ACCOUNTABLE HEALTHCARE IPA
HIPAA PRIVACY AND SECURITY
TRAINING
By: Jerry Jackson
Introduction
Welcome to the Privacy and Security Training course.
This course will help you understand and apply AHCIPA’s Privacy and Security policies and procedures.
HIPAA Law(s)
• Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191): the law requires that each person who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards.
• The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI).
HIPAA Law(s) Continued…
The HITECH Act requires covered entities to report data breaches affecting 500 or more persons to:
• The US Department of Health and Human Services,
• The news media, and
• The people affected by the data breaches.
• On November 30, 2009, the regulations associated with the enhancements to HIPAA enforcement took effect.
HIPAA Law(s) Continued…
Final Omnibus Rule
• Became effective on March 26, 2013
• Enhanced a patient’s privacy protections
• Provided individuals new rights to their health information, and
• Strengthened the government’s ability to enforce the law.
Protected and Confidential Information
Everyone is responsible for making sure that:
• We use the Protected Information about individuals appropriately
• We protect that information as required by HIPAA, by State of California laws and regulations applicable to the health care industry, and by our contracts with our customers, such as health plans
Officers
• The Privacy Officer serves to oversee the integration of privacy compliance, data protection, and privacy incident management.
• The Security Officer serves to oversee the establishment, implementation and management of an Information Security Program. This includes creating, administering, and overseeing policies and procedures to ensure the prevention, detection, containment, and
Who Does HIPAA Apply to?
Covered Entities
A covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction.
Types of Information to Protect
Protected Health Information (PHI) is individually identifiable and is subject to laws and regulations which place legal restrictions on what can or cannot be done with the information.
PHI (including demographics) relates to:
• Health care/medical claim data
• An individual’s health condition
• Health records, protected health information (PHI)
• Personally identifiable information (PII)
Types of Information to Protect
Personally Identifiable Information (PII) is a combination of one or more of the following data elements:
• First name or last name
• Social Security Number
• Driver’s License Number or State Identification Card Number
• Account Number, Credit Card or Debit Card Number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
PHI and PII can be in any form: oral, written, or electronic.
USES AND DISCLOSURES
When can PHI be shared without an Authorization?
For PHI and ePHI (electronic PHI), many accesses, uses, and disclosures within AHCIPA may be permitted for purposes of Treatment, Payment, and Health Care Operations (TPO).
The Privacy Rule permits a covered entity to use and disclose protected health information for TPO without restriction or the individual's consent (an authorized disclosure).
When can PHI be shared without an Authorization?
• Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including coordination of care by a provider with a third party, consultations between providers, and referrals to other providers.
• Payment means activities undertaken by a health care provider or a health plan to obtain or provide reimbursement for health care.
When can PHI be shared without an Authorization?
Health Care Operations refers to activities operationally undertaken by health plans, health care providers and clearinghouses, including:
• Quality assessment and improvement activities
• Case management and coordination of care
• Credentialing
• Conducting or arranging for medical review and auditing functions
• Business planning, business management and general administration
When can PHI be shared without an Authorization?
• Generally, if the access, use, and/or disclosure is not permitted under TPO, then PHI and PII can only be used or disclosed if the individual or authorized representative has given written authorization.
• Before accessing, using, or disclosing Protected Information, you must determine whether you are permitted to do so in that particular situation. If you have questions, contact the IPA's Privacy Officer.
Other Authorized Disclosures
• Disclosures to Business Associates
• Disclosures to Brokers, Agents and Consultants
• Disclosures to Law Enforcement and Public Health
• Disclosure of abuse, neglect, and domestic violence to a state or local authority, as required or permitted by law
• Disclosure of PHI to law enforcement, but only if the request is accompanied by a court order
• Disclosure of PHI to health oversight agencies
• Disclosures related to legal actions, if the information has been requested in a court order or by means of a subpoena
Other Authorized Disclosures Continued…
• Disclosure of PHI to coroners, medical examiners and funeral directors
• Disclosure of PHI to organ procurement agencies
• Disclosure of PHI for purposes of research
• Disclosure of PHI needed to prevent or lessen a serious or imminent threat to the health or safety of a person or the public
Accounting of Disclosures
• Upon written request, an individual has the right to receive a written accounting of certain disclosures of PHI made by AHCIPA spanning a period of up to 6 years.
• The identity of a person making a request for an accounting of disclosures of PHI must be authenticated.
• AHCIPA tracks disclosures of PHI/PII other than for the purposes of TPO. Any request for PHI/PII, other than for the purpose of TPO, must be authorized by the Privacy Office.
Authorization for Disclosure of PHI/PII
• An individual may provide a written authorization for the release of information. The authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, other than TPO, or to disclose protected health information to a third party specified by the individual.
• An individual can revoke their authorization at any time.
Marketing and Use of PHI/PII
AHCIPA may generally use and disclose PHI for purposes of marketing upon receipt of an authorization from any individual whose PHI may be used or disclosed for such purposes. In certain instances, however, AHCIPA may not be required to obtain an authorization from affected individuals.
INDIVIDUAL RIGHTS
Members’ Right to Inspect and Copy PHI
• Individuals have the right to inspect and obtain a copy and request amendment of medical information used to make decisions about their care and billing information.
• Individuals have the right to access and request that AHCIPA amend PHI/PII in the Designated Record Set (DRS).
Members’ Right to Confidential Communications
• AHCIPA must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of PHI by alternative means and/or at alternative locations.
• Also, AHCIPA accommodates an individual's request that health care communications regarding certain sensitive services be sent to an alternate address if the individual had, has, or will receive services that fall under
ADMINISTRATIVE REQUIREMENTS
Privacy Safeguards
AHCIPA must have appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI/PII.
All employees and contractors are required to maintain physical, technical, and administrative safeguards of systems and tools to ensure the security and availability of confidential information or PHI.
Improper Use or Disclosure
The risk of organizational or member harm includes:
• Identity theft
• Embarrassment
• Loss of goodwill
• Payment of penalties and fines
• Negative impact to the company’s business and reputation
• Personal liability of employees and contractors
• Criminal penalties
• A breach of contract
Rules To Protect Information
It is critical to safeguard physical property and information technology systems.
Physical Security
• Physical security means that we do not let unauthorized people into our facilities and that we keep our tools and documents containing PHI secure.
• Wear your photo identification badge at all times.
• Keep your desk clean! Make sure documents and other protected materials are securely stored.
• Paper documents containing PHI or confidential information should be discarded in a secure destruction container.
Information Security
• Desktop and laptop security means that we do not let unauthorized people use our computers and that we secure our computers appropriately when we are away from our work station.
• Information security means that we protect systems containing data with strong passwords and only send data outside of our system using appropriate and secure (encrypted) processes.
Computer Desktop/Laptop Security Rules
• You may not install or store unauthorized computer applications and material (games, music, data, etc.) on company-provided information technology systems.
• Always use Ctrl+Alt+Del and select Lock Computer when leaving your desk.
• Never leave your laptop in your car or somewhere unattended or unsecured.
• The use of removable storage media (e.g., external hard drives, CDs/DVDs, USB flash/thumb drives or memory cards) is prohibited without a security exception from Information Technology.
Misdirected Information
There are three common ways in which information can be misdirected:
• Paper Documents
• Faxing Information
• Emailing Information
Paper Documents
Ways that misdirected or unattended paper documents might create a privacy incident:
• Incorrect mailing address
• Improper disposal of documents
• Leaving documents unattended
Faxing Information
Faxing might create a privacy incident by:
• Sending a fax to the wrong number
• Sending a fax without a cover page
• Sending a fax without verifying that the receiver is available
Emailing Information
Emailing information might create a privacy or security incident by:
• Sending an email to the wrong person(s) (avoid using “Reply All” unless it is necessary).
• Sending an email externally without using Secure Delivery (encryption)
• Sending email to your home/personal web mail
Reporting Requirements and Incident Management
• You are required to report an actual or suspected privacy or security incident IMMEDIATELY, regardless of how many members are involved.
• AHCIPA strictly enforces a non-retaliation policy for employees and contractors who, in good faith, report suspected incidents.
Resources for Reporting
• A Supervisor/Manager
• The Privacy Officer at: 562-435-3333, ext. 350
• The Security Officer at: 562-435-3333, ext. 393
Data Security Risks
There are several different types of attacks to manipulate people into performing actions or divulging confidential information.
• Phishing
• Whale Phishing
• Spear Phishing
• Pretexting
Data Security Risks Continued…
• Phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company. Typically, the messages appear to come from well-known Web sites.
• Whale Phishing (Whaling) describes a phishing attempt where the target is a wealthy individual or the senior leadership of an organization.
• Spear Phishing describes a phishing attempt that targets a specific organization seeking unauthorized access to confidential data. These attempts are not typically initiated by “random hackers,” but are more likely to be conducted by perpetrators out for financial gain or trade secrets.
Data Security Risks Continued…
• Pretexting is when an individual lies or tells a phony story to obtain privileged data. Pretexting often involves a scam where the liar pretends to need information. After establishing trust with the targeted individual, the pretexter might ask a series of questions designed to confirm key individual identifiers such as the individual’s Social Security Number, mother’s maiden name, place or date of birth, or account number.
• Trojan Horse is a program in which malicious or harmful code is contained inside apparently harmless
Consequences of HIPAA Breaches
• The Department of Health and Human Services Office for Civil Rights (OCR) enforces the health information privacy rights of members who participate in Federal Healthcare Programs. Its duties include investigations, voluntary dispute resolution, technical assistance, and enforcement.
• New York and Presbyterian Hospital and Columbia University: a data breach resulted in $4.8 million in HIPAA settlements for the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.
• QCA Health Plan, Inc., of Arkansas: stolen laptops led to a HIPAA settlement in the amount of $1,725,220.
• Affinity Health Plan, Inc.: a settlement agreement resulted in a payment of $1,215,780 for impermissibly disclosing the PHI of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.
Consequences of HIPAA Breaches
The compliance issues OCR investigates most often are, in order of frequency:
1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information;
4. Lack of administrative safeguards of electronic
Consequences of HIPAA Breaches
The OCR may impose Civil Monetary Penalties for violations in the following amounts:
1. The covered entity or individual did not know (and by exercising reasonable diligence would not have known) that the act was a HIPAA violation: $100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
2. The HIPAA violation had a reasonable cause and was not due to willful neglect: $1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
3. The HIPAA violation was due to willful neglect but was corrected within the required time period: $10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
4. The HIPAA violation was due to willful neglect and was not corrected: $50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.
Consequences of HIPAA Breaches
Criminal penalties:
Tier                                  Potential jail sentence
Unknowingly or with reasonable cause  Up to one year
Under false pretenses                 Up to five years