LAW SEMINARS INTERNATIONAL
Call from Anywhere for a One-Hour Expert Analysis by Phone on New HITECH Act Rules: Meeting the Challenge
January 26, 2010
Copyright 2010 by Law Seminars International

Call in from Anywhere! The TeleBriefing starts at 10:00 am Pacific, 11:00 am Mountain, 12:00 pm Central, and 1:00 pm Eastern.

Who Should Dial In
Attorneys, executives, business management and medical industry professionals.

Why You Should Dial In
The effects of the Health Information Technology for Economic and Clinical Health Act, or "HITECH," which is part of the American Recovery and Reinvestment Act of 2009, will be felt long after the stimulus package is forgotten. Designed to promote the adoption of health information technology, HITECH also substantially broadens the scope and toughens the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). One thing is certain: HIPAA is no longer a paper tiger.

As of February 2010, business associates will be directly regulated under HIPAA for the first time, subject to Office for Civil Rights enforcement actions and the same penalties and sanctions as covered entities. Business associates must implement and document administrative, physical, and technical safeguards to protect health information, including electronic information. Additionally, individuals, and in some cases the Department of Health and Human Services and local media, must be notified of breaches involving their unsecured protected health information. Civil penalty authority has soared to as much as $1.5 million per calendar year for violations of an identical requirement. In February 2011, minimum penalties will become mandatory in cases of "willful neglect." State Attorneys General are already authorized, for violations occurring after HITECH's enactment in February 2009, to seek damages on behalf of state residents harmed by unauthorized disclosures.

In this one-hour TeleBriefing, an expert panel featuring a legal practitioner, a medical association general counsel, and a physician compliance officer will provide a diversity of perspectives on meeting the HITECH challenge. Learn what other providers and organizations are doing to comply, to assess risk in their organizations, and to find realistic workflow solutions. Join us and begin your HITECH compliance journey headed in the right direction!

What You Will Learn
- Broader and tougher requirements HITECH will bring to HIPAA
- New breach notification rules
- New penalties for noncompliance
- More stringent standards of minimum necessity
- New restrictions on marketing and disclosures to health insurers
- Tips for compliance: risk assessment tools and realistic workflow solutions
- Timelines for compliance

What Attendees Have Said About Similar Programs
"The presentation organization was excellent and the program was very informative."
"All aspects of the seminar were excellent, but it was particularly informative due to the choice in panelists."

Agenda
Tuesday, January 26, 2010
10:00 am  New HITECH Act Rules
  Introduction and Overview: Kelly T. Hagan, Esq., Moderator, Schwabe Williamson & Wyatt PC / Portland, OR
  Physician office and business associate practices: Gwen M. Dayton, Esq., General Counsel, Oregon Medical Association / Portland, OR
  Operational challenges: Ronald G. Marcum, M.D., M.S., Chief Privacy Officer, Oregon Health & Science University / Portland, OR
11:00 am  Q & A (for up to 30 minutes)

Tuition
Tuition is $125 per caller and $50 each for additional people on the same line who wish to receive continuing education credit. Financial aid is available to those who qualify. Contact our office for more information.

Cancellation and Substitution
You may substitute another person at any time. If you are unable to join the call, you can download the audio and materials later, or we will send you an audio CD and written materials for an additional $10.

Continuing Education Credits
This TeleBriefing qualifies for 1.0 Washington CLE credit. Upon request, we will apply for CLE credits in other states and other types of credits. Please note that audio programs currently do not qualify for CLE credits from the Delaware, Kansas, and Ohio bar associations.

Location
The telephone number and link to the materials will be e-mailed to you after we process your order. All orders are processed within one business day of receipt.

If You Cannot Attend
You may download the entire audio and materials for $125 or obtain an audio CD and printed materials for $135. Both options include the written materials. Downloads are available within 48 hours after the TeleBriefing or from the date we receive payment. We will ship a CD order via UPS ground within two weeks after the TeleBriefing or from the date we receive payment.

Our Distinguished Panel
Kelly T. Hagan is a shareholder in the Portland, Oregon office of Schwabe, Williamson & Wyatt, P.C., where his practice emphasizes business transactions and regulatory compliance in the healthcare industry. Mr. Hagan is past Chair of the Health Law Section of the Oregon State Bar and of the Oregon State Bar's Joint Committee on the Medical Profession, and is past President of the Multnomah Bar Association. Mr. Hagan has lectured on health law related topics at the University of Oregon School of Law, Oregon Health & Science University, and the Oregon State University School of Public Health. Mr. Hagan is listed in The Best Lawyers in America for health care law.

Gwen M. Dayton serves as General Counsel for the Oregon Medical Association. In this role she provides legal advice to the association, informs the membership regarding federal and state regulatory requirements, and coordinates the association's quality and patient safety initiatives. Previously, Gwen served as General Counsel for the Oregon Association of Hospitals and Health Systems, where she provided guidance to hospitals on federal and state compliance requirements and served on the association's legislative team.

Ronald G. Marcum, M.D., M.S., is Director of the Oregon Health & Science University (OHSU) Integrity Office, Chief Information Security Officer, and Chief Privacy Officer for OHSU. He chairs the OHSU Health Information Committee, which is responsible for the use of information technology as it applies to the content and compliance of the OHSU integrated health record. In the Oregon 2002/2003 legislative session, he was appointed to the SB104 subcommittee to assist with addressing issues of medical record confidentiality and privacy (HIPAA) as they relate to state and federal law. He is currently the physician member of the Oregon Legislative Advisory Committee for Genetic Research and Privacy.
Course Materials: New HITECH Act Rules, January 26, 2010

Table of Contents
Tab 1  New HITECH Act Rules: Kelly T. Hagan
Tab 2  New HITECH Act Rules: Gwen M. Dayton
Tab 3  New HITECH Act Rules: Ronald G. Marcum

Faculty
Mr. Kelly T. Hagan, Schwabe Williamson & Wyatt PC, 1211 SW 5th Ave Ste 1900, Portland, OR 97204. T: (503) 796-2423, F: (503) 796-2900. Email: [email protected]
Ms. Gwen M. Dayton, Oregon Medical Association, 11740 SW 68th Pkwy, Suite 100, Portland, OR 97223-9038. T: (503) 619-8117. Email: [email protected]
Dr. Ronald G. Marcum, Oregon Health & Science University, Mail Code BTE355, 3181 S.W. Sam Jackson Park Rd., Portland, OR 97239. T: (503) 494-8311. Email: [email protected]

42740 Federal Register / Vol. 74, No. 162 / Monday, August 24, 2009 / Rules and Regulations

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991-AB56
Breach Notification for Unsecured Protected Health Information

AGENCY: Office for Civil Rights, Department of Health and Human Services.

ACTION: Interim final rule with request for comments.

SUMMARY: The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to require notification of breaches of unsecured protected health information. Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) that was enacted on February 17, 2009, requires HHS to issue interim final regulations within 180 days to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification in the case of breaches of unsecured protected health information. For purposes of determining what information is "unsecured protected health information," in this document HHS is also issuing an update to its guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

DATES: Effective Date: This interim final rule is effective September 23, 2009. Comment Date: Comments on the provisions of this interim final rule are due on or before October 23, 2009. Comments on the information collection requirements associated with this rule are due on or before September 8, 2009.

ADDRESSES: You may submit comments, identified by RIN 0991-AB56, by any of the following methods (please do not submit duplicate comments):
• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Attachments should be in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft Word.
• Regular, Express, or Overnight Mail: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies.
• Hand Delivery or Courier: Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please submit one original and two copies. (Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without federal government identification, commenters are encouraged to leave their comments in the mail drop slots located in the main lobby of the building.)

Inspection of Public Comments: All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information that is included in a comment. We will post all comments received before the close of the comment period at http://www.regulations.gov. Because comments will be made public, they should not include any sensitive personal information, such as a person's social security number; date of birth; driver's license number, state identification number or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information.

Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov or U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue, SW., Washington, DC 20201 (call ahead to the contact listed below to arrange for inspection).

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.

SUPPLEMENTARY INFORMATION:

I. Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5), was enacted on February 17, 2009. Subtitle D of Division A of the HITECH Act (the Act), entitled "Privacy," among other provisions, requires the Department of Health and Human Services (HHS or the Department) to issue interim final regulations for breach notification by covered entities subject to the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104-191) and their business associates.

These breach notification provisions are found in section 13402 of the Act and apply to HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information. The Act incorporates the definitions of "covered entity," "business associate," and "protected health information" used in the HIPAA Administrative Simplification regulations (45 CFR parts 160, 162, and 164) (HIPAA Rules) at § 160.103. Under the HIPAA Rules, a covered entity is a health plan, health care clearinghouse, or health care provider that transmits any health information electronically in connection with a covered transaction, such as submitting health care claims to a health plan. Business associate, as defined in the HIPAA Rules, means a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of individually identifiable health information. Examples of business associates include third party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information. The HIPAA Rules define "protected health information" as the individually identifiable health information held or transmitted in any form or medium by these HIPAA covered entities and business associates, subject to certain limited exceptions.

The Act requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information. In addition, in some cases, the Act requires covered entities to provide notification to the media of breaches. In the case of a breach of unsecured protected health information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.

Section 13400(1) of the Act defines "breach" to mean, generally, the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. The Act provides exceptions to this definition to encompass disclosures where the recipient of the information would not reasonably have been able to retain the information, certain unintentional acquisition, access, or use of information by employees or persons acting under the authority of a covered entity or business associate, as well as certain inadvertent disclosures among persons similarly authorized to access protected health information at a business associate or covered entity. Further, section 13402(h) of the Act defines "unsecured protected health information" as "protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance" and provides that the guidance specify the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information; that is, the information is not considered "unsecured" in such cases. As required by the Act, the Secretary initially issued this guidance on April 17, 2009 (it was subsequently published in the Federal Register at 74 FR 19006 on April 27, 2009). The guidance listed and described encryption and destruction as the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

In cases in which notification is required, the Act at section 13402 prescribes the timeliness, content, and methods of providing the breach notifications. We discuss these and the above statutory provisions in more detail below where we describe section-by-section how these new regulations implement the breach notification provisions at section 13402 of the Act.

In addition to the breach notification provisions for HIPAA covered entities and business associates at section 13402, section 13407 of the Act, which is to be implemented and enforced by the Federal Trade Commission (FTC), imposes similar breach notification requirements upon vendors of personal health records (PHRs) and their third party service providers following the discovery of a breach of security of unsecured PHR identifiable health information.[1] As with the definition of "unsecured protected health information," the provisions at section 13407(f)(3) define "unsecured PHR identifiable health information" as PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary of HHS in guidance. Thus, entities subject to the FTC breach notification rules must also use the Secretary's guidance to determine whether the information subject to a breach was "unsecured" and, therefore, whether breach notification is required.

When HHS issued the guidance, HHS also published in the same document a request for information (RFI), inviting public comment both on the guidance itself, as well as on the breach provisions of section 13402 of the Act generally. After considering the public comment, we are issuing an updated version of the guidance in Section II below. In addition, we discuss public comment received on the Act's breach notification provisions where relevant below in the section-by-section description of the interim final rule.

We have concluded that we have good cause, under 5 U.S.C. 553(b)(B), to waive the notice-and-comment requirements of the Administrative Procedure Act and to proceed with this interim final rule. Section 13402(j) explicitly required us to issue these regulations as "interim final regulations" and to do so within 180 days. Based on this statutory directive and limited time frame, we concluded that notice-and-comment rulemaking was impracticable and contrary to public policy. Nevertheless, we sought comments in the RFI referenced above and considered those comments when drafting this rule. In addition, we provide the public with a 60-day period following publication of this document to submit comments on the interim final rule.

II. Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals

A. Background

As discussed above, section 13402 of the Act requires breach notification following the discovery of a breach of unsecured protected health information. Section 13402(h) of the Act defines "unsecured protected health information" as "protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance" and requires the Secretary to specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. As required by the Act, this guidance was issued on April 17, 2009, and later published in the Federal Register on April 27, 2009 (74 FR 19006). The guidance specified encryption and destruction as the technologies and methodologies for rendering protected health information, as well as PHR identifiable health information under section 13407 of the Act and the FTC's implementing regulation, unusable, unreadable, or indecipherable to unauthorized individuals such that breach notification is not required. The RFI asked for general comment on this guidance as well as for specific comment on the technologies and methodologies to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

Many commenters expressed concern and confusion regarding the purpose of the guidance and its impact on a covered entity's responsibilities under the HIPAA Security Rule (45 CFR part 164, subparts A and C). We emphasize that this guidance does nothing to modify a covered entity's responsibilities with respect to the Security Rule, nor does it impose any new requirements upon covered entities to encrypt all protected health information. The Security Rule requires covered entities to safeguard electronic protected health information and permits covered entities to use any security measures that allow them to reasonably and appropriately implement all safeguard requirements. Under 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii), a covered entity must consider implementing encryption as a method for safeguarding electronic protected health information; however, because these are addressable implementation specifications, a covered entity may be in compliance with the Security Rule even if it reasonably decides not to encrypt electronic protected health information and instead uses a comparable method to safeguard the information. Therefore, if a covered entity chooses to encrypt protected health information to comply with the Security Rule, does so pursuant to this guidance, and subsequently discovers a breach of that

[1] The FTC issued a notice of proposed rulemaking to implement section 13407 on April 20, 2009 (74 FR 17914).