
Understanding HIPAA Regulations and How They Impact Your Organization

Presented by: HealthInfoNet & Systems Engineering

(2)

Introductions

Todd Rogow, Director of IT, HealthInfoNet

Adam Victor, Director of Operations, Systems Engineering

(3)

What is HealthInfoNet?

HealthInfoNet operates Maine's statewide health information exchange (HIE), a secure, standardized electronic system where providers can share important patient health information.

The use of this system:

–  Saves time and reduces paperwork
–  Facilitates more informed treatment decision-making
–  Leads to improved care coordination, higher quality of

(4)

Clinical Exchange Highlights

•  Hospitals Connected: 34
•  Hospitals Under Contract: All 38 within Maine
•  Practices Connected: ~400
•  Others Connected: 2 Long-term Care, 3 Home Health Agencies and 15 Behavioral Health Organizations
•  Individual Lives with Records in the HIE: 1,175,749
•  Patients who have opted out: 1%
•  HIE user accounts: 7,284
•  User Logins: 1,781 patient lookups & 463 unique users per week

(5)

HIPAA Trivia

What does HIPAA stand for?
Health Insurance Portability and Accountability Act

When did HIPAA start?
1996

What is the maximum penalty for a single HIPAA violation?
$1.5 million per violation category per

(6)

Agenda

HIPAA Review
Compliance Requirements
Omnibus Rule
Recommendations/Best Practices

(7)

HIPAA Review

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its regulations (the "Privacy Rule" – Dec. 2000 and the "Security Rule" – Feb. 2003) protect the privacy of an individual's health information and govern the way certain health care providers and benefits plans collect, maintain, use and disclose protected health information.

(8)

What is the Privacy Rule?

•  Establishes national standards to protect individuals' medical records and other personal health information.
•  Requires safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
•  Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

(9)

What is the Security Rule?

•  Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
•  Establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a

(10)

Personal Health Information (PHI)

PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) relating to the:

•  Past, present, or future physical or mental condition of an individual
•  Provision of health care to an individual
•  Past, present or future payment for the provision of health care to an individual

(11)

PHI – Eighteen Identifiers

•  Name
•  Address -- street address, city, county, zip code (more than 3 digits) or other geographic codes
•  Dates directly related to patient
•  Telephone Number
•  Fax Number
•  E-mail addresses
•  Social Security Number
•  Medical Record Number
•  Health Plan Beneficiary Number
•  Account Number
•  Certificate/License Number
•  Any vehicle identifier
•  Any device identifier
•  Web URL
•  Internet Protocol (IP) Address
•  Finger or voice prints
•  Photographic images
•  Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)
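As an added example (not part of the deck, and not HealthInfoNet's or Systems Engineering's code), the following Python script shows how a practitioner can turn the identifier list above into a redaction pass: it scrubs the identifier classes that are recognisable by shape alone (SSN, e-mail, URL, IP address, dates, phone/fax numbers, and ZIP codes beyond the first three digits) from a free-text record, and exposes a `contains_identifiers` check that can gate a document before it is sent by e-mail, as the deck's compliance recommendations advise. The clinical note used as input is constructed for the example; names, medical record numbers, account numbers and the other context-dependent identifiers are not detectable by regular expression and are deliberately left out of scope.

```python
import re
from collections import Counter

# Constructed sample record (not real patient data) used as input for the example.
SAMPLE_NOTE = (
    "Pt seen 03/14/2013, DOB 1957-08-02. Lives at 12 Elm St, Portland, ME 04101. "
    "Phone 207-555-0143, fax (207) 555-0199, email jane.doe@example.com. "
    "SSN 123-45-6789. Portal login from 192.168.10.25, "
    "see https://portal.example.org/pt/4471."
)


def _year_only(m: re.Match) -> str:
    """Keep only the year: full dates tied to the patient are on the identifier list."""
    return f"[DATE:{m.group('y') or m.group('y2')}]"


def _zip3(m: re.Match) -> str:
    """Keep the state and the first three ZIP digits; the remaining digits are PHI."""
    return f"{m.group('st')} {m.group('z3')}XX"


# Ordered (label, pattern, replacement) rules. Order matters: SSN runs before PHONE
# so "123-45-6789" is not half-consumed as a phone number, and URL runs before IP
# so an address embedded in a URL is removed together with the URL.
RULES = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    # trailing sentence punctuation is not part of the URL
    ("URL",   re.compile(r"https?://[^\s,;)]+(?<![.,])"), "[URL]"),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    # ISO (YYYY-MM-DD) and US (MM/DD/YYYY) forms; only the year survives
    ("DATE",  re.compile(r"\b(?P<y>\d{4})-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/(?P<y2>\d{4})\b"), _year_only),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    # ZIP anchored on a preceding two-letter state code to avoid eating other 5-digit numbers
    ("ZIP",   re.compile(r"\b(?P<st>[A-Z]{2}) (?P<z3>\d{3})\d{2}(?:-\d{4})?\b"), _zip3),
]


def deidentify(text: str) -> "tuple[str, Counter]":
    """Redact the pattern-recognisable identifier classes and count hits per class."""
    counts: Counter = Counter()
    for label, pattern, repl in RULES:
        text, n = pattern.subn(repl, text)
        counts[label] += n
    return text, counts


def contains_identifiers(text: str) -> bool:
    """True if any rule still fires; usable as a pre-send check for e-mail or export."""
    return any(pattern.search(text) for _, pattern, _ in RULES)


if __name__ == "__main__":
    redacted, found = deidentify(SAMPLE_NOTE)
    print(redacted)
    print(dict(found))
    print("still contains identifiers:", contains_identifiers(redacted))
```

The pass is intentionally conservative: it redacts rather than pseudonymises, it keeps years and three-digit ZIP prefixes because those are what the identifier list still permits, and a document that trips `contains_identifiers` should be treated as PHI and handled under the encryption guidance later in the deck rather than sent in the clear.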

(12)

PHI Continued

ePHI: Data in an electronic format that contains any of the 18 identifiers

This may include but is not limited to the following:

–  Data stored on the network, internet, or intranet
–  Data stored on a personal computer or personal digital assistant (e.g. a smartphone)
–  Data stored on a USB drive, DVD, or other external media
–  Data stored on your HOME computer

(13)

Recommendations for Compliance

•  Keep all files containing PHI protected
•  Place computer screens so they are not readily visible by people passing by
•  Use of home computers is not a good idea
•  Ensure your vendors are in compliance with HIPAA regulations
•  Eliminate all names and other identifiers when doing presentations including PHI
•  Don't share subject names and other identifiers in conversations with colleagues outside of your department or lab
•  Don't send PHI by e-mail if at all possible. When necessary, be sure it is encrypted

(14)

Who Is Systems Engineering?

Maine's largest IT Services provider, with over 100 employees serving hundreds of businesses throughout northern New England, including numerous Maine health organizations.

A provider of technical security that provides

(15)

General HIPAA Security Rules

•  Ensure confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit
•  Identify/Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI
•  Protect against reasonably anticipated uses or disclosures of ePHI

(16)

Risk Analysis/Management

•  CEs must conduct a Risk Analysis as part of their Security Management Processes. It includes, but is not limited to:
–  Evaluation of likelihood and impact of potential risks to ePHI
–  Implementation of appropriate security measures to address identified risks
–  Documentation of security measures
–  Maintenance of continuous, reasonable, and appropriate security protections

(17)

Administrative Safeguards

•  Security Management Process
–  Based on Risk Analysis
–  Assigned official responsibility for developing/implementing security policies/procedures.
•  Information Access Management – Appropriate process for role-based access to ePHI.
•  Workforce Training and Management
–  Training isn't optional.
–  Sanctions must exist for policy violations.
•  Evaluation – Periodic assessment of how procedures comply with HIPAA

(18)

Physical Safeguards

Facility Access and Control
–  Limit physical access to necessary individuals

Workstation and Device Security
–  Policies and procedures to specify proper use of and access to workstations and electronic media.
–  Policies and procedures regarding the transfer, removal, disposal, and reuse of electronic media.

(19)

Technical Safeguards

•  Access Control – Reiterating, only authorized personnel have access to ePHI
•  Audit Controls – CEs must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in systems that contain or use ePHI.
•  Integrity Controls – Policies/procedures, along with electronic measures to ensure that ePHI is not improperly altered or destroyed.
•  Transmission Security – CEs must implement technical security measures that guard against unauthorized

(20)

(Chart: 9/22/2009 to 07/04/2012, Compliance and Safety LLC)

(21)

The Omnibus Rule

"A volume containing several novels or other items previously published separately."

(22)

HIPAA Omnibus Final Rule

Final modifications to the HIPAA Privacy, Security, and Enforcement Rules:

•  Make Business Associates of Covered Entities directly liable for compliance with certain aspects of the HIPAA Privacy and Security Rules requirements.
•  Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
•  Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of

(23)

HIPAA Omnibus Final Rule

•  Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
•  Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to deceased information by family members or others.
•  Increased and tiered civil money penalty structure provided by the HITECH Act
•  Course reversal: Guilty until proven innocent for data breaches
•  Prohibits most health plans from using or disclosing genetic information for underwriting purposes

(24)

The Omnibus Rule

Office of Civil Rights (OCR) Director Leon Rodriguez:

– "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections…"

(25)

When Does It Take Effect?

The Omnibus Rules are effective as of March 26, 2013

Effective Date: Date on which a rule or regulation becomes law

All CEs and BAs need to be in full compliance by September 23, 2013

Compliance Date: Date by which all affected

(26)

Business Associates

Old Rule:
–  The HIPAA Rules define "business associate" to mean a person who performs functions or activities on behalf of, or certain services for, a CE that involve the use or disclosure of PHI.

New Rule:
–  The definition of "business associate" was modified to include a person who "creates, receives, maintains, or transmits" PHI on behalf of a CE.

(27)

Patient Empowerment

Old Rule:
–  Individuals could request a CE to restrict uses or disclosures of their PHI.
–  But, CEs were not required to agree to such restrictions. If the CE did agree, however, then they were required to abide by the restriction.

New Rule:
–  Individuals can request a restriction on disclosure of PHI to a health plan and the CE must agree if the restriction applies to PHI that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full (unless such disclosure is otherwise required by law).

(28)

Breach Notification

Previously, CEs and BAs were required to perform a risk assessment to determine if there was a significant risk of harm to the individual as a result of the impermissible use or disclosure.

Now, an impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.

(29)

Enforcement

•  Largest HIPAA fine: $4.3M against Cignet Health in MD in February 2011 ($3M was for willful neglect)
•  HIPAA jail time: In April 2010 Dr. Huping Zhou of UCLA Health System was sentenced to 4 months in prison
•  Smallest provider enforcement: In April 2012, a practice owned by 2 physicians paid $100,000 to settle HIPAA violations

(30)

Enforcement

•  A CE or BA may be liable for multiple violations of multiple requirements, and a violation of each requirement may be counted separately.
•  A CE or BA may be subject to multiple violations of up to a $1.5 million cap for each violation, which would result in a total penalty above $1.5 million.

Violation                         Penalty              Max Calendar Year
Did Not Know                      $100 - $50,000       $1,500,000
Reasonable Cause                  $1,000 - $50,000     $1,500,000
Willful Neglect (Corrected)       $10,000 - $50,000    $1,500,000
Willful Neglect (Not Corrected)

(31)

Suggested Next Steps

•  Update Notice of Privacy Practices
•  Review and identify all Business Associates and update Business Associate Agreements
•  Update breach notification policies and procedures
•  Develop and train employees on new policies (patient requested PHI restrictions, breach notification, etc.)
•  Review and update authorization and other forms as

(32)

Recommendations

•  All EHRs will need to be encrypted at rest to be certified in 2014
•  Encrypt your office computers using free software, TrueCrypt: www.truecrypt.org
•  Evaluate your technology posture, and seek assistance where necessary

(33)

Helpful Resources

•  For more information on Privacy/Security, go to the provider section at: www.HealthIt.gov
•  HealthInfoNet's Website:
–  Sample Risk Assessment
–  Sample Policy and Procedures Templates
–  Privacy and Security Guide
•  Omnibus Press Release: http://www.hhs.gov/news/press/2013pres/01/20130117b.html
•  Omnibus Final Rule: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
•  BAA Sample Language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

(34)

Helpful Webinar

•  HIT "ASK THE EXPERTS" ROUNDTABLE WEBINAR SERIES: HIPAA Rules Have Changed: Are You Ready?
•  HIPAA covered entities and business associates have until September 23, 2013, to become compliant with changes to the Privacy and Security Rules.
•  Join us on Thursday, May 9 at 12N to learn about the modifications to the HIPAA law, including:
–  What are the Key Changes Under the Omnibus Rule?
–  Who do the Changes Affect?
–  What Action is Required?
–  What's at Stake?
–  What are the Mechanisms for Minimizing the Risk of HIPAA Liability?
•  ABOUT OUR SPEAKER: Kathleen Healy, a Partner with the law firm Verrill Dana

(35)

(36)

Contact Information

Todd Rogow, Director of IT, HealthInfoNet
[email protected]
HealthInfoNet Website: www.hinfonet.org

Adam Victor, Director of Operations, Systems Engineering, Inc.
[email protected]
Systems Engineering Website: www.syseng.com
