FIVE “EASY” STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois (c) 2013 James J. Eischen, Jr., Esq.

Page 1

FIVE “EASY” STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

James J. Eischen, Jr., Esq.

October 2013, Chicago, Illinois

(c) 2013 James J. Eischen, Jr., Esq.

Page 2

JAMES J. EISCHEN, JR., ESQ.

• Partner at Higgs, Fletcher & Mack, LLP
• 26+ years of experience as an attorney in California
• Experience in the healthcare field: medical groups, EHR firms, health coaching enterprises and healthcare products
• Graduated from the University of California at Davis School of Law
• Professional memberships: San Diego County Bar Association Law & Medicine Section, Attorney-Client Relations Committee, State Bar of California Section Member, AAPP Corporate Secretary

Page 3

STEP ONE

Understand The Purpose Of HIPAA

Page 4

WHAT IS HIPAA?

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
  – The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for the protection of certain health information.
  – The Security Rule (Security Standards for the Protection of Electronic Protected Health Information) establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).
  – Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Page 5

KEY TERMS

• “Unsecured” PHI
  – PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons by a method specified by HHS
    • Encryption and destruction
• ePHI
  – Electronic PHI
• Breach
  – Acquisition, access, use or disclosure of PHI
  – PHI security or privacy is compromised

Page 6

STEP TWO

Look At Basic HIPAA Compliance (Privacy And Security Rules)

Page 7

SECURITY RULE

• Prior to HIPAA, there were no generally accepted federal security standards or general requirements for protecting health information.
• New technologies are evolving. The health care industry is moving away from paper processes to electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.
• Providers use clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems.
• Security Rule: protects the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.
• The Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ ePHI.

Page 8

SECURITY RULE APPLIED

• The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.
• Specifically, covered entities must:
  – Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
  – Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  – Protect against reasonably anticipated, impermissible uses or disclosures; and
  – Ensure compliance by their workforce.

Page 9

PRIVACY RULE: CONFIDENTIALITY

The Privacy Rule defines “confidentiality” to mean that ePHI is not available or disclosed to unauthorized persons. The Privacy Rule prohibits improper uses and disclosures of ePHI.

Page 10

SO, WHAT SECURITY MEASURES MUST BE IMPLEMENTED?

• The Security Rule does not dictate measures, but requires the covered entity to consider:
  – Its size, complexity, and capabilities,
  – Its technical, hardware, and software infrastructure,
  – The costs of security measures, and
  – The likelihood and possible impact of potential risks to e-PHI.
• Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.

Page 11

http://www.ama-assn.org/resources/doc/washington/hipaa-phi-encryption.pdf

Page 12

STEP THREE

Evaluate What Changed With The Omnibus/Final Rule

Page 13

BEFORE AND AFTER OMNIBUS RULE

• Before
  – BAs regulated through BAAs
• After
  – BAs and subcontractors regulated directly under HIPAA
  – BAs are CEs, and must comply with the Security Rule

Page 14

EXPANDED DEFINITION OF CE

• CE: on behalf of a covered entity (CE), creates, receives, maintains or transmits PHI
• Subcontractor of a BA
  – Role + responsibilities of BA = CE
• BA requirements/exposure are not defined simply by being a party to a BAA

Page 15

NOT A BA

• Those who simply provide “transmission services”
  – Digital couriers or “mere conduits”
• But if you store personalized ePHI, even if you do not view it, you are a BA/CE

Page 16

SUBCONTRACTORS

• Contract between the CE’s BA and the BA’s subcontractor must satisfy the BAA requirements
• Subcontractor of a subcontractor of a subcontractor of a subcontractor: ALL BAs
• HIPAA/HITECH obligations apply to subcontractors

Page 17

OMNIBUS/FINAL RULE

• All covered entities must review documentation including business associate agreements, notice of privacy practices, and their policies and procedures to ensure compliance with the Final Rule
• BAA and NPP MUST BE UPDATED

Page 18

PRESUMPTION OF BREACH

• Interim Final Rule
  – Risk assessment to determine if unauthorized ePHI access, use or disclosure caused harm
  – No presumption of a breach
• Final Rule
  – Unauthorized access, use or disclosure presumed to be a breach unless the CE determines a low probability that ePHI was compromised

Page 19

POTENTIAL BREACH EVALUATION

• CE must evaluate
  – Nature and extent of ePHI
  – Unauthorized person who used ePHI
  – To whom disclosure was made
  – Whether ePHI was actually viewed or acquired
  – How risk was mitigated

DOCUMENT, DOCUMENT, DOCUMENT AND THEN DOCUMENT SOME MORE

Page 20

BREACH NOTIFICATION

• BA must provide notice of breach
  – To CE
  – Breach treated as discovered as of the 1st day when known or would have been known
    • When, by exercising reasonable diligence, would the breach have been known?
• Subcontractor BA gives notice to BA

Page 21

ELECTRONIC ACCESS

• “Reasonable” safeguards
• If the PHI owner wants PHI sent unencrypted, the CE needs to let the individual know of the risks
  – DOCUMENT ePHI OWNER’S CONSENT
• Secure mechanism
• Electronic “machine readable copy”
  – Can be used on a computer
  – PDFs
• If a PHI owner asks for a specific format, the CE needs to accommodate when possible

Page 22

FEES CHARGED FOR ELECTRONIC RECORDS?

• Labor costs only
  – Retrieval costs or capital costs not allowed to be charged
• Supplies upon request can be charged
• Best practice is to list fees on the authorization/consent form itself

Page 23

ACCESS TO THIRD PARTIES

• Individual can request the CE to send ePHI to another individual
  – In writing
    • Electronic OK but verification needed
  – Identify who is the receiver
• PHI must still be protected when sent to a third party

Page 24

RESTRICTIONS/ACCOUNTING RULE

• Individual can restrict ePHI to health plan when paying out of pocket in full for a service (Accounting Rule)
• CEs need to develop how to track restrictions
• CEs submit restricted ePHI for required audits when “required by law”

Page 25

STEP FOUR

Identify Necessary HIPAA Compliance Steps

Page 26

Update Your Documentation!

Page 27

HIPAA COMPLIANCE: BASIC DOCUMENTATION

• Notice of Privacy Practices (NPP)
• Business Associate Agreement (BAA)
• Internal risk analysis memo
• Practice’s written office procedures and processes must be examined thoroughly
• Evaluate risks and decide how to address those risks

Page 28

SO, WHAT DO I DO?

• Update BAA
• Update NPP
• Update internal risk assessment memo
• Ensure electronic records access is not subject to unlawful charges

Page 29

STEP FIVE

Electronic Communications, Scheduling & Records Management

Page 30

HIPAA/PRIVACY COMPLIANCE WITH ELECTRONIC COMMUNICATIONS

Electronic data storage of any kind = HIPAA

Page 31

SHOULD MY PHYSICIAN-PATIENT AGREEMENT DEAL WITH ELECTRONIC COMMUNICATIONS?

• Not recommended!
• Need a separate ePHI agreement for risk management/HIPAA compliance
• HIPAA Final Rule: non-compound ePHI consent

Page 32

CHECK MARKETING/PRACTICE COMMUNICATION PLATFORMS FOR COMPLIANCE

• Website
• Calendar/Scheduling
• FAQs
• Patient letters
• Staff training!!!
• Is this all really necessary? (Hint: the correct answer is not “no”)

Page 33

So What Can Go Wrong Anyway?

Case Study: Arizona cardiologist fined $100,000 and ordered to take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

Page 34

WHAT WENT WRONG?

• Inadequate internal risk analysis
• Lack of staff training
• No BAA with outside IT vendor for web calendar
• Bottom line: an internal risk analysis memo and awareness of patient privacy rights can avoid fines/penalties

http://www.healthcareitnews.com/news/phoenix-practice-pay-100000-settle-hipaa-case

Page 35

QUESTIONS?

James J. Eischen, Jr., Esq.
Office: (619) 819-9655
Email: [email protected]
jeischenjr
http://www.assessmentandplan.com
http://www.higgslaw.com