The benefits you need...
at the price you can afford...
from the name you know and trust
Privacy and Security Best Practices Guide
The Independence Blue Cross (IBC) Privacy and Security Best Practices
Guide highlights important information for Business Associates about
the HITECH Act and HIPAA requirements. IBC Business Associates
should review this guide to help prevent the unnecessary and costly
disclosure of IBC members’ protected health information. This
guide does not replace the terms of your HIPAA Business Associate
Agreement with IBC.
Questions? Contact the IBC Privacy Office
Mail: P.O. Box 41762, Philadelphia, PA 19101-1762
Call: 215-241-4735 or (888) 678-7005
Fax: 215-241-4023 or (888) 678-7006
Email: [email protected]
Important Definitions
What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. It is an important law that protects patients’ health care information. This law sets out standards of privacy and security that everyone in the health care industry must follow to ensure patient confidentiality.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.
What is the HIPAA Security Rule?
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is part of the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA contains incentives related to health care information technology in general (e.g., creation of a national health care infrastructure) and contains specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers. The HITECH Act also substantially expands the HIPAA Privacy and Security Rules and increases the penalties for violations of HIPAA, including applying the HIPAA privacy and security requirements directly to Business Associates.
What is a covered entity?
A covered entity, as defined by the Administrative Simplification standards, is one or more of the following:
• a health care provider that conducts certain transactions in electronic form (called here a “covered health care provider”);
• a health care clearinghouse;
• a health plan.
What is a Business Associate?
A Business Associate is a person who performs a function or activity on behalf of, or provides services to, a Covered Entity that involves Protected Health Information (PHI).
What is PHI?
Protected Health Information (PHI) is individually identifiable health information transmitted or maintained in any form or medium (including written, spoken, or electronic) related to:
• Health care. The provision of health care to an individual, or
• Health conditions. The past, present or future physical or mental health or condition of an individual, or
• Payment for care. The payment for the provision of health care to an individual, AND
• Identity. The individual’s identity (the information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual).
What is a breach?
A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
Privacy & Security Best Practices
Privacy and security policies and procedures
All Business Associates should develop, implement, and maintain policies and procedures concerning the use and protection of PHI.
Why is this important to me?
Your privacy and security policies and procedures are the foundation of your Privacy and Security program. They not only give your employees practical guidance on how to protect IBC member PHI, but also demonstrate your company’s commitment to protecting our members’ PHI. In addition, your Business Associate Agreement with IBC requires that Business Associates
“will develop, document, implement, maintain, and use appropriate administrative, technical and physical safeguards to preserve the integrity and confidentiality of, and to prevent non-permitted use or disclosure of, PHI created or received for or from IBC.”
Workforce training and management
All Business Associates should train their workforce members on their privacy and security policies and procedures. Business Associates must also develop and apply appropriate sanctions against workforce members who violate their privacy and security policies and procedures.
Why is this important to me?
As a Business Associate of IBC, you agreed to comply with the requirements of the HIPAA Privacy and Security Rules, both of which contain requirements regarding the training of workforce and management. Your workforce members include your employees, volunteers, trainees, and other persons whose conduct may be under the direct control of IBC (such as your employees working on-site at IBC).
For example, if a Business Associate sends one of its employees to work on-site at an IBC location, that individual is still an employee of the Business Associate, and it is the responsibility of the Business Associate to ensure that the employee has received training on the HIPAA Privacy and Security Rules and the HITECH Act.
The training of your workforce members is important to ensure their ongoing accountability for the security and privacy of IBC member PHI. It also makes them aware of the sanctions that may be taken in the event they fail to adhere to your company’s privacy and security policies and procedures.
Use and disclosure of PHI
All Business Associates should limit the use and disclosure of PHI they receive to those permitted under their Business Associate Agreement.
Why is this important to me?
The Business Associate Agreement you signed with IBC requires that you limit your use or disclosure of the IBC member PHI you create or receive to only those functions, activities, and services to be performed on IBC’s behalf or as required by law. You are also required to notify IBC if any disclosures of IBC member PHI are made pursuant to the Permitted Uses and Disclosures section of your Business Associate Agreement.
Failing to monitor and limit your company’s use or disclosure of IBC member PHI could result in a breach of our members’ PHI, which in turn could result in significant civil and criminal penalties and fines being assessed against you, the Business Associate.
The Minimum Necessary Standard
All Business Associates should take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.
Why is this important to me?
As a Business Associate of IBC, you agreed to comply with the Minimum Necessary Standard in that your use, disclosure, or request of PHI shall utilize only the minimum necessary PHI to accomplish the intended purpose of the use, disclosure, or request. This means that not only will you use only the minimum amount of data necessary to complete the task, but that IBC will only send the minimum amount of data to complete the task.
If you believe that IBC is sending more data than is necessary to complete the intended task, please report this information to the IBC Privacy Office at [email protected].
Data safeguards
All Business Associates should maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to an otherwise permitted or required use or disclosure.
Why is this important to me?
As a Business Associate of IBC, you agreed to implement administrative, physical, and technical safeguards consistent with (and as required by) the Security Standards that reasonably protect the confidentiality, integrity, and availability of Electronic PHI that any other Business Associate creates, receives, maintains, or transmits on behalf of IBC. Examples of these administrative, physical, and technical safeguards include, but are not limited to:
• All Business Associate systems used for support or connectivity that contain IBC member PHI must meet or exceed IBC Security Standards.
• IBC member PHI must be adequately segmented on the Business Associate’s network to limit external and internal vendor access to appropriately authorized individuals.
• Business Associates must have effective perimeter controls such as firewalls in place for network segments that house IBC member PHI.
• There must not be any trusted host relationships between computers connected to any Business Associate systems and subcontractors.
• Business Associates must encrypt all IBC member PHI on their systems (at rest) using an industry-standard encryption mechanism.
• Business Associate transmission of IBC member PHI (data in flight) must be encrypted or sent via a secure communication channel, both to and from IBC and to subcontractors. Unencrypted email, CDs, tapes, thumb drives, or other storage media must not be used to send or distribute IBC member PHI to IBC or subcontractors.
• For physical data (i.e., paper-based data or data on tapes or other removable media), physical security controls commensurate with the sensitivity of the data must be implemented to protect the data from loss or theft. For example, clear desks and working areas so that all IBC member data is properly secured outside of regular working hours and when support for IBC systems is finished.
• Protect information used to access computers, networks, or systems, including complying with IBC Password Standards when supporting or accessing IBC systems. Protecting information used to access computers ultimately protects your company as well as IBC.
• In addition to any other specific contractual requirements, whenever Business Associates provide services onsite at any IBC location, Business Associates must conduct themselves in accordance and comply with all IBC policies and procedures, including, but not limited to, policies addressing the confidentiality of all visible and audible IBC member PHI and the policy prohibiting the sending of IBC member PHI to personal email accounts.
• Business Associates entering IBC processing facilities, operating centers, data storage areas, wiring areas, or other areas that allow access to IBC proprietary/sensitive data must obtain prior written approval from IBC and must be accompanied at all times by an appropriately authorized IBC employee.
Mitigation
All Business Associates should mitigate, to the extent practicable, any harmful effect they learn was caused by the use or disclosure of PHI by their workforce or their Business Associates in violation of their privacy policies and procedures or the Privacy Rule.
Why is this important to me?
As a Business Associate of IBC you agreed to mitigate, to the extent practicable, any harmful effect resulting from a use or disclosure of PHI (regardless of form) by your company in violation of the requirements of your Business Associate Agreement.
If the steps taken to mitigate the material breach or violation are unsuccessful, IBC has the right to terminate the agreement with your company and may report the violation to the Department of Health and Human Services.
Breach reporting
All Business Associates are required to report any access, use, or disclosure of PHI not permitted under their Business Associate Agreement.
Why is this important to me?
As a covered entity, IBC is required to comply with numerous federal and state regulations regarding the reporting of disclosures of our members’ PHI. As a Business Associate of IBC you are required to notify the IBC Privacy Office within two business days of any access, use or disclosure of PHI that is not permitted under your Business Associate Agreement so that we can comply with our state and federal reporting requirements.
In addition, the HITECH Act also requires that if a breach of unsecured PHI occurs at or by a Business Associate, the Business Associate must notify the covered entity following the discovery of the breach.
Subcontractors
Any agent, including a subcontractor or other downstream entity, that works at the direction of or on behalf of a Business Associate and handles PHI is also required to comply with the applicable Privacy and Security Rule provisions in the same manner as the first-tier Business Associate, and likewise would incur liability for acts of noncompliance.
Why is this important to me?
As a Business Associate of IBC, you have agreed that all of your subcontractors or agents will comply with the same restrictions and conditions that apply to your company under your Business Associate Agreement with IBC.
You have also agreed to notify IBC of any plan to use offshore subcontractors or offshore locations, and to receive prior written approval from IBC before any disclosure of PHI to that subcontractor or location.
It is important that subcontractor and offshore location information be provided to IBC so that IBC can meet the requirements set by outside entities such as the Centers for Medicare and Medicaid Services.
Privacy and security obligations after contract ends
In the event a contract with a Business Associate is terminated, cancelled, expires, or concludes for any reason, the Business Associate is required to continue to protect the privacy and security of the PHI created, received, maintained, or transmitted pursuant to its agreement with IBC.
Why is this important to me?
As a Business Associate of IBC, your obligation to protect the privacy and security of the PHI you created, received, maintained, or transmitted in connection with services you provided under your Arrangement/Agreement with IBC will survive termination, cancellation, expiration, or other conclusion of the Arrangement/Agreement.
Any breach of these obligations is to be reported to IBC immediately upon discovery.
Additional Information Regarding HIPAA and the Privacy and Security Rules
For more information regarding HIPAA and the Privacy and Security Rules, please visit the Office for Civil Rights website at:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
2012-0257 (08/2012) Independence Blue Cross is an independent licensee of the Blue Cross and Blue Shield Association.