HIPAA COMPLIANCE IN YOUR PRACTICE
MARIBEL VALENTIN, ESQUIRE

Transcript of HIPAA COMPLIANCE IN YOUR PRACTICE, MARIBEL VALENTIN, ESQUIRE.

OBJECTIVES

To understand the legal requirements under the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and state law special protections.

DEFINITIONS

Health care provider means a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

A business associate includes: a health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI; and a person that offers a personal health record (PHR) to one or more individuals on behalf of a covered entity.

DEFINITIONS cont.

The Standards or Code of Conduct establish the practices and ethical rules through which an entity implements a culture of compliance and integrity in the handling of Protected Health Information (PHI).

Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form.

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

Federal requirements:
- Privacy - effective since April 14, 2003
- Security - effective on April 21, 2005
- HITECH - effective on February 11, 2010
- Breach Notification Requirements

Requires healthcare organizations to maintain the privacy and security of Protected Health Information (PHI).

HIPAA vs. State Law

When state law is more restrictive than the federal HIPAA Regulations, state law prevails.

- Requires patient authorization prior to release
- State law additional requirements may vary from state to state

UNDERSTANDING PHI

PHI is any and all information about a patient's health that identifies the patient, or information that could identify the patient. As a rule of thumb, any patient information that you see, hear or say must be kept confidential.

PHI is information that can individually identify a patient. PHI can include any type of information found in medical and billing records, for example: diagnoses, test results, progress notes, etc., as well as name, address, phone, Social Security Number and photographs.

HIPAA PATIENT PRIVACY RIGHTS

- Right to Notice
- Right to Amend
- Right to Access
- Right to an Accounting of Disclosures
- Right to Request Restrictions
- Right to Request Confidential Communications
- Right to Notification of a Security Breach
- Right to File a Complaint

HIPAA DISCLOSURES

How much PHI can we share?

All disclosures are subject to a determination that the PHI disclosed is the MINIMUM NECESSARY for the lawful purpose.

What is Minimum Necessary?

HIPAA allows the use of PHI for these purposes:

- Payment: insurance companies
- Treatment: physicians, providers, nursing and ancillary staff
- Operations: risk management, quality improvement, peer review

Preventing Unauthorized Disclosures

Do not:
- Discuss patient information in public areas
- Position computer screens, or leave the computer unattended, so that unauthorized persons may view the private data
- Leave medical records unattended
- Remove records containing PHI from the facility
- Disseminate reports containing PHI via unsecured methods
- Use FAX preprogrammed settings or redial before confirming the number

The Security Rule

Ensure the confidentiality, integrity and availability of all electronic Protected Health Information (ePHI).

Confidentiality: that patient information is not made available or disclosed without proper authorization.

Integrity: that patient information has not been altered or destroyed.

Availability: that patient information is accessible and usable upon demand by an authorized person.

Security Safeguards

Administrative - Developing information security programs designed to protect ePHI and to manage the conduct of the workforce in relation to the use of the protected information.

Physical - Ensuring the physical protection of information systems, including the protection of related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Technical - Identifying the technology to be utilized and ensuring procedures are in place to protect ePHI and to control access to it.

The Health Information Technology for Economic and Clinical Health Act (HITECH)

HITECH amends HIPAA to create new enforcement provisions and expanded civil and criminal penalties ranging from $100 to $50,000 per violation, and calendar year penalty caps ranging from $25,000 to $1.5 million.

Any unauthorized disclosure is a breach unless the Covered Entity can show by objective proof that there is a low probability that the information was compromised.

Anyone that has regular access to PHI to perform a function on behalf of a Covered Entity is a Business Associate.

Monitoring and Enforcement

The Compliance Program

A compliance program is designed to develop and ensure effective internal controls that promote best practices and adherence to all applicable Federal and State legal or regulatory requirements, including HIPAA Privacy and Security compliance.

Elements of a Compliance Program

- Standards or Code of Conduct
- Designation of a Privacy Officer
- Access to a Compliance Hotline
- Policies and Procedures (Administrative Safeguards)
- Education (training)
- Monitoring (oversight)
- Enforcement (cons)

Reporting

HIPAA violations should be reported to the Privacy Officer for investigation. Every covered entity must identify a Privacy Officer.

Investigations

If the infraction is confirmed as a security breach, then the following must occur:
- The patient is notified
- The Department of Health and Human Services is notified
- An action plan is developed to mitigate harm
- Policies are enforced

Enforcement

Enforcement activities should be consistent regardless of who the person involved in the infraction is.

Same facts - same outcome.

Who is a Business Associate?

Any individual or entity that creates, maintains or transmits PHI on a regular basis when performing a function on behalf of the covered entity is a business associate.

Another covered entity may be a Business Associate.

Conduits

If the information is delivered by courier, the courier is not a business associate because they are not accessing the information; they are acting as a mechanism to transfer data, or a "conduit".

Agents

A Covered Entity may be liable for the acts of an agent. Independent contractors may be agents if the covered entity has control over the contractor's activities.

What is a Breach?

A breach is an unauthorized disclosure where the information released is usable, readable and decipherable. This includes data in motion and data at rest.

Breach Notification Procedures

The presumption of a breach may only be rebutted if the covered entity can show through objective evidence that the disclosure posed a low probability that the PHI was compromised.

If you determine that a breach has occurred, you must notify, correct the problem, enforce your policies and procedures and make the appropriate notifications.

- If the breach involves 1 to 499 patients: notify the patient within 60 days and HHS at the end of the calendar year.
- If the breach involves 500 or more patients: notify the patient, HHS and the media within 60 days.

Government Enforcement

The Office for Civil Rights (OCR) is charged with the enforcement of the Privacy, Security and HITECH regulations, including investigations of whether a security breach has occurred.

OCR will also conduct random audits of compliance with the Privacy and Security Rules.

Penalties

- 1st Tier - Did not know and would not have known: at least $100/violation, not to exceed $25,000 per year
- 2nd Tier - Reasonable cause (not willful neglect): at least $1,000/violation, not to exceed $100,000 per year
- 3rd Tier - Willful neglect, corrected within 30 days: at least $10,000/violation, not to exceed $250,000 per year
- 4th Tier - Willful neglect, not corrected within 30 days: $50,000/violation, not to exceed $1.5 million per year

Questions?