Health Information Technology for the Economic and Clinical Health Act of 2009
Video Transcription
Hello everyone, welcome back to the course. It's always a pleasure to be your instructor. My name is Chris and I'm the instructor for this US Information Privacy course. In lesson 6.2, we're going to look at the Health Information Technology for Economic and Clinical Health Act of 2009. It was the American Reinvestment and Recovery Act of 2009 that established HITECH. HITECH makes significant amendments to the Health Insurance Portability and Accountability Act of 1996, which we just recently discussed.

We have several learning objectives. We're going to talk about some of the changes that HITECH makes to business associate requirements. We're going to talk about the incentivization of meaningful use, or adoption of electronic health records. We're going to talk about some of those increased civil and criminal penalties for noncompliance. We'll briefly talk about the new breach notification requirements produced as part of HITECH, and then we'll conclude with a brief discussion on limited data set usage.
As I previously stated, HITECH makes significant amendments to HIPAA. As we discussed in lesson 6.1, the majority of the responsibility for compliance with HIPAA was placed on the shoulders of covered entities, not so much on business associates, which created a lot of problems not only for covered entities but also for patients. What HITECH does is level the playing field. Under HITECH, business associates are now held accountable at the same level as covered entities for how they process and handle either PHI or ePHI. It has a requirement that covered entities must have a written contract, also called a business associate agreement or business associate contract, which explicitly states the responsibilities of the business associate in processing and handling PHI and ePHI. If you were to go to the Office of Civil Rights at HHS's website, you can see and review those resolution agreements and corrective action plans that covered entities and business associates have entered into because of violations of HIPAA and its amendments.
Also, in 2009 when HITECH was enacted, there was a drive by Congress to incentivize the adoption of electronic health records technology and the meaningful use of these technologies. I think we as patients really appreciate this change to HIPAA, because today I widely use my patient health portal to access my electronic health records routinely.
We also had new breach notification requirements that were established under HIPAA. We have a definition in the breach notification rule that says that a breach is generally an impermissible use and disclosure under the Privacy Rule that compromises the security and privacy of PHI. It requires covered entities and business associates to demonstrate when there is a low probability that PHI has been compromised, based on a four-tiered risk assessment. Those factors are: determining the nature and extent of the PHI involved, to include those identifiers that might have been compromised and the likelihood of re-identification of the patient. They also have to determine the unauthorized person who accessed the PHI or to whom the disclosure was made. They have to determine whether the PHI was actually acquired or viewed. Then finally, they have to determine the extent to which the risk to the PHI has been mitigated by the covered entity or business associate.

Now, there are exceptions to the definition of breach. One is if the information is encrypted; really, we're talking about unencrypted PHI and ePHI for notification purposes. There's also an exception that applies to the inadvertent disclosure of PHI by a person authorized to access the PHI at a covered entity or a business associate to another person authorized to access the PHI at the same covered entity or business associate. The final exception is whether the covered entity or business associate has a good-faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.
The breach notification requirements under HITECH also require that covered entities must notify affected individuals following the discovery of a breach of unsecured, unencrypted PHI. They must try to notify the individuals first in writing by first-class mail, or they can use email if the individual has agreed to receive electronic notices. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, then they can use some type of substitute individual notice. Maybe they post the notice on the homepage of their website for at least 90 days, or provide the notice in major print or broadcast media where the affected individuals reside. The individual notifications must be provided without unreasonable delay and in no case later than 60 days following discovery of a breach. They must include specific information: a brief description of the breach; a description of the types of information that were involved in the breach; the steps that affected individuals should take to protect themselves from potential harm; and a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches.

At the end of every year, these covered entities and business associates are going to report their breaches to the Secretary of HHS at the end of the calendar year. If a breach impacts 500 patients or more within a respective state or jurisdiction, then a covered entity must notify the Secretary of HHS without undue delay. If that breach impacts 500 people or more within the same state or jurisdiction, then they have to notify the media of the breach. If the breach occurs at a business associate site, then that business associate must notify the covered entity without unreasonable delay and no later than 60 days after the discovery of that breach.
There are increased civil and criminal penalties under HITECH. There are four tiers of civil penalties, ranging from 50,000 per violation with a cap of 1.5 million each year. For a lack of awareness, those fines start at 100 and go up to 50,000 per violation, capping out at 1.5 million each year. There are also criminal penalties. There are three tiers, where the Office of Civil Rights at HHS may refer a criminal case to the Department of Justice. Those range from unknowingly or reasonable cause, to false pretenses, to personal reasons or unlawful intent to commit fraud or crime. You can have a jail sentence of as little as one year, or for the greater violations of the law, you could have a jail sentence of up to 10 years and a fine of 250,000 per violation.
I'd like to conclude with a discussion on limited data sets. Under HITECH, limited data sets are that limited set of identifiable patient information that may be shared without patient authorization in certain cases. Specifically, we're talking about research, public health, or health care operations. All of the identifiers must be removed in order for PHI not to be considered as part of a limited data set. Those include names, street addresses, telephone numbers, fax numbers, email addresses, and other identifiers.
Question 1 asks: the maximum financial penalty for a HIPAA violation was increased annually to what amount? The appropriate answer was D. Question 2 asks: HITECH requires covered entities and their business associates to report breaches of PHI when? A and D are the appropriate choices. Question 3 asks: the breach notification rule's low probability of compromise risk assessment factors include? A, B, C, and D are the appropriate answers. Question 4 asks: which of the following identifiers must be removed from a limited data set? The appropriate answers are A, B, C, and D.

Summary: HITECH is an important law that amends HIPAA in certain ways: electronic health records, increased criminal and civil penalties, the requirement for the meaningful use of electronic health records, the use of limited data sets, and new breach notification requirements.