Module 4: Effects of ARRA/HITECH

Iliana Peters
Length: 21:55 | Format: Video with PowerPoint
Related Content: Module 4 Effects of ARRA/HITECH.pdf


I know that Verne talked about this a little bit at the very beginning of the morning, so it has been quite a while since we talked about HITECH. I also talked a little bit about the different privacy provisions, some of them, that will be affected by the HITECH changes. The Health Information Technology for Economic and Clinical Health Act, which is what we refer to as the HITECH Act, is found in Title XIII, Subtitle D of the American Recovery and Reinvestment Act, and it is contained in your binder. So, we've pulled HITECH for you. Besides expanding our enforcement significantly and including you, the State Attorneys General, in that enforcement scheme, the privacy and security provisions are also affected by HITECH. So, the main point that I think you need to take home on this is that we did a notice of proposed rulemaking in July of last year and we're currently working on the final rule. So, keep your eyes peeled for the final rule, because that will contain all of these changes, the regulatory changes to the rules. So, right now, the statute is in effect and I'll get into that, but it is the final regulations, which we hope will be coming out soon, that will actually talk about the implementation required pursuant to HITECH. So, after this module, hopefully you'll understand a little bit better what is in HITECH, some of the provisions pertaining to your authority, although Louis will cover that in depth tomorrow morning. So, the HITECH provisions, specifically those that apply to you, Attorneys General, will be covered in depth tomorrow morning. So, just so you know, this is just a quick intro to that piece of it. We're also going to talk through this module a little bit more about application of the rules to business associates, and particularly about the breach notification rule. We published two interim final rules pursuant to the HITECH Act.
One of them is our enforcement scheme, because we wanted to be able to use that civil money penalty structure immediately. And the other piece is breach notification. So, whereas, as I said before, we are waiting on a final rule on everything else, breach notification and the enforcement piece are in effect now. It was an interim final rule, so we did an interim final rule with comment, which means we are probably going to modify those provisions a little bit more in the final rule that will be coming out with the rest of it. But they are currently in effect, breach and enforcement; something to keep in mind. So, HITECH was really about promoting the adoption and meaningful use of health information technologies. So if you think back to the discussion this morning about HIPAA, HIPAA was really about streamlining electronic transactions for payment purposes. HITECH is really about health information technology and trying to improve security, so we can really roll out health information technology in a meaningful way and get people to use it, get people to buy into the use of health information technology. So, it contains some provisions that strengthen civil and criminal enforcement and, as we said earlier, grants authority to the State Attorneys General to enforce the HIPAA requirements when a state resident is affected by a violation of the rules in their state. Section 13410(e) is your specific grant of authority, and as I've said, Louis will get into that section in depth tomorrow. It gives the State Attorney General the authority to bring a civil action when one or more state residents are or have been threatened or adversely affected by a covered entity or business associate with regard to the HIPAA requirements. The Attorney General can bring a civil action in the District Court of appropriate jurisdiction. This should be review by this point, since Verne covered this this morning.
This is the civil money penalty structure for purposes of OCR. This is really for your information. What's important for you to know is that there are now four tiered categories, and they really talk about an intent-based system. So when we talk about did not know, reasonable cause, and willful neglect, either corrected or not corrected, for your purposes, that's really the gist: you need to think of did not know violations, reasonable cause violations, and willful neglect violations. The HITECH Act also provided for the establishment of an audit program. So, we're currently working on how to go about implementing this audit program, something we've been working on for a little bit, and we're really trying to integrate this into our enforcement scheme at HHS. HITECH also modified the criminal penalties just a little bit. Previously, when we referred to a person under the rules, we were really talking about covered entities. So HITECH has changed that a little bit to make it clear that the criminal penalties do in fact apply to employees or other individuals, whereas before it had been interpreted to only apply to covered entities. So it was a little bit difficult to try and bring criminal penalties against individuals or employees. HITECH clarifies that, no, by person we also mean employees and individuals, and we can prosecute them criminally. We don't. We refer them to the Department of Justice, and the Department of Justice does that criminal prosecution, but now it is much clearer for them to do that prosecution against an employee or an individual. So, the effective date of HITECH was February 17th of 2009, and provided all of the other jurisdictional and procedural requirements are met, a State Attorney General may investigate and penalize a covered entity or business associate after that date of February 17th of 2009. The effective date for most of HITECH is February 17th of 2010.
So those provisions in HITECH that make specific changes, most of those are effective as of February 17th, 2010. As I said, most of those also have to be implemented by regulation, so despite the fact that the effective date has already passed, so the statute is technically in effect now, we really can't do much with that until we have those implementing regulations, so they can interpret the statute and specifically tell covered entities and business associates how to go forward with their compliance. As I said before, we have issued that notice of proposed rulemaking, and we also issued those two interim final rules that I was talking about. We have a statement on our website that clarifies this for people, because there was a little bit of confusion about what's in effect now, what's going to be in effect in the future, what do we have to start doing now. And again, breach and the civil money penalty scheme are in effect now. The other pieces that I will talk about need to be finalized through regulation and hopefully will be soon. So before HITECH, OCR only had direct jurisdiction over covered entities, because that's what HIPAA gave us jurisdiction over. Those covered entities, remember, are health plans, healthcare clearinghouses, and healthcare providers that are doing electronic transactions. So what we did was we designed the rule to use a contractual obligation. Remember I told you about those business associate agreements, obtaining satisfactory assurances by using a contract. So we used contract obligations between the covered entity and the business associate to ensure the privacy and security of that information that was flowing from the covered entity to the business associate. Congress recognized this, and they recognized that this was a little bit awkward, because we can enforce against the covered entity but we couldn't necessarily enforce against the business associate. The covered entity would have to do that through contract.
So, we're going to provide more guidance on this, but HITECH extends liability to business associates for the Security Rule and for parts of the Privacy Rule, those parts dealing with uses and disclosures of information. So, again, this is something that, if you want to read our notice of proposed rulemaking, we talk about at length in the notice of proposed rulemaking, and we'll also clarify further in the final rule and talk more about how this liability will extend to business associates specifically, which parts of the rule. So, the takeaway here is that business associates will be covered with regard to the Security Rule and with regard to parts of the Privacy Rule after the final regulations are published, so we can enforce directly against those business associates at that time. HITECH also talked about certain types of entities that it wanted to make sure to clarify are business associates and must have business associate contracts in place. So again, that's going to be illuminated a bit more. We talk about it in the notice of proposed rulemaking, and it will be illuminated more in the final rule. So, let's get into breach notification a little bit. Section 13402 requires covered entities to notify affected individuals, HHS, and in some cases the media, of breaches of unsecured protected health information. So I'm sure some of you live and work in states that have state breach notification requirements. Congress saw this and decided that it really should be included in HITECH as well, to cover protected health information held by covered entities. So, as I said, when there's a breach of unsecured protected health information, a covered entity must notify the individual, they have to notify HHS, and in some cases they have to notify the media. Let's talk about that more. In August of 2009, we issued this interim final rule that I told you about.
So, the rule, this breach notification rule, is currently in effect and enforceable both by us and by you. The rule requires notification when there's a breach of unsecured protected health information. And what is unsecured protected health information? That is talked about in this guidance that we published in conjunction with the interim final rule. The guidance basically says that if it's encrypted, or if it's destroyed, it's secured information. So the first step is, do we have unsecured protected health information? If it's encrypted, if it's destroyed, it's secured and you don't have a breach. In any other circumstance, you have to proceed with your analysis. So, again, encryption and destruction. If you have those two circumstances, you do not have a breach, because it's secured protected health information. If there is a breach, notification is required without unreasonable delay and in no case later than sixty days after the discovery of the breach, unless there is law enforcement involvement here, and the rule spells this out. So, I'd refer you to the breach notification rule if you're curious as to how that works. But, generally, if there's a breach of unsecured protected health information, the covered entity has to notify individuals and HHS, well, in most... in some cases, notify individuals no later than sixty days after the discovery of the breach. The breach is considered discovered by a covered entity or by a business associate as of the first day on which the breach is or should reasonably have been known to have occurred. So, I know this is a little bit of a difficult concept, but it's basically trying to prompt covered entities and business associates to have robust programs in place to identify when these breaches happen and to respond immediately to these breaches, because they can't put their head in the sand and say "We didn't know." So business associates are required by the rule to notify the covered entity.
So, the business associate is not required to notify the individual directly; they're required to notify the covered entity. However, some covered entities have decided through their business associate agreements that they want the business associate to do that notification, because they're really the ones who have the relationship with the patient, they're the ones who have the information, whatever the reason is. That's okay. The rule says that's okay, but the covered entity is ultimately responsible for that notification. So if the business associate doesn't do it, the covered entity is on the hook for that. Paper notification, whether it's sent by the covered entity or the business associate, is required by first class mail to the last known address of the individual or their next of kin, unless another preference is specified by the individual. So, in every case, the covered entity has to provide notification to individuals affected and to OCR. In every case. For breaches involving fewer than five hundred individuals, the covered entity can submit annually to the Secretary, to our office, basically the year's worth of these smaller, quote-unquote "smaller breaches." So they would have to notify the individual within sixty days and then they would have to notify HHS within that year. So, those are for fewer than five hundred individuals. If five hundred or more individuals are affected by the breach, then the covered entity is required to immediately notify OCR. So, we have to know right away. OCR has to know right away. Not within the year. Right away. Five hundred or more individuals: you have to notify the individual, you have to notify OCR immediately, and you also have to provide notice to a prominent media outlet within the state or jurisdiction. So if you have a "small" breach, it's individual and HHS. If you have one of these "larger" breaches, five hundred or more individuals, it's individual, HHS, and media.
As you can see from the website, and we'll get more into this tomorrow, I'll show you where this is on the website. We post the list of these covered entities that have had these large breaches. So, this can be a great resource for you guys. The states are listed, the state of the entity is listed, and I'll show you exactly where this is tomorrow, so we'll get more into this tomorrow. But it is required to be posted on our website. Okay, so just a quick review of breach, before we move on to some of the other HITECH provisions. Breach notification is required in cases where there is a breach of unsecured protected health information. Unsecured, again, is encrypted or destroyed. If it's fewer than five hundred people, you have to notify the individual and HHS. If it's five hundred or more individuals, the individual, HHS, and the media. Okay. So, some of the other HITECH provisions that are included in HITECH are changes to the Privacy and Security Rules, as we talked about earlier with regard to restrictions. Remember I told you in our Privacy Rule module that after HITECH, if the individual requests a restriction for an item or service for which they have paid out-of-pocket in full, then that restriction would have to be abided by. We talk about that in the NPRM and we'll talk about it more in the final rule. As I also said when I talked about accounting, there are going to be changes to the accounting rule that will include accounting for disclosures, including treatment, payment, and healthcare operations, if there's an electronic health record. That will be coming out soon as well. Prohibition on the sale of PHI and e-PHI. Sale of information wasn't allowed under the rule before, but HITECH wanted to make it clear that it's absolutely not allowed. So there are some provisions that will address sale. There are some provisions that talk about access if there's an electronic format. Education on health information privacy is required, much like we're doing today.
There are certain provisions that discuss marketing and how marketing can work, and it significantly limits how covered entities can quote-unquote "market" to individuals. And there are certain conditions placed on fundraising by covered entities as well. And if you're curious what these look like, again, the notice of proposed rulemaking is currently available; it's available on our website. And then these changes will be included in the final rule. Okay, so we talked about some of these major changes that will be in place after HITECH. Your enforcement authority increases, and civil money penalties for OCR. For your purposes, you want to make sure and keep in mind those tiered penalty structures. Business associates will now be directly liable after the final regulations. Breach notification is in effect now. And there are other limitations that are placed on things like sale and marketing, fundraising. And there'll be provisions for restrictions, access, and accounting. Okay, so does anyone have any questions at this point? With regard to HITECH or with regard to Day One? Yes? (from the audience): "How do we reconcile the notification requirement that you have to provide written notification to consumers if... you talked about an earlier module where if they requested 'don't send anything to my address', can we reconcile that? Does one trump the other?" That's a good question. It's required by the breach notification rule, so unless the individual has requested and the covered entity has agreed to some other means, then they would have to require that. They would still... they're required to provide that notification. (reply from the audience): "So, it would still have to be written and... I guess I am just thinking of a situation where somebody's gone to a clinic or a center where they don't want their family to know they've been there.
I guess is full notification okay in that kind of circumstance, or no?" Well, the covered entity can certainly arrange with that individual, as we said, to have all communications in a different way, but they're still required to be notified, however that happens. Okay? Yes? (from the audience): "The CMP provisions, if those are being enforced by HHS..." Yes, they are. (from the audience): "...why do... what effect does it have on us? Because we don't... the states and territories don't get money or don't enforce..." Right. Louis, tomorrow, will talk more about the statutory damages available to you as State Attorneys General. The reason we provided this information is because it's important to keep in mind these tiers of penalties for your purposes when you're counting violations. And again, Louis will get into that in depth tomorrow on how to count violations, and how things like knowledge and willful neglect play into those. Other questions? Okay, tomorrow we will cover more information on your authority under the HITECH Act, (unintelligible), State Law, and we'll also get into how we enforce the Rule, for purposes of, perhaps, you might want to look at that for designing your own enforcement programs in the States. And we'll also help you look at where you can find all the resources for this information on our website and other places. So, thank you so much again for your continued attention, for your participation. I will be here tomorrow and I will see you at the end of the day. And I am hopefully... some of you will join us upstairs in the Lobby.