Page 1: Welcome to HIPAA Training

Welcome to HIPAA/HITECH, Security Standards and Breach Notification Compliance Training

Page 2

Knock knock!!!...

Page 3

Topics: HIPAA Foundation

HIPAA’s Major Players
Transactions, Code Sets, and Identifiers
Privacy Rule
Protected Health Information (“PHI”)
Patient Rights
Security Rule
Risk Management & Security Rule Standards
Administrative Safeguards
Compliance, Rules, and Agreements

Page 4

Historical facts: So what exactly is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. The federal act was passed on Aug. 21, 1996. It is often referred to as Public Law 104-191 [H.R. 3103] or the Kennedy-Kassebaum Bill.

It was the first law to address confidentiality or privacy, security and standardization of data (especially electronic data) in the health care industry.

Page 5

(Cont.) Congress passed HIPAA to:

Make it easier to transfer health insurance coverage (portability);
Promote medical savings accounts;
Combat fraud, waste and abuse in health care insurance and delivery;
Simplify the administration of health care; and lastly
Promote the safe exchange of health data electronically.

Page 6

(Cont.) The Standards (Titles):

The HIPAA legislation required the Department of Health and Human Services (“DHHS”) to promulgate regulations on the specific areas of HIPAA, called the Rules. These Rules were finalized at various times, and health care organizations had 2 or 3 years (depending on size) to comply with the specific requirements.

Page 7

(Cont.) The law consists of five titles; however, this training focuses on the Administrative Simplification provisions.

Page 8

Page 9

Who is affected by HIPAA?

HIPAA applies to all health plans, healthcare clearinghouses, and healthcare providers that electronically transmit health information in connection with standard transactions. It also applies to companies and/or organizations that provide services on behalf of Covered Entities (“CE”), as well as vendors who sell products to the healthcare industry.

Page 10

A closer look at these entities:

Health plan generally includes any individual or group plan, private or governmental, that provides or pays for medical care.

Healthcare clearinghouse is a public or private entity that processes health information received from another entity, or converts transactions from non-standard into standard format, or vice versa.

Healthcare provider is any person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Page 11

Definition of a Business Associate (“BA”)

The 2013 Final Rule expands the definition of a business associate (“BA”) to generally include a person who creates, receives, maintains, or transmits protected health information (“PHI”) on behalf of a covered entity. This now includes:

Subcontractor(s): person(s) other than a business associate workforce member to whom a business associate delegates a function, activity, or service where the delegated function involves the creation, receipt, maintenance, or transmission of PHI.

Health information organization(s), e-prescribing gateways and other persons that "provide data transmission services with respect to PHI to a covered entity and that require access on a routine basis to such PHI."

Person(s) who offer a personal health record to one or more individuals "on behalf of" a covered entity.

Page 12

Title I: Healthcare Access, Portability and Renewability

o Protects health insurance coverage when someone loses or changes jobs.
o Addresses issues such as pre-existing conditions.

Page 13

Title II: Administrative Simplification

Includes three main bodies of standards:

o Provisions for the privacy and security of health information;
o Electronic standards for the transmission of health information (prevents health care fraud and abuse);
o Unique identifiers for providers, and safeguards to protect the privacy and confidentiality of patient records.

Page 14

Title III: Tax-Related Health Provisions

o Standardizes the amount you can save in a medical savings account (we will not be focusing on this title).

Page 15

Title IV: Group Health Plan Requirements

o Primary focus is on insurance reform (we will not be focusing on this title).

Page 16

Title V: Revenue Offset

o Contains regulations on how employers can deduct company-owned life insurance premiums for income tax purposes (we will not be focusing on this title).

Page 17

Administrative Simplification:

Other regulations also affect the Administrative Simplification provisions of HIPAA.

ARRA Title XIII (known as HITECH) states the procedures an entity must take to inform its patients and the general public that a privacy breach took place; it only relates to certain medical codes.

Page 18

Administrative Simplification Compliance Act (ASCA):

Requires all Medicare claims to be submitted electronically.

Page 19

Affordable Care Act (HIPAA Title VIII and IX):

Requires adoption of operating rules for HIPAA transactions;
Establishes a unique, standard Health Plan Identifier for each patient; and
Requires standardization of electronic funds transfers.

Page 20

ARRA/HITECH: Omnibus Rulemaking (HIPAA Title VII): Expands protections of patient information to include companies who do business with covered entities.

The U.S. Department of Health and Human Services (“DHHS”) and Office for Civil Rights (“OCR”) announced a final rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, enacted as part of the American Recovery and Reinvestment Act (“ARRA”) of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Compliance date: January 17, 2013

http://www.hhs.gov/news/press/2013pres/01/20130117b.html

Page 21

Patient Safety & Quality Improvement Act (PSQIA): Allows providers to protect patient health information when reporting medical error information to oversight agencies.

Page 22

A closer look at Title II: Administrative Simplification.

Page 23

Title II: Administrative Simplification (Cont.)

Electronic data interchange (Transactions and Code Sets)

Electronic data interchange (“EDI”) is the electronic transfer of information, such as electronic media health claim(s), in a standard format between trading partners. EDI allows entities within the health care system to exchange medical, billing, and other information and to process transactions in a manner which is fast and cost effective. With EDI there is a substantial reduction in handling and processing time compared to paper, and the risk of lost paper documents is eliminated. EDI can eliminate the inefficiencies of handling paper documents, which will significantly reduce administrative burden, lower operating costs, and improve overall data quality.

The health care industry recognizes the benefits of EDI, and many entities in the industry have developed proprietary EDI formats. Currently, there are about 400 formats for electronic health claims being used in the United States. The lack of standardization makes it difficult and expensive to develop and maintain software. Moreover, the lack of standardization minimizes the ability of health care providers and health plans to achieve efficiency and savings.

Page 24

Title II: Administrative Simplification (Cont.)

Security Rule

The intent of the Security Rule (“SR”) is to maintain the security of all electronic protected health information (“EPHI”).

Security means having controls, countermeasures, and procedures in place to ensure the appropriate protection of your information assets. Therefore, the goal of security is to counter identifiable threats to business assets and to satisfy HIPAA security policies and requirements.

To simplify it, security is how an entity decides to protect its information assets.

Page 25

Page 26

Title II: Administrative Simplification (Cont.):

Privacy Rule

The Privacy Rule is the largest of all of the HIPAA Rules. It’s over 800 pages long; that’s longer than all the other rules put together! And lawmakers have added to it since its inception.

Many states have enacted privacy rules. Each has different penalties for wrongful disclosures, and each has processes for notifying individuals of breaches of their personal information, including protected health information.

Which brings us to PHI: what is it, and what does it stand for?

Page 27

Definition of PHI:

Protected Health Information (“PHI”) refers to individually identifiable health information transmitted or maintained in any form or medium (electronic, written or oral).

Furthermore, it is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

Page 28

Definition of PHI (Cont.): Individually identifiable health information means information:

Collected from an individual;
Created or received by a Covered Entity;
That relates to the past, present or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care; and
That identifies the individual or can be used to identify the individual.

Page 29

Use and Disclosures of PHI (Cont.): A Covered Entity (CE) may not use or disclose protected health information except:

As the Privacy Rule permits or requires; or
Pursuant to a written authorization from the individual (or the individual's personal representative).

Required Disclosures:

To individuals or their personal representatives (specifically when they request access to, or an accounting of disclosures of, their protected health information); and
To HHS when it is undertaking a compliance investigation, review, or enforcement action.

Page 30

When is Authorization required?

Authorization is required to disclose or use PHI for purposes other than treatment, payment, and health care operations (“TPO”) and not otherwise authorized under the rule, such as:

Sales
Marketing
Fundraising (new opt-out requirement under HITECH)

Page 31

Requirements for an authorization

Must be in plain language.
Include a description of the information to be used or disclosed.
Include the name of the person(s) or class of persons authorized to make the requested use and/or disclosure.
Include the name of the person(s) or class of person(s) to whom the use or disclosure is permitted.
A description of the purpose of the use or disclosure or event.

Page 32

Requirements for an Authorization (Cont.)

Must include an expiration date.
Explain the patient’s right to revoke the authorization in writing.
Statement that information used or disclosed may be subject to re-disclosure by the recipient, in which case it is no longer subject to the rule.
Must be signed and dated by the patient (or authorized representative); may be in electronic format.
Covered Entity (“CE”) may not condition the provision of treatment upon an authorization.
Covered Entity (“CE”) must document and retain authorizations for six years.

Page 33

Title II: Administrative Simplification (Cont.):

The Privacy Rule also requires that entities:

Adopt written privacy policies, procedures and contract provisions;
Designate a Privacy Officer or a Compliance Officer (this would be me);
Train employees and other workforce members;
Establish privacy safeguards (locking file cabinets, shredding, securing computers, etc.);
Ensure that health information is not used for non-health purposes;
Establish clear, strong protections against marketing;
Provide the minimum amount of information necessary;
Support individual privacy rights; and, lastly
Obey authorization policies.

Page 34

Minimum Necessary Rule:

Means whatever it takes, but just enough, to respond to the request. If a doctor or hospital needs an entire medical record for treatment, then that would be the minimum necessary.

Five kinds of disclosure are in place:

Required disclosure: Disclosure of an individual’s own health records to that individual.
Permitted disclosure: Disclosure for research purposes.
Internal disclosure: Disclosure within a CE workplace.
Routine disclosure: Disclosure that happens periodically.
Non-Routine disclosure: Disclosure that has no precedent.

Page 35

Minimum Necessary Rule: For more information on Florida’s privacy laws, please visit:

http://privacy.ufl.edu/uf-health-privacy/frequently-asked-questions/hipaa-and-disclosures-under-florida-state-law/

Page 36

Individual Rights:

Notice of Privacy Practices
Access to PHI
Amendment of PHI
Accounting of Disclosures
Additional Restrictions
Confidential Communications

Page 37

Notice of Privacy Practices

Covered Entities (“CE”) must provide a Notice of Privacy Practices which describes the ways in which the Covered Entity (“CE”) may use and disclose PHI, and states the CE’s duties to protect the privacy of the PHI.

The Privacy Rule requires that the Notice of Privacy Practices contain specific elements.

Page 38

Access to PHI

You have a right to review and amend your PHI and to obtain a copy for your records.

However, the right of access does not extend to:

Psychotherapy notes.
Information compiled for legal proceedings.

Page 39

Access to an Accounting of Disclosures

You have a right to a copy of the accounting of disclosures of your PHI. The accounting period is six years.

However, certain disclosures are excluded from the accounting, including:

Disclosures for TPO.
Disclosures to the individual or the individual's personal representative.
Disclosures to persons involved in an individual's health care.

Page 40

Expansion of Security and Privacy Provisions and Penalties to HIPAA Business Associates (BAs)

The Omnibus Rule applies some of the administrative, physical, and technical safeguards of the HIPAA security regulations directly to BAs.

The Omnibus Rule imposes additional obligations upon BAs regarding policies, procedures and documentation.

Business Associates can be subject to audits and penalties.

Page 41

Breach Response and Notification

Definition of Breach

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
The unauthorized person who used the protected health information or to whom the disclosure was made;
Whether the protected health information was actually acquired or viewed; and
The extent to which the risk to the protected health information has been mitigated.

Page 42

Upon notification of a breach, the entity has a legal obligation to immediately assemble a response team.

Page 43

Determination:

1. Determine whether there was an impermissible use or disclosure of unsecured protected health information, which is presumed to be a breach under the HIPAA Privacy Rule.
2. Analyze the facts and circumstances of the breach:
   1. Was the information “unsecured”?
   2. Do any exceptions to a breach apply?
   3. Why, or why not?

Document all facts obtained and analyzed; render your verdict.

Page 44

Notification

Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals. The forms of notice are:

Individual Notice
Media Notice
Notice to the Secretary
Notification by a Business Associate

For more information, please visit:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

Page 45

Notification must include (Cont.):

A brief description of the breach, including date, time, etc.
A brief description of the type of unsecured PHI that was involved in the breach.
Any steps individuals should take to protect themselves from potential harm resulting from the breach.
A description of the investigation into the breach.
Contact procedures, which must include a toll-free telephone number, an e-mail address, website, or postal address.

Page 46

Notification (Cont.)

Must be in plain language
Translation
E-mail
Website
Substitute notice, if necessary
Broadcast or print media (major television or newspaper serving primarily the residents of the city or state)
Written notification
Telephone notification

Page 47

Notification to Media and HHS

If a breach involves more than 500 individuals residing in the same state, notice must be made to prominent media outlets and the Secretary of Health and Human Services (“HHS”).

Document the notification made to each individual and to the press/media.

Logs must be maintained for six (6) years.

When in doubt, consult with outside counsel.

Page 48

Employee Sanctions for Failure to Comply with the Policies and Procedures:

Warning, up to possible termination.

Page 49

Legislation and Enforcement

Failure to adhere to any of these Rules can result in high penalties:

Civil penalties for noncompliance, for the following categories of violation: unknowing, reasonable cause, willful neglect (corrected), and willful neglect (not corrected). They can range from $100 up to $1.5 million.

Criminal penalties range from 1 up to 10 years in Federal prison.

Enforcement audits are in full force; be cautious and obey the law!

Page 50

Penalties for Violation(s)

Penalties are tiered, depending on conduct.

Unknowing:
$100 per violation, up to $25,000 for all identical violations in a calendar year, with a cap of $1.5 million.

Reasonable cause that is not willful neglect:
$1,000 for each violation, up to $100,000 for all identical violations in a calendar year, with a cap of $1.5 million for all violations of this type in a calendar year.

Willful Neglect, if the violation is corrected within 30 days of knowledge:
$10,000 per each identical violation, up to $250,000 for all identical violations in a calendar year, with a cap of $1.5 million for all violations of this type in a calendar year.

Willful Neglect, if the violation is not corrected:
$50,000 for each violation, up to $1.5 million for all identical or non-identical violations in a calendar year.

Page 51

Enforcement by State Attorneys General

State AGs may commence civil actions in federal district courts for HIPAA violations.

Damages: $100 per violation with a cap of $25,000.

Costs and attorney’s fees may be awarded to the State.

OCR has trained all State Attorneys General on HIPAA enforcement.

There is no private right of action to enforce HIPAA.

Page 52

Recommended practices to avoid computer breaches

Change your computer password quarterly;
Log out from your computer whenever you step away from it;
Set your computer to log out after a period of inactivity;
Lock any electronic devices with company information;
Avoid writing passwords on a piece of paper;
Don’t install any unknown or suspicious programs (contact IT);
Don’t put sensitive information in places that are accessible/open to everyone;
Apply all software updates that have been made available;
Stay away from unauthorized social media websites (FB, Twitter, etc.) unless it’s part of your job description.

Page 53

Reporting Security Incidents

To report an information security problem or theft of computer equipment, or if you suspect there may be a problem, contact the Compliance Officer, and the Compliance Officer will report it to IT.

When in doubt, REPORT! REPORT! REPORT!

Do not attempt to make investigative or legal decisions on your own.

Page 54

In a nutshell

The goal of the Administrative Simplification title is to protect the exchange of health information data, keep it safe, and make it more efficient. In other words, HIPAA requires that each entity be held accountable for the privacy of patient records.

Page 55

For more information on HIPAA, visit the U.S. Department of Health and Human Services website:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html