIT is ready to help you!
How VHIT Will Help
• Privacy & Security Risk Assessment
– Verify physical, administrative and technical
– Verify current Privacy & Security policies and procedures, BAA agreements, and business contingency plan
– Risk mitigation plan based on findings
What You Will Get
• Privacy & Security Risk Assessment results in hard copy and CD-ROM
• Policy templates and supporting documents
• Additional materials, including incident logs, cyber security tips, and FAQ tip sheets
• HIPAA/HITECH Security training certificates
VHIT Expertise and Experience
• A Top 5 Regional Extension Center
• Supporting 4,000+
• Helped 2,200+ qualify for federal EHR incentive
• Uniquely qualified
Questions / Contact Us
• Virginia Brooks, MHA, CPHQ
(804) 289-5343
[email protected]
• Mark C. Watson, JD
(866) 967-9604
[email protected]
Hancock, Daniel, Johnson & Nagle, P.C.