HIPAA Privacy and Security

Copyright© 2010 WeComply, Inc. All rights reserved. 04/28/22 HIPAA Privacy and Security


Transcript of HIPAA Privacy and Security

Page 1: HIPAA Privacy and Security


HIPAA Privacy and Security


Page 3: HIPAA Privacy and Security


In the news…

Page 4: HIPAA Privacy and Security


What Is HIPAA?

Among HIPAA's primary purposes are —

• Privacy and security of healthcare information

• Standardization of healthcare data

• Simplification of healthcare operations to help reduce costs

• Insurance portability for individuals who change jobs or become unemployed

• Preventing discrimination against applicants or businesses

• Preventing fraud through stiffer penalties and tighter controls

We must also comply with more restrictive state laws regarding privacy and security of healthcare information


Page 7: HIPAA Privacy and Security


Who Is Subject to HIPAA?

Covered entities include hospitals, insurance companies, self-insured employers and small physician practices

Three categories of covered entities:

• Healthcare plans

• Health providers

• Clearinghouses

HIPAA applies to companies that offer healthcare and treatment to their employees on-site

Page 8: HIPAA Privacy and Security


Who Is Subject to HIPAA? (cont’d)

Business associates are individuals and businesses that help covered entities carry out healthcare activities and functions

• Auditors, consultants, lawyers

• Claims-processing firms, pharmacy benefit managers

Business associates are subject to HIPAA in two ways:

• They must provide written assurance that they will use information only for proper purposes, safeguard information from misuse, and help the covered entity comply with HIPAA privacy duties

• They must comply directly with HIPAA regulations requiring administrative, physical and technical safeguards for security of protected information

Page 9: HIPAA Privacy and Security


Pop Quiz!

What happens if a business associate of a covered entity violates HIPAA?

A. The business associate will be subject to the same HIPAA penalties as the covered entity.

B. The business associate will be liable to the covered entity only for breach of contract.

C. Nothing – business associates aren't subject to HIPAA.

Page 10: HIPAA Privacy and Security


Protected Health Information (PHI)

Protected health information includes any part of an individual's medical record or payment history

PHI concerns —

• Any past, present or future physical or mental health of an individual

• Providing healthcare to an individual

• Payment for healthcare of an individual

Any identifiable health information becomes PHI under HIPAA

The Privacy Rule covers PHI in all forms, while the Security Rule covers only electronic PHI

Page 11: HIPAA Privacy and Security


HIPAA Privacy

A covered entity may use or disclose an individual's PHI only under these conditions:

• To communicate directly with the individual about his/her PHI

• With the individual's written authorization or other legal agreement

• Without the individual's authorization for treatment, payment and operations

When using or disclosing PHI, we must try to limit our use or disclosure as much as possible


Page 13: HIPAA Privacy and Security


Notice of Privacy Practices

Covered entity must furnish Notice of Privacy Practices to individuals with whom it has direct treatment relationship

• At enrollment, within 60 days of material revision, and at least every three years

• To anyone who requests it

• On any website it maintains for customer-service or benefits information

• Covered entity must document compliance by retaining copies of issued notices

• Covered entity must make good-faith effort to obtain patient's written acknowledgment of receiving NPP


Page 16: HIPAA Privacy and Security


Reasonable Safeguards

Covered entity must use reasonable safeguards to protect confidentiality of PHI

• Speaking softly when discussing PHI in public spaces

• Not using name of individual whose PHI is being discussed

• Reminding employees to keep PHI secure at workstations and in public spaces

• Isolating and locking filing cabinets containing PHI

• Equipping computers with password-protected screensavers

Page 17: HIPAA Privacy and Security


Using PHI for Marketing

Covered entities may not disclose PHI for marketing purposes without patient's written authorization

Covered entity does not need written authorization to communicate —

• To describe product or service provided by the covered entity

• For treatment purposes

• For case-management, care-coordination, or to recommend alternative therapies/providers

• For face-to-face communications

• For other communications that promote health in general manner

Page 18: HIPAA Privacy and Security


Pop Quiz!

PHI may be disclosed without the patient's written authorization in which of the following situations?

A. Sending marketing literature about healthcare-related products to the patient.

B. Sending marketing literature about non-healthcare-related products to the patient.

C. Recommending any products to the patient in a face-to-face conversation.

Page 19: HIPAA Privacy and Security


HIPAA Security

Security Rule addresses creation, receipt, maintenance and transmission of electronic PHI by covered entities and their business associates

Primary goals:

• To maintain confidentiality of stored and transmitted electronic PHI

• To protect electronic PHI from unauthorized creation, modification and deletion

• To ensure that electronic PHI is available to authorized individuals/entities when needed

Requires administrative, physical and technical safeguards

Page 20: HIPAA Privacy and Security


Administrative Safeguards

Administrative safeguards:

• Security Officer responsible for the development and implementation of security policies

• Workforce Security plan for granting employees varying levels of access to PHI

• Contingency Plan for responding to emergencies and natural disasters

• Business Associate Contracts to protect confidentiality of PHI exchanged

• Termination Procedures to prevent terminated employee from having access to confidential information

Page 21: HIPAA Privacy and Security


In the news…

Page 22: HIPAA Privacy and Security


Physical Safeguards

Physical safeguards:

• Facility Access Controls that allow only authorized access to places where PHI is kept

• Workstation Use procedures for PHI displayed on computer screens

• Workstation Security — secured rooms, curtains, partitions or user IDs/passwords for workstations on which PHI is processed

• Device and Media Controls for handling computer hardware and software, including proper disposal and storage

Page 23: HIPAA Privacy and Security


Technical Safeguards

Technical safeguards:

• Access Controls limiting PHI access on need-to-know basis based on roles and context

• Audit Controls for recording and examining system activity to eliminate unnecessary access to PHI

• Person or Entity Authentication using passwords, PINs, biometrics or tokens to ensure only authorized access to PHI

• Transmission Security to protect PHI during transmission over electronic networks, including encryption, firewalls, SSL/TLS protocol and S/MIME support
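The first two technical safeguards above, need-to-know Access Controls and Audit Controls that record system activity, are easiest to see in working form. The following Python is an added illustration, not code from the WeComply course: a small access-check function that enforces per-role field lists and a treating-relationship context, writes every allowed or denied decision to an audit log, and a review routine that pulls out users with repeated denials. The roles, field names, user ids and patient record are constructed for the example.

```python
"""Need-to-know access checks with an audit trail for electronic PHI.

Added illustration, not code from the WeComply course: it models two of the
technical safeguards listed above (role- and context-based Access Controls,
and Audit Controls that record every access decision for later review).
Roles, field names, user ids and patient records are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Need-to-know: each role may see only the PHI fields its job requires.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing":   {"name", "dob", "insurance_id", "charges"},
    "reception": {"name", "dob", "appointment"},
}

# Context: a physician may open only the records of patients in their care.
TREATING_RELATIONSHIP = {"dr_lee": {"p1"}}

# Constructed patient records (no real data).
PATIENTS = {
    "p1": {"name": "A. Example", "dob": "1970-01-01", "diagnosis": "hypertension",
           "medications": "lisinopril", "insurance_id": "INS-0001",
           "charges": 120.0, "appointment": "2024-05-01"},
}


@dataclass
class AuditEntry:
    ts: str
    user: str
    role: str
    patient: str
    fields: tuple
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    """Append-only record of every access decision, allowed or denied."""
    entries: list = field(default_factory=list)

    def record(self, **kw):
        self.entries.append(
            AuditEntry(ts=datetime.now(timezone.utc).isoformat(), **kw))


def access_phi(user, role, patient_id, fields, audit):
    """Return the requested fields if policy allows; otherwise raise
    PermissionError. The decision is logged before anything is returned."""
    requested = tuple(sorted(fields))

    def deny(reason):
        audit.record(user=user, role=role, patient=patient_id,
                     fields=requested, allowed=False, reason=reason)
        raise PermissionError(reason)

    extra = set(fields) - ROLE_FIELDS.get(role, set())
    if extra:
        deny(f"fields not permitted for role {role!r}: {sorted(extra)}")
    if role == "physician" and patient_id not in TREATING_RELATIONSHIP.get(user, set()):
        deny("no treating relationship with patient")
    if patient_id not in PATIENTS:
        deny("unknown patient")
    audit.record(user=user, role=role, patient=patient_id,
                 fields=requested, allowed=True, reason="policy satisfied")
    record = PATIENTS[patient_id]
    return {f: record[f] for f in fields}


def users_with_repeated_denials(audit, threshold=2):
    """Audit control: examine the log and return users whose denied
    attempts reach the threshold, the first thing a reviewer would look at."""
    counts = {}
    for e in audit.entries:
        if not e.allowed:
            counts[e.user] = counts.get(e.user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    log = AuditLog()
    print(access_phi("dr_lee", "physician", "p1", ["name", "diagnosis"], log))
    for attempt in (("front1", "reception", "p1", ["diagnosis"]),
                    ("front1", "reception", "p1", ["medications"])):
        try:
            access_phi(*attempt, log)
        except PermissionError as exc:
            print("denied:", exc)
    print(users_with_repeated_denials(log))
```

The point of logging before returning is that a denied request leaves the same kind of trace as an allowed one; an audit log that records only successes cannot show a reviewer who kept trying to read records outside their role.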

Page 24: HIPAA Privacy and Security


Pop Quiz!

A pharmaceutical company set up a service to send regular e-mail messages to remind people to take their anti-depressant medication. Due to a programming error, each of the people who received an e-mail message could see the names and e-mail addresses of all of the others to whom reminder messages were sent. Does this present a HIPAA problem?

A. Yes.

B. Maybe, if the e-mail messages were not encrypted.

C. No, because it was due to a programming error — not a breach of security.
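The situation in this quiz comes from how the reminder messages are addressed, so it is worth seeing the defective pattern next to the corrected one. The Python below is an added illustration, not code from the WeComply course: it builds the messages (nothing is sent), shows why a single message with every patient in To: lets each recipient read the whole list, builds one message per recipient instead, and adds a pre-send check that flags any message whose visible recipients number more than one. The sender and recipient addresses are constructed.

```python
"""Why a reminder mailing can disclose who else receives it, and a guard.

Added illustration, not code from the WeComply course. One message with
every address in To: shows each patient the whole list; the fix is one
message per recipient plus a check before sending. Addresses are
constructed; nothing is sent, the messages are only built and inspected.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "reminders@example.org"                                            # constructed
RECIPIENTS = ["pat1@example.org", "pat2@example.org", "pat3@example.org"]  # constructed
BODY = "Reminder: please take your medication as prescribed."


def _base_message():
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Medication reminder"
    msg.set_content(BODY)
    return msg


def build_reminder_broken(recipients):
    """Defective pattern: a single message addressed to everyone. Each
    recipient's mail client displays the full To: list, so membership in
    the programme (itself health information) is disclosed to all."""
    msg = _base_message()
    msg["To"] = ", ".join(recipients)
    return [msg]


def build_reminders_safe(recipients):
    """Corrected pattern: one message per recipient, so no message carries
    any address other than its own recipient's."""
    out = []
    for addr in recipients:
        msg = _base_message()
        msg["To"] = addr
        out.append(msg)
    return out


def visible_recipients(msg):
    """Addresses a recipient can read from the headers (To: and Cc:)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr for _, addr in getaddresses(headers)}


def disclosure_check(messages):
    """Pre-send guard: flag any message whose visible recipient set has more
    than one address. Returns (index, visible addresses) for each offender."""
    return [(i, sorted(visible_recipients(m)))
            for i, m in enumerate(messages)
            if len(visible_recipients(m)) > 1]


if __name__ == "__main__":
    print("broken:", disclosure_check(build_reminder_broken(RECIPIENTS)))
    print("safe:  ", disclosure_check(build_reminders_safe(RECIPIENTS)))
```

A guard like disclosure_check belongs in the sending path rather than in a code review: the addressing mistake in the quiz is a one-line error that is easy to make and easy to miss, and a check that refuses to send any message with more than one visible recipient catches it regardless of how it was introduced.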

Page 25: HIPAA Privacy and Security


Handling PHI

Follow these guidelines when handling PHI:

• Access PHI only to extent necessary to perform job-related functions

• Obtain authorization whenever using PHI for marketing purposes

• Destroy PHI once it is no longer needed

• Take steps to verify proper receipt of transmitted PHI

• Secure work areas by keeping documents containing PHI in locked cabinet and maintaining strong passwords on electronic systems

• Take special precautions while working in field or at home to ensure PHI is secured in laptop computers and briefcases

Page 26: HIPAA Privacy and Security


Security Breach

Secure PHI is information that is —

• Protected by a technology or methodology specified by HHS

• Rendered "unusable, unreadable, or indecipherable" to unauthorized persons

• Shredded/destroyed so that it cannot be read or reconstructed

If there is a security breach involving unsecured PHI:

• Notice must be given to affected individuals

• If breach affects 500 or more individuals, notice must also be given to the Government and the media

Report security breach to your supervisor or Privacy Officer immediately


Page 28: HIPAA Privacy and Security


PHI Rights of Individuals

Individuals have these rights over use and disclosure of their PHI:

• Covered entities must abide by individual's request not to divulge PHI if he/she is paying for full service cost

• Individuals are entitled to copies of records that covered entity keeps electronically

• Individuals have right to request that covered entity correct inaccurate PHI

• Covered entities maintaining electronic health records must provide accounting of all PHI disclosures during prior three years upon request

• Fundraisers must notify individuals of right to opt out of future fundraising solicitations

Page 29: HIPAA Privacy and Security


Enforcement

Failure to comply with HIPAA can lead to significant penalties:

• Civil fines from $100 to $50,000 for each violation up to $1.5 million per year

• Criminal penalties for basic offense may include fine of up to $50,000 and/or imprisonment for up to one year

• Criminal penalties for offense committed with intent to use PHI for commercial advantage may include fine up to $250,000 and/or imprisonment for up to ten years


Page 31: HIPAA Privacy and Security


Final Quiz

Page 32: HIPAA Privacy and Security


Questions?

Page 33: HIPAA Privacy and Security


Thank you for participating!

This course and the related materials were developed by WeComply, Inc. and the Association of Corporate Counsel.