HIPAA Privacy & Security Compliance
Donna R. Burn, Compliance and Privacy Officer, Ohio Department of Veterans Services
(Slide transcript)

  • Slide 1

HIPAA Privacy & Security Compliance
Donna R. Burn, Compliance and Privacy Officer, Ohio Department of Veterans Services

  • Slide 2: Objectives

- History and Context of Privacy in the U.S.
- Enforcement Overview
- HIPAA's Privacy Rule

  • Slide 3: Historical Look Back

- The modern version of the Hippocratic Oath: "I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know."
- While Hippocrates, the so-called father of medicine, lived in the early 5th century B.C., the famous oath that bears his name emerged a century later. No one knows who first penned it.

  • Slide 4: Privacy Defined

- United States, 1890: U.S. Supreme Court justices Samuel Warren and Louis Brandeis publish "The Right to Privacy" in the Harvard Law Review
- Defined as "the right to be left alone"
- The U.S. Constitution does not specifically provide a Right to Privacy

  • Slide 5: Health Insurance Portability and Accountability Act of 1996 (HIPAA)

- Pub. L. No. 104-191, 110 Stat. 1936 (1996)
- Established, for the first time, a set of national standards for the protection of certain health information

  • Slide 6: Two Objectives of HIPAA

- Portability: Ensure that individuals would be able to maintain their health insurance between jobs
- Accountability:
  - Combat fraud & abuse
  - Establish a national, uniform baseline of privacy and security protections for individuals' health information
  - Mandate uniform standards for electronic data transmission of administrative and financial data relating to patient health information

  • Slide 7: Health Information Technology for Economic & Clinical Health Act (HITECH), 2009

- Enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), signed into law February 17, 2009
- Goal: to promote adoption and meaningful use of health information technology (HIT) to improve the efficiency & effectiveness of the health care system
- Subtitle D addresses privacy and security concerns with electronic transmission of health information
- Strengthened and broadened HIPAA's Enforcement & Privacy Rules
- Added Breach Notification requirements (Breach Rule)
- Did not change the Security Rule; however, increased penalties for not being in compliance with it

  • Slide 8: HIPAA Omnibus Final Rule Components, Implementing HITECH (2013)

- HITECH Privacy & Security
  - Business associates
  - Marketing & Fundraising
  - Sale of PHI
  - Right to request restrictions
  - Electronic access
- HITECH Breach Notification
- HITECH Enforcement
- GINA Privacy
- Other non-statutory Modifications
  - Research authorizations
  - Notice of privacy practices updates
  - Decedents
  - Student immunizations

  • Slide 9: Still to Come

- HITECH Rulemaking:
  - Accounting of Disclosures
  - Method for sharing Penalty Amounts with Harmed Individuals
  - National Instant Criminal Background Check System (NICS) Final Rule
- Guidance:
  - Breach Safe Harbor Update
  - Breach Risk Assessment Tool
  - Minimum Necessary
  - More on Marketing
  - More Fact Sheets on other provisions
  - Online versions of other guidance
  - Security Rule Guidance Updates

  • Slide 10: HIPAA Regulation Text

- Unofficial Version, as amended through March 26, 2013: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
- No new regulations have been issued since March 26, 2013

  • Slide 11: Enforcement of HIPAA

- Civil Actions
  - By: Office for Civil Rights (OCR) of the Dept. of Health & Human Services (HHS); State Attorneys General Offices
  - Types: Settlements; Resolution Agreements w/ Corrective Action Plan
- Criminal Actions
  - Referred by OCR to the U.S. Department of Justice (DOJ)
  - Against organizations subject to HIPAA
  - Against individuals

  • Slide 12: Civil Enforcement of HIPAA, Key Terms

- Reasonable diligence: the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances
- Reasonable cause: an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect
- Willful neglect: conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated

  • Slide 13: Civil Money Penalty Structure

Violation Category               Each Violation       All such violations of an identical provision in a calendar year
Did Not Know                     $100 - $50,000       $1.5 M
Reasonable Cause                 $1,000 - $50,000     $1.5 M
Willful Neglect - Corrected      $10,000 - $50,000    $1.5 M
Willful Neglect - NOT Corrected  $50,000              $1.5 M

  • Slide 14: Enforcement of HIPAA

- As of July 2015, HHS has entered into over 25 resolution agreements and recently issued CMPs to several covered entities: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html
- Since April 2003, OCR has referred 495 cases of potential criminal violations to DOJ
- Source: OCR

  • Slide 15: Enforcement of HIPAA

- OCR resolved more than 9,500 complaints of alleged HIPAA violations in FY 2013.
- OCR's HIPAA responsibilities continue to expand. The HITECH Act authorized OCR to impose civil monetary penalties for HIPAA Privacy and Security Rule violations.
- OCR collected $4 million in FY 2013 and anticipates $5.5 million in FY 2014. OCR uses collections to support HIPAA enforcement activities.

  • Slide 16: HIPAA Compliance Audits

  • Slide 17: OCR Audit Program

- HITECH Act Sec. 13411: Periodic audits to ensure covered entities and business associates comply with the requirements of HIPAA and HITECH
- Audit Objectives:
  - Examine mechanisms for compliance
  - Identify best practices
  - Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews
  - Renew attention of covered entities to health information privacy and security compliance activities

  • Slide 18: OCR Pilot Audits Completed

- Pilot Process: Tiered approach for a snapshot of compliance across covered entity types, sizes and complexity
- Sample of 115 covered entities selected, spread across 4 tiers
- All audits were completed by December 2012
- OCR published the audit protocol
- Issued final reports to entities audited in the pilot

  • Slide 19: All Covered Entities, 4-Tier Size Approach

- Level 1 Entities: Large Provider / Payer
  - Extensive use of HIT; complicated HIT-enabled clinical/business work streams
  - Revenues and/or assets greater than $1 billion
- Level 2 Entities: Large regional hospital system (3-10 hospitals/region) / Regional Insurance Company
  - Paper and HIT-enabled work flows
  - Revenues and/or assets between $300 million and $1 billion

  • Slide 20: All Covered Entities, 4-Tier Size Approach (continued)

- Level 3 Entities: Community hospitals, outpatient surgery, regional pharmacy / All Self-Insured entities that don't adjudicate their claims
  - Some but not extensive use of HIT; mostly paper-based workflows
  - Revenues between $50 million and $300 million
- Level 4 Entities: Small Providers (10 to 50 Provider Practices, Community or rural pharmacy)
  - Little to no use of HIT; almost exclusively paper-based workflows
  - Revenues less than $50 million

  • Slide 21: OCR Pilot Audit Observations

- Completed Audits of 115 entities: 61 Providers, 47 Health Plans, 7 Clearinghouses
- No findings or negative observations for 13 entities (11%): 2 Providers, 9 Health Plans, 2 Clearinghouses
- Total 979 audit findings and observations: 293 Privacy, 592 Security, 94 Breach Notification
- The percentage of Security Rule findings and observations was double what would have been expected based on the protocol
- Smaller entities (Level 4) struggled with all three areas

  • Slide 22: Compliance and Enforcement Audit, What's Ahead

- Phase 2 has begun!
- OCR has begun conducting a second round of compliance audits, starting in May 2015 with a limited number of entities selected.
- OCR selected from a very large database an oversupply of 1200 organizations as possible subjects of the new round of audits. OCR is currently making determinations about the listed organizations to determine their suitability for audit.
- Roughly 800 of the organizations are covered entities and 400 are business associates.

  • Slide 23: New Issues Likely to be Covered in Audits

- OCR is to revise its 2012 audit protocol to include changes brought by the Omnibus Regulations: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
- OCR found the lack of any and/or adequate risk analysis to be very high in the 2012 audits; therefore OCR will intensify its focus on organizations' analysis of potential risks and vulnerabilities involving the PHI which they generate and which comes into their custody.
- OCR to target organizations' Risk Analysis and Risk Management policies and procedures!

  • Slide 24: Privacy Rule

  • Slide 25: Part 164 Parts

- SECURITY RULE: Protects ELECTRONIC health information (EPHI). Organizations must ensure the availability, confidentiality and integrity of that information.
- PRIVACY RULE: Identifies what is to be protected; regulates what entities subject to HIPAA (covered entities) must do to safeguard information; outlines individuals' Rights regarding their Protected Health Information (PHI).
- BREACH NOTIFICATION RULE: Requires WRITTEN NOTIFICATION to affected individuals and the federal government (and the media if >500 individuals are affected) if a breach of unsecured PHI occurs.

  • Slide 26: What is Protected?

Protected Health Information (PHI):
- Refers to individually identifiable health information maintained by certain entities
- Relates to the past, present, or future health condition, treatment, or payment of a client
- Identifies the individual, or could be used to identify the individual
- Can be transmitted or maintained in any form or medium: paper, electronic, verbal

  • Slide 27: The Many Forms of PHI

- Paper copies / printed copies
- Telephone calls and voice mail
- Photos / videos
- Verbal communication and conversations
- Fax transmissions
- CDs, thumb drives
- E-mail
- Tattoos?

  • Slide 28: Individual Identifiers of PHI

- Name
- Address
- Social Security number
- Family History
- Telephone number
- Fax number
- Account numbers
- Medical record number
- E-mail address
- Dates
- Medicaid Client ID #
- Driver's license numbers
- Vehicle ID
- Pharmacy ID #
- Personal Assets
- Device identifiers and serial numbers
- Biometric (finger or voice print)
- Photographs
- Geographic indicators
- Any unique identifying number, code or characteristic

  • Slide 29: What It Takes to Make PHI

Examples:
- A list of health care identification numbers
- A list of residents' names and dates of service at a physician's office
- A list of residents' names and dates of birth
- A list of medical codes
- A list of residents' names and email addresses
- A full-face identifiable photograph of a resident

  • Slide 30: Know who and what you are under HIPAA

  • Slide 31: Who Are You under HIPAA?

- Covered Entity
  - Providers: Hospitals, physicians, Nursing Homes, allied health providers, mental health practitioners, etc., WHO ELECTRONICALLY BILL A STANDARD TRANSACTION REGULATED BY HIPAA (Medicare, Medicaid, Tricare, etc.)
  - Health plan
  - Health care clearinghouse
- Business Associate, and their subcontractors who handle PHI

  • Slide 32: Are you a Covered Entity?

- http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf
- You may also be one of these:
  - Organized Health Care Arrangement (OHCA)
  - Affiliated Covered Entities (ACE)
  - More than likely you are a Hybrid Covered Entity: an organization that contains both covered and non-covered components.
- KNOW YOUR STRUCTURE UNDER HIPAA. IT DOES MAKE A DIFFERENCE!

  • Slide 33: Are you a Business Associate (BA)?

- Do you create, receive, maintain, or transmit PHI on behalf of a Covered Entity (CE), or another Business Associate (BA), for a function or activity regulated by the HIPAA Rules, where the provision of the service involves the disclosure of PHI?
- Note: Does not include disclosures to health care providers concerning treatment of an individual!

  • Slide 34: Business Associates & the Privacy Rule

- A BA is a BA is a BA: determined by definition, not by the existence of a contract
- Directly liable for:
  - Uses and disclosures of PHI not in accord with its Business Associate Agreement (BAA) or the Privacy Rule
  - Failing to disclose PHI when required by the Secretary to investigate and determine the BA's compliance with HIPAA
  - Failing to disclose PHI to the CE, the individual, or the individual's designee as necessary to satisfy the CE's obligations with respect to an individual's request for an electronic copy of PHI
  - Failing to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose
  - Failing to enter into a BAA with subcontractors that create/receive PHI
- Contractually liable for these and all other Privacy Rule obligations included in their contracts with CEs

  • Slide 35: Business Associates & the Security Rule

- A BA must comply with ALL of the Security Rule
- Must review and modify security measures as needed and update security measures accordingly
- Must enter into a contract with any subcontractors to protect electronic PHI
- Must report breaches of unsecured PHI to the CE (or upstream BA)
- Requirements of BAAs apply to BAs and their subcontractors in the SAME MANNER as between CEs and BAs
- Subcontractor: a person to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the BA's workforce

  • Slide 36: Written Requirement Between CEs and BAs, and BAs and Subcontractor BAs

- Must enter into an Agreement to ensure the Business Associate will appropriately and adequately safeguard PHI
- Commonly referred to as: Business Associate Agreement (BAA) or Business Associate Contract (BAC), or, between State Agencies, Memorandum of Understanding (MOU)
- BAs have specific requirements under the Privacy, Security, Breach and Enforcement Rules

  • Slide 37: How HIPAA Works

  • Slide 38: Basic Tenets of HIPAA

- Patients have a right to access their health information and to control where it goes (with exceptions); otherwise require Authorization
- Covered entities may use patient information for certain treatment and business operations: Treatment, Payment, health care Operations = TPO
- They must tell patients how they will use the information and implement safeguards to protect it = Notice of Privacy Practices

  • Slide 39: Key Concept: Use vs. Disclosure

- Use: Sharing, Employing, Applying, Utilizing, Examining, Analyzing. Information is "used" when it moves within an organization.
- Disclosure: Releasing, Transferring, Providing access to, Divulging in any manner. Information is "disclosed" when it is transmitted outside an organization.

  • Slide 40: Key Concept: Required Disclosures

- HIPAA requires disclosure of PHI in only two instances:
  - To the Federal government when they are investigating an Entity's compliance with HIPAA
  - To the Individual when he/she requests it
- Every other disclosure is permissible, but under specific conditions!

  • Slide 41: Key Concept: Minimum Necessary Principle

- Requires Covered Entities to always limit any use, disclosure or request of PHI to the minimum necessary to accomplish the intended purpose
- Handle PHI specific to your daily job functions on a need-to-know basis
- Always consider minimum necessary when sharing individuals' PHI, even with coworkers

  • Slide 42: Keys to Unlock PHI

- Treatment, Payment, Healthcare Operations (TPO) Uses & Disclosures (45 C.F.R. 164.506)
- Uses & Disclosures with an Opportunity for the Individual to Agree or Object (45 C.F.R. 164.510)
- Uses & Disclosures in the Public Interest (45 C.F.R. 164.512)
- Authorization (45 C.F.R. 164.508)
- And... incidental uses & disclosures (45 C.F.R. 164.502(a)(1)(iii))

  • Slide 43: TPO: Treatment, Payment, Health Care Operations (45 C.F.R. 164.506)

- Treatment: the provision, coordination or management of health care for an individual by providers
- Payment: activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual
- Health Care Operations: activities of a covered entity that are related to the functions they perform

  • Slide 44: Opportunity for the Individual to Agree or Object (45 C.F.R. 164.510)

- Facility directories
- For involvement in the individual's care and notification purposes
  - With the individual present
  - When the individual is not present
  - For disaster relief purposes
  - About decedents, to family members and others involved in care or payment for care, in the exercise of professional judgment

  • Slide 45: Allowable Public Interest Disclosures (45 C.F.R. 164.512)

A CE may use or disclose PHI without written authorization or an opportunity for the individual to agree or object under narrowly defined exceptions:
- a. Required by Law
- b. For public health activities
- c. About victims of abuse, neglect or domestic violence
- d. For health oversight activities
- e. For judicial and administrative proceedings

  • Slide 46: Allowable Public Interest Disclosures (45 C.F.R. 164.512), continued

- g. For law enforcement purposes
- h. About Decedents
- i. For Cadaveric Organ, Eye or Tissue Donation
- j. For Research Purposes
- k. To avert a serious threat to health and safety
- l. For specialized government functions
- m. For workers' compensation

  • Slide 47: Incidental Use or Disclosure

- Defined: a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by HIPAA
- HIPAA permits certain incidental uses and disclosures IF you have put in place: reasonable safeguards; the minimum necessary standard; policies, procedures & training (164.502(a)(1)(iii))
- An incidental use or disclosure is not permitted if it is a byproduct of an underlying use or disclosure which violates the Privacy Rule

  • Slide 48: HIPAA Required Authorizations

- Any disclosure not specifically identified as permissible under HIPAA requires a valid written authorization from the individual
- Specific Authorizations are required for the following: Psychotherapy Notes; Marketing; Sale of PHI; Fundraising; Research

  • Slide 49: Authorization Checklist Example

- AUTHORIZATIONS MUST INCLUDE ALL REQUIRED ELEMENTS TO BE CONSIDERED VALID UNDER HIPAA: WHO, WHAT, WHEN, WHERE AND WHY

  • Slide 50: Psychotherapy Notes

- Specific definition: know it if you think you deal with these notes
- Almost always require a special Authorization to release, and cannot be combined with any other Authorization
- Right of access to these notes by the individual (patient) is NOT REQUIRED by HIPAA
- HIPAA does NOT restrict disclosure of these notes to individuals/patients; the CE has discretion as to whether to disclose or withhold them from an individual

  • Slide 51: Marketing

- To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service
- Must be a communication (written or verbal)
- Must involve use of PHI

  • Slide 52: Marketing Requires Written Authorization

- Must obtain a valid authorization before using/disclosing PHI for marketing
- Authorization must disclose if the CE is receiving financial remuneration, direct or indirect payment, from a 3rd party whose product or service is being described
- If the individual signs an authorization to receive such communications, the CE may send them until the individual revokes it
- If the individual doesn't sign an authorization, the CE may not send these types of communications

  • Slide 53: Photographs, Video/Audio Recordings

- Pictures of the patient (resident) are considered part of their health record. You are able to disclose them in the same manner as other types of PHI.
- A patient's photograph that identifies him/her cannot be posted in public areas, such as hallways, without specific authorization from the patient.
- A patient's photograph that identifies him/her cannot be used in any form of publication without the patient's specific authorization.
- If the patient is not identifiable from the image, it is not considered to be PHI.

  • Slide 54: Sale of PHI

- Definition: a disclosure of PHI by a CE where the CE directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI
- Note: any remuneration, not just financial
- Exceptions: Treatment and Payment; Public health purposes; Transfer, merger or consolidation of a CE & related due diligence; Required by Law; To Business Associates for their contracted activities
- Exceptions with RESTRICTIONS: Research; To the individual; Reasonable cost-based remuneration to cover the cost to prepare and transmit PHI
- CONSULT LEGAL ADVICE FOR MORE GUIDANCE

  • Slide 55: Fund Raising

- May use or disclose to a Business Associate or institutionally related foundation, for the purpose of raising funds for its own benefit, without an Authorization
- Requirements for All Other Fund Raising:
  - Include a statement in the Notice of Privacy Practices
  - Provide the individual with a clear & conspicuous opportunity to opt out of further fundraising communications with each communication
  - The opt-out method may not cause the individual undue burden or more than nominal cost
  - May not condition treatment or payment on the individual's choice
  - May not make fundraising communications to an individual who has opted out

  • Slide 56: Research under HIPAA

- Defined: a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
- Requires:
  1. Written Authorization from the individual, OR
  2. Documented approval from an Institutional Review Board (IRB) or Privacy Board, OR
  3. Only sharing of a Limited Data Set (LDS) of data with a valid Data Use Agreement (DUA), for research, public health or health care operations only

  • Slide 57: De-identified Data

- Health information can be de-identified; de-identified data is not subject to HIPAA
- Two Methods:
  1. Safe Harbor approach: Remove the 18 identifiers AND have no knowledge that the remaining information could be used alone or with other information to identify an individual
  2. Statistical approach: A qualified statistical or scientific expert concludes that the risk of re-identification is very small
- http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/Deidentification/guidance.html

  • Slide 58: Patients' Rights

  • Slide 59: Patients' Rights under HIPAA

- Notice of Privacy Practices (NPP)
- The right to access, copy, and inspect their health-care information
- The right to request an amendment to their health-care information
- The right to obtain an accounting of certain disclosures of their health-care information
- Rights to request privacy protections for PHI
- The right to complain about alleged violations of the regulations and the entity's own information policies
- The right to be notified when a breach of an individual's unsecured PHI occurs

  • Slide 60: Notice of Privacy Practices

- Applies to providers and health plans
- Specific Content Requirements:
  - How an entity may use and disclose PHI about an individual
  - Individuals' Rights and how the individual may exercise these Rights
  - The entity's legal duties with respect to the information, including a statement that the entity is required by law to maintain the privacy of PHI
  - Whom individuals can contact for further information about an entity's privacy policies
  - An effective date

  • Slide 61: Providing the Notice to Individuals

- PROVIDERS
  - All Providers: On request; if they maintain a website, the Notice must be posted there
  - Providers with a direct treatment relationship: By the date of first service delivery; if they have a physical service delivery site, have the Notice available at the site for individuals to request to take with them, and post the Notice in a clear and prominent location
- HEALTH PLANS
  - To new enrollees at the time of enrollment
  - At least every 3 years, must notify individuals currently covered of the availability of the Notice and how to obtain a copy
- Must make a good faith effort to obtain written acknowledgment of receipt of the Notice

  • Slide 62: Key Concept: HIPAA's Designated Record Set (DRS)

- It is what a patient gets when they request access to or a copy of their PHI
- Organizations need to define this
- Should contain the information that an organization uses to make decisions about an individual
- Examples: The patient's medical record; A list of claims information (from a health plan); The anesthesia record from an operation (from an anesthesia provider); A radiological image with associated notes (from a radiologist)

  • Slide 63: Right to Access, Copy, and Inspect Health Care Information

- Right to inspect and obtain a copy of PHI about the individual in the CE's designated record set (DRS)
- In the form and format requested by the individual, if readily producible
- Exceptions exist (psychotherapy notes, information prepared for litigation)
- The CE may deny access (unreviewable & reviewable reasons)
- Manner of access: the individual may direct the CE to send the DRS to a 3rd party
- Any fees must be reasonable and cost-based
- Must provide within 30 days (one 30-day extension possible)

  • Slide 64: Right to Amendment

- Right to amend information in the CE's DRS
- The CE has the right to deny an amendment under certain circumstances:
  - Was not created by the CE (unless the originator is no longer available)
  - Isn't part of the DRS
  - Restricted from the right to access
  - Is accurate and complete
- The CE has 60 days to respond; can extend 30 more if necessary
- If the CE agrees to amend, the CE has a duty to inform others: persons identified by the individual, and business associates

  • Slide 65: Right to Request Privacy Protections

- Right to Request Restriction of Uses and Disclosures
  - Must permit individuals to request restrictions for: uses or disclosures of PHI to carry out TPO; disclosures for involvement in the individual's care and notification purposes
  - The CE does not have to agree, but if the CE does agree, it is bound by that restriction
- Right to Confidential Communications
  - Must permit individuals to request confidential communication
  - Must accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations. A CE Provider may not ask why!
- If requested, must restrict information to the insurer if the item/service is paid for in full

  • Slide 66: Right to Obtain an Accounting of Disclosures (prior 6 years)

- Right to receive an accounting of disclosures of PHI made by the Covered Entity in the prior 6 years
- Exceptions:
  - Treatment, payment and health care operations
  - To individuals, of PHI about them
  - Incident to a use/disclosure otherwise permitted or required by HIPAA
  - Pursuant to an Authorization
  - For the facility's directory
  - To persons involved in the individual's care or for notification purposes
  - For national security or intelligence
  - To correctional institutions or law enforcement officials

  • Slide 67: Right to Complain about alleged violations of the regulations and the CE's own policies

- The CE must provide a process for individuals to make complaints
- The CE must document all complaints received, and their disposition, if any

  • Slide 68: Right to be Notified when a Breach Occurs

- The Notice of Privacy Practices must state that the CE will notify affected individuals following a breach of unsecured PHI
- SUBPART D: NOTIFICATION IN THE CASE OF BREACH OF UNSECURED PROTECTED HEALTH INFORMATION, 45 C.F.R. 164.400 to 45 C.F.R. 164.414

  • Slide 69: Genetic Information Nondiscrimination Act of 2008 (GINA)

- GINA required the Secretary of HHS to revise the Privacy Rule
- Genetic information is health information
- HIPAA prohibits all health plans that are CEs under HIPAA from using or disclosing PHI that is genetic information for underwriting purposes
- Note: an authorization CANNOT be used to permit a use or disclosure of genetic information for underwriting purposes!

  • Slide 70: Policies and Procedures Musts

- Implement policies and procedures to comply with standards, implementation specifications, or other requirements
- Be reasonably designed to ensure compliance
- Change as necessary and appropriate to comply with changes in the law
- Document it all

  • Slide 71: Key to Compliance: Training

Must train:
- All workforce members on policies and procedures regarding PHI safeguards, in order for them to carry out their duties
- Each new workforce member within a reasonable period of time after he/she joins the entity
- Each workforce member whose functions are affected by a material change in policies or procedures, within a reasonable period of time after the material change

  • Slide 72: Key to Compliance: Sanctions

- Required that you have them and apply them to workforce members who violate your policies and procedures
- Must train the workforce to understand that sanctions may apply
- Must document sanctions taken
- One of the first things you may be asked for in an audit!

  • Slide 73: Key to Compliance: Non-Retaliation

- Privacy Rule: A CE may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any Right established under HIPAA
- Enforcement Rule: A CE may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for:
  - Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under this part
  - Opposing any act or practice made unlawful by HIPAA, provided the individual has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of PHI in violation of HIPAA