What do you need to know?
DISCLAIMER
Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH Act developments. It is not intended, nor should it be used, as a substitute for specific legal advice.
HIPAA Regulations
Rate your practice’s current compliance.
Are you HIPAA Compliant right now?
Privacy Rule compliance requirements
Security Rule compliance requirements
Breach notifications requirements
Documentation
Audits
Recent Breaches in the News
Recent Breaches and their Costs!
Experts: Lack of HIPAA basics cost BCBST $18.5 million
Basic compliance 101—policies, training, monitoring, and risk assessments—may have saved Blue Cross Blue Shield of Tennessee (BCBST) millions, experts say.
Instead, the health insurer agreed to a $1.5 million settlement with the Office for Civil Rights (OCR) over potential HIPAA security violations and spent another $17 million in breach response costs.
In the fall of 2009, BCBST reported to OCR that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained protected health information (PHI) for more than one million individuals, including member names, Social Security numbers, diagnosis codes, birthdates, and health plan identification numbers.
WHY SHOULD I CARE?
OCR's investigation of Phoenix Cardiac Surgery PC (a 2-physician practice)
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf
The practice:
failed to implement adequate policies and procedures to appropriately safeguard patient information;
failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
failed to identify a security official and conduct a risk analysis;
failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
Corrective Action Plan required
Penalty: $100,000
Reputation impact?
OCR Findings from 2005-2010
Does your practice have a designated HIPAA Privacy Officer?
Failure to demonstrate adequate policies and procedures or safeguards to address response to and reporting of security incidents
Security awareness and training
Access controls
Information access management
Workstation security
HIPAA Privacy Rule
45 CFR Part 160 and Part 164, Subparts A and E.
Designate a HIPAA Privacy Officer
Update your Notice of Privacy Practices
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
New additional patient rights related to the privacy of their information and their access to it.
Conduct compliance audits
Conduct annual training of staff on Privacy Rule policies and procedures
Document all disclosures according to the Privacy Rule.
HIPAA Security Rule
45 CFR Part 160 and Part 164, Subparts A and E.
Accountability, penalty, and prosecution for disclosure of/access to ePHI
Protecting ePHI at rest, in transit, and in destruction.
Breach Reporting
Auditing
3 sets of Safeguards (standards)
Administrative
Physical
Technical
BREACH NOTIFICATION RULE
HITECH ACT SECTION 13402
Definition of a “Breach”
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
Requirements
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary of HHS and, in certain circumstances, the media. In addition, Business Associates must now notify covered entities of a breach if it occurred due to their actions or processes.
BREACH NOTIFICATION RULE
Individual Notice - within 60 days of breach
First class mail
Include a description of the breach, a description of the data involved, protective steps for individuals, and an action plan to resolve, mitigate and prevent further breaches.
For affected individuals whose contact information is unknown or out of date, notification should be made via an announcement on the covered entity's website or in local media where the affected individuals reside.
Media Notice - within 60 days of breach
For breaches affecting more than 500 patients
Include a description of the breach, a description of the data involved, protective actions for individuals, and an action plan to resolve, mitigate and prevent further breaches.
BREACH NOTIFICATION RULE
Notice to the Secretary of Health and Human Services
For breaches of fewer than 500 individuals
File a report on the HHS website annually
For breaches of more than 500 individuals
File a report on the HHS website within 60 days of the breach.
Notification by Business Associates
Business Associates are required to notify the Covered Entity upon discovery of any breach within 60 days.
The Business Associate should provide the Covered Entity with the identification of each individual affected by the breach as well as any information required to be provided by the Covered Entity in its notification to affected individuals.
Documentation
HIPAA Privacy Rule Policies and Procedures
Accounting of disclosures
Notice of Privacy Practices
Record of periodic workforce training
HIPAA Security Rule Policies and Procedures
Documentation of periodic risk assessments
Record of Security Audits
Record of periodic workforce training
Auditing
Need to have written policies and procedures stating how often and what you will be monitoring and reviewing:
Audit logs
Access reports
Security incident tracking reports
Documentation of user access roles and the granting/revocation of access upon termination or change in user role.
HIPAA Audits Protocol
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
78 Privacy Rule Audit protocols
77 Security Rule Audit protocols
10 Breach Notification Rule Audit protocols
A Few Last Thoughts
Form a TEAM at your practice; include one member from each area: providers, nursing, billing, front desk.
Perform a risk assessment to identify how ePHI is created, used, transmitted, and disposed of.
Designate a HIPAA Privacy and Security Officer.
Create and maintain updated policies and procedures.
Develop and document your practice’s breach notification procedures.
Periodically monitor your systems (audit).
Consider email encryption if you need to email ePHI.
Resources
HIPAA Privacy Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
HIPAA Security Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
HIPAA Breach Notification Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
HIPAA Audit Protocols
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
HIPAA Consultants (education, training, consulting)
HCPRO Blogs - http://blogs.hcpro.com/hipaa/
ecFirst - http://www.ecfirst.com/
Clearwater Compliance - http://clearwatercompliance.com/