From HIPAA to HITECH OMH Briefing
Overview Part 1: HIPAA Review Part 2: HITECH Highlights Part 3: HITECH Breach Notification Requirements
PART ONE: Review Of HIPAA
Background: OMH is a covered entity required to comply with the HIPAA Privacy and Security Rules. February 17, 2010: additional federal requirements became enforceable against covered entities as a result of the HITECH Act (Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009).
HIPAA Review Privacy Rule Development of policy for use and disclosure of PHI/clinical information and to assure individual rights Implementation of appropriate safeguards for protecting PHI/clinical information Workforce training
HIPAA Review Privacy Rule Each covered entity must: • Issue Privacy notices • Have privacy officer and privacy liaisons at each facility • Use business associate agreements
HIPAA Review Privacy Rule A covered entity can only use or disclose PHI: • For treatment, payment, or healthcare operations • As specifically authorized requests by the patient in writing • If HIPAA provides another exception
HIPAA Review Privacy Rule No consent required for uses and disclosures of PHI for treatment*, payment and health care operations (* Note that Mental Hygiene Law is more stringent: no consent is needed only if the provider has a “nexus/link” with OMH) • Through licensure, local agreement, or services plan With some exceptions, the individual’s written authorization is required for all other disclosures Use the OMH authorization form (OMH-11)
HIPAA Review Privacy Rule Clinical information protected under Mental Hygiene Law § 33.13 is Protected Health Information (PHI) under HIPAA Whichever state or federal rule provides greater confidentiality, or greater access to information for the individual, will prevail (preemption)
Patient Authorization Needed: Agencies/individuals involved in discharge planning/follow-up services Attorneys Physicians/providers of health or mental health services • Unless there is a nexus/link with NYS OMH
Patient Authorization Needed (cont.): Child protective agency Department of Social Services Family Probation Department VESID Media
HIPAA Review Privacy Rule Minimum Necessary Rule Limit use and disclosures of PHI to amount necessary to fulfill purpose of the disclosure (or perform job functions) Exceptions: provider use for treatment purposes, disclosures to individuals and disclosures required by law
PHI Identifiers Names All elements of dates (except year) for dates directly related to an individual Phone numbers Social security numbers Medical record numbers
PHI Identifiers Health plan beneficiary numbers Account numbers Full face photographic images and any comparable images Any other unique identifying number, characteristic, or code
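The two identifier slides above list the direct identifiers that must be removed before information stops being PHI. The following is an added example, not OMH code or OMH record format, of a Safe Harbor-style scan that strips several of the listed classes (SSNs, phone numbers, all date elements except the year, and labeled medical record, account and health-plan numbers) and then re-scans to confirm nothing matched is left. The sample note, and the `MRN`/`Account #`/`member id` label formats, are constructed assumptions; names are deliberately not attempted with regexes because they need a dictionary or NLP pass.

```python
"""Safe Harbor-style redaction of direct identifiers (added example).

The label formats and the sample note below are assumptions for illustration,
not OMH data or OMH conventions.
"""
import re
from typing import Dict, Tuple

# Identifier classes from the slides covered here: SSNs, phone numbers,
# elements of dates other than the year, and labeled record/account/
# health-plan numbers. Names are not handled by these patterns.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"(?<!\d)(?:\(\d{3}\)\s*|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)")
# mm/dd/yyyy, m-d-yy and similar; the year is kept, month and day removed.
DATE_RE = re.compile(r"\b(\d{1,2})[/-](\d{1,2})[/-](\d{4}|\d{2})\b")
# Assumed local labelling conventions for record and plan identifiers.
LABELED_ID_RE = re.compile(
    r"\b(MRN|medical record (?:number|#)|account (?:number|#)|member id|subscriber id)"
    r"\s*[:#]?\s*([A-Z0-9-]{4,})\b",
    re.IGNORECASE,
)


def safe_harbor_redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Return the redacted text and a per-class count of what was removed."""
    counts: Dict[str, int] = {}

    def sub(pattern, repl, kind, s):
        s, n = pattern.subn(repl, s)
        if n:
            counts[kind] = counts.get(kind, 0) + n
        return s

    # Dates first so month/day digits are never later taken for phone fragments.
    text = sub(DATE_RE, lambda m: f"[DATE {m.group(3)}]", "date", text)
    text = sub(SSN_RE, "[SSN]", "ssn", text)
    text = sub(PHONE_RE, "[PHONE]", "phone", text)
    text = sub(LABELED_ID_RE, lambda m: f"{m.group(1)} [ID]", "record_id", text)
    return text, counts


def residual_identifiers(text: str) -> int:
    """Count pattern hits still present; 0 means the re-scan found nothing."""
    return sum(len(p.findall(text)) for p in (SSN_RE, PHONE_RE, DATE_RE, LABELED_ID_RE))


# Constructed sample note, not a real record.
SAMPLE_NOTE = (
    "Pt seen 03/14/2010, MRN 00482913. SSN 123-45-6789 on file. "
    "Callback (518) 555-0142 or 518-555-0199. Account #: AC-77310. "
    "Discharge planned for 4-2-10; follow-up in 2011."
)

if __name__ == "__main__":
    redacted, removed = safe_harbor_redact(SAMPLE_NOTE)
    print(redacted)
    print(removed, "residual:", residual_identifiers(redacted))
```

The re-scan is the practitioner's check: a redaction step that is not followed by a scan for what it should have removed gives no evidence that the output is no longer PHI. Pattern-based removal is a floor, not a guarantee; free-text names, addresses and unusual date formats still need review.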
HIPAA Review Security Rule Requires safeguards to protect Electronic PHI (EPHI): C Confidentiality of EPHI; I Integrity of EPHI; and A Availability of EPHI
HIPAA Review Security Rule Administrative safeguards • Security Awareness and Training • Information Access Management • Contingency Plan • Business Associate Contracts and Arrangements Physical safeguards • Device and Media Controls • Facility Access Controls • Workstation Security • Workstation Use Technical safeguards • Access Control • Audit Controls • Integrity • Person or Entity Authentication • Transmission Security
PART TWO: HITECH Highlights
HITECH (2009) amends HIPAA: now includes breach reporting and notification requirements Significantly increases civil and criminal penalties for violations Enhances state and federal enforcement and oversight activities HIPAA provisions are now directly applicable to Business Associates
Business Associates Must comply with all safeguards under the HIPAA Security Rule for EPHI Required to document policies and procedures for safeguarding PHI Must report security breaches Must take reasonable steps to cure, or report, any known pattern of activity or practice by the covered entity that breaches the BAA, and terminate the agreement if cure is not feasible Now directly liable for civil and criminal penalties
Business Associates Revised OMH Business Associate Agreement in accordance with HITECH changes Business associates: • BOCES staff • IT vendors • Consultants (PT, OT)
Additional HITECH Changes Mandated Audits-to ensure compliance Audits performed by: - HIM - IT - CIT
Additional HITECH Changes OMH continues to follow Mental Hygiene and Confidentiality rules Allows individuals to have broader rights of access to their records
Additional HITECH changes Mental Hygiene Law- “need to know” similar to HIPAA- “minimum necessary standard” Access and disclosure of PHI • Only what is required to provide care/treatment or in order to perform job duty
Patient Rights Individuals now have the right to request an accounting of disclosures made through an electronic health record (EHR), including disclosures for treatment, payment and healthcare operations and those authorized by the patient Can go back as far as 3 years
Patient Rights Individuals may file privacy complaints Designated OMH contact persons • Facility Director • QM • HIM • HHS OCR
Patient Rights A covered entity MUST comply with an individual’s request to restrict use or disclosure of PHI for payment or health care operations purposes when the PHI pertains to a service the individual paid for in full and out of pocket
Additional HITECH Changes Individuals have right to access their PHI in electronic format, if requested Limits use of PHI for marketing purposes Prohibition on sale of PHI, HHS regulations to be promulgated
Safeguards to Protect PHI Follow the “Minimum necessary rule” except for treatment purposes, use and disclosure of PHI is limited to amount necessary to perform job functions Use file covers, locked filing cabinets and locked record rooms Avoid conversations identifying individuals in public places Avoid posting PHI where it can be seen by unauthorized individuals
Safeguards to Protect PHI Don’t leave the worksite with unsecured PHI Use, but don’t share, computer passwords Follow computer security policies for desktops, laptops, disks and other media. DO NOT email confidential clinical information or PHI over the internet Keep track of paper files and electronic devices which contain PHI.
Safeguards to Protect PHI When faxing or phoning PHI, know or verify the receiving party and the contact numbers Be mindful when disposing of PHI: shred, don’t toss, and use secure waste systems, not regular trash receptacles When storing PHI, choose the most secure accessible media: encrypted portable devices, hard drives, OMH system drives Avoid storing PHI on personally owned devices and home computers
Safeguards to Protect PHI Remove PHI from electronic files and storage devices when no longer needed When changing job functions or leaving OMH, discuss with your supervisor the secured return or destruction of PHI Report suspected violations of HIPAA privacy or security requirements to your supervisor Immediately report any suspected instance of lost or stolen paper or electronic files containing PHI to your supervisor
PART THREE: HITECH Breach Notification Requirements
What is a Breach? HITECH defines “breach” as: Unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI
Notification of Breach OMH and business associates are required to notify individuals when there is a breach of unsecured PHI Previously this was not a HIPAA requirement If more than 500 residents of a state are involved, media outlets MUST be notified
What is “Unsecured PHI”? Protected Health Information (PHI) that has NOT been rendered unusable, unreadable or indecipherable to unauthorized persons, i.e. PHI that is not: Encrypted Destroyed prior to disposal Includes both hard copy and electronic information
How Can a Breach Occur? It may include: Loss of an information device or media that contains PHI (smartphone, flash drive, laptop, CD, etc.) Unauthorized access, use, or disclosure of information contained in clinical records
How can a Breach Occur? Sending PHI to an incorrect email address or fax number Posting PHI on an unsecured website Unauthorized access from an application, database, or another individual’s private account
Notification of Breach Internal procedure when a breach is suspected: Report breach to HIM Director Risk assessment completed by • HIM • IT Determination made Information reported to Central Office
Risk Assessment Factors Considered: What type of PHI was disclosed? What amount of PHI was disclosed as a result of the incident? Who used or had unauthorized access to the disclosed information? Was it a disclosure to another entity?
Risk Assessment Method of Disclosure • Verbal • Paper • Electronic Recipient of Information • Internal Workforce • Agency • Business Associate
Risk Assessment Circumstances of Release • Unintentional use/access • Intentional disclosure w/o authorization • Theft • Loss • Hack
Risk Assessment Was the PHI that was disclosed without authorization returned before it could be accessed and used? What immediate steps were taken to mitigate the risks associated with the unauthorized use or disclosure?
Who must be notified when a Breach is discovered? Affected individuals • No later than 60 days after discovery Media • If the breach affects more than 500 residents of a state or jurisdiction Secretary of HHS • By filling out the HHS electronic breach report form Covered Entity • If the breach of PHI occurs at/by a Business Associate
Risks Impact • Financial • Reputational • Other Harm Categories • Low • Medium • High
Breach Notification OMH will provide written notice: By first class mail to each individual involved; By hand delivery
Breach Notifications to individuals must include: Brief description of incident Description of the types of unsecured PHI Steps that should be taken by individual to protect themselves from harm Brief description of the actions taken by OMH Contact information to ask questions or gather additional information
Documentation OMH must create a log of all notifications of breaches involving fewer than 500 individuals Submit the log to HHS within 60 days of the end of each calendar year Log and all other documentation will be maintained for 6 years
Enforcement HITECH significantly increases civil and criminal penalties for violating HIPAA Civil penalties are tiered and can range from $100 per violation to $1.5 million per year for violations of an identical provision Criminal fines up to $50,000 and/or imprisonment, with higher tiers for violations committed under false pretenses or with intent to sell PHI
Next Steps Workforce Training • Current Employees • Review 2010 Information Security Mandated Training from the Bureau of Education and Workforce Development • Future Employees • HIPAA videos and all mandated HIPAA Privacy and Security materials Manual Updates
Next Steps Posting of Information • Brochures • FAQ’s on intranet • Posters around buildings HIM attendance at department/discipline meetings Continued staff awareness
Q&A Remember… Information Privacy and Security is everyone’s responsibility.