HNI U: HIPAA Essentials

HIPAA PRIVACY AND SECURITY OVERVIEW August 25th, 2016 Presented by: Mark Rambo – HR Workplace

Transcript of HNI U: HIPAA Essentials

Page 1: HNI U: HIPAA Essentials


Page 2: HNI U: HIPAA Essentials

SPONSORS


Page 3: HNI U: HIPAA Essentials

OBJECTIVES

This training should give you an understanding of:

• What information is protected
• Basic requirements of HIPAA’s Privacy and Security Rules
• Responsibilities of business associates
• Practical privacy policies
• How the rules are enforced
• Changes made by the HITECH Act and the Final HIPAA Rule of Jan. 25, 2013

Page 4: HNI U: HIPAA Essentials

WHAT IS HIPAA?

• “Health Insurance Portability and Accountability Act of 1996” (HIPAA)

• HIPAA includes:
  o Portability Rules ➨ portability, special enrollment, nondiscrimination
  o Administrative Simplification ➨ privacy, security, electronic code sets and operating rules (EDI)

• Goals = protect patient information, reduce costs

Page 5: HNI U: HIPAA Essentials

HIPAA PRIVACY

Page 6: HNI U: HIPAA Essentials

WHAT INFORMATION IS PROTECTED?

Protected Health Information (PHI) = individually identifiable health information that is created or received by a Covered Entity

  o Does not include employment records
  o Includes electronic PHI (ePHI) and Summary Health Information
  o Does not include de-identified information

Page 7: HNI U: HIPAA Essentials

INFORMATION DEFINITIONS

Individually identifiable health information = health information, including demographic information, that
  o Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
  o Identifies the individual, or there is a reasonable basis to believe the information can be used to identify the individual

Page 8: HNI U: HIPAA Essentials

INFORMATION DEFINITIONS

• Summary Health Information: Information summarizing claims history, expenses or types of claims with specific identifiers removed

• De-identified Health Information: Health information that doesn’t identify an individual and can’t be used to identify an individual
  o Expert determination – a qualified statistician documents that the risk of re-identifying an individual from the data is very small
  o Safe harbor method – remove the 18 specified identifier categories (names, dates other than year, geographic detail finer than a 3-digit ZIP code, SSNs, contact details, record and account numbers, etc.) and have no actual knowledge that the remaining information could identify the individual

Page 9: HNI U: HIPAA Essentials

WHO MUST COMPLY?

• HIPAA applies to “Covered Entities”
  o Health plans
  o Health care clearinghouses
  o Health care providers that conduct certain electronic transactions
• Contractual obligations imposed on “Business Associates”
  o HIPAA regulates what contracts must include
• HITECH Act ➔ many parts of the law now apply directly to Business Associates

Page 10: HNI U: HIPAA Essentials

PRIVACY RULE PROVISIONS

• Standards for access, use and disclosure of PHI

• Individual rights regarding access, use and disclosure of PHI and right to receive notice of privacy practices

• Administrative requirements

• Health plan sponsor compliance obligation varies depending on
  o Self-insured vs. fully-insured
  o Access to PHI for plan administration

Page 11: HNI U: HIPAA Essentials

USE AND DISCLOSURE RULES

• Covered entities may use and disclose PHI for treatment, payment and health care operations

• Other disclosures require authorization from the individual or a specific exception
  o For example, disclosures for law enforcement
  o 2013 Final HIPAA Rule includes new authorization requirements for marketing and sale of PHI
• Minimum necessary standard
  o HITECH Act requires new regulations
  o Until they are released, use a limited data set (direct identifiers removed; dates and city/state/ZIP may remain) if possible
• Plan amendment required for plan sponsor to receive PHI
  o Not required for Summary Health Information (for premium bids or plan modification) or de-identified information
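The de-identification methods on Page 8 and the limited data set mentioned on Page 11 are easier to compare in code. The following is an added example, not material from the HNI U deck: it applies the Safe Harbor rule (45 CFR 164.514(b)) to a record and, for contrast, produces a limited data set (45 CFR 164.514(e)) from the same record. The field names, the sample record, the free-text patterns and the list of small-population ZIP prefixes are assumptions for illustration; the real small-population list comes from Census data.

```python
"""Safe Harbor de-identification vs. limited data set (added example).

Assumed record schema: a flat dict of string fields. The fictional sample
record and the SMALL_POPULATION_ZIP3 set are constructed for this example.
"""
import copy
import re
from datetime import date

# Direct identifiers removed for BOTH a limited data set and Safe Harbor.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}
# Fields a limited data set may keep but Safe Harbor must reduce or drop.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "death_date"}
GEO_FIELDS_DROPPED_BY_SAFE_HARBOR = {"city"}
# Assumed 3-digit ZIP prefixes covering <= 20,000 people (must become "000").
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "823"}
# Reference date for age calculation (the deck's presentation date).
AS_OF = date(2016, 8, 25)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b")


def redact_free_text(text: str, redact_dates: bool) -> str:
    """Strip identifiers that leak through narrative fields such as notes."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    if redact_dates:
        text = DATE_RE.sub("[DATE]", text)
    return text


def _year_only(iso_date: str) -> str:
    """'YYYY-MM-DD' -> 'YYYY'; anything unparseable is removed outright."""
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", iso_date)
    return m.group(1) if m else "[date removed]"


def _age_as_of(iso_dob: str, today: date) -> int:
    y, m, d = (int(p) for p in iso_dob.split("-"))
    return today.year - y - ((today.month, today.day) < (m, d))


def limited_data_set(record: dict) -> dict:
    """Remove direct identifiers only; dates, city, state and ZIP stay."""
    out = copy.deepcopy(record)
    for field in DIRECT_IDENTIFIER_FIELDS:
        out.pop(field, None)
    if "notes" in out:
        out["notes"] = redact_free_text(out["notes"], redact_dates=False)
    return out


def safe_harbor(record: dict, today: date = AS_OF) -> dict:
    """Apply the Safe Harbor identifier removals as far as this schema models them."""
    out = limited_data_set(record)
    for field in DATE_FIELDS:                 # dates: keep the year only
        if field in out:
            out[field] = _year_only(out[field])
    if "date_of_birth" in record:
        age = _age_as_of(record["date_of_birth"], today)
        if age > 89:                          # ages > 89 are aggregated, and even
            out.pop("date_of_birth", None)    # the birth year would reveal them
            out["age"] = "90+"
        else:
            out["age"] = str(age)
    for field in GEO_FIELDS_DROPPED_BY_SAFE_HARBOR:
        out.pop(field, None)
    if "zip" in out:                          # at most the 3-digit ZIP prefix
        zip3 = str(out["zip"])[:3]
        out["zip"] = "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3
    if "notes" in out:
        out["notes"] = redact_free_text(out["notes"], redact_dates=True)
    return out


# Constructed, fictional sample record.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "date_of_birth": "1925-03-14",
    "street_address": "12 Example Lane", "city": "Springfield", "state": "IL",
    "zip": "62704", "phone": "217-555-0142", "email": "jane@example.com",
    "ssn": "123-45-6789", "mrn": "MRN-0099812", "admission_date": "2016-08-01",
    "diagnosis": "E11.9",
    "notes": "Called 217-555-0142 on 2016-08-03 about follow-up.",
}

if __name__ == "__main__":
    print(limited_data_set(SAMPLE_RECORD))
    print(safe_harbor(SAMPLE_RECORD))
```

Two points the slide text does not spell out are visible here: a limited data set is still PHI and may only be shared under a data use agreement, whereas Safe Harbor output is no longer PHI; and free-text fields are where identifiers survive in practice, so field-level removal alone is not enough. Note also the age edge case: for anyone over 89, the birth year itself is an identifier and must go, not just the month and day.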

Page 12: HNI U: HIPAA Essentials

INDIVIDUAL RIGHTS

• Inspect and copy their own PHI
  o HITECH Act and 2013 Final HIPAA Rule – expand an individual’s right to access electronic PHI

• Amend or correct incorrect or incomplete PHI

• Obtain an accounting of disclosures

• Receive a notice of privacy practices

• Request restrictions on use or disclosure of PHI
  o HITECH Act and 2013 Final HIPAA Rule – must agree to restrict disclosures to a health plan for payment or health care operations if the PHI pertains to services or treatment that have been paid out of pocket and in full

Page 13: HNI U: HIPAA Essentials

BUSINESS ASSOCIATES

• Covered Entities work with service providers and vendors

• Certain service providers may be Business Associates

• Covered Entities can disclose PHI to Business Associates if there is a Business Associate Agreement in place

Page 14: HNI U: HIPAA Essentials

BUSINESS ASSOCIATE – DEFINITION

• Person who (on behalf of a Covered Entity) creates, receives, maintains or transmits PHI for
  o Claims processing or administration
  o Data analysis, processing or administration
  o Utilization review
  o Quality assurance
  o Billing
  o Benefit management
  o Practice management
  o Repricing

Or…

Page 15: HNI U: HIPAA Essentials

BUSINESS ASSOCIATE – DEFINITION

A person who provides the following services to or for a Covered Entity, if the services involve use or disclosure of PHI
  o Legal
  o Actuarial
  o Accounting
  o Consulting
  o Data aggregation
  o Management
  o Administrative
  o Accreditation
  o Financial

Page 16: HNI U: HIPAA Essentials

BUSINESS ASSOCIATE AGREEMENTS

• Establish permitted uses and disclosures

• Prohibit improper use or disclosure

• Require appropriate safeguards

• Require reporting of unauthorized use or disclosure

• Impose same requirements on subcontractors
  o Under 2013 Final HIPAA Rule, business associates (not their covered entities) are responsible for entering into business associate agreements with their subcontractors

Page 17: HNI U: HIPAA Essentials

BUSINESS ASSOCIATE AGREEMENTS

• Make PHI available in accordance with individual’s right to access, amend and receive an accounting of disclosures of PHI

• Make internal books and records available to HHS

• Require return or destruction of PHI

• Authorize the Covered Entity to terminate the contract if Business Associate breaches contract

Page 18: HNI U: HIPAA Essentials

HIPAA SECURITY RULE

Page 19: HNI U: HIPAA Essentials

HIPAA SECURITY RULE

• Standards for protecting ePHI maintained by a Covered Entity

• Covered Entities must implement safeguards to:
  o Ensure confidentiality, integrity and availability of ePHI
  o Protect against reasonably anticipated threats to security and impermissible uses or disclosures
  o Ensure compliance by workforce

Page 20: HNI U: HIPAA Essentials

SECURITY STANDARDS

• Covered Entities must comply with specific security standards
  o Administrative safeguards
  o Physical safeguards
  o Technical safeguards
• Covered Entities must perform a risk analysis
  o Implementation specifications
  o Required vs. addressable – an addressable specification must still be assessed; if it is not reasonable and appropriate, document why and implement an equivalent alternative
  o Flexibility

• HITECH Act – many security standards now directly apply to Business Associates

Page 21: HNI U: HIPAA Essentials

BUSINESS ASSOCIATES

• Implement safeguards to protect confidentiality, integrity and availability of ePHI

• Ensure that any subcontractor implements appropriate safeguards

• Authorize termination of contract if business associate breaches contract

• Report security incidents to Covered Entity

Page 22: HNI U: HIPAA Essentials

BREACH NOTIFICATION RULE

Page 23: HNI U: HIPAA Essentials

SECURITY BREACH NOTIFICATION

• Created by HITECH Act

• Requires Covered Entities to notify individuals whose “unsecured PHI” has been breached

• If breach involves PHI held by a Business Associate, the Business Associate must notify the Covered Entity

• Covered Entities also must notify HHS of breaches and, in some cases, the media

Page 24: HNI U: HIPAA Essentials

WHAT IS A BREACH?

• Unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the information

• Exceptions –
  o No retention of information
  o Certain unintentional, internal disclosures
  o Certain inadvertent disclosures among people authorized to access PHI

Page 25: HNI U: HIPAA Essentials

2013 FINAL HIPAA RULE CHANGE

• Under the 2009 interim rule, a breach compromised the security or privacy of PHI only if it posed a significant risk of financial, reputational or other harm to the individual (the “harm” standard)
• Effective Sept. 23, 2013, the final HIPAA rule replaces the “harm” standard with a more objective standard
  o Impermissible use or disclosure presumed to be a breach unless the Covered Entity can show through a risk assessment that there is a low probability PHI has been compromised
  o Risk assessment factors:
    o Nature and extent of PHI involved;
    o Unauthorized person who received or used PHI;
    o Whether PHI was actually acquired or viewed; and
    o Extent the risk to PHI has been mitigated.

Page 26: HNI U: HIPAA Essentials

UNSECURED PHI

• Breach notification rule applies only to breaches of “unsecured PHI”

• PHI that is not secured by a technology or methodology approved by HHS

• Must render PHI “unusable, unreadable or indecipherable” to unauthorized individuals

• Approved methods (per HHS guidance):
  o Encryption – consistent with the NIST guidance for data at rest and in transit; the decryption key must not have been compromised along with the data
  o Destruction – paper shredded or pulverized; electronic media cleared, purged or destroyed consistent with NIST SP 800-88

Page 27: HNI U: HIPAA Essentials

PROVIDING NOTICE OF BREACH

• Deadline for notice: without unreasonable delay and no later than 60 days

• Must be in writing and delivered via first class mail
  o May use e-mail if the individual has specified that preference
  o May use phone if urgent

• Provide notice to media outlets if breach affects more than 500 individuals in a particular area

• Notify HHS of all breaches: breaches affecting 500 or more individuals within 60 days of discovery; smaller breaches in an annual log submitted within 60 days of the end of the calendar year

Page 28: HNI U: HIPAA Essentials

CONTENT OF NOTICE

• Description of the breach
  o Including date of the breach and date of discovery
• Type of PHI involved
  o Full name, Social Security number, date of birth, home address, account number, etc.

• Steps individuals should take to protect themselves from potential harm resulting from the breach

• Steps the Covered Entity is taking to investigate breach, mitigate losses and protect against future breaches

• Contact information for individuals to ask questions
  o Toll-free telephone number, e-mail address, website, postal address

Page 29: HNI U: HIPAA Essentials

COMPLIANCE STEPS

• Review breach notification rule requirements

• Review whether PHI is secured or unsecured

• Update policies and procedures to include risk assessment factors

• Train staff about updated policies and procedures

Page 30: HNI U: HIPAA Essentials

POLICIES AND PROCEDURES

Page 31: HNI U: HIPAA Essentials

PRIVACY PROCEDURES – DISCLOSURE

• Access, discuss, use and disclose PHI only for reasons related to specific job functions and responsibilities

• Only disclose PHI to those who have a legitimate business need to know or prior authorization, and only for claims payment or health care operations
  o Only disclose the minimum necessary amount of PHI

• Do not discuss PHI where it could be improperly overheard

Page 32: HNI U: HIPAA Essentials

PRIVACY PROCEDURES – ACCESS

• Only access PHI if it relates to your specific job functions and responsibilities

• No casual reading of PHI

• Protect PHI from casual or unauthorized access

Page 33: HNI U: HIPAA Essentials

PRIVACY PROCEDURES – SECURITY

• Implement appropriate safeguards

• Only remove PHI from the worksite if it relates to specific job functions or responsibilities

• After using PHI, destroy copies

• Review PHI in a secure area

• Set workstations to be locked after inactivity and require periodic password changes

Page 34: HNI U: HIPAA Essentials

DESTRUCTION OF PHI

• Paper PHI (any paper-based document)
  o Destroy hard copies by placing them in a sealed bin for shredding
• Electronic PHI (disks, e-mails, files)
  o Destroy electronic copies, or save them encrypted under the organization’s encryption procedures
  o Disks can be physically destroyed or sanitized (overwritten or purged per NIST SP 800-88); a simple reformat leaves the data recoverable and is not destruction
  o E-mails and electronic files should be purged from the system after use

Page 35: HNI U: HIPAA Essentials

PHYSICAL SAFEGUARDS

• Do not leave PHI on fax machines, printers or copiers

• Clean workspace of PHI at end of day

• Secure all hard copy mail containing PHI

• Use caution when leaving voicemail messages containing PHI or e-mailing PHI internally

• Escort visitors through work areas

Page 36: HNI U: HIPAA Essentials

ENFORCEMENT

Page 37: HNI U: HIPAA Essentials

ENFORCEMENT FOR COVERED ENTITIES

• The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules
  o Investigates complaints
  o Conducts compliance reviews
  o Performs education and outreach to foster compliance
• OCR may impose civil monetary penalties; possible criminal violations are referred to the DOJ, which brings the criminal charges

• Enforcement has become more stringent over past few years

Page 38: HNI U: HIPAA Essentials

ENFORCEMENT PROVISIONS

• OCR must perform periodic audits of Covered Entities to ensure their compliance and is required to investigate complaints of willful neglect

• State Attorneys General may bring suit against Covered Entities to enjoin further violations and obtain damages on behalf of residents of their states, if HHS has not already taken action

• 2013 Final HIPAA Rule: OCR is not required to address non-compliance through informal means, but can go straight to imposing penalties when an investigation indicates violation has occurred

Page 39: HNI U: HIPAA Essentials

CIVIL PENALTIES

HITECH Act increased the civil penalties that may be assessed and distinguishes between the types of violations
  o Penalties may not apply if the violation is corrected within 30 days of the date the person knew, or should have known, of the violation
  o 2013 Final HIPAA Rule gives OCR discretion to expand the 30-day time period
  o OCR must assess penalties for cases involving willful neglect

Page 40: HNI U: HIPAA Essentials

CIVIL PENALTY AMOUNTS

If the individual does not know of the violation:
  o minimum penalty remains $100 per violation
  o up to $25,000 per calendar year for identical violations

Violations due to reasonable cause:
  o minimum penalty is $1,000 per violation
  o up to $100,000 per calendar year

Corrected violations caused by willful neglect:
  o the minimum penalty is $10,000 per violation
  o up to $250,000 per calendar year

Maximum civil penalty for any type of violation, and minimum penalty for violations caused by willful neglect that are not corrected:
  o $50,000 per violation
  o up to $1.5 million per calendar year for identical violations

Page 41: HNI U: HIPAA Essentials

CRIMINAL PENALTIES

• $50,000 fine and up to one year in prison for a “knowing violation”

• $100,000 fine and up to five years in prison for a violation committed under “false pretenses”

• $250,000 fine and up to 10 years in prison for a violation with the intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm

• Now apply to anyone who improperly uses/discloses PHI, not just Covered Entities and their employees

Page 42: HNI U: HIPAA Essentials

ACTION ON COMPLAINTS

• OCR may take action only on complaints that meet the following conditions:
  o Alleged action must have taken place after April 14, 2003
  o Complaint must be filed against an entity that is required by law to comply with the Privacy Rule
  o Complaint must allege an activity that, if proven true, would violate the Privacy Rule
  o Complaints must be filed within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the Privacy Rule
  o OCR must know the identity of the person who filed the complaint, and have a way to contact that person

Page 43: HNI U: HIPAA Essentials

SUMMARY

• Violations of policies may lead to disciplinary action, up to and including termination and/or legal action

• Conduct unscheduled audits to ensure compliance

• Use common sense

• When in doubt, consult with legal counsel

Page 44: HNI U: HIPAA Essentials

QUESTIONS?

THANK YOU!

All rights reserved.
