Understanding HIPAA Regulations and How They Impact Your Organization

Presented by: HealthInfoNet & Systems Engineering
Introductions

• Todd Rogow, Director of IT, HealthInfoNet
• Adam Victor, Director of Operations, Systems Engineering
What is HealthInfoNet?

• HealthInfoNet operates Maine’s statewide health information exchange (HIE), a secure, standardized electronic system where providers can share important patient health information.
• The use of this system:
– Saves time and reduces paperwork
– Facilitates more informed treatment decision-making
– Leads to improved care coordination, higher quality of
Clinical Exchange Highlights

• Hospitals Connected: 34
• Hospitals Under Contract: All 38 within Maine
• Practices Connected: ~400
• Others Connected: 2 Long-term Care, 3 Home Health Agencies and 15 Behavioral Health Organizations
• Individual Lives with Records in the HIE: 1,175,749
• Patients who have opted out: 1%
• HIE user accounts: 7,284
• User Logins: 1,781 patient lookups & 463 unique users per week
HIPAA Trivia

• What does HIPAA stand for?
✓ Health Insurance Portability and Accountability Act
• When did HIPAA start?
✓ 1996
• What is the maximum penalty for a single HIPAA violation?
✓ $1.5 million per violation category per
Agenda

• HIPAA Review
• Compliance Requirements
• Omnibus Rule
• Recommendations/Best Practices
HIPAA Review

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its regulations (the "Privacy Rule", Dec. 2000, and the "Security Rule", Feb. 2003) protect the privacy of an individual’s health information and govern the way certain health care providers and benefit plans collect, maintain, use and disclose protected health information.
What is the Privacy Rule?

• Establishes national standards to protect individuals’ medical records and other personal health information.
• Requires safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
• Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
What is the Security Rule?

• Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
• Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a
Personal Health Information (PHI)

PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) relating to the:
• Past, present, or future physical or mental condition of an individual
• Provision of health care to an individual
• Past, present or future payment for the provision of health care to an individual
PHI – Eighteen Identifiers

• Name
• Address: street address, city, county, zip code (more than 3 digits) or other geographic codes
• Dates directly related to patient
• Telephone Number
• Fax Number
• E-mail addresses
• Social Security Number
• Medical Record Number
• Health Plan Beneficiary Number
• Account Number
• Certificate/License Number
• Any vehicle identifier
• Any device identifier
• Web URL
• Internet Protocol (IP) Address
• Finger or voice prints
• Photographic images
• Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)
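The list above is what a de-identification or data-loss check has to look for. The following scanner is an added example, not code from the slides or from HealthInfoNet: it flags which of the regex-detectable identifier categories appear in a free-text record, treating a full ZIP code as an identifier but a three-digit prefix as not, and a full date as an identifier but a bare year as not. The sample records are constructed; names, photographs and biometrics need other techniques and are not covered.

```python
import re

# One pattern per identifier category that can be found with a regular expression.
# Categories such as name, photograph or fingerprint are out of scope here.
RULES = {
    "Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/Fax Number": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "E-mail address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URL": re.compile(r"\bhttps?://\S+", re.I),
    # A full month/day/year date is an identifier; a bare year on its own is not.
    "Date related to patient": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    # A five- or nine-digit ZIP counts; a three-digit prefix (e.g. "041") does not.
    "ZIP code (more than 3 digits)": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Hypothetical labelled field: many systems print the MRN as "MRN 1234567".
    "Medical Record Number": re.compile(r"\bMRN[:# ]*\d+\b", re.I),
}


def find_identifiers(text):
    """Return the set of identifier categories detected in `text`."""
    return {label for label, pattern in RULES.items() if pattern.search(text)}


def is_safe_harbor_deidentified(text):
    """True when none of the regex-detectable identifiers are present."""
    return not find_identifiers(text)


# Constructed sample records (not real patients).
RECORD_RAW = (
    "Pt Jane Doe, DOB 03/14/1962, SSN 123-45-6789, MRN 4481920, home ZIP 04101, "
    "phone 207-555-0143, jdoe@example.com, portal login from 10.4.2.17"
)
RECORD_DEIDENTIFIED = "Pt [redacted], ZIP prefix 041, seen in 2023 for follow-up"

if __name__ == "__main__":
    for name, record in (("raw", RECORD_RAW), ("de-identified", RECORD_DEIDENTIFIED)):
        found = sorted(find_identifiers(record))
        print(f"{name}: {'clean' if not found else found}")
```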
PHI Continued

ePHI: Data in an electronic format that contains any of the 18 identifiers.
This may include but is not limited to the following:
– Data stored on the network, internet, or intranet
– Data stored on a personal computer or personal digital assistant (e.g. a smartphone)
– Data stored on a USB drive, DVD, or other external media
– Data stored on your HOME computer
Recommendations for Compliance

• Keep all files containing PHI protected
• Place computer screens so they are not readily visible by people passing by
• Use of home computers is not a good idea
• Ensure your vendors are in compliance with HIPAA regulations
• Eliminate all names and other identifiers when doing presentations including PHI
• Don’t share subject names and other identifiers in conversations with colleagues outside of your department or lab
• Don’t send PHI by e-mail if at all possible. When necessary, be sure it is encrypted
Who Is Systems Engineering?

• Maine’s largest IT Services provider, with over 100 employees serving hundreds of businesses throughout northern New England, including numerous Maine health organizations.
• A provider of technical security that provides
General HIPAA Security Rules

• Ensure confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit
• Identify/Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI
• Protect against reasonably anticipated uses or disclosures of ePHI
Risk Analysis/Management

• CEs must conduct a risk analysis as part of their security management processes. It includes, but is not limited to:
– Evaluation of likelihood and impact of potential risks to ePHI
– Implementation of appropriate security measures to address identified risks
– Documentation of security measures
– Maintenance of continuous, reasonable, and appropriate security protections
Administrative Safeguards

• Security Management Process
– Based on Risk Analysis
– Assigned official responsibility for developing/implementing security policies/procedures.
• Information Access Management
– Appropriate process for role-based access to ePHI.
• Workforce Training and Management
– Training isn’t optional.
– Sanctions must exist for policy violations.
• Evaluation
– Periodic assessment of how procedures comply with HIPAA
Physical Safeguards

• Facility Access and Control
– Limit physical access to necessary individuals
• Workstation and Device Security
– Policies and procedures to specify proper use of and access to workstations and electronic media.
– Policies and procedures regarding the transfer, removal, disposal, and reuse of electronic media.
Technical Safeguards

• Access Control – Reiterating, only authorized personnel have access to ePHI
• Audit Controls – CEs must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in systems that contain or use ePHI.
• Integrity Controls – Policies/procedures, along with electronic measures to ensure that ePHI is not improperly altered or destroyed.
• Transmission Security – CEs must implement technical security measures that guard against unauthorized

[Figure: 9/22/2009 to 07/04/2012 (source: Compliance and Safety LLC)]
The Omnibus Rule

“A volume containing several novels or other items previously published separately.”
HIPAA Omnibus Final Rule

Final modifications to the HIPAA Privacy, Security, and Enforcement Rules:

• Make Business Associates of Covered Entities directly liable for compliance with certain aspects of the HIPAA Privacy and Security Rules requirements.
• Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
• Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of
HIPAA Omnibus Final Rule

• Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
• Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to deceased information by family members or others.
• Increased and tiered civil money penalty structure provided by the HITECH Act
• Course reversal: Guilty until proven innocent for data breaches
• Prohibits most health plans from using or disclosing genetic information for underwriting purposes
The Omnibus Rule

Office of Civil Rights (OCR) Director Leon Rodriguez:
– “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections…”
When Does It Take Effect?

• The Omnibus Rules are effective as of March 26, 2013
– Effective Date: Date on which a rule or regulation becomes law
• All CEs and BAs need to be in full compliance by September 23, 2013
– Compliance Date: Date by which all affected

Business Associates

Old Rule:
– The HIPAA Rules define “business associate” to mean a person who performs functions or activities on behalf of, or certain services for, a CE that involve the use or disclosure of PHI.

New Rule:
– The definition of “business associate” was modified to include a person who “creates, receives, maintains, or transmits” PHI on behalf of a CE.
Patient Empowerment

Old Rule:
– Individuals could request a CE to restrict uses or disclosures of their PHI.
– But CEs were not required to agree to such restrictions. If the CE did agree, however, then they were required to abide by the restriction.

New Rule:
– Individuals can request a restriction on disclosure of PHI to a health plan, and the CE must agree if the restriction applies to PHI that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full (unless such disclosure is otherwise required by law).
Breach Notification

• Previously, CEs and BAs were required to perform a risk assessment to determine if there was a significant risk of harm to the individual as a result of the impermissible use or disclosure.
• Now, an impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.
Enforcement

• Largest HIPAA fine: $4.3M against Cignet Health in MD in February 2011 ($3M was for willful neglect)
• HIPAA jail time: In April 2010 Dr. Huping Zhou of UCLA Health System was sentenced to 4 months in prison
• Smallest provider enforcement: In April 2012, a practice owned by 2 physicians paid $100,000 to settle HIPAA violations
Enforcement

Violation                        Penalty               Max Calendar Year
Did Not Know                     $100 - $50,000        $1,500,000
Reasonable Cause                 $1,000 - $50,000      $1,500,000
Willful Neglect (Corrected)      $10,000 - $50,000     $1,500,000
Willful Neglect (Not Corrected)

• A CE or BA may be liable for multiple violations of multiple requirements, and a violation of each requirement may be counted separately.
• A CE or BA may be subject to multiple violations of up to a $1.5 million cap for each violation, which would result in a total penalty above $1.5 million.
Suggested Next Steps

• Update Notice of Privacy Practices
• Review and identify all Business Associates and update Business Associate Agreements
• Update breach notification policies and procedures
• Develop and train employees on new policies (patient requested PHI restrictions, breach notification, etc.)
• Review and update authorization and other forms as
Recommendations

• All EHRs will need to be encrypted at rest to be certified in 2014
• Encrypt your office computers using free software, TrueCrypt: www.truecrypt.org
• Evaluate your technology posture, and seek assistance where necessary
Helpful Resources

• For more information on Privacy/Security, go to the provider section at: www.HealthIt.gov
• HealthInfoNet’s Website:
– Sample Risk Assessment
– Sample Policy and Procedures Templates
– Privacy and Security Guide
• Omnibus Press Release: http://www.hhs.gov/news/press/2013pres/01/20130117b.html
• Omnibus Final Rule: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
• BAA Sample Language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Helpful Webinar

• HIT "ASK THE EXPERTS" ROUNDTABLE WEBINAR SERIES: HIPAA Rules Have Changed: Are You Ready?
• HIPAA covered entities and business associates have until September 23, 2013, to become compliant with changes to the Privacy and Security Rules.
• Join us on Thursday, May 9 at 12N to learn about the modifications to the HIPAA law, including:
– What are the Key Changes Under the Omnibus Rule?
– Who do the Changes Affect?
– What Action is Required?
– What's at Stake?
– What are the Mechanisms for Minimizing the Risk of HIPAA Liability?
• ABOUT OUR SPEAKER: Kathleen Healy, a Partner with the law firm Verrill Dana