Post on 20-Dec-2015
Anant Vyas, Privacy in Data Management: CS295D
University of California, Irvine
CS295d:Privacy in Data Management University of California, Irvine 1
Why HIPAA?
More than 25 cents of every health-care dollar is spent on administration
More than 450 billing forms
National changes requested by providers
Increasing public concern around privacy
Highly public breaches of privacy
Health Insurance Portability & Accountability Act (HIPAA)
In August 1996, President Clinton signed into law the Public Law 104-91, Health Insurance Portability and Accountability Act (HIPAA).
The Act included provisions for health insurance portability, fraud and abuse control, tax related provisions, group health plan requirements, revenue offset provisions, and administrative simplification requirements.
HIPAA's Intent
Improve efficiency and effectiveness of health care system
The HIPAA Privacy Rule for the first time creates national standards to protect the privacy of individuals’ medical records and other personal health information.
Creates standards for the security of health information
Creates standards for electronic exchange of health information
What HIPAA Doesn't Do
It doesn't:
force your employer to offer or pay for health insurance coverage.
guarantee that all those in the workforce will get health coverage.
control how much an insurance company can charge for group coverage.
force group health plans to offer specific benefits.
allow you to keep the exact same health insurance plan that you had at your old job when you go to a new job.
eliminate the use of pre-existing condition exclusions.
replace your specific state as the primary regulator of health insurance.
HIPAA SPEAK
Individually Identifiable Health Information (IIHI): information related to an individual; the provision of health care to an individual; or payment for health care, and that identifies the individual or gives a reasonable basis to believe the information can be used to identify the individual.
Health information + Identifiers (18 defined) = IIHI
HIPAA SPEAK (contd.): 18 Identifiers
(1) Names;
(2) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code;
(3) All elements of date (except year) for dates directly related to an individual, including birth date etc.;
(4) Telephone numbers;
(5) Fax numbers;
(6) Electronic mail addresses;
(7) Social security numbers;
(8) Medical record numbers;
(9) Health plan beneficiary numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including license plate numbers;
(13) Device identifiers and serial numbers;
(14) Web Universal Resource Locators (URLs);
(15) Internet Protocol (IP) address numbers;
(16) Biometric identifiers, including finger and voice prints;
(17) Full face photographic images and any comparable images; and
(18) Any other unique identifying number, characteristic, or code.
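As an added illustration (not part of the original slides), the following Python sketch applies the 18-identifier list above as a de-identification pass over a constructed patient record: fields holding direct identifiers are dropped, dates are reduced to the year, geography below the state level is removed, and identifier-like tokens that leak through free text are redacted. The field names, regular expressions and sample record are assumptions, not a real schema.

```python
import re
from datetime import date

# Constructed field names mapped onto identifier categories (1)-(18) above;
# a real schema would differ. "state" is kept because only subdivisions
# smaller than a state count as identifiers.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_plate", "device_serial", "url",
    "ip_address", "biometric", "photo",
}
# Date fields: every element except the year is removed.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
# Identifiers that commonly leak through free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def deidentify(record):
    """Return (clean_record, removed_fields) for one patient record."""
    clean, removed = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            removed.append(key)  # dropped entirely
        elif key in DATE_FIELDS:
            # keep only the year, e.g. birth_date -> birth_year
            clean[key.replace("_date", "_year")] = date.fromisoformat(value).year
        elif isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[{label.upper()} REMOVED]", value)
            clean[key] = value
        else:
            clean[key] = value
    return clean, removed


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe", "street_address": "12 Elm St", "city": "Irvine",
    "state": "CA", "zip": "92697", "birth_date": "1980-05-17",
    "admission_date": "2015-11-02", "mrn": "MRN-0042", "diagnosis": "E11.9",
    "notes": "Patient reachable at jane@example.com or 949-555-0101.",
}

if __name__ == "__main__":
    cleaned, dropped = deidentify(SAMPLE_RECORD)
    print("dropped:", dropped)
    print("retained:", cleaned)
```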
HIPAA SPEAK (contd.)
Use (of IIHI): sharing within the entity. For example, when members of the covered entity's workforce share IIHI.
Disclosure (of IIHI): sharing outside the entity. For example, sharing IIHI with someone who is not a member of the covered entity's workforce.
HIPAA SPEAK (contd.)
Protected Health Information (PHI): Individually Identifiable Health Information maintained by a CE, whether electronic, paper or oral, that was created or received by a health care provider, public health authority, employer, school or university.
HIPAA SPEAK (contd.)
Covered Entity: a health care provider, health plan or health care clearing house who transmits any health information in electronic form in connection with HIPAA regulations.
HI vs. IIHI vs. PHI: Difference?
HIPAA: Title I
Health Care Access, Portability, and Renewability
Protects health insurance coverage for workers and their families when they change or lose their jobs
It amended the Employee Retirement Income Security Act, the Public Health Service Act, and the Internal Revenue Code.
HIPAA: Title II
Standards for Electronic Transactions
Implementation of a national standard for electronic health care transactions
All transactions to be processed using the same electronic format
Unique Identifiers Standards
All health care providers, plans and clearinghouses to use the NPI (national provider identifier)
HIPAA: Title II Rules
Administrative Simplification rules, 5 rules:
Privacy Rule, Transactions and Code Sets Rule, Security Rule, Unique Identifiers Rule, Enforcement Rule.
HIPAA Privacy Rule
The Privacy Rule took effect on April 14, 2003
Establishes regulations for the use and disclosure of Protected Health Information (PHI)
What does the HIPAA Privacy Rule do?
It gives patients more control over their health information.
It sets boundaries on the use and release of health records.
It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.
HIPAA Security Rule:
Issued on February 20, 2003. It took effect on April 21, 2003.
Deals specifically with Electronic Protected Health Information (EPHI) i.e. individually identifiable information that is in electronic form.
HIPAA Security Rule (contd.):
Confidentiality? Integrity? Availability?
HIPAA Security Rule (contd.):
“ To ensure reasonable and appropriate administrative, technical, and physical safeguards that insure the integrity, availability and confidentiality of health care information, and protect against reasonably foreseeable threats to the security or integrity of the information.”
Security Rule: 4 Categories
Administrative Procedures
Physical Safeguards
Technical data security services
Technical security mechanisms
Administrative Procedures: 12 Requirements
1. Certification
2. Chain of Trust Agreements
3. Contingency Plan
4. Mechanism for processing records
5. Information Access Control
6. Internal Audit
7. Personnel Security
8. Security Configuration Management
9. Security Incident Procedures
10. Security Management Process
11. Termination Procedures
12. Training
Physical Safeguards: 6 Requirements
1. Assigned Security Responsibility
2. Media Controls
3. Physical Access Controls
4. Policy on Workstation Use
5. Secure Workstation Location
6. Security Awareness Training
Technical Data Security Services: 4 Requirements
1. Access Control
2. Audit Controls
3. Data Authentication
4. Entity Authentication
Guiding principles
The Security Rule is based on several important principles:
Scalability
Comprehensiveness
Technology neutral
Internal and external security threats
Risk analysis
Non-Compliance
CEs that do not comply with the Security Rule requirements are subject to a number of penalties.
Civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Transaction Rule
July 1, 2005
The transaction rule covers several key EDI transactions.
Although many companies were already developing standardized EDIs, there still wasn't an industry standard before the rule was put in place.
Transaction and Code Set Rule: "Speak the Same Language"
Health Care Claim or Encounter (837)
Health Care Claim Payment and Remittance (835)
Health Care Claim Status Inquiry/Response (276, 277)
Health Care Eligibility Inquiry/Response (270, 271)
Enrollment and Disenrollment in a Health Plan (834)
Referral Certification and Authorization (278)
Health Plan Premium Payments (820)
Health Care Claim Attachments (delayed)
First Report of Injury (delayed)
Compliance Deadlines:
Privacy: April 14, 2003
Security: Fall 2004
Transactions & Code Sets: October 16, 2005
Identifiers: Fall 2004
Some common reactions
HIPAA is an unfunded mandate.
It's an IT issue (like Y2K).
It is someone else's problem (State's, Health's, IT's).
Local agencies are waiting for direction from State, County, Fed…
Compliance issues
Compliance is Increasingly an Issue
The number of HIPAA Privacy Rule compliance and enforcement complaints has continually increased over the years [1].
Complaints Are Consistently Related to Data Privacy
Three of the top five Privacy Rule complaints are data privacy issues:
Impermissible uses and disclosures – e.g. providing PHI to external partners
Safeguards – e.g. PHI is not protected in computer systems
Access – e.g. PHI is accessible to those without a need to know
Examples of PHI Leaking Out
Example 1: Safeguards
A flaw in a national health maintenance organization's computer system sent explanation of benefits to a patient's unauthorized family member. This flaw put the PHI of approximately 2000 families at risk in violation of the Privacy Rule.
Example 2: Impermissible Disclosures and Safeguards
A municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors who were not business associates. This flaw put PHI in the hands of an uncovered entity who could have used it for a variety of harmful purposes.
These examples ended with minimal public impact and were remedied with improved security procedures and controls.
But, what if this PHI had gotten into the wrong hands?
Worst Case Scenario: HIPAA Data Theft
The owner of a Florida claims handling system, Fernando Ferrer, Jr, was convicted of illegally buying PHI from a clinic employee and then submitting fraudulent claims to collect on the resulting payouts. The clinic employee downloaded the PHI of more than 1,100 patients and sold the information to Ferrer.
This theft resulted in the submission of more than $7 million in fraudulent Medicare claims with $2.5 million paid to providers and suppliers.
The risk of such a scenario increases substantially without the necessary controls in place to lock down and minimize the PHI in an enterprise.
Conclusion?
HIPAA has had a large effect on the industry today.
The type of health information being recorded is changing.
In the end a great act!