ARRA Town Hall Webinar June 25, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved.
Disclaimer The American Health Information Management Association makes no representation or guarantee with respect to the contents herein and specifically disclaims any implied guarantee of suitability for any specific purpose. AHIMA has no liability or responsibility to any person or entity with respect to any loss or damage caused by the use of this audio seminar, including but not limited to any loss of revenue, interruption of service, loss of business, or indirect damages resulting from the use of this program. AHIMA makes no guarantee that the use of this program will prevent differences of opinion or disputes with Medicare or other third party payers as to the amount that will be paid to providers of service. As a provider of continuing education the American Health Information Management Association (AHIMA) must assure balance, independence, objectivity and scientific rigor in all of its endeavors. AHIMA is solely responsible for control of program objectives and content and the selection of presenters. All speakers and planning committee members are expected to disclose to the audience: (1) any significant financial interest or other relationships with the manufacturer(s) or provider(s) of any commercial product(s) or services(s) discussed in an educational presentation; (2) any significant financial interest or other relationship with any companies providing commercial support for the activity; and (3) if the presentation will include discussion of investigational or unlabeled uses of a product. The intent of this requirement is not to prevent a speaker with commercial affiliations from presenting, but rather to provide the participants with information from which they may make their own judgments. This seminar's faculty have made no such disclosures. AHIMA 2009 HIM Webinar Series i
Faculty M. Peter Adler, Esq. M. Peter Adler, Esq., is a partner with Pepper Hamilton LLP, in Washington DC. Mr. Adler has over 18 years of experience in healthcare, and devotes his practice to helping clients understand and comply with myriad laws and regulations concerning information privacy and security. adlerp@pepperlaw.com Rose T. Dunn, RHIA, CPA, CHPS, FACHE Rose T. Dunn, RHIA, CPA, CHPS, FACHE, is chief operating officer of First Class Solutions, Inc., a St. Louis-based national HIM consulting firm providing coding compliance and operational consulting services. Ms. Dunn is an expert on revenue cycle management best practices. rose@firstclasssolutions.com Dan Rode, MBA, CHPS, FHFMA Dan Rode, MBA, CHPS, FHFMA, is AHIMA's vice president of Policy and Government Relations. His responsibilities include working with federal agencies, Congress, and providing AHIMA's members with up-to-date information on legislative, regulatory, and public policy developments that affect HIM. dan.rode@ahima.org AHIMA 2009 HIM Webinar Series ii
Table of Contents Disclaimer... i Faculty... ii Presenting: Dan Rode... 1 ARRA Agenda... 1 ARRA Definitions... 2 History... 2 Broadband... 3 Indian Health Service... 3 Department of Labor... 4 National Science Foundation... 4 HHS HRSA... 5 HHS CMS... 5 HHS ONC... 6-8 ARRA AHIMA Activity... 8 Advocacy Meanwhile Back in the States... 9 Presenting: Rose Dunn... 9 Funding for EHRs Title IV... 10 ARRA Focus on IT and Quality... 10 ARRA Focus on IT and Quality Measures... 11 Medicare Incentives... 12 Hospital Incentives... 13 Physicians... 14 Incentives: Medicare vs. Medicaid... 15 Critical Access Facilities... 15 Incentives: Medicare vs. Medicaid... 16 Meaningful Use... 16 Meaningful Use: 2011 Objectives and Measures... 17 Meaningful Use: 2013 Objectives and Measures... 18 Meaningful Use: 2015 Objectives and Measures... 19 Meaningful Use HIM Impact... 20 Presenting: M. Peter Adler... 20 2009 What to Focus on Today... 21 2010 Busiest Year... 21-22 2011: Three or Four Things... 23 2014 2016... 23 Polling Question... 24 Overview of HITECH Breach Notification... 24 EHR Breach Notification Rules... 25 Unsecured PHI... 25 (CONTINUED) AHIMA 2009 HIM Webinar Series
Table of Contents HHS Breach Notification Procedures... 26 Breach Notification Content... 27 HHS Guidance April 17, 2009... 27 Security Incident Response Program: Key Elements... 28 Incident Response and Notification... 28 Criminal Penalties... 29 Applies to Individual/Entity... 29 Willful Neglect... 30 Civil Penalty Tiers... 30 Enforcement History... 31 Enforcement Funding... 31 Enforcement by State AG... 32 Audience Questions... 32 Thank You... 33 Audio Seminar Discussion and Audio Seminar Information Online... 33-34 Upcoming Webinars... 34 AHIMA Distance Education online courses... 35 Thank You/Evaluation Form and CE Certificate (Web Address)... 35 Resource/Reference List... 36-37 Appendix... 38 CE Certificate Instructions... 39 AHIMA 2009 HIM Webinar Series
Presenting Dan Rode, MBA, CHPS, FHFMA Vice President of Policy and Government Relations AHIMA Washington, D.C. 1 ARRA Agenda 2 AHIMA 2009 HIM Webinar Series 1
ARRA Definitions AHIC American Health Information Community AHRQ Agency for Healthcare Research & Quality ARRA American Recovery and Reinvestment Act Public Law 111-5 CMS Centers for Medicare and Medicaid Services FTC Federal Trade Commission HHS US Department of Health and Human Services HITECH Health Information Technology for Economic and Clinical Health Act (ARRA Title XIII) HRSA Health Resources and Services Administration NCVHS National Committee on Vital & Health Statistics NIST National Institute of Standards & Technology ONC Office of the National Coordinator for HIT 3 History HIPAA 1996 HIPAA established 2000-2005 Presidential Call 2004 ONC Established 2004 Congress and HIT AHIC Established 2005 AHIC II > NeHC 110 th Congress Economy Stimulus ARRA February 17, 2009 4 AHIMA 2009 HIM Webinar Series 2
Broadband Department of Agriculture: Rural Utilities Distance Learning Telemedicine and Broadband Program $2.5B loans and grants National Telecommunications & Information Administration Broadband Technology Opportunities Program $4.7B Federal Communications Commission 5 Indian Health Service IHS Discretionary Funding $85 M for health information technology activities. Additional funding under HITECH loan programs for HIT adoption 6 AHIMA 2009 HIM Webinar Series 3
Department of Labor Employment & Training Administration Training & Employment Services: $3.95 B training & employment services $1.24 B dislocated worker employment & training $200 M dislocated workers national reserve $750 M program of competitive grants for worker training & placement in high growth & emerging industry sectors. 7 National Science Foundation Academic Research Facilities Modernization Research $ Related Activities: $2.5 B for research and related activities 8 AHIMA 2009 HIM Webinar Series 4
HHS HRSA Community Health Centers $500 M grants to health centers $1.1 B for grants for the acquisition of HIT systems for health centers $500 M to address health professions workforce shortages (funds can be used for scholarships, loan repayment, and grants to programs for equipment) 9 HHS CMS Medicaid State Funding Programs Medicare and Medicaid HIT Incentives $19 29 B for provider incentives under Medicare and Medicaid Begins in 2011 (FY for hospital calendar for others) Penalties begin in 2015 Relies on a meaningful use definition 10 AHIMA 2009 HIM Webinar Series 5
HHS ONC HITECH (XIII) New definitions Coordinator position & ONC made permanent Established HIT Policy Committee Established HIT Standards Committee Brings NIST more into the HIT standards process Establishes process for adoption of standards Establishes ONC Privacy Office 11 HHS ONC (continued) Make EHR technology available Establishes a number of reports to Congress related to HICT and adoption Establishes the testing of standards via NIST Establishes Healthcare Information Enterprise Integration Research Centers Funding for HIT Infrastructure via HHS agencies Architecture / Certified EHRs / Training / Telemedicine / Interoperability of clinical data registries / protection of identifiable health information / use of HIT by PH 12 AHIMA 2009 HIM Webinar Series 6
HHS ONC (continued) Health Information Technology Implementation Assistance HIT Research Center HIT Regional Extension Centers Extension Programs State Grants to Promote HIT Planning Implementation State or qualified State-designated entity Matching funds 13 HHS ONC (continued) Competitive Grants to States and Tribes Strategic plan Loan funds Demo. to Integrate IT into Clinical Programs Information Technology Professions in Health Care Existing Programs Six Month Programs 14 AHIMA 2009 HIM Webinar Series 7
HHS ONC (continued) Studies, Reports & Guidance Compliance ARRA & HIPAA Application of privacy and security requirements to non-hipaa-covered entities Guidance on De-Identified PHI (GAO) Report on treatment disclosures Impact of ARRA on health insurance premiums, health care costs, adoption of EHRs, and reduction in medical errors 15 ARRA AHIMA Activity Reviews and Analysis www.ahima.org ARRA Healthcare Related Provisions ONC Activity ARRA Privacy Provisions Webinars, articles, and notices Section by section review and action plan HIM Education Education Programs / Curriculum Task Force Comments Product review for updates Washington meetings Ongoing monitoring: Congress/Administration 16 AHIMA 2009 HIM Webinar Series 8
Advocacy Meanwhile Back in the States ARRA Privacy (Breach) HIE HIEO/RHIO Education Privacy Legislation Health Information Exchange Education Legal Health Records ICD-10-CM/PCS & X12 5010 Implementation HIM Identification Congress in Your Neighborhood 17 Presenting Rose Dunn, RHIA, CPA, CHPS, FACHE Chief Operating Officer First Class Solutions, Inc. Saint Louis, Missouri 18 AHIMA 2009 HIM Webinar Series 9
Funding for EHRs Title IV All providers to have EHR by 2014 10 years after Bush s 2004 proclaimed Decade of Technology ELECTRONIC HEALTH RECORD The term electronic health record means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.* Funding tied to meaningful use * Conference Report pg. H1345 of Congressional Record 2/12/09 19 ARRA focus on IT and quality Meaningful Use Criteria: Use certified EHR E-prescribing capability Connectivity/HIE RHIO/HSHIE Quality measures data submission 20 AHIMA 2009 HIM Webinar Series 10
ARRA focus on IT and Quality Measures Providers (Look at Definitions Sec. 3000 in HR1) Hospitals (acute and critical access) SNFs (including long term care) HHA Clinics (including rural health) Community Mental Health Centers Renal dialysis centers Blood centers Ambulatory surgery centers 21 ARRA focus on IT and Quality Measures Hospital incentive payments for EHR use Available for FY2011-FY2014 $2 million base $200/discharge for discharges>1,150 through 23,000 1 st yr 2011: 100% of the incentive payment EHR 2012: 100% 2013: 75% 2014: 50% 2015: 25% Penalties if no EHR implemented by 2015 22 AHIMA 2009 HIM Webinar Series 11
23 1150 thru 23,000 24 AHIMA 2009 HIM Webinar Series 12
Hospital Incentives Year of Adoption Payment for adopting in 2011 or prior If first adopting FY 2012 If first adopting FY 2013 If first adopting FY 2014 If first adopting FY 2015 2011 2012 2013 2014 2015 2016 2017 100% 75% 50% 25% 100% 75% 50% 25% 100% 75% 50% 25% 75% 50% 25% 50% 25% 25 Hospital Incentives If first adopting 2016 or thereafter 0 Market Basket Update Factor reduced: 33.3% in 2015 66.7% in 2016 100% in 2017 and thereafter 26 AHIMA 2009 HIM Webinar Series 13
Physicians For meaningful users of EHRs 2011-2012 Initial incentive: 75% of Medicare Part B charges up to $18,000 Penalty for not adopting/using EHR by 2015-1% in 2015 (if e-prescribing/-2% if not e-prescribing) -2% in 2016-3% in 2017 Rural Health Physicians: 10% add l incentive If physician s EHR also has e-prescribing Can t get both e-prescribing bonus and HIT incentive 27 Physicians Source: AMA 28 AHIMA 2009 HIM Webinar Series 14
Incentives: Medicare vs. Medicaid Source: Cisco FAQs 29 Critical Access Facilities Special treatment Apply for cost-based reimbursement during period 2011-2014 The Medicare Share portion gets bumped up by 20 percentage points x 101% of hospital s reasonable cost of purchasing the EHR Prompt payments no waiting over several years Failure to become a meaningful user reduction in cost reimbursement 2015: From 101% to 100.66% 2016: From 100.66% to 100.33% 2017: 100%... Hardship waiver possible for up to 5 years 30 AHIMA 2009 HIM Webinar Series 15
Incentives: Medicare vs. Medicaid Source: Cisco FAQs 31 Meaningful Use Proposed rule released 6/16/09 Includes phase-in through 2015 Deadline for comment: 6/26/09 Focus Areas-same Health information exchange Quality measures E-Prescribing More 32 AHIMA 2009 HIM Webinar Series 16
Meaningful Use: 2011-Objectives CPOE (In/Out) Problem List (In/Out) E-prescribe (Out) Active medication lists (In/Out) Demographic info (In/Out) VS (In/Out) Lab results (In/Out) Progress Notes (Out) Patient access to information (electronic copies or access electronically) (In/Out) Patient educational info (In/Out) Clinical summaries given to patients for each encounter (In/Out) Reminders for F/U care (In/Out) Exchange clinical info between providers (In/Out) Medication reconciliation (In/out) Submit data to registries (In/Out) and public health agencies (In) Compliance with HIPAA (Privacy and Security) Compliance with Fair Data Sharing practices 33 Meaningful Use: 2011-Measures (ex) Reporting quality measures: % Diabetics with A1c under control (OP) % eligible surgical patients who received VTE prophylaxis (IP) % lab results incorporated into EHR in coded format (OP/IP) % of all patients with access to PHI electronically (IP/OP) % of encounters for which clinical summaries were provided Report 30-day readmission rate An entity under investigation for a HIPAA privacy or security violation cannot achieve meaningful use until cleared 34 AHIMA 2009 HIM Webinar Series 17
Meaningful Use: 2013-Objectives Evidence-based order sets (In/Out) Clinical documentation (In) Decision support for patient care purposes (In/Out) Managing chronic conditions Reminders/Alerts Report to registries (In/Out) Bar coding for medications (In) Utilizing immunization registries (In/Out) Receive Public Health Alerts (In/Out) Upload data from home monitoring devices (Out) Capture patient preferences (In/Out) Provide anonymized electronic syndrome surveillance data to public health agencies With capacity to identify the patient (In/Out) Provide de-identified data to public health agencies (?/?) Secure patient-provider messaging (Out) Patient educational materials in common languages Document family medical history (In/Out) Summary for EVERY transition in care including Medication Reconciliation (In/Out) 35 Meaningful Use: 2013-Measures (ex) % of all orders entered by physicians through CPOE (OP/IP) Potentially preventable Emergency Department Visits and Hospitalizations Inappropriate use of imaging (OP/IP) % of patients with access to secure patient messaging % of educational content in common primary languages (IP/OP) % of transitions where med reconciliation was performed (IP/OP) % of patients for whom an assessment of immunization need and status has been completed during the visit (OP) Provide summarized or de-identified data for public health purpose (?/?) 36 AHIMA 2009 HIM Webinar Series 18
Meaningful Use: 2015-Objectives Quality/Safety/Efficiency Measures (?/?) Advanced decision support (In/Out) PHR populated real-time from EHR (In/Out) Self-management tools for patients (In/Out) Electronic reporting on experience of care (satisfaction surveys?) (In/Out) AOD on request Protect sensitive health information to stem privacy concerns Access to comprehensive patient data from all available sources (?/?) Use of epidemiologic data (In/Out) Automated real time surveillance (adverse events, disease outbreaks, etc.) (In/Out) Clinical dashboards (In/Out) Dynamic and ad hoc quality reports (In/Out) Multi-media support (In/Out) Medical device interoperability (In/Out) 37 Meaningful Use: 2015-Measures (ex.) Incorporate technology to segment sensitive data (?/?) HIT-enabled population measures TBD (OP) NQF* Endorsed Care Coordination Measures TBD (?/?) % of patients with full access to PHR populated in real time with EHR data (OP/IP) Clinical outcome measures TBD (IP/OP) Efficiency measures TBD (IP/OP) Safety measures TBD (IP/OP) *National Quality Forum 38 AHIMA 2009 HIM Webinar Series 19
Meaningful Use-HIM Impact More abstracting effort @ time of coding More Core Measure collection activities until all clinician documentation is electronic and in defined fields Generating lists Responding to patient inquiries for information Privacy/Amendment/AOD activity Medical necessity Data management and reporting Educating community on PHR 39 Presenting M. Peter Adler, Esq. Partner Pepper Hamilton LLP. Washington, D.C. 40 AHIMA 2009 HIM Webinar Series 20
2009 What to Focus on Today 2/17/09 (Enactment) Tiered Civil Penalties Based on the Nature of Violations Enforcement by State Attorneys General 4/18/09 Guidance on methodologies and technologies that render information unreadable issued comments due 6/1/09 8/16/09 Interim Final Regulations on Breach Notification Status: 4/16/09, Notice of Proposed Rulemaking and Request for Comment were published 6/1/09 Comments Closed 9/15/09 Effective Date of Breach Notification Regulations 12/31/09 Initial prioritized set of standards adopted, including the accounting for EHR disclosures 41 2010 Busiest Year Why So Busy? General Rule: Unless otherwise specified, the provisions of the HITECH Act go into effect one year after enactment 2/17/10 Business Associate Contracts Required for Certain Entities HIEs, RHIO s, PHRs, E-Prescribing Gateways and other organizations that contract with covered entities for the purpose of exchanging electronic PHI Prior to this date, HHS will provide guidance on which entities are required to be Business Associates Business Associate s Security Obligations Applies the administrative, technical and physical safeguards and document requirements provided in the HIPAA security rule and the security provisions of the legislation to business associates Business Associate s Privacy Obligations Applies the privacy provisions as directed by HIPAA and the legislation to business associates 42 AHIMA 2009 HIM Webinar Series 21
2010 Busiest Year (Cont d) 2/17/10 Access to certain information in electronic format Request on restrictions for PHI disclosures to plans when Treatment is Out-of-Pocket Conditions on certain communications as part of health care operations Rule on opting out of fundraising solicitations An HHS report and provide guidance on de-identification Report and Guidance on the effective technical safeguards for carrying out the HIPAA security rule Clarification on the application pf criminal penalties for non-covered entities Periodic audits of covered entities 43 2010 Busiest Year (Cont d) 8/17/10 Guidance on minimum necessary rule New regulations will be released clarifying the minimum necessary PHI that may be disclosed in limited data sets and for other purposes. Regulations on prohibition on sale of EHRs or PHI Covered entities and business associates may not sell PHI and EHRs, except in limited circumstances, unless the individual authorizes the sale. 9/17/10 Criminal Willful Neglect Regulations 44 AHIMA 2009 HIM Webinar Series 22
2011: Three or Four Things 1/1/11 Accounting for EHR Disclosures if EHRs acquired after 1/1/2009, (may be extended to 1/1/13 by the Secretary) 2/17/11 Effective date for final regulations on prohibition on sale of EHRs or PHI Covered entities and business associates may not sell PHI and EHRs, except in limited circumstances, unless the individual authorizes the sale. Effective Date for Criminal Willful Neglect Clarification of the ability to pursue civil penalties when criminal penalties are not pursued 45 2014 2016 1/1/14 Accounting for EHR Disclosures if EHRs acquired before 1/1/2009, (may be extended to 1/1/16 by the Secretary) Covered entities must provide accounting for disclosure of PHI to carry a treatment, payment, and healthcare operations when the PHI is in an EHR. 46 AHIMA 2009 HIM Webinar Series 23
Polling Question Have you begun to prepare for the new breach notification rule? a) Yes b) No 47 Overview of HITECH Breach Notification Applies State breach notification concepts to federal health care law Applies to Business Associates (BAs) and Covered Entities (CEs) Covers EHR and PHR Expands penalties Guidance(s) issued April 17, 2009 Interim Final Regulations Aug 17, 2009 30 Days! Compliance Required Sept 15, 2009 48 AHIMA 2009 HIM Webinar Series 24
EHR Breach Notification Rules Covered Entity Rule: Applies to a CE that accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses unsecured PHI When a breach of such information is discovered by the CE The CE must notify each individual whose unsecured PHI has been, or is reasonably believed by the CE to have been, accessed, acquired or disclosed due to a breach Business Associate Rule: Upon discovery of a breach of the same information, a BA must provide CE notice of breach Including identification of each individual 49 Unsecured PHI The term unsecured PHI means a health record that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued April 17, 2009: PHI is secure if it is rendered unusable, unreadable or indecipherable to unauthorized individual By encryption (and process or key has not been breached) Examples in National Institute of Standards and Technology (NIST) publication 800-111, Federal Information Processing Standards (FIPS) 140-2 By destruction Media is destroyed Media is purged consistent with NIST publication 800-88 50 AHIMA 2009 HIM Webinar Series 25
HHS Breach Notification Procedures Without reasonable delay 60 days after discovery of breach Unclear when 60 days commences if discovery is by BA Notice may delayed at request of law enforcement Individual Notice Written Notice Preferred method of communication First class mail or email if requested Telephone or other means if there is urgency of imminent danger 51 HHS Breach Notification Procedures (cont d) Substitute notice if 10 or more cannot be reached web site, print or media Use of Media Outlets in a state or jurisdiction is a required method if more than 500 residents of a state or region are affected Notice to HHS As soon as possible, not to exceed 5 business days if breach of involves 500 individuals Annual notice to HHS if fewer than 500 individuals 52 AHIMA 2009 HIM Webinar Series 26
Breach Notification Content A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; A description of the types of unsecured PHI that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code); The steps an individual should take to protect themselves from potential harm resulting from the breach; A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches; and Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, and e-mail address, Web site, or postal address. 53 HHS Guidance April 17, 2009 The HHS will provide future guidance Issues raised by HHS Are there technologies that should be recognized or specified? How this be applied to limited data sets? How can state and federal breach notification be harmonized? How can regulation be avoided through proper de-identification? (Guidance forthcoming 2/17/2010) 54 AHIMA 2009 HIM Webinar Series 27
Security Incident Response Program: Key Elements Statement of management Response Procedures commitment and purpose Standard Report Format Purpose and objectives of the Notification Elements policy Reporting and contact forms Communication Plan Scope of the policy Internal Definition of computer security External incidents and their consequences within the Contact list context of the organization Performance measures Categories of Incidents Prioritization or severity ratings Remediation and lessons learned of incidents Annual Review Organizational structure and delineation of roles, Prearranged services: responsibilities, and levels of Mailing, Call Center. authority and the requirements Credit Protection for reporting certain types of incidents 55 Incident Response and Notification HHS, FTC Affected Individuals Law Enforcement BA/ TPA Amend Agreements Content and Procedures Preparation Detection, Investigation and Analysis Mitigation Notification Post-Incident Activity Testing Review 56 AHIMA 2009 HIM Webinar Series 28
Criminal Penalties Wrongful disclosure of individually identifiable information A person who knowingly and wrongfully discloses individually identifiable information Base penalty is a $50,000 fine, imprisonment for not more than one year, or both. For offenses committed under false pretenses, the fine is not more than $100,000, imprisonment for not more than five years, or both. For offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the fine is not more than $250,000, imprisonment for not more than 10 years, or both. 57 Applies to Individual/Entity Wrongful disclosure of individually identifiable information only if: a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity... and the individual obtained or disclose such information without authorization. 58 AHIMA 2009 HIM Webinar Series 29
Willful Neglect The HITECH Act includes civil investigation and action for noncompliance due to willful neglect A formal investigation will be commenced whenever a preliminary investigation of the facts identify that a possible violation is due to willful neglect 59 Civil Penalty Tiers 1. $100 for each violation, except that the total amount imposed on a person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000. 2. $1,000 for each violation, may not exceed $100,000. 3. $10,000 for each such violation may not exceed $250,000. 4. $50,000 for each such violation may not exceed $1.5 million. Without Knowledge. When it is established a person did not know (and by exercising reasonable diligence would not have known) Reasonable Cause. When it is established that the violation was due to a reasonable cause and not to willful neglect Willful Neglect. When it is established that the violation was due to willful neglect 60 AHIMA 2009 HIM Webinar Series 30
Enforcement History CVS Caremark (2009) FTC Charges deceptive trade practices regarding privacy notice language about proper disposal of PHI HHS $2.5 million fine Providence Health & Services (2008) Paid HHS $100,000 fine (OCR, CMS) Implemented detailed corrective action plan to ensure that it safeguards identifiable electronic patient information against theft and loss Security audit by OIG of Piedmont Hospital in Atlanta (2007) CMS use of third party auditors 61 Enforcement Funding Any civil monetary penalty or monetary settlement collected with respect to a criminal or civil action brought under the HIPAA security and privacy provisions shall be transferred to the Office for Civil Rights of the HHS This money will be used for enforcing and privacy and security provisions of HIPAA. The HITECH Act calls for a study by the GAO to determine the feasibility of distributing to victims of a violation a percentage of any collected civil monetary penalty or monetary settlement and methodology to accomplish. 62 AHIMA 2009 HIM Webinar Series 31
Enforcement By State AG Reason to believe that an interest of one or more of the residents of that state have been or is threatened or adversely affected by any person who violates the provision of HIPAA the Attorney General of the State, may bring a civil action on behalf of such residents of the state in a U.S. District Court. Damages will be statutorily imposed The amount is calculated by multiplying the number of violations by up to $100 The total amount of damages imposed on the person for violations of all identical requirements or prohibition during a calendar year shall not exceed $25,000 The court may also award the Attorney General reasonable costs for bringing the action and attorney s fees 63 Audience Questions AHIMA 2009 HIM Webinar Series 32
Audio Seminar Discussion Following today s live seminar Available to AHIMA members at www.ahima.org Members Only Communities of Practice (CoP) AHIMA Member ID number and password required Join the e-him Community from your Personal Page. Look under Community Discussions for the Audio Seminar Forum You will be able to: discuss seminar topics network with other AHIMA members enhance your learning experience AHIMA 2009 HIM Webinar Series 33
AHIMA Audio Seminars and Webinars Visit our Web site http://campus.ahima.org for information on the 2009 seminar schedule. While online, you can also register for seminars and webinars or order CDs, MP3s, and webcasts of past seminars. Upcoming Webinars MPI Clean Up: It s a Must! July 21, 2009 Developing Your Records Retention Schedule: It's Bigger than Just Health Records August 11, 2009 ARRA: What's Next for HIM and Privacy? August 25, 2009 AHIMA 2009 HIM Webinar Series 34
AHIMA Distance Education Anyone interested in learning more about e-him should consider one of AHIMA s web-based training courses. For more information visit http://campus.ahima.org Thank you for joining us today! Remember visit the AHIMA Audio Seminars/Webinars Web site to complete your evaluation form and receive your CE Certificate online at: http://campus.ahima.org/audio/2009seminars.html Each person seeking CE credit must complete the sign-in form and evaluation in order to view and print their CE certificate. Certificates will be awarded for AHIMA CEUs. AHIMA 2009 HIM Webinar Series 35
Resources Publications ealert Journal of AHIMA Advance Perspectives in HIM AHIMA Website: www.ahima.org Advocacy Assistant: www.ahima.org/dc Position Statements Practice Briefs Comments and Testimony Resources HHS.gov/Recovery http://www.hhs.gov/recovery/ Office of the National Coordinator for HIT http://healthit.hhs.gov/portal/server.pt HHS ARRA Website http://oig.hhs.gov/recovery A new website is now available from the Centers for Medicare & Medicaid Services (CMS) concerning Health Information Technology as provided for in the American Recovery and Reinvestment Act of 2009. On this website, you can find information pertaining to the Medicare and Medicaid incentives for electronic health records adoption and important links to related websites at the Department of Health and Human Services. Posted now are: A CMS fact sheet and questions/answers pertaining to the incentive programs Link to press release pertaining to the process of defining meaningful use (Comments are due June 26, 2009) Resources on Health IT and privacy & security (HIPAA) Visit http://www.cms.hhs.gov/recovery/11_healthit.asp AHIMA 2009 HIM Webinar Series 36
Resource/Reference List HR. 1 The American Recovery and Reinvestment Act of 2009: Explanation of Health Information Technology (HIT) Provisions. AMA www.ama-assn.org/ama1/pub/upload/mm/399/arrahit-provisions.pdf FAQ for Healthcare ARRA: HIT Stimulus. Cisco www.cisco.com/web/strategy/docs/healthcare/09cs21 46_FAQ_ARRA_HIT_Stim_r1_052709.pdf Meaningful Use documents 6/16/09 available at: http://journal.ahima.org/2009/06/16/onc-releasesmeaningful-use-draft-definition/ Federal Register cite for Meaningful Use: http://edocket.access.gpo.gov/2009/pdf/e9-14379.pdf Resources P&GR Staff Don Asmonga MBA Director Government Relations Washington don.asmonga@ahima.org Allison Viola RHIA, MBA Director Federal Relations Washington allison.viola@ahima.org Sue Bowman RHIA, CCS Director Coding Policy & Compliance Chicago sue.bowman@ahima.org Dan Rode Dan Rode MBA, FHFMA Vice President P&GR Washington dan.rode@ahima.org AHIMA 2009 HIM Webinar Series 37
Appendix CE Certificate Instructions: On next page AHIMA 2009 HIM Webinar Series 38
To receive your CE Certificate Please go to the AHIMA Web site http://campus.ahima.org/audio/2009seminars.html click on the link to Sign In and Complete Online Evaluation listed for this webinar. You will be automatically linked to the CE certificate for this webinar after completing the evaluation. Each participant expecting to receive continuing education credit must complete the online evaluation and sign-in information after the webinar, in order to view and print the CE certificate.