ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson, Compliance and Privacy Officer

Academic year: 2021

Share "ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer"

Copied!
43
0
0

Loading.... (view fulltext now)

Full text

(1)

ACCOUNTABLE HEALTHCARE IPA

HIPAA PRIVACY AND SECURITY

TRAINING

By: Jerry Jackson

(2)

Introduction

Welcome to the Privacy and Security Training course.

This course will help you understand and apply AHCIPA’s Privacy and Security policies and procedures.

(3)

HIPAA Law(s)

Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191): the law requires that each person who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards.

The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI).

(4)

HIPAA Law(s) Continued…

The HITECH Act requires covered entities to report data breaches that affect 500 or more persons to:

the US Dept. of Health and Human Services,

the news media, and

the people affected by the data breaches.

On November 30, 2009, the regulations associated with the enhancements to HIPAA enforcement took effect.

(5)

HIPAA Law(s) Continued…

Final Omnibus Rule

Became effective on March 26, 2013

Enhanced a patient’s privacy protections

Provided individuals new rights to their health information, and

Strengthened the government’s ability to enforce the law.

(6)

Protected and Confidential Information

Everyone is responsible for making sure that:

We use Protected Information about individuals appropriately

We protect that information as required by HIPAA and State of California laws and regulations applicable to the health care industry

And as required by our contracts with our customers, such as health plans

(7)

Officers

The Privacy Officer serves to oversee the integration of privacy compliance, data protection, and privacy incident management.

The Security Officer serves to oversee the establishment, implementation and management of an Information Security Program. This includes creating, administering, and overseeing policies and procedures to ensure the prevention, detection, containment, and

(8)

Who Does HIPAA Apply to?

Covered Entities

A covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction.

(9)

Types of Information to Protect

Protected Health Information (PHI) is individually identifiable and is subject to laws and regulations which place legal restrictions on what can or cannot be done with the information.

PHI (including demographics) relates to:

Health care/medical claim data

An individual’s health condition

Health records, protected health information (PHI)

Personally identifiable information (PII)

(10)

Types of Information to Protect

Personally Identifiable Information (PII) is a combination of one or more of the following data elements:

First name or last name

Social Security Number

Driver’s License Number or State Identification Card Number

Account Number, Credit Card or Debit Card Number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

PHI & PII can be in any form: Oral/Written/Electronic

(11)

USES AND DISCLOSURES

(12)

When can PHI be shared without an Authorization?

For PHI and ePHI (electronic), many accesses, uses, and disclosures within AHCIPA may be permitted for purposes of Treatment, Payment, and Health Care Operations (TPO).

The Privacy Rule permits a covered entity to use and disclose protected health information for TPO without restriction or the individual's consent (an authorized disclosure).

(13)

When can PHI be shared without an Authorization?

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including coordination of care by a provider with a third party, consultations between providers, and referrals to other providers.

Payment means activities undertaken by a health care provider or a health plan to obtain or provide reimbursement for health care.

(14)

When can PHI be shared without an Authorization?

Health Care Operations refers to activities operationally undertaken by health plans, health care providers and clearinghouses, including:

Quality assessment and improvement activities

Case management and coordination of care

Credentialing

Conducting or arranging for medical review and auditing functions

Business planning, business management and general administration

(15)

When can PHI be shared without an Authorization?

Generally, if the access, use, and/or disclosure is not permitted under TPO, then PHI and PII can only be used or disclosed if the individual or authorized representative has given written authorization.

Before accessing, using, or disclosing Protected Information, you must determine whether you are permitted to do so in that particular situation. If you have questions, contact the IPA’s Privacy Officer.

(16)

Other Authorized Disclosures

Disclosures to Business Associates

Disclosures to Brokers, Agents and Consultants

Disclosures to Law Enforcement and Public Health

Disclosure of abuse, neglect, and domestic violence to a state or local authority, as required or permitted by law

Disclosure of PHI to law enforcement, but only if the request is accompanied by a court order

Disclosure of PHI to health oversight agencies

Disclosures related to legal actions, if the information has been requested in a court order or the information has been requested by means of a subpoena

(17)

Other Authorized Disclosures Continued…

Disclosure of PHI to coroners, medical examiners and funeral directors

Disclosure of PHI to organ procurement agencies

Disclosure of PHI for purposes of Research

Disclosure of PHI needed to prevent or lessen a serious or imminent threat to the health or safety of a person or the public


(18)

Accounting of Disclosures

Upon written request, an individual has the right to receive a written accounting of certain disclosures of PHI made by AHCIPA spanning a period of up to 6 years.

The identity of a person making a request for an accounting of disclosures of PHI must be authenticated.

AHCIPA tracks disclosure of PHI/PII other than for the purposes of TPO. Any request for PHI/PII, other than for the purpose of TPO, must be authorized by the Privacy Office.

(19)

Authorization for Disclosure of PHI/PII

An individual may provide a written authorization for the release of information. The authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, other than TPO, or to disclose protected health information to a third party specified by the individual.

An individual can revoke their authorization at any time.

(20)

Marketing and Use of PHI/PII

AHCIPA may generally use and disclose PHI for purposes of Marketing upon receipt of an authorization from any individual whose PHI may be used or disclosed for such purposes.

In certain instances, however, AHCIPA may not be required to obtain an authorization from affected individuals.

(21)

INDIVIDUAL RIGHTS

(22)

Members’ Right to Inspect and Copy PHI

Individuals have the right to inspect and obtain a copy and request amendment of medical information used to make decisions about their care and billing information.

Individuals have the right to access and request that AHCIPA amend PHI/PII in the Designated Record Set (DRS).

(23)

Members’ Right to Confidential Communications

AHCIPA must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of PHI by alternative means and/or at alternative locations.

Also, AHCIPA accommodates an individual's request concerning health care communications regarding certain sensitive services to be sent to an alternate address if the individual had, has, or will receive services that fall under

(24)

ADMINISTRATIVE REQUIREMENTS

(25)

Privacy Safeguards

AHCIPA must have appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI/PII.

All employees and contractors are required to maintain physical, technical, and administrative safeguards of systems and tools to ensure the security and availability of confidential information or PHI.

(26)

Improper Use or Disclosure

The risk of organizational or member harm includes:

Identity theft

Embarrassment

Loss of goodwill

Payment of penalties and fines

Negative impact to the company’s business and reputation

Personal liability of employees and contractors

Criminal penalties

A breach of contract

(27)

Rules To Protect Information

It is critical to safeguard physical property and information technology systems.

(28)

Physical Security

Physical security means that we do not let unauthorized people into our facilities and that we keep our tools and documents containing PHI secure.

Wear your photo identification badge at all times.

Keep your desk clean! Make sure documents and other protected materials are securely stored.

Paper documents containing PHI or confidential information should be discarded in a secure destruction container.

(29)

Information Security

Desktop and laptop security means that we do not let unauthorized people use our computers and that we secure our computers appropriately when we are away from our work station.

Information security means that we protect systems containing data with strong passwords and only send data outside of our system using appropriate and secure (encrypted) processes.

(30)

Computer Desktop/Laptop Security Rules

You may not install or store unauthorized computer applications and material (games, music, data, etc.) on company-provided information technology systems.

Always use Ctrl+Alt+Del and select Lock Computer when leaving your desk.

Never leave your laptop in your car or somewhere unattended or unsecured.

The use of removable storage media (e.g., external hard drives, CDs/DVDs, USB flash/thumb drives or memory cards) is prohibited without a security exception from Information Technology.

(31)

Misdirected Information

There are three common ways in which information can be misdirected:

Paper Documents

Faxing Information

Emailing Information

(32)

Paper Documents

Ways that misdirected or unattended paper documents might create a privacy incident:

Incorrect mailing address

Improper disposal of documents

Leaving documents unattended

(33)

Faxing Information

Faxing might create a privacy incident by:

Sending a fax to the wrong number

Sending a fax without a cover page

Sending a fax without verifying that the receiver is available

(34)

Emailing Information

Emailing information might create a privacy or security incident by:

Sending an email to the wrong person(s) (avoid using “Reply All” if unnecessary).

Sending an email externally without using Secure Delivery (encryption)

Sending email to your home/personal web mail
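The three e-mail mistakes listed on this slide can be checked mechanically before a message leaves the organization. The following Python script is an added example and is not code from the training deck or from AHCIPA; the corporate domain (ahcipa.example), the personal web-mail list, the PHI markers it looks for and the sample messages are all constructed assumptions. It flags PHI-bearing mail sent to personal web mail, PHI sent externally without Secure Delivery (encryption), and Reply All threads that carry PHI.

```python
"""Outbound e-mail policy check for the three "Emailing Information" mistakes:
wrong recipients (Reply All), external delivery without Secure Delivery
(encryption), and mail sent to personal web mail.  Added example, not part of
the training deck; the corporate domain, the web-mail list, the PHI markers
and the sample messages are constructed assumptions."""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "ahcipa.example"                      # assumed corporate domain
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Crude markers that the message carries PHI/PII (SSN, DOB label, member ID label).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b", re.I),
    "member_id": re.compile(r"\bmember\s*(?:id\b|#)", re.I),
}


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    secure_delivery: bool = False   # True when sent through the encrypted channel
    reply_all: bool = False         # True when the user chose "Reply All"


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def phi_indicators(text):
    """Names of the PHI/PII patterns found in the text, sorted for stable output."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def check_outbound(mail):
    """Return (rule, detail) findings; an empty list means the message passes."""
    findings = []
    indicators = phi_indicators(mail.subject + "\n" + mail.body)
    external = [r for r in mail.recipients if domain_of(r) != INTERNAL_DOMAIN]
    personal = [r for r in external if domain_of(r) in PERSONAL_WEBMAIL]

    # Rule: company e-mail containing PHI must not go to home/personal web mail.
    if indicators and personal:
        findings.append(("personal-webmail", ", ".join(personal)))
    # Rule: PHI leaving the organization must use Secure Delivery (encryption).
    if indicators and external and not mail.secure_delivery:
        findings.append(("unencrypted-external-phi", f"{indicators} to {external}"))
    # Rule: Reply All widens the audience; flag it when PHI is in the thread.
    if indicators and mail.reply_all and len(mail.recipients) > 1:
        findings.append(("reply-all-with-phi", f"{len(mail.recipients)} recipients"))
    return findings


def audit(mails):
    """Map each subject to the list of rule names it triggers."""
    return {m.subject: [rule for rule, _ in check_outbound(m)] for m in mails}


# Constructed sample traffic (not real mail).
SAMPLES = [
    OutboundMail("claims@ahcipa.example", ["nurse@ahcipa.example"],
                 "internal referral", "Member ID 12345, DOB on file."),
    OutboundMail("claims@ahcipa.example", ["billing@partner-plan.example"],
                 "claim query", "Please check SSN 123-45-6789 for this claim."),
    OutboundMail("claims@ahcipa.example", ["billing@partner-plan.example"],
                 "claim query (secure)", "Please check SSN 123-45-6789.",
                 secure_delivery=True),
    OutboundMail("claims@ahcipa.example", ["claims.home@gmail.com"],
                 "working from home", "Member ID 4711 chart notes attached."),
    OutboundMail("claims@ahcipa.example",
                 ["a@ahcipa.example", "b@ahcipa.example", "c@ahcipa.example"],
                 "RE: RE: case review", "Date of birth 01/02/1980 confirmed.",
                 reply_all=True),
]

if __name__ == "__main__":
    for subject, rules in audit(SAMPLES).items():
        print(f"{subject!r}: {rules or 'OK'}")
```

The PHI markers are deliberately simple; a production gateway would use the organization's own data classification rules, and the point of the example is the decision logic (external vs. internal, encrypted vs. not, widened audience), not the pattern list.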

(35)

Reporting Requirements and Incident Management

You are required to report an actual or suspected privacy or security incident IMMEDIATELY, regardless of how many members are involved.

AHCIPA strictly enforces a non-retaliation policy for employees and contractors who, in good faith, report suspected incidents.

(36)

Resources for Reporting

A Supervisor/Manager

The Privacy Officer at: 562-435-3333, ext. 350

The Security Officer at: 562-435-3333, ext. 393


(37)

Data Security Risks

There are several different types of attacks to manipulate people into performing actions or divulging confidential information.

Phishing

Whale Phishing

Spear Phishing

Pretexting

(38)

Data Security Risks Continued…

Phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company. Typically, the messages appear to come from well-known Web sites.

Whale Phishing (Whaling) describes a phishing attempt where the target is a wealthy individual or senior leadership of an organization.

Spear Phishing describes a phishing attempt that targets a specific organization seeking unauthorized access to confidential data. These attempts are not typically initiated by “random hackers,” but are more likely to be conducted by perpetrators out for financial gain or trade secrets.

(39)

Data Security Risks Continued…

Pretexting is when an individual lies or tells a phony story to obtain privileged data. Pretexting often involves a scam where the liar pretends to need information. After establishing trust with the targeted individual, the pretexter might ask a series of questions designed to confirm key individual identifiers such as the individual’s Social Security Number, mother’s maiden name, place or date of birth, or account number.

Trojan Horse is a program in which malicious or harmful code is contained inside apparently harmless
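The phishing, whaling and spear-phishing definitions above describe the lure from the attacker's side; a mail filter sees the same thing as a handful of checkable indicators (a display name that claims a brand the sender domain does not own, a look-alike sender domain, link text that does not match the link target, pressure language) plus who the target is. The following Python scorer is an added example and is not code from the training deck or from AHCIPA; the brand list, the executive mailboxes, the organization name and the four sample messages are constructed assumptions. It scores a message and then labels it with the slide's own taxonomy: whaling when the recipient is senior leadership, spear phishing when the lure is personalized to the recipient or the organization, plain phishing otherwise.

```python
"""Phishing indicator scorer for the attack types on the "Data Security Risks"
slides (phishing, whaling, spear phishing).  Added example, not part of the
training deck; the brand list, the executive mailboxes, the organization name
and the sample messages are constructed assumptions."""
import re
from urllib.parse import urlparse

ORG_NAME = "AHCIPA"
KNOWN_BRANDS = {"bankofexample": "bankofexample.com", "ahcipa": "ahcipa.example"}
EXECUTIVE_MAILBOXES = {"ceo@ahcipa.example", "cfo@ahcipa.example"}
URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify your account|within 24 hours)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)
SHOWN_HOST = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)


def registrable(host):
    """Last two labels of a host name (assumes no multi-label public suffixes)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def indicators(msg):
    """Return (indicator, detail) pairs found in one message dict."""
    found = []
    sender_domain = registrable(msg["from_addr"].rsplit("@", 1)[-1])
    name = msg["from_name"].lower().replace(" ", "")
    # 1. Display name claims a known brand, but the mail comes from another domain.
    for brand, real in KNOWN_BRANDS.items():
        if brand in name and sender_domain != real:
            found.append(("brand-domain-mismatch", f"{brand} via {sender_domain}"))
    # 2. Sender domain is within two edits of a brand domain (e.g. a swapped letter).
    for real in KNOWN_BRANDS.values():
        if sender_domain != real and edit_distance(sender_domain, real) <= 2:
            found.append(("lookalike-domain", f"{sender_domain} ~ {real}"))
    # 3. Link text shows one host while the href leads to a different one.
    for href, text in LINK.findall(msg["body"]):
        target = registrable(urlparse(href).hostname or "")
        shown = SHOWN_HOST.search(text)
        if shown and registrable(shown.group()) != target:
            found.append(("link-mismatch", f"{shown.group()} -> {target}"))
    # 4. Pressure language typical of credential-harvesting mail.
    m = URGENCY.search(msg["body"])
    if m:
        found.append(("urgency-language", m.group()))
    return found


def classify(msg):
    """Label the message with the slide's taxonomy based on target and personalization."""
    found = indicators(msg)
    if not found:
        return "none", found
    if msg["to_addr"].lower() in EXECUTIVE_MAILBOXES:
        return "whaling", found            # senior leadership targeted
    first_name = msg["to_name"].split()[0]
    personalized = re.search(rf"\b({re.escape(first_name)}|{ORG_NAME})\b", msg["body"], re.I)
    if personalized:
        return "spear-phishing", found     # tailored to this person/organization
    return "phishing", found               # generic bulk lure


# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": {"from_name": "AHCIPA Privacy Office", "from_addr": "privacy@ahcipa.example",
              "to_addr": "nurse@ahcipa.example", "to_name": "Pat Nurse",
              "body": "Reminder: annual HIPAA training is due next month."},
    "bulk": {"from_name": "Bank of Example", "from_addr": "alerts@bank0fexample.com",
             "to_addr": "nurse@ahcipa.example", "to_name": "Pat Nurse",
             "body": 'Your account has been suspended. Log in at '
                     '<a href="http://bankofexample.com.login-verify.example/x">bankofexample.com</a>'},
    "exec": {"from_name": "AHCIPA IT Help Desk", "from_addr": "helpdesk@ahcipa-support.example",
             "to_addr": "cfo@ahcipa.example", "to_name": "Chris Finance",
             "body": 'Chris, verify your account now: '
                     '<a href="https://portal.ahcipa-support.example/login">portal.ahcipa.example</a>'},
    "targeted": {"from_name": "Bank of Example", "from_addr": "billing@bankofexample-payments.com",
                 "to_addr": "claims@ahcipa.example", "to_name": "Pat Nurse",
                 "body": "Pat, the AHCIPA invoice is overdue, please see the attachment."},
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        kind, found = classify(msg)
        print(f"{label}: {kind} {[i for i, _ in found]}")
```

None of these indicators is conclusive on its own (legitimate mail can be urgent, and a real vendor may mail from a secondary domain), which is why the script reports every indicator it found rather than a single verdict; the classification is there to route the report to the right reviewer, not to replace the reporting step the deck asks for.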

(40)

Consequences of HIPAA Breaches

The Department of Health and Human Services Office for Civil Rights (OCR) enforces the health information privacy rights of members who participate in Federal Healthcare Programs. Their duties include: investigations, voluntary dispute resolution, technical assistance, and enforcement.

New York and Presbyterian Hospital and Columbia University: data breach results in $4.8 million HIPAA settlements for disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

QCA Health Plan, Inc., of Arkansas: stolen laptops lead to important HIPAA settlements in the amount of $1,725,220.

Affinity Health Plan, Inc. settlement agreement resulted in a payment of $1,215,780 for impermissibly disclosing the PHI of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.


(41)

Consequences of HIPAA Breaches

The compliance issues OCR investigates most often are, in order of frequency:

1. Impermissible uses and disclosures of protected health information;

2. Lack of safeguards of protected health information;

3. Lack of patient access to their protected health information;

4. Lack of administrative safeguards of electronic

(42)

Consequences of HIPAA Breaches

The OCR may impose Civil Monetary Penalties for violations in the amount of:

1. Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation: $100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.

2. The HIPAA violation had a reasonable cause and was not due to willful neglect: $1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.

3. The HIPAA violation was due to willful neglect but the violation was corrected within the required time period: $10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.

4. The HIPAA violation was due to willful neglect and was not corrected: $50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.

(43)

Consequences of HIPAA Breaches

Criminal penalties:

Tier                                    Potential jail sentence
Unknowingly or with reasonable cause    Up to one year
Under false pretenses                   Up to five years
