HIPAA 101. March 18, 2015 Webinar

N/A
N/A
Protected

Academic year: 2021

Share "HIPAA 101. March 18, 2015 Webinar"

Copied!
25
0
0

Loading.... (view fulltext now)

Full text

(1)

HIPAA 101

March 18, 2015

(2)

Agenda

- Acronyms to Know
- HIPAA Basics
  - What is HIPAA and to whom does it apply?
  - What is protected by HIPAA?
  - Privacy Rule
  - Security Rule
- HITECH Basics
- Breaches and Responses
  - What is a breach?
  - How should I respond to a breach?
- Enforcement

(3)

Acronyms

- HIPAA – Health Insurance Portability and Accountability Act
- HITECH – Health Information Technology for Economic and Clinical Health Act
- BA – Business Associate
- CE – Covered Entity
- PHI – Protected Health Information
- ePHI – Electronic PHI
- HHS – U.S. Department of Health and Human Services

(4)

HIPAA:

Who is covered?

- Enacted in 1996 and administered by the Department of Health and Human Services (HHS)
- Applies to “covered entities”
  - Healthcare Providers
  - Healthcare Clearinghouses
  - Health Plans
    - Health Plan: an employee welfare benefit plan that provides medical care to employees or their dependents
    - Includes governmental health plans
    - Does not include: disability plans, life insurance, or workers’ compensation plans
    - A self-funded employer’s plan is a health plan, so the employer, in its role as plan sponsor, carries covered-entity obligations
- And to “business associates” of covered entities
  - Performs services for or assists covered entities with functions that involve the use or disclosure of PHI
    - Billing, claims processing, data analysis, benefit management, etc.
  - Provides legal, actuarial, accounting, consulting, management, financial or other advice for a covered entity where PHI is involved

(5)

HIPAA:

Business Associates

- Covered entities may disclose PHI to “business associates” if they obtain “satisfactory assurances” that the PHI will be appropriately safeguarded
- The BA Agreement must be in writing and contain the specific terms the regulations require, including:
  - Describe the permitted and required uses of PHI by the BA
  - Forbid the BA from further disclosing PHI absent permission or legal requirement
  - Require the BA to use appropriate safeguards to protect PHI
- The BA Agreement may also shift the burden of providing breach notices to the BA

(6)

HIPAA:

What does it do?

- 2 main components of HIPAA:
  - Privacy
  - Security
- Regulates the disclosure, sharing and storage of PHI, which is information relating to:
  - An individual’s past, present or future physical or mental health or condition;
  - The provision of health care to the individual; or
  - The past, present or future payment for the provision of health care.
- Such information is PHI if it either identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.

(7)

PHI:

What is it?

- Names
- Addresses
- Zip codes
- Dates (except year)
  - DOB
  - Admission date
  - Discharge date
  - Treatment date
- Telephone #s
- Fax #s
- Email addresses
- SSNs
- IP addresses
- Fingerprints
- Full face photos
- Medical record #s
- Health plan beneficiary #s
- Account #s
- Certificate / license #s
- Vehicle IDs (plates, VINs)

(8)

PHI:

What isn’t?

- Employment records
  - In what capacity did you receive the record?
  - When a doctor’s note or return-to-work certification is submitted to the employer, the “information becomes part of the employment record, and, as such, is no longer protected health information.”
  - Distinguish between your role as employer and your role as plan administrator (if self-funded)
- Certain education records covered by the Family Educational Rights and Privacy Act (FERPA)

(9)

HIPAA:

Privacy Rule

- Purpose: define and limit the circumstances in which PHI may be used or disclosed
- All uses or disclosures must either: 1) be permitted or required by the Privacy Rule, or 2) be authorized by the individual in writing
- Privacy Rule required disclosures:
  - To the individual upon request
  - To HHS when it is investigating or reviewing compliance

(10)

HIPAA:

Privacy Rule

- Permitted uses and disclosures (no authorization needed):
  - To the individual
  - For purposes of Treatment, Payment or health care Operations
    - T: provision of care, including consultation between providers
    - P: obtaining premiums, determining coverage, providing benefits, reimbursement
    - O: quality assessment, peer review, legal / accounting services, insurance underwriting, business planning, business management
  - Individual given the opportunity to agree or object (informal permission)
    - Facility directories, notification of family members, picking up a spouse’s prescription, etc.
  - Incidental uses and disclosures (sign-in sheets, doctor/patient conversations overheard in waiting rooms)
  - Public interest (reporting abuse, controlling disease, court proceedings, criminal investigations, research, decedents)
  - Limited Data Set (direct identifiers removed; for research, public health or health care operations purposes)

(11)

HIPAA:

Privacy Rule

- Minimum Necessary Rule – a component of the Privacy Rule
- Must make “reasonable efforts” to use, disclose, and request only the minimum amount of PHI needed
- Must develop and implement policies to reasonably limit uses and disclosures to the minimum necessary
  - “Do I need this information to do my job?”
- Exceptions:
  - Disclosure to a health care provider for treatment
  - Disclosure to an individual of his or her own PHI
  - Use or disclosure pursuant to an authorization
  - Disclosure to HHS for investigation, review or enforcement

(12)

HIPAA:

Security Rule

- Purpose: set standards for storing and transmitting ePHI
  - Ensure the Confidentiality, Integrity and Availability of ePHI
  - ePHI: PHI stored or transmitted in electronic form:
    - Computers, laptops, phones, Blackberries, CD/DVD, thumb drives, networks, clouds, etc.
- 5 categories of requirements in the regulations:
  - Administrative safeguards
  - Physical safeguards
  - Technical safeguards
  - Organizational requirements
  - Policies, procedures and documentation requirements
- CE: must comply with all of them.
- BA: must comply with the Administrative, Technical and Physical safeguards (and, since the 2013 Omnibus Rule, with the policies and documentation requirements as well)
- Key to compliance with the Security Rule: document your processes and procedures

(13)

HIPAA:

Security Rule

- Some of the administrative, organizational and documentation requirements to consider:
  - Risk Analysis – conduct an assessment of the potential risks to ePHI.
  - Risk Management – implement security measures to reduce those risks to a reasonable level.
  - Sanctions Policy – set penalties for employees who fail to comply.
  - Security Officer – identify a person responsible for implementing policies and ensuring the security of ePHI.
  - System Review – regularly review records of system activity and access (audit logs, access reports, incident reports).
  - Response and Reporting – develop procedures for responding to suspected or known security incidents.
  - Data Backup – establish and implement procedures to create and maintain backup copies of ePHI.
  - Disaster Recovery – establish procedures to restore any loss of data.
  - Emergency Mode – establish procedures for continuing critical operations and protecting ePHI during an emergency.

(14)

HIPAA Amendment:

HITECH

- Enacted in 2009.
- Expanded HIPAA to apply directly to business associates
- Heightened enforcement
  - HHS investigates complaints
  - Increased penalties – up to $1.5 million per year for violations of an identical provision
- Expanded the definition of “breach” and added breach notification requirements

(15)

Data Breaches:

What are they?

- Under the 2009 interim breach rule, notification was required only if the incident posed a significant risk of financial, reputational or other harm to the individual.
- Since the 2013 Omnibus Rule, a breach is “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI.”
- An impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised, based on:
  - The nature and extent of the PHI involved, including the likelihood of re-identification
  - The unauthorized person who used the PHI or to whom it was disclosed
  - Whether the PHI was actually acquired or viewed
  - The extent to which the risk to the PHI has been mitigated

(16)

Data Breaches:

Exceptions

- 3 exceptions to the definition of “breach”:
  - Unintentional, good-faith acquisition, access or use of PHI by a workforce member of the same entity, acting within the scope of his or her authority
  - Inadvertent disclosure of PHI by an authorized person to another authorized person at the same entity or BA
  - Good-faith belief that the unauthorized person would not reasonably have been able to retain the information
- The burden of proving an exception falls on the entity claiming it, so construe the exceptions narrowly.

(17)

Data Breaches:

Encryption

- If the ePHI was “unusable, unreadable, or indecipherable to unauthorized individuals,” the incident is not a reportable breach and no notification is required (the “safe harbor”).
  - Encryption must be consistent with the National Institute of Standards and Technology (NIST) guidance referenced by HHS (for example NIST SP 800-111 for data at rest)
  - Encryption keys must be kept on a separate device from the data; a lost laptop that holds both the encrypted ePHI and its key does not qualify
  - Destroying data: redaction is not enough! Clear, purge or destroy the media consistent with NIST guidelines for media sanitization (NIST SP 800-88).
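The two conditions above (NIST-approved encryption, and keys held apart from the data) are easy to state and easy to get wrong in practice. The Go program below is an added example written for this page; it is not code from the webinar or from any HIPAA vendor. It encrypts a constructed sample record with AES-256-GCM, keeps the key only in a `KeyStore` that stands in for a separate key-management device (an assumption of the example), and includes a `RecordLeaksKey` check that no key material sits alongside the ciphertext. All type and function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for a key-management device that is physically and
// logically separate from the system holding the ePHI. This is an assumed
// design for the example; the slide only says keys must live on a separate device.
type KeyStore struct {
	keys map[string][]byte // key ID -> 256-bit AES key
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Generate creates a fresh random AES-256 key under the given ID.
func (ks *KeyStore) Generate(keyID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[keyID] = k
	return nil
}

// Record is what the data-holding system stores: ciphertext, nonce and a
// key identifier, never the key itself.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// aead looks the key up in the store and returns an AES-GCM instance for it.
func (ks *KeyStore) aead(keyID string) (cipher.AEAD, error) {
	k, ok := ks.keys[keyID]
	if !ok {
		return nil, errors.New("unknown key ID")
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals ePHI with AES-256-GCM (a NIST SP 800-38D mode) and binds
// the key ID as associated data, so a record cannot be re-pointed at another key.
func EncryptRecord(ks *KeyStore, keyID string, plaintext []byte) (Record, error) {
	g, err := ks.aead(keyID)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(keyID))
	return Record{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord fails on a missing key or on any modification of the stored bytes.
func DecryptRecord(ks *KeyStore, rec Record) ([]byte, error) {
	g, err := ks.aead(rec.KeyID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
}

// RecordLeaksKey is the safe-harbor separation check: it reports true if any
// key from the store appears in the bytes that would be lost with the data device.
func RecordLeaksKey(ks *KeyStore, rec Record) bool {
	stored := append(append([]byte(rec.KeyID), rec.Nonce...), rec.Ciphertext...)
	for _, k := range ks.keys {
		if bytes.Contains(stored, k) {
			return true
		}
	}
	return false
}

func main() {
	ks := NewKeyStore()
	_ = ks.Generate("phi-key-2015-03")
	// Constructed sample ePHI; not real patient data.
	rec, _ := EncryptRecord(ks, "phi-key-2015-03", []byte("MRN 000123; DOB 1970-01-01"))
	pt, err := DecryptRecord(ks, rec)
	fmt.Println(string(pt), err, RecordLeaksKey(ks, rec))
}
```

A data device holding only `Record` values is indecipherable without the store, and any bit flipped in the ciphertext makes `DecryptRecord` fail rather than return altered PHI. The check in `RecordLeaksKey` models only the simplest failure (a raw key copied next to the data); a key store running on the same laptop as the data fails the separation requirement even though this check would pass.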

(18)

Data Breaches:

Notification

- If the risk assessment shows a breach occurred, the covered entity must notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovering it.
  - A breach is “discovered” on the first day it is known, or reasonably should have been known, to any workforce member or agent of the CE
  - If a BA discovers it while acting as the CE’s agent, the CE is deemed to have discovered it the same day
- Notification must include:
  - A brief description of what occurred, including the date of the breach and the date of discovery
  - A description of the types of PHI involved
  - Steps affected individuals should take to protect themselves
  - What the covered entity is doing to investigate, mitigate the harm and prevent further breaches
  - Contact information for the covered entity
- If a BA has a breach, the BA must notify the CE; the CE is ultimately responsible for notifying individuals

(19)

Data Breaches:

Notification

- If fewer than 500 individuals are affected:
  - Notify the individuals
  - Record the breach on an annual breach log and report it to HHS within 60 days after the end of the calendar year (by early March of the following year)
- If 500 or more individuals are affected:
  - Notify the individuals
  - Notify HHS at the same time, without unreasonable delay and no later than 60 days after discovery
  - If more than 500 residents of a single state or jurisdiction are affected, also notify prominent media outlets serving that area

(20)

HIPAA Enforcement

- HHS – Office for Civil Rights (OCR)
- OCR investigates complaints.
  - 69,369 investigations since 2003.
  - 23,366 resulted in corrective action.
  - Since October 2009 – 689 investigations into Security Rule complaints.
- Penalties – can be enforced by OCR or State Attorneys General
  - $100 per violation ($25,000 cap per year) if the entity did not know of the violation and would not have known by exercising reasonable diligence.
  - $1,000 per violation ($100,000 cap per year) for a violation due to reasonable cause and not willful neglect. The penalty is waived if the violation is corrected within 30 days.
  - $10,000 per violation ($250,000 cap per year) for a violation caused by willful neglect that is corrected within 30 days.
  - $50,000 per violation ($1.5 M cap per year) for uncorrected violations caused by willful neglect.

(21)

Best Practices

- Documented policies and procedures (that are followed!)
- Annual risk assessment
- Annual workforce training
- Evaluate a possible encryption solution
- Pay particular attention to portable ePHI (laptops, phones, jump drives, etc.)
- Investigate all suspicious activity (and document your efforts)
- Access control
  - Who needs access to PHI to do their job?
  - What PHI do they need to access?
  - How can you restrict access? (by employee, by data point, etc.)
  - User authentication?
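The access-control questions above and the Minimum Necessary Rule from the Privacy Rule slides both come down to the same control: decide per job function which data points are needed, withhold everything else, and keep a record of what was withheld for later review. The Go program below is an added example for this page, not code from the webinar; it encodes a role-to-field policy (the roles, field names and the sample patient record are the example's own constructed assumptions) and enforces it on both the request side, with `CheckRequest`, and the disclosure side, with `MinimumNecessary`. Roles the slides list as exceptions (the treating provider, the individual) get the whole record; a role with no policy is denied by default.

```go
package main

import (
	"fmt"
	"sort"
)

// Role is the requester's job function. Access is decided per role ("what PHI
// does this job need?"), not per person, so the policy stays reviewable.
type Role string

// Record is one patient's PHI as field -> value. Field names are the example's
// own assumptions, not a standard schema.
type Record map[string]string

// allowAll marks a role that falls under a minimum-necessary exception
// (the slides list treatment by a provider and the individual's own access).
const allowAll = "*"

// policy lists, per role, the data points that role may see. A field not listed
// is withheld; a role not listed at all is denied outright (deny by default).
var policy = map[Role][]string{
	"treating_provider": {allowAll},
	"patient_self":      {allowAll},
	"billing":           {"name", "account_number", "service_date", "procedure_code", "health_plan_id"},
	"quality_review":    {"service_date", "procedure_code", "diagnosis_code"},
	"front_desk":        {"name", "phone", "appointment_date"},
}

// permittedFields turns a role's policy into a lookup set, or errors for an unknown role.
func permittedFields(role Role) (map[string]bool, error) {
	allowed, ok := policy[role]
	if !ok {
		return nil, fmt.Errorf("role %q has no PHI access policy: denied", role)
	}
	permitted := map[string]bool{}
	for _, f := range allowed {
		permitted[f] = true
	}
	return permitted, nil
}

// CheckRequest enforces "request only the minimum": it rejects a request for
// any field the role's policy does not cover, naming the over-broad fields.
func CheckRequest(role Role, fields []string) error {
	permitted, err := permittedFields(role)
	if err != nil {
		return err
	}
	if permitted[allowAll] {
		return nil
	}
	var over []string
	for _, f := range fields {
		if !permitted[f] {
			over = append(over, f)
		}
	}
	if len(over) > 0 {
		sort.Strings(over)
		return fmt.Errorf("role %q may not request %v", role, over)
	}
	return nil
}

// MinimumNecessary enforces "use and disclose only the minimum": it returns the
// subset of rec the role may see plus the sorted list of withheld fields, which
// belongs in the access log that a later System Review examines.
func MinimumNecessary(role Role, rec Record) (Record, []string, error) {
	permitted, err := permittedFields(role)
	if err != nil {
		return nil, nil, err
	}
	out := Record{}
	var withheld []string
	for k, v := range rec {
		if permitted[allowAll] || permitted[k] {
			out[k] = v
		} else {
			withheld = append(withheld, k)
		}
	}
	sort.Strings(withheld)
	return out, withheld, nil
}

// SampleRecord is a constructed patient record for the example (fictitious data).
func SampleRecord() Record {
	return Record{
		"name": "Jane Q. Sample", "ssn": "000-00-0000", "phone": "555-0100",
		"account_number": "ACCT-42", "health_plan_id": "HP-7",
		"service_date": "2015-03-01", "appointment_date": "2015-03-18",
		"procedure_code": "99213", "diagnosis_code": "E11.9",
		"clinical_notes": "follow-up visit",
	}
}

func main() {
	rec := SampleRecord()
	for _, r := range []Role{"billing", "quality_review", "treating_provider", "intern"} {
		given, withheld, err := MinimumNecessary(r, rec)
		fmt.Printf("%-18s fields=%d withheld=%v err=%v\n", r, len(given), withheld, err)
	}
	fmt.Println(CheckRequest("billing", []string{"name", "ssn", "diagnosis_code"}))
}
```

Restricting "by employee" is the role lookup; restricting "by data point" is the field list. Keeping the withheld list in the access log answers the "did this person need the information to do their job?" question at review time rather than after a complaint.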

(22)

Anthem Data Breach

- Anthem discovered the breach on January 29, 2015
  - Suspicious activity began in December 2014
- Unauthorized disclosure of ePHI
  - Names, DOBs, SSNs, health IDs, home and email addresses
  - No medical information
  - Data going back to 2004, possibly affecting 80 million individuals
  - Affected fully insured and TPA / ASO clients
- What does it mean for employers?

(23)

Anthem Data Breach

- Fully Insured Plans – limited responsibility
  - Anthem has primary responsibility for the breach response
  - Communicate with Anthem regarding its response and ensure employees are receiving communications from Anthem
  - Supplement Anthem’s communications where necessary
    - Identity theft protection, status updates: https://www.anthemfacts.com/
- Self-Insured Plans – primary responsibility as the CE
  - BUT: check the BA / ASO / TPA agreement. It is likely that Anthem assumed responsibility for breach notification
  - Review the Plan’s HIPAA policies and procedures
  - Communicate with employees and Anthem early and often
  - Determine which plan participants were affected, then distribute notices regarding Anthem’s efforts and breach notification responsibility (if appropriate)

(24)

Reform:

Stay Connected

- Stay on top of the changing landscape of health care reform and other employment laws through J.W. Terrill’s Seminar Series and TerrillConnect.
- Subscribe to TerrillConnect for weekly email updates.

(25)

Health Care Reform Update:

Q&A

Marcus Wilbers
Senior Compliance Attorney
Manager, Compliance Consulting
