Data file.technical drs.hipaa presentation may 2011

Notification of Breach Release of Information Discussion Presented By: Janine Akers from DataFile Technologies Technical Doctor, Inc. Connecting Technology & Professionals

Transcript of Data file.technical drs.hipaa presentation may 2011

Page 1: Data file.technical drs.hipaa presentation may 2011

Notification of Breach Release of Information Discussion

Presented By: Janine Akers from DataFile Technologies

Technical Doctor, Inc. Connecting Technology & Professionals

Page 2: Data file.technical drs.hipaa presentation may 2011

About DataFile Technologies

• Privately Held Kansas City Company

• Work with Major EMRs

• National Partnership with Multiple Companies

Page 3: Data file.technical drs.hipaa presentation may 2011

Overview

• HITECH Act Changes to HIPAA Notification of Breach

• Release of Information Best Practice Resources

• How our eROI Services can work for You.

Page 4: Data file.technical drs.hipaa presentation may 2011

Notification of Breach

Do we need to notify a patient?

Page 5: Data file.technical drs.hipaa presentation may 2011

HITECH Historical View

Brief History of HITECH Act Subtitle D—13400’s Section

August 2009: 1st Set of Proposed Rules for HIPAA Privacy, Security and Enforcement Rules

February 2010: Above proposed rules are finalized

July 2010: Above final was recalled and 2nd set of proposed rules were published

Page 6: Data file.technical drs.hipaa presentation may 2011

HITECH Proposed Changes

Changes Proposed in Current Comment Period

Notice of Privacy Practices

Changes to definition of medical necessity

Immunization records & deceased records

Definitions of electronic media

Breaches – Guidance for Significant Risk

Page 7: Data file.technical drs.hipaa presentation may 2011

What is a Breach?

How does HITECH Act define a breach?

Was the protected health information secure?

Do one of the exclusions apply?

Is there a significant risk of financial, reputational, or other harm to the individual?

Page 8: Data file.technical drs.hipaa presentation may 2011

The Exclusions

What are the exclusions provided by HITECH?

Workforce use

• Unintentional acquisition, access or use of PHI by a workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule

Workforce disclosure

• Unintentional disclosure of PHI by a workforce member to another workforce member if the PHI is not further used or disclosed in a manner that violates the Privacy Rule

No way to retain the information

• Unauthorized disclosure to which the CE or BA has a good faith belief that the unauthorized person to whom the PHI is disclosed would not reasonably have been able to retain info.

Page 9: Data file.technical drs.hipaa presentation may 2011

Guidance for Significant Risk

What guidance is provided by HITECH?

Covered Entity to Covered Entity

• Inadvertent disclosure of PHI from one covered entity or BA employee to another similarly situated covered entity or BA employee, provided that PHI is not further used or disclosed in any manner that violates the Privacy Rule.

Immediate steps to mitigate

• Were immediate steps taken to mitigate the harm including return or destruction of the information and a written confidentiality agreement?

Types of information included

• Was the information disclosed limited to the name of the individual or a limited data set?

Page 10: Data file.technical drs.hipaa presentation may 2011

Notification Components

What are the required notification components?

• A description of what happened including the date of breach and date of discovery

• A description of the types of PHI involved

• Steps the individual should take to protect themselves

• Steps taken by the provider to investigate, mitigate and protect against further disclosure

• Contact information for questions including a toll-free telephone number, email address, website or postal address

Page 11: Data file.technical drs.hipaa presentation may 2011

Example Letter of Notification

Page 12: Data file.technical drs.hipaa presentation may 2011

Penalties & Reporting

What are the penalties & reporting obligations?

Defined and enacted back in February 2009 in original ARRA/HITECH Act - HIPAA Section to apply to both the Breach and the Notification

Nature of Violation              Fine Per Violation    Annual Maximum
Unknowing                        $100                  $25,000
Reasonable Cause                 $1,000                $100,000
Willful Neglect                  $10,000               $250,000
Willful Neglect Not Corrected    $50,000               $1,500,000

Page 13: Data file.technical drs.hipaa presentation may 2011

Reporting Reference

• Date: Date

• Patient Records: Patient Name & DOB

• Originated from Clinic: Medical Practice

• Authorized Recipient: Requestor

• Incident: Description of the unique occurrence.

• How mistake happened: After it has been brought to our attention that there has been an oversight, mistake, or HIPAA violation (regardless of how big or small), we will document, research and come to understand what happened and describe in detail how this occurred. Include date and employee names involved in the communication trail.

• Mistake discovered: Starting with date and resource, describe in detail how this mistake was discovered.

• Mistake rectified and Notification: Starting with date and name of employee initiating report and correcting the problem, describe in detail actions taken to correct the problem and how patient and covered entity were notified.

• Proactive approach for preventive measures: Starting with date and supervisor’s name, document how we will use this occurrence to train the entire staff regarding our best practice procedures to prevent the possibility of a similar occurrence happening again.

Page 14: Data file.technical drs.hipaa presentation may 2011

Limit Your Liability

• Staff training

• Process improvement

• Transfer the liability

Page 15: Data file.technical drs.hipaa presentation may 2011

Why DataFile?

Improve customer service

Mitigate risk

Offer rapid response

Eliminate training expenses

Take fewer calls

Page 16: Data file.technical drs.hipaa presentation may 2011

DataFile Technologies eROI

How do our services work?

Page 17: Data file.technical drs.hipaa presentation may 2011

How It Works: Step 1

1. Establish HIPAA secure network connection

Page 18: Data file.technical drs.hipaa presentation may 2011

How It Works: Step 2

2. Set up a User in the EMR for “DataFile”

Page 19: Data file.technical drs.hipaa presentation may 2011

How It Works: Step 3

3. Scan/attach appropriate Patient and Task or Message to user “DataFile”

Page 20: Data file.technical drs.hipaa presentation may 2011

Start a Request to DataFile

Page 21: Data file.technical drs.hipaa presentation may 2011

Status Update on Request

Page 22: Data file.technical drs.hipaa presentation may 2011

The Brass Tacks

What is the cost for eROI services?

• Typically… NONE

• The variables involved in eROI include

– Specialty

– Number of Providers

– State

• Providers can maximize service while eliminating costs with eROI services

Page 23: Data file.technical drs.hipaa presentation may 2011

Questions & Thank You

Janine B. Akers, MBA

DataFile Technologies, LLC

[email protected]‐437‐9134
