HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT.


Transcript of HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT.

Page 1: HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT.

HIPAA

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

Page 2
- OMNIBUS FINAL RULE
- HITECH
- GINA
- HIPAA

Page 3: TERMINOLOGY
OMNIBUS FINAL RULE
- Issued January 23, 2013
- Effective March 26, 2013
- Modified HIPAA privacy and security rule
- HITECH modified to strengthen HIPAA; implemented the breach notification rule and raised the civil monetary penalties
- Included the Genetic Information Nondiscrimination Act of 2008 (GINA)
  - Genetic information can’t be used for underwriting
  - Is treated like PHI

Page 4: TERMINOLOGY
HIPAA – Health Insurance Portability & Accountability Act
- Enacted in 1996 so health insurance would be portable
- Compliance by October 16, 2002 for EMR/EHR
- Compliance by April 14, 2003 for privacy rules

Page 5: PRIVACY RULE
- Establishes a national standard for protection of PHI
- Addresses the use/disclosure of an individual’s PHI
- Gives individuals rights with respect to their PHI
- Policies and procedures must be in place to ensure that reasonable steps are taken to protect individual PHI.

Page 6: SECURITY RULE
- Establishes a national standard for protection of PHI that is held or transferred in electronic form.
- Addresses the technical and non-technical safeguards
- Implements three safeguards:
  1. Administrative – assignment of an individual to train and be responsible for security.
  2. Physical – how the electronic systems are protected in the environment.
  3. Technical – password protections; encryption

Page 7: TERMINOLOGY
HITECH – Health Information Technology for Economic & Clinical Health Act
- Provision under the Social Security Act
- Modified to strengthen HIPAA
- Modifications made significant changes

Page 8: HOW HITECH AFFECTS HIPAA
- Applies the same requirements and penalties to Covered Entities and Business Associates.
- Establishes mandatory federal privacy and security breach reporting requirements.
- Creates new privacy requirements, including new accounting of disclosures requirements.
- Establishes new criminal and civil penalties for non-compliance and new enforcement methods.
- All of these apply equally to Covered Entities and Business Associates.

Page 9: TERMINOLOGY
PHI – Protected Health Information
- Identifiable health information
- Includes written, verbal or electronic form used in records, social media, internet, intranet

Page 10: PHI IDENTIFIERS
This is the information that requires protection:
- Name and address, including zip code or other geographic codes
- Date of birth and age
- Telephone number, fax number, e-mail address
- Social security number, medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number; license plate number
- Web URL; IP address
- Finger or voice prints
- Photographs
- Any other unique identifying characteristic

Page 11: DE-IDENTIFICATION
- When the identifiers are removed from a patient’s information, it is considered “de-identified.”
- No longer considered PHI
- No restrictions on the use/disclosure
- There is no information that could easily identify the individual.

Page 12: TERMINOLOGY
Minimum Necessary Standard – Only the minimum necessary PHI is used, disclosed and requested to accomplish the intended purpose.
Breach – PHI has been used in a manner that compromises the security or privacy of the PHI.

Page 13: TERMINOLOGY
Incidental Use and Disclosure – The use/disclosure of PHI that is a result of, or “incident to,” a permitted use of PHI.
ELECTRONIC MEDIA – revised definition
- Hard drives, tapes, disks, memory cards, removable media
- Internet, intranet, private networks
- Does not include fax or telephone as electronic media transmission

Page 14: BUSINESS ASSOCIATE
- A person/entity, other than a member of the workforce, who performs functions/activities on behalf of or for a Covered Entity that involve the use/disclosure of PHI.
- A BA is also a subcontractor that creates, receives, transmits, or maintains PHI on behalf of another BA.
- BAs and subcontractors have to safeguard PHI “down the stream.”
- Typical BAs: billing service, collection agencies, answering service, EMR software vendor, labs, transcription

Page 15: BUSINESS ASSOCIATE AGREEMENT
- An agreement between a Covered Entity and a Business Associate, or between 2 BAs.
- Clarifies and limits permissible use/disclosure of PHI.
- Deadlines: If a BAA was in place as of 1/25/13 and is not due for renewal by 9/23/13, there is until 9/23/14 to update it. Otherwise, update by 9/23/13.

Page 16: BUSINESS ASSOCIATE EXCEPTIONS
- Health care providers concerning treatment of an individual: doctor to doctor; nurse to nurse; referrals
- Banking and financial institutions
- Government agencies determining eligibility, enrollment or benefits: Medicare, Medicaid, VA
- Pharmacies

Page 17: COVERED ENTITY
- Health Care Providers – conduct transactions in electronic form: physicians, clinics, dentists, nursing homes
- Health Care Clearinghouses – entities that process non-standard health information
- Health Plans – health insurance companies, HMOs, government health programs

Page 18: NOTICE OF PRIVACY PRACTICE
- Statements set out in a written document for patients regarding the use/disclosure of PHI that is allowed without authorization and that which requires authorization.
- Has to be displayed in a clear and prominent location.
- Must be provided to new patients, and a hardcopy has to be provided to anyone who asks for one.
- Has to be posted on the Covered Entity’s website, if applicable.
- Established patients must be made aware of changes.
- Requires a signed acknowledgement of receipt.

Page 19: PATIENT RIGHTS
Under the Final Rule and stated in the NPP:
- Right to request a restriction of uses/disclosures
  - CE may consider which restrictions to honor
- Right to access PHI
  - Only if maintained in electronic form
  - Do not have right to direct access to system
  - Can copy onto external device

Page 20: PATIENT RIGHTS
- Right to have an accounting of disclosures
  - An accounting is a record of each disclosure of each patient’s PHI for purposes other than treatment, payment or health care operations.
  - Can include the 6 years prior to the date on which the accounting is requested, and not before 2003.
  - Disclosures that do not need to be recorded: treatment, payment, disclosures made to the patient

Page 21: PATIENT RIGHTS
- Right to ask for a change in their medical record
  - If the individual believes there is an error or disagrees with what is in their EMR, they may ask for a change.
  - The Covered Entity, upon investigation, may or may not agree with the change.
  - Communication of the decision must be made in writing to the individual.
  - If there is a change, the original is not destroyed, but an addendum is made.

Page 22: AUTHORIZED PHI DISCLOSURES
- DECEDENT’S PHI: The healthcare provider may disclose PHI to family members/others involved in care prior to death, using the minimum necessary standard.
  - After 50 years, PHI is no longer protected.
  - Arkansas: spouse or parent may receive the autopsy report
- Student Immunizations to Schools: only require verbal authorization for release
- Public Health Activities: may report for the public health and safety, e.g., communicable diseases

Page 23: AUTHORIZATION REQUIRED
Must have valid written authorization for:
- Use/disclosure of psychotherapy notes.
- Use/disclosure for marketing purposes.
- The sale of PHI.

Page 24: BREACH NOTIFICATION RULE
- This Rule did not exist prior to the HITECH Act.
- If a breach occurs, a Risk Assessment has to be performed to determine if there was a low probability of compromised PHI. The risk of harm to the individual is not part of the assessment.
- Affected individuals have to be notified of the breach within 60 days from discovery of the breach.
- If more than 500 individuals have been affected, notice through prominent media outlets must occur; this is in addition to individual notices.
- HHS has to be notified if > 500 individuals are involved.

Page 25: Breach Notification
- Notifications to individuals are to be sent via first class mail to the last known address.
- Can be sent via e-mail or telephone if the address is out of date.
- Parents of minors, personal representatives of adults without capacity, and next of kin of deceased patients may be notified.
- If there is insufficient contact information for 10 or more individuals, the CE must put up a notice on its web site or in major print or broadcast media where the individuals reside.
- BA has the same requirements and must notify the CE.

Page 26: BURDEN OF PROOF
- The CE and BA have to demonstrate there is a low probability that the information used/disclosed was compromised.
- If they cannot clearly make this determination, it is treated as a breach.
- CE and BA must also demonstrate that all notifications were made.

Page 27: INVESTIGATION OF BREACH
- The Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS) enforces HIPAA.
- OCR is required to formally investigate a complaint. A complaint has to be filed within 180 days of the alleged violation.
- If the preliminary investigation indicates a possible violation, further investigation will expand into a compliance investigation.
- OCR tries to determine whether willful neglect is indicated.

Page 28: INVESTIGATION (CONT’D)
- The entity has 30 days to respond to OCR.
- If a violation or willful neglect is found, a civil monetary penalty for each violation can be imposed.

Page 29: CIVIL MONETARY PENALTIES
- Failure to comply with HIPAA can result in civil and criminal penalties.
- The HITECH Act:
  - significantly increased the amount of civil monetary penalties (CMP);
  - reduced the number of available affirmative defenses; and
  - required imposition of CMPs for all violations due to willful neglect, under a tiered liability structure.
- Prior to February 18, 2009, HIPAA violations were $100 each, and the most in one year for the same violation was $25,000. Now up to $50,000 per violation and $1.5 million in one year for the same violation.

Page 30: TIERED LIABILITY STRUCTURE
- Unknowing: The CE or BA did not know, and reasonably should not have known, of the violation.
- Reasonable Cause: The CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the CE or BA did not act with willful neglect.
- Willful Neglect – Corrected: The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the CE or BA corrected the violation within 30 days of discovery.
- Willful Neglect – Uncorrected: The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the CE or BA did not correct the violation within 30 days of discovery.

Page 31: MONETARY PENALTIES

Violation Category            | Each Violation (not less than – not more than) | Total CMP for Violations of an Identical Provision in a Calendar Year
Unknowing                     | $100 – $50,000                                 | $1,500,000
Reasonable Cause              | $1,000 – $50,000                               | $1,500,000
Willful Neglect – Corrected   | $10,000 – $50,000                              | $1,500,000
Willful Neglect – Uncorrected | At least $50,000                               | $1,500,000

Page 32: TOP 5 HIPAA VIOLATIONS

Year | #1 Violation                    | #2 Violation | #3 Violation | #4 Violation      | #5 Violation
2010 | Impermissible Uses & Disclosure | Safeguards   | Access       | Minimum Necessary | Notice
2009 | Impermissible Uses & Disclosure | Safeguards   | Access       | Minimum Necessary | Complaints to Covered Entity
2008 | Impermissible Uses & Disclosure | Safeguards   | Access       | Minimum Necessary | Complaints to Covered Entity
2007 | Impermissible Uses & Disclosure | Safeguards   | Access       | Minimum Necessary | Notice

Page 33: ADMINISTRATIVE REQUIREMENTS
Written policies and procedures to comply with the administrative requirements must include:
1. A designated contact person to handle complaints and provide further information about the Notice of Privacy Practice.
2. A designated privacy officer who is responsible for development and implementation of the policies and procedures.
3. Required annual training of all workforce members, with documentation of the training.
4. Safeguards to protect the privacy of PHI and limit incidental uses or disclosures.
5. Procedures for individuals to submit complaints regarding HIPAA compliance.

Page 34: ADMINISTRATIVE REQUIREMENTS
6. Must have and apply appropriate sanctions against workforce members who violate privacy policies and procedures.
7. Must document sanctions that are applied, if any.
8. Must mitigate, to the extent practicable, any harmful effect due to a violation.
9. Cannot take intimidating or retaliatory acts against any individual for filing a complaint or exercising his/her rights.
10. Must retain policies and procedures, NPPs, disposition of complaints and other actions/activities for 6 years after the later of the date of their creation or last effective date.
11. Maintain documentation sufficient to meet the burden of proof.

Page 35: CASES

Page 36: Impermissible Use/Disclosure
Removal and Loss of Medical Records
- A Massachusetts hospital employee took work home and accidentally left 192 billing records – containing detailed PHI – on the subway.
- Even though it was an accident, severe penalties were imposed on the hospital:
  - $1 million fine
  - 3 year corrective action plan with oversight by OCR
  - Requirement to develop comprehensive policies and procedures using encryption
  - Implementation of a comprehensive training program and written certification from all staff

Page 37: Accessing PHI Without Legitimate Purpose
Accessing Celebrity Records
- A researcher at the UCLA School of Medicine received notice of termination.
- In retaliation, he accessed his superior’s and co-workers’ medical records.
- Over the next 4 weeks, he accessed UCLA patient records, including those of many celebrities – a total of 323.
- Penalty: sentenced to 4 years in prison.

Page 38: Accessing & Leaking PHI to Media
- An Arkansas M.D. and 2 hospital employees accessed the records of a slain Arkansas TV reporter.
- Details of the attack were leaked to the media.
- The 3 pled guilty in federal court to misdemeanors. A federal judge fined all 3 and sentenced them to 1 year of probation.
- The hospital suspended the M.D.’s privileges for 2 weeks and terminated the 2 employees, plus an account rep. and the Emergency Department coordinator.

Page 39: Lack of HIPAA Safeguards
- A small Phoenix surgery practice group (5 doctors) posted clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.
- OCR began an investigation and noted the following violations – failure to:
  - implement adequate policies and procedures;
  - document employee training;
  - identify a clinic security officer and conduct a risk analysis; and
  - obtain a BAA with the internet-based email and calendar services.
- OCR fined the practice $100,000 and required implementation of a corrective action plan that included remediation of the violations listed above.

Page 40: Improper Disposal of PHI
- First-of-its-kind joint investigation by OCR and the Federal Trade Commission over allegations that CVS Pharmacy was disposing of PHI, such as prescription bottle labels and old prescriptions, in public dumpsters.
- The joint investigation revealed the following violations – failure to:
  - implement adequate policies and procedures to protect PHI during disposal;
  - adequately train employees on proper disposal methods;
  - have a sanctions policy.
- CVS entered into a Resolution Agreement that required CVS to:
  - revise and distribute its policies and procedures regarding disposal of PHI;
  - train employees and sanction those that did not follow policies;
  - engage a third party assessor to conduct assessments and submit reports to Health and Human Services.

Page 41: Improper Disposal of PHI
- Create new internal reporting procedures requiring employees to report all violations of the new policies and procedures.
- Submit compliance reports to HHS for 3 years.
- AND CVS was fined $2.5 million.
- CVS is required to submit to 3rd party audits every 2 years for 20 years (part of its agreement with the FTC).

Page 42: Willful Intent
- An Arkansas LPN accessed PHI for personal gain. While working in an Arkansas clinic, the LPN accessed a patient’s medical record and gave the information to her husband.
- The husband called the patient and said he intended to use the information against him/her in “an upcoming legal proceeding.”
- Upon discovery, the clinic fired the LPN.
- A federal indictment charged her with wrongful disclosure of individually identifiable health information for personal gain and malicious harm.
- Charges were dropped against her and her husband for a guilty plea.
- Faced a maximum of 10 years in prison and a fine of up to $250,000.
- Sentenced to 2 years probation, 100 hours of community service, and revocation of her nursing license.

Page 43: INSURANCE
- Malpractice insurance does not cover HIPAA violations.
- General liability insurance does not cover HIPAA violations.
- May purchase cyber liability insurance for HIPAA.