Page 1

HIPAA Update for Hospice

Presented by Heather P. Wilson, Ph.D.

Weatherbee Resources, Inc.

Hospice Education Network, Inc.
259 North Street, Hyannis, MA 02601
www.weatherbeeresources.com


Page 2

HIPAA Update

Heather P. Wilson, Ph.D.


• HIPAA background
• How HITECH changes HIPAA requirements
  – Breach notification
  – Business Associates
  – Other provisions of HIPAA privacy
  – Enforcement issues
• What do hospices need to do
• Additional resources

HIPAA Background

• Health Insurance Portability and Accountability Act of 1996
  – Administrative Simplification

• Electronic Data Interchange

• Privacy Rule – Compliance deadline April 2003

• Security Rule – Compliance Deadline April 2005

Hospice Education Network HIPAA Update

2010 Weatherbee Resources, Inc. All rights reserved


Page 3

HIPAA since the compliance deadlines

Minimal enforcement, split between two agencies:

• OCR – Privacy Rule

• CMS – Security Rule

Since August 2009, OCR has been responsible for Security Rule enforcement as well, so a single agency now enforces both rules.

HIPAA is back

• Health Information Technology for Economic and Clinical Health (HITECH) Act

• Part of the American Recovery and Reinvestment Act (ARRA) of 2009

• Signed into law February 17, 2009



Page 4

HITECH Changes


• Fundraising / Marketing

• Minimum necessary

• Access rights to ePHI

• Requested restrictions on PHI

• Accounting of disclosures

• Business Associates

• Breach Notification


HITECH deadlines and compliance confusion

Intro to breach notification

• Breach final rule published August 24, 2009

• Effective date September 23, 2009

• Hospices need to understand what a breach is and what they have to do when one occurs



Page 5

Definition of Breach

• An unauthorized acquisition, access, use or disclosure of PHI not permitted by the Privacy Rule that compromises the security or privacy of the PHI to such an extent that there is a significant risk of financial or other harm to the individual whose protected health information was wrongfully acquired, accessed, used or disclosed.

Definition of unsecured PHI

• The breach notification rule applies only to “unsecured protected health information”: if the PHI was secured (encrypted or destroyed per the HHS guidance), its loss or exposure is not a reportable breach.

• Unsecured PHI is defined as PHI that is not rendered unusable, unreadable or indecipherable by a technology or methodology specified by HHS

How to secure PHI

• Guidance provided April 27, 2009, further clarified August 24, 2009. The two recognized methods are:
  – Encryption
  – Destruction



Page 6

Identifying a reportable breach

• To identify when a reportable breach occurs:
  – Conduct a risk assessment of the incident
  – Determine whether the incident meets the definition of a breach

Notification requirements

• To individuals

• To the media

• To the government

Notifying individuals

• Major rule of thumb: no matter who else the covered entity has to notify, it always has to attempt to notify the affected individuals

• The notification letter must include the required elements and must be sent by first-class mail

• It must be sent as soon as reasonably possible, but no later than 60 calendar days after discovery of the breach



Page 7

Notifying individuals (cont’d)

• If ten or more affected individuals cannot be reached (contact information is missing or out of date), the covered entity must provide substitute notice: either post the notice (containing the same information as the letter) conspicuously on its Web site for 90 days,

• or publish it in prominent media in the state or jurisdiction where the affected individuals reside

Notifying the media

• Required when 500 or more individuals affected by the breach –as soon as possible after the breach but no later than 60 days.

Notifying the government

• Must be done as soon as possible after a breach affecting 500 or more individuals

• All other breaches (fewer than 500 individuals) must be logged and reported annually, no later than 60 days after the end of the calendar year in which they were discovered.

• OCR Web site provides info: http://www.hhs.gov/ocr/privacy/hipaa/ad




Page 8

Additional requirements

• Business associates have breach reporting responsibilities to the covered entity; these should be spelled out in the written business associate agreement

• Staff need to be trained on breach rule

• Policies and procedures should be updated to include the breach requirements related to sanctions, complaints, documentation, etc.

What do you need to do?

• Have a breach notification policy and procedure

• Have a breach notification letter template

• Have a tool/process for conducting breach risk assessments

• Have a process for logging breaches for annual reporting

• Teach staff reporting requirements



Page 9

Business associates

• Definition: A person or entity that uses (or creates, or obtains or discloses) the protected health information of a covered entity to perform a function or activity on behalf of the covered entity.

HITECH changes to business associate requirements

• Business associates have the same responsibility as covered entities to meet the majority of the requirements of the HIPAA Security Rule, Privacy Rule, and HITECH

• Business associates are subject to the same enforcement/penalties/fines as covered entities

Business associates (cont’d)

• Effective date: February 17, 2010

• Implementing regulations were not published in time to be helpful for compliance

• Business associate agreements need to be amended



Page 10

Accounting of disclosures

• Individuals have the right to request an accounting of disclosures for treatment, payment and health care operations for the three year period prior to the request.

• This requirement only applies to covered entities that use an electronic medical record and the date of implementation depends upon when the entity acquired and began using electronic health records

Requested restrictions on PHI

• Covered entities MUST comply with a request for restrictions if:
  – the disclosure is to a health plan for purposes of carrying out health care operations or payment (and not for treatment purposes), except as required by law; and
  – the PHI pertains solely to a health care item or service for which the covered entity has been paid in full by the individual, out of pocket.

Access rights to ePHI

• The HITECH Act amends the HIPAA Privacy Rule to give individuals the right to obtain access to their PHI in electronic format, if they so request.



Page 11

Minimum necessary

• Prior to HITECH, covered entities could use their own judgment regarding how much PHI constituted the minimum necessary for a particular purpose.

• The HITECH Act requires covered entities, "to the extent practicable," to limit the use of PHI to a "limited data set."

• This may be challenging: a limited data set is similar to de-identified data (it may include date of birth, date of death, date of service, and city, state, and ZIP code) and is frequently far less than what is needed for most purposes.

• Effective February 17, 2010 / Guidance from HHS by August 17, 2010

Fundraising

• Any written fundraising communication that is considered a health care operation must clearly and conspicuously provide an opportunity for the recipient to opt out and elect not to receive any further communications.

• When an individual elects to opt-out, this must be treated as a revocation of authorization.

Marketing

• A communication is excepted from the definition of “marketing” only if it meets one of the exceptions to the HIPAA definition of marketing and no direct or indirect payment is received for making the communication.

• If payment is received for a communication considered marketing, it is no longer considered part of health care operations and an authorization is required, though there are exceptions to this as well.



Page 12

Notice of Privacy Practices

• There are no new requirements for the NPP itself, but given the new HITECH requirements (breach notification, restrictions, electronic access, fundraising opt-out), the NPP should be updated.

Enforcement before

• Enforcement minimal since 2003/2005

• OCR has levied only two major monetary settlements for HIPAA violations: one of $100,000 and another of $2.25 million.

• Enforcement essentially complaint-driven

Enforcement after HITECH

• Penalty structure has changed

• Fines have increased

• Enforcement resources have been augmented



Page 13

Penalty structure and fines (tiered by culpability under HITECH)

Violation category                   Penalty for each violation   Maximum per year for each provision
Did not know                         $100 - $50,000               $1,500,000
Reasonable cause                     $1,000 - $50,000             $1,500,000
Willful neglect but corrected        $10,000 - $50,000            $1,500,000
Willful neglect and not corrected    $50,000                      $1,500,000


Compare to before

• Not more than $100 per violation, up to a maximum of $25,000 for all violations of an identical requirement occurring during a calendar year

• With a number of exceptions to when they could be imposed

Enforcement resources

• As much as $24 million may be spent on enhancing HIPAA enforcement.

• State attorneys general can file HIPAA enforcement actions on behalf of the people of their state

• All penalty money will be plowed back into enforcement activities

• Compliance audits required

• In the future (2012) individuals affected by violations can share in penalties collected



Page 14

www.weatherbeeresources.com • www.hospiceonline.com • www.hospicequality.com




HIPAA Update for Hospice (e-manual) by Heather P. Wilson, Ph.D.

Page 15



Table of Contents

PREFACE

CHAPTER I: INTRODUCTION
  Background and history of HIPAA
  HIPAA since 2005
  An overview of the HITECH Act and its impact on HIPAA compliance
  Timelines and deadlines
  How to use and update this manual

CHAPTER II: Breach Notification
  Introduction
  Definitions
    Breach
    Unsecured protected health information
  Technologies and methods for securing PHI
    Destruction
    Encryption
  Encryption and the Security Rule
  Discovery of a breach
    Tool: Breach Risk Assessment
    Tool: Breach Risk Assessment Summary
  Breach notification requirements
    Notification requirements of individual(s) affected by a breach
      Timeliness of notification
      Content of a breach notification
      Template: Breach Notification Letter to an Individual
      Methods of notification
    Notification to the media
    Notification to the government
      Breaches affecting 500 or more individuals
      Breaches affecting fewer than 500 individuals
      Tool: Notice to the Secretary of HHS of Breach of Unsecured PHI
    Notification requirements for business associates
  Administrative and burden of proof requirements
    Training
      Tool: Sample Policy and Procedure: Privacy and Security Awareness and Training
    Sanctions
      Tool: Sample Policy and Procedure: Sanctions for Privacy and Security Violations
    Complaints and refraining from intimidating or retaliatory acts
      Tool: Sample Policy and Procedure: Complaint Resolution


Page 16



    Documentation and burden of proof
    Policies and Procedures
      Tool: Sample Policy and Procedure: Security Incidents
      Tool: Sample Policy and Procedure: Breach Notification

CHAPTER III: Business Associates
  Introduction
  Business associate requirements before the HITECH Act
    What is a business associate?
    The business associate agreement
  Business associate requirements after the HITECH Act
  What a hospice needs to do to comply with the new business associate requirements
    Template: Model Letter Notifying Business Associates That New Business Associate Addendum Must Be Executed
    Template: Sample Privacy and Security Business Associate Addendum
    Tool: Business associate policy and procedure

CHAPTER IV: Other HITECH Changes to the HIPAA Privacy Rule
  Introduction
  Accounting of disclosures
    Tool: Requests for an accounting of disclosures policy and procedure [for hospices that do not use an electronic health record]
    Tool: Requests for an accounting of disclosures policy and procedure [for hospices that do use an electronic health record]
  Requests for restrictions
    Tool: Requests for restrictions policy and procedure
  Requests for access
    Tool: Requests for access policy and procedure
  Minimum necessary standard
  Marketing
  Fundraising
    Tool: Fundraising and protected health information policy and procedure
  Notice of Privacy Practices
    Tool: Notice of Privacy Practices Policy and Procedure
    Tool: Updated Notice of Privacy Practices

CHAPTER V: Looking to the Future of HIPAA – the Future is Now
  Introduction
  Enforcement before the HITECH Act
  Enforcement after the HITECH Act


Page 17



    Civil monetary penalties
    Increased enforcement resources
    Increased enforcement incentives
  How to prepare for increased HIPAA scrutiny
  Summary

TABLES
  Table 1: Similarities between the Privacy and Security Rules
  Table 2: Differences between the Privacy and Security Rules
  Table 3: HITECH Act’s changes to HIPAA privacy and security requirements
  Table 4: HITECH Act’s timeline and deadlines
  Table 5: Required contents of a breach notification letter
  Table 6: List of common hospice business associates
  Table 7: Similarities and differences between Privacy Rule and Security Rule business associate requirements
  Table 8: The HITECH Act’s requirements related to business associates
  Table 9: Standards and implementation specifications of the HIPAA Security Rule
  Table 10: Violation categories, culpability and penalties

HIPAA Update for Hospice Electronic Resources Folders

Additional Resources Folder
  Enforcement Resources Folder:
    CMS Compliance Reviews 2008
    CMS Compliance Reviews 2009
    Interview and Documentation Request for HIPAA Onsite Investigation and Compliance Reviews
    RFQ – State Attorneys General HIPAA Training/SOW
    Enforcement Rule – October 30, 2009
  NIST Publications
    SP 800-88 – Guidelines for Media Sanitization
    SP 800-52 – Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
    SP 800-111 – Guide to Storage Encryption Technologies for End User Devices
    SP 800-66 – An Introductory Resource Guide for Implementing the HIPAA Security Rule



Page 18




  Regulatory Texts
    Breach Notification Rule – August 24, 2009
    Subtitle D of the HITECH Act – February 17, 2009
    Privacy Final Rule – with Preamble – August 14, 2002
    Security Final Rule – with Preamble – February 20, 2003
    HIPAA Combined Regulation Text – OCR Publication of HIPAA Rules
    Enforcement Rule – October 30, 2009
    Guidance on Technologies and Methodologies for Securing PHI – April 27, 2009

Breach Notification Tools
  Breach Risk Assessment
  Breach Risk Assessment Summary
  Sample Breach Notification Letter to an Individual
  Notice to the Secretary of HHS of Breach of Unsecured PHI
  Breach Notification Policy and Procedure
  Privacy and Security Training Policy and Procedure
  Sanctions Policy and Procedure
  Security Incident Policy and Procedure
  Complaint Resolution Policy and Procedure

Business Associate Tools
  Model Business Associate Letter
  Business Associate Addendum
  Business Associate Policy and Procedure

Miscellaneous Provisions Folder
  Requests for an accounting of disclosures policy and procedure [for hospices that do not use an electronic health record]
  Requests for an accounting of disclosures policy and procedure [for hospices that do use an electronic health record]
  Requests for restrictions policy and procedure
  Requests for access policy and procedure
  Fundraising and protected health information policy and procedure
  Notice of Privacy Practices Policy and Procedure
  Updated Notice of Privacy Practices

Page 19

HIPAA Update for Hospice Order Form

Download instructions and serial number for the e-manual will be emailed to the contact name / email given on the order upon receipt. To order online for immediate download, go to www.weatherbeeresources.com/hipaa.html

259 North Street, Hyannis, MA 02601 | Tel: 508-778-0008 | Fax: 508-778-8899 | Toll Free: 866-989-7124 | www.weatherbeeresources.com

To Order:

Call: 866-969-7124 (Mon - Fri 9 to 5 EST)

Fax: 508-778-8899

Mail: 259 North Street, Hyannis, MA 02601

Online: www.weatherbeeresources.com/hipaa.html

Payment: check enclosed payable to Weatherbee Resources, Inc., or credit card (Visa, MC, AMEX). All orders must be pre-paid.

HIPAA Update for Hospice

The HIPAA privacy and security regulations have changed and are likely to do so for the next few years as a result of the HITECH Act.

HIPAA Update for Hospice provides clear and concise explanations of the changes as well as tools and resources for dealing with them.

Since the regulations will continue to be updated over the next few years, HIPAA Update for Hospice is available as a downloadable “e-manual” and the purchase of this product includes electronic updates through 2012.

Order your copy today to be certain you have the most up-to-date resources and information for compliance with the HIPAA privacy and security regulations. For more information and the Table of Contents, go to www.weatherbeeresources.com/hipaa.html

Order Subtotal: $195.00

Add 7% for S&H: NONE

Total Due: $195.00