
PRIVACY IN DATA MANAGEMENT: CS295D
- ANANT VYAS

UNIVERSITY OF CALIFORNIA, IRVINE

CS295d:Privacy in Data Management University of California, Irvine 1

Why HIPAA?

- More than 25 cents of every health-care dollar is spent on administration
- More than 450 billing forms
- National changes requested by providers
- Increasing public concern around privacy
- Highly public breaches of privacy


Health Insurance Portability & Accountability Act (HIPAA)

In August 1996, President Clinton signed into law Public Law 104-91, the Health Insurance Portability and Accountability Act (HIPAA).

The Act included provisions for health insurance portability, fraud and abuse control, tax-related provisions, group health plan requirements, revenue offset provisions, and administrative simplification requirements.


HIPAA’s Intent

- Improve efficiency and effectiveness of the health care system
- The HIPAA Privacy Rule for the first time creates national standards to protect the privacy of individuals’ medical records and other personal health information.
- Creates standards for the security of health information
- Creates standards for electronic exchange of health information


What HIPAA Doesn't Do

It doesn't:
- force your employer to offer or pay for health insurance coverage;
- guarantee that all those in the workforce will get health coverage;
- control how much an insurance company can charge for group coverage;
- force group health plans to offer specific benefits;
- allow you to keep the exact same health insurance plan that you had at your old job when you go to a new job;
- eliminate the use of pre-existing condition exclusions;
- replace your specific state as the primary regulator of health insurance.


HIPAA SPEAK

Individually Identifiable Health Information (IIHI): information that relates to an individual, to the provision of health care to an individual, or to payment for health care, and that identifies the individual or gives a reasonable basis to believe the information can be used to identify the individual.

Health information + Identifiers (18 defined) = IIHI


HIPAA SPEAK (contd.): 18 Identifiers

(1) Names;
(2) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code;
(3) All elements of date (except year) for dates directly related to an individual, including birth date, etc.;
(4) Telephone numbers;
(5) Fax numbers;
(6) Electronic mail addresses;
(7) Social security numbers;
(8) Medical record numbers;
(9) Health plan beneficiary numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including license plate numbers;
(13) Device identifiers and serial numbers;
(14) Web Universal Resource Locators (URLs);
(15) Internet Protocol (IP) address numbers;
(16) Biometric identifiers, including finger and voice prints;
(17) Full face photographic images and any comparable images; and
(18) Any other unique identifying number, characteristic, or code.
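As an added example (not from the slides), the following Python applies the 18-identifier test to a constructed patient record: it reports which identifier categories are present (a non-empty set means IIHI rather than plain HI) and produces a copy with those categories removed or generalized, following the list above literally (all sub-state geography dropped, dates reduced to the year). The field names, regular expressions and sample record are assumptions; item 18 has no fixed shape, so scrubbed output still needs human review.

```python
import re

# Constructed sample record (not real data): structured fields plus a free-text note.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "state": "CA", "city": "Irvine", "zip": "92697",
    "birth_date": "1984-06-12", "ssn": "123-45-6789", "email": "jane@example.com",
    "diagnosis": "Type 2 diabetes",
    "note": "Call 949-555-0100; last login from 10.1.2.3 on 2023-11-05.",
}
# Assumed field names. Direct identifiers (items 1, 4-17) are always dropped; sub-state
# geography (item 2) is dropped but the state kept; dates (item 3) are reduced to the year.
DIRECT_FIELDS = {"name", "ssn", "email", "phone", "fax", "mrn", "account", "beneficiary_id",
                 "license", "vehicle_id", "device_id", "url", "ip", "biometric", "photo"}
GEO_FIELDS = {"street", "city", "county", "precinct", "zip"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Identifiers that hide inside free text (items 3, 4, 7, 15). Item 18 ("any other unique
# code") has no fixed shape, so scrubbed text still needs human review.
TEXT_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"),
}

def find_identifiers(record):
    """Identifier categories present; a non-empty set means IIHI rather than plain HI."""
    found = set()
    for field, value in record.items():
        if field in DIRECT_FIELDS | GEO_FIELDS | DATE_FIELDS:
            found.add(field)
        elif isinstance(value, str):
            found.update(f"{field}:{k}" for k, p in TEXT_PATTERNS.items() if p.search(value))
    return found

def deidentify(record):
    """Copy of the record with every identifier category removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_FIELDS | GEO_FIELDS:
            continue                                    # items 1, 2, 4-17: drop
        if field in DATE_FIELDS:
            out[field[:-5] + "_year"] = str(value)[:4]  # item 3: keep only the year
            continue
        if isinstance(value, str):                      # scrub free text
            value = TEXT_PATTERNS["date"].sub(r"\1", value)
            for kind in ("phone", "ssn", "email", "ip"):
                value = TEXT_PATTERNS[kind].sub(f"[{kind.upper()} REMOVED]", value)
        out[field] = value
    return out
```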


HIPAA SPEAK (contd.)

Use (of IIHI): sharing within the entity. For example, when members of the covered entity’s workforce share IIHI.

Disclosure (of IIHI): sharing outside the entity. For example, sharing IIHI with someone who is not a member of the covered entity’s workforce.

HIPAA SPEAK (contd.)

Protected Health Information (PHI): Individually Identifiable Health Information maintained by a CE, whether electronic, paper, or oral, and created or received by a health care provider, public health authority, employer, school or university.


HIPAA SPEAK (contd.)

Covered Entity (CE): a health care provider, health plan, or health care clearinghouse that transmits any health information in electronic form in connection with HIPAA regulations.


HI vs. IIHI vs. PHI: Difference?


HIPAA: Title I

Health Care Access, Portability, and Renewability

- Protects health insurance coverage for workers and their families when they change or lose their jobs.
- It amended the Employee Retirement Income Security Act, the Public Health Service Act, and the Internal Revenue Code.


HIPAA: Title II

Standards for Electronic Transactions: implementation of a national standard for electronic health care transactions; all transactions are to be processed using the same electronic format.

Unique Identifiers Standards: all health care providers, plans and clearinghouses are to use the NPI (National Provider Identifier).


HIPAA: Title II Rules

Administrative Simplification rules (5 rules):
- Privacy Rule
- Transactions and Code Sets Rule
- Security Rule
- Unique Identifiers Rule
- Enforcement Rule


HIPAA Privacy Rule

The Privacy Rule took effect on April 14, 2003

Establishes regulations for the use and disclosure of Protected Health Information (PHI)


What does the HIPAA Privacy Rule do?

- It gives patients more control over their health information.
- It sets boundaries on the use and release of health records.
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.


- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
- And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.


HIPAA Security Rule:

Issued on February 20, 2003. It took effect on April 21, 2003.

Deals specifically with Electronic Protected Health Information (EPHI), i.e. individually identifiable health information that is in electronic form.


HIPAA Security Rule (contd.):

Confidentiality? Integrity? Availability?


HIPAA Security Rule (contd.):

“To ensure reasonable and appropriate administrative, technical, and physical safeguards that insure the integrity, availability and confidentiality of health care information, and protect against reasonably foreseeable threats to the security or integrity of the information.”


Security Rule: 4 Categories

- Administrative Procedures
- Physical Safeguards
- Technical data security services
- Technical security mechanisms


Administrative Procedures: 12 Requirements

1. Certification
2. Chain of Trust Agreements
3. Contingency Plan
4. Mechanism for processing records
5. Information Access Control
6. Internal Audit
7. Personnel Security
8. Security Configuration Management
9. Security Incident Procedures
10. Security Management Process
11. Termination Procedures
12. Training


Physical Safeguards: 6 Requirements

1. Assigned Security Responsibility
2. Media Controls
3. Physical Access Controls
4. Policy on Workstation Use
5. Secure Workstation Location
6. Security Awareness Training


Technical Data Security Services: 4 Requirements

1. Access Control
2. Audit Controls
3. Data Authentication
4. Entity Authentication
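An added illustration (not the slides' material or any regulatory text) of how the four requirements fit together on one EPHI read path: entity authentication of the caller, access control limited to patients with whom the user has a relationship and to the fields the role needs to know, an audit entry for every attempt, and an HMAC tag that authenticates the stored data before it is released. The accounts, keys, roles and records are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed secrets and accounts (not real); in production they live in a KMS and an IdP.
RECORD_KEY = b"constructed-integrity-key"
SALTS = {"dr_lee": b"salt-1", "billing1": b"salt-2"}

def pw_hash(user, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALTS[user], 100_000)

# user -> (password hash, role, patients with which the user has a treatment/billing relationship)
USERS = {"dr_lee": (pw_hash("dr_lee", "correct horse"), "physician", {"P-001"}),
         "billing1": (pw_hash("billing1", "staple battery"), "billing", {"P-001", "P-002"})}
# Minimum-necessary view: the EPHI fields each role needs to know.
ROLE_FIELDS = {"physician": {"diagnosis", "medications", "insurance_id"}, "billing": {"insurance_id"}}
AUDIT_LOG = []  # audit controls: every attempt, allowed or denied, leaves an entry

def seal(record):
    """Data authentication: HMAC over the stored record so alteration is detectable."""
    body = json.dumps(record, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(RECORD_KEY, body, "sha256").hexdigest()}

RECORDS = {"P-001": seal({"diagnosis": "asthma", "medications": ["albuterol"], "insurance_id": "INS-77"})}

def authenticate(user, password):
    """Entity authentication with a constant-time hash comparison."""
    return user in USERS and hmac.compare_digest(pw_hash(user, password), USERS[user][0])

def read_ephi(user, password, patient_id):
    """Access control: authenticate, check the relationship, verify integrity, filter fields."""
    entry = {"ts": time.time(), "user": user, "patient": patient_id, "result": "denied"}
    AUDIT_LOG.append(entry)
    if not authenticate(user, password):
        return None
    _, role, patients = USERS[user]
    if patient_id not in patients or patient_id not in RECORDS:
        return None
    sealed = RECORDS[patient_id]
    tag = hmac.new(RECORD_KEY, sealed["body"], "sha256").hexdigest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        entry["result"] = "integrity_failure"
        return None
    entry["result"] = "allowed"
    return {k: v for k, v in json.loads(sealed["body"]).items() if k in ROLE_FIELDS[role]}
```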


Guiding principles

The Security Rule is based on several important principles.

- Scalability
- Comprehensiveness
- Technology neutral
- Internal and external security threats
- Risk analysis


Non-Compliance

CEs that do not comply with the Security Rule requirements are subject to a number of penalties.

Civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.


Transaction Rule

July 1, 2005. The transaction rule covers several key EDI transactions. Although many companies were already developing standardized EDIs, there still wasn’t an industry standard before the rule was put in place.


Transaction and Code Set Rule: “Speak the Same Language”

- Health Care Claim or Encounter (837)
- Health Care Claim Payment and Remittance (835)
- Health Care Claim Status Inquiry/Response (276, 277)
- Health Care Eligibility Inquiry/Response (270, 271)
- Enrollment and Disenrollment in a Health Plan (834)
- Referral Certification and Authorization (278)
- Health Plan Premium Payments (820)
- Health Care Claim Attachments (delayed)
- First Report of Injury (delayed)


Compliance Deadlines:

- Privacy: April 14, 2003
- Security: Fall 2004
- Transactions & Code Sets: October 16, 2005
- Identifiers: Fall 2004


Some common reactions

- HIPAA is an unfunded mandate.
- It’s an IT issue (like Y2K).
- It is someone else’s problem (State’s, Health’s, IT’s).
- Local agencies are waiting for direction from State, County, Fed…
- Compliance issues


Compliance is Increasingly an Issue


The number of HIPAA Privacy Rule compliance and enforcement complaints has continually increased over the years [1].

Complaints Are Consistently Related to Data Privacy

Three of the top five Privacy Rule complaints are data privacy issues:
- Impermissible uses and disclosures – e.g. providing PHI to external partners
- Safeguards – e.g. PHI is not protected in computer systems
- Access – e.g. PHI is accessible to those without a need to know


Examples of PHI Leaking Out

Example 1: Safeguards. A flaw in a national health maintenance organization’s computer system sent explanation of benefits to a patient’s unauthorized family member. This flaw put the PHI of approximately 2000 families at risk in violation of the Privacy Rule.

Example 2: Impermissible Disclosures and Safeguards. A municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors who were not business associates. This flaw put PHI in the hands of an uncovered entity who could have used it for a variety of harmful purposes.

These examples ended with minimal public impact and were remedied with improved security procedures and controls.

But, what if this PHI had gotten into the wrong hands?

Worst Case Scenario: HIPAA Data Theft

The owner of a Florida claims handling system, Fernando Ferrer, Jr., was convicted of illegally buying PHI from a clinic employee and then submitting fraudulent claims to collect on the resulting payouts. The clinic employee downloaded the PHI of more than 1,100 patients and sold the information to Ferrer.

This theft resulted in the submission of more than $7 million in fraudulent Medicare claims, with $2.5 million paid to providers and suppliers.

The risk for such a scenario increases substantially without the necessary controls in place to lock down and minimize the PHI in an enterprise.


Conclusion?

HIPAA has had a large effect on the industry today

The type of health information being recorded is changing.

In the end a great act!


More Information:

- Department of Health & Human Services – HIPAA: www.hhs.gov/ocr/hipaa
- HIPAA.ORG Overview
- HIPAA - General Information: http://www.cms.hhs.gov/hipaaGenInfo/
