Topics In This Module - Kennewick, WA · 2019. 7. 18. · Independent medical transcriptionists...
Transcript of Topics In This Module - Kennewick, WA · 2019. 7. 18. · Independent medical transcriptionists...
Topics In This Module
HIPAA and HITECH
Protected Health Information (PHI)
Using PHI correctly
Breaches
Penalties and sanctions for violation
What can I do?
2
HIPAAThe Health Insurance Portability and Accountability Act of
1996 (HIPAA) was created to:
Provide consistent coverage to people changing jobs Give patients greater control over the use of their health
information Protect the privacy of health information by:
Establishing national standards all healthcare providers must comply with
Limiting the use of health information to minimize inappropriate disclosures
Investigating inappropriate disclosures and holding violators accountable.
3
HITECH
The Health Information Technology for Economic and Clinical Health of 2009 (HITECH) was created to strengthen HIPAA by:
Standardizing data transfer methods
Encouraging the move to electronic health record systems
Imposing stiffer penalties for improper disclosures
4
HIPAA contains Privacy & Security rules to address health care concerns such as:
• Fears that once patients’ records are stored electronically on networks, a couple of clicks could transmit those records worldwide
• Loss of control over personal information
• Potential for undesired marketing
5
HIPAA Privacy & Security Rules
Privacy rule: protects all PHI in any form or media, whether electronic, paper, or spoken
Security rule: specifically protects PHI in electronic format; addressing confidentiality, integrity, and availability using administrative, physical, and technical safeguards
6
What is PHI?
Protected Health Information(PHI) is any information in the medical record or
designated record set that can be used to identify an individual and that was
created, used, or disclosed in the course of providing a health care service
such as diagnosis or treatment.
Is created or received by a health care provider, health plan, public health
authority, employer, life insurer, school, or health care clearinghouse
Relates to the past, present, or future physical or mental health condition of an
individual; the provision of health care to an individual; or the past, present, or
future payment for the provision of health care to an individual
7
PHI is information that can be used to identify, contact, or locate a single person or can be used with other sources to identify a single individual.
There are 18 HIPAA identifiers that are considered personally identifiable information.
8
PHI: The 18 Identifiers1. Names
2. All geographical subdivisions smaller than a state:
Street address
City
County
Precinct
Zip code
3. Dates directly related to an individual: Birth date (including age if over 89)
Admission date
Discharge date
Date of death
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security Numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
9
PHI: The 18 Identifiers13. Device identifiers and serial
numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) addresses
16. Biometric identifiers Fingerprints
DNA
Iris recognition
Voiceprints
17. Full face photographic images
18. Any other unique identifying number, characteristic, or code
10
Organizations Bound by HIPAA Covered Entities
Health Plans (GCBH)
Clearing Houses
Providers
Business Associates
The law refers to Covered Entities (CE) and the work that they perform with PHI as covered functions. Covered functions can be outsourced to business associates.
11
HIPAA Business Associates (BA)
Business Associates: Are contracted to perform a covered function on behalf of a CE
Use PHI to do their job
Are a third party, not direct employees of the Covered Entity they contract with
HIPAA requirements and HITECH penalties are extended to Business Associates, and include forming a Business Associate Agreement (BAA) with the Covered Entity.
BAs require additional oversight due to HIPAA, and it is not a good practice to have them unless required.
12
Common Business Associates
A third party administrator that assists with health plan claims processing
Attorneys
Independent medical transcriptionists serving physicians
Pharmacy benefits managers that manage a health plan’s pharmacist network
CPA firms
13
Use and Disclosure of PHI
GCBH, as a health plan, is permitted by HIPAA to Use
(internally) and Disclose (externally) PHI for the
purposes of TPO:
Treatment – the provision of health care
Payment – the provision of benefits and premium payment
Healthcare Operations – normal business activities
(reporting, data collection, eligibility checks, etc.)
14
HIPAA Authorizations
Written authorization must be obtained from a patient to use or disclose PHI for specific purposes other than TPO, including employment related inquiries, research, or marketing.
An authorization can be revoked at any time in writing.
Must include the name of the patient, the purpose of the disclosure, an expiration date or event, as well as a signature, date, and explanation of how to revoke the authorization.
Unlike other health records, psychotherapy notes are not subject to disclosure to the patient.
15
The Minimum Necessary RuleThe amount of PHI used or disclosed is restricted to the
minimum amount of information necessary. Reasonable efforts must be made not to use, disclose, or request more than is necessary to accomplish a task.
Exceptions are:
Disclosure to a provider for treatment
Release to an individual of their own PHI (psychotherapy notes are exempt from requests)
Disclosures required by law16
The Minimum Necessary Rule
The “minimum necessary” rule does not restrict the information used or disclosed in treatment.
The “minimum necessary” rule does apply to payment and health care operations.
17
Breach
According to section 13400(1)(A) of the HITECH Act, a breach is
defined as: the unauthorized acquisition, access, use, or
disclosure of protected health information which compromises
the security or privacy of the protected health information,
except where an unauthorized person to whom such
information is disclosed would not reasonably have been able
to retain such information.
18
Breach PenaltiesBreaches are taken very seriously, and are punished accordingly
Breaches must be reported to the affected consumers, the Department of Health and Human Services, and, if they affect more than 500 people, the media
Civil penalties – four levels, up to $1,500,000
Criminal penalties – three levels, up to $250,000 and up to 10 years imprisonment
Fines increase with the number of patients affected and amount of neglect
19
Notification Requirements < 500 patients/year
Notify consumers
Notify the Department of Health and Human Services (HHS) annually with list of affected consumers (will be posted on HHS Internet site)
≥ 500 patients/year Notify consumers
Notify HHS with list of affected consumers (will be posted on HHS Internet site)
Notify major media
Breaches affecting 500 or more individuals are listed here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
20
Civil Violation Tiers Did Not Know: The covered entity or business associate did not know, and
reasonably should not have known of the violation.
Reasonable Cause: The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation cut the covered entity or business associate did not act with willful neglect.
Willful Neglect – Corrected: The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
Willful Neglect – Uncorrected: The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
21
Civil Violations & PenaltiesViolation Category
HITECH Section 1176(a) (1)Each Violation
All such violations of an identical provision in a calendar year
(A) Did Not Know $100 - $50,000 $1,500,000
(B) Reasonable Cause $1,000 - $50,000 $1,500,000
(C)(i) Willful Neglect - Corrected $10,000 - $50,000 $1,500,000
(C)(ii) Willful Neglect- Not Corrected $50,000 $1,500,000
22
Criminal Violations & PenaltiesViolation Fines Imprisonment
Covered entities and specified individuals who
knowingly obtain or disclose PHI
Up to $50,000 Up to 1 year
Offenses committed under false pretenses
Up to $100,000 Up to 5 years
Offenses committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain,
or malicious harm
Up to $250,000 Up to 10 years
23
Employer SanctionsCovered Entities and Business Associates are required to develop
and impose sanctions appropriate to the nature of the HIPAA
violations. The type of sanction applied should vary
depending on factors such as the severity of the violation,
whether the violation was intentional or unintentional, and
whether the violation indicated a pattern or practice of
improper use or disclosure of PHI. Sanctions can range from a
warning to termination.
24
Incidental Disclosures
Examples of incidental disclosures:
• A patient seen in a waiting area
• A conversation between a provider and a patient in a semi-private room heard by the other occupant
Incidental Disclosures are not violations if the covered entity has safeguards in place and they are observed by the staff.
25
Hypothetically Speaking
You work in a setting where you and your colleagues use PHI to do work. You are notified that a visitor has arrived to see you. You are currently busy; however, the visitor has come by several times before and knows where you are located. Should the visitor be allowed to enter on their own?
Definitely not! Your visitor may be exposed to PHI. Even if they are familiar with HIPAA, this would be outside of TPO. Follow your company’s rules regarding visitors to protect your patients, your visitor, and yourself.
26
Some HIPAA Breach Trivia
Unencrypted portable data storage devices are the leaders for large breaches of PHI
Laptops
Smart phones
USB drives
Business associates are a growing problem for breaches
Almost two-thirds of data breaches involve a business associate
Some of the largest breaches reported to the Department of Health and Human Services (HHS) have involved business associates
Smaller breaches usually are results of misdirected faxes, emails, or hard copy communications.
27
28
Real Violations and PenaltiesEntity Fined Fine Violation
CIGNET $4,300,000Online database application error, denied patients access to their records
Alaska Department of Health and Human Services
$1,700,000Unencrypted USB hard drive stolen, poor policies and risk analysis
WellPoint $1,700,000Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database. Failed to conduct a tech evaluation in response to software upgrade
Blue Cross Blue Shield of Tennessee $1,500,000 57 unencrypted hard drives stolen
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates
$1,500,000Unencrypted laptop stolen, poor risk analysis, weak policies
Affinity Health Plan $1,215,780 Returned photocopiers without erasing the hard drives
South Shore Hospital $750,000 Backup tapes went missing on the way to contractor
Idaho State University $400,000 Breach of unsecured ePHI
Shasta Regional Medical Center $275,000Inadequate safeguarding of PHI from impermissible uses and disclosures
Phoenix Cardiac Surgery $100,000 Internet calendar, poor policies, lack of training
The Hospice of Northern Idaho $50,000Breach of unsecured ePHI. Unencrypted laptop stolen, no risk analysis.
29
Who Protects PHI? Everyone is responsible for protecting PHI
Anyone with access to PHI can breach HIPAA, so it is important to understand how to properly use and protect it (and yourself)
All healthcare organizations require Privacy Officers who: Educate employees on HIPAA practices Implement policies and procedures to ensure adherence to
HIPAA Reviews and monitors agency practices to ensure HIPAA
compliance
30
What Can I Do?
• Don’t tell anyone the building code
• Escort all visitors – offer to help unescorted individuals
• Keep the lobby doors that lead to offices closed during meeting days
• Keep your work area free of PHI when you’re not present
• If necessary, close your door when discussion involves PHI
• Don’t access more PHI than you need to do your job
• Do not take removable media offsite that contains PHI
• Don’t allow anyone at home to access your work
• Report any security incidents immediately
31
What Can I Do?
• Lock your computer when you walk away
• Don’t share your password
• Double check the number you’re dialing and use a cover page with the
GCBH confidentiality statement when faxing out
• Pick up your incoming faxes A.S.A.P.
• Emails containing PHI may only be emailed to GCBH employees’ work email
addresses. If transmitting PHI to a provider, you must use the GCBH
website.
• Dispose of sensitive materials in shredders or locked bins
• If sending a CID/P1 ID, nothing else may be sent – no dates, no initials, etc.
32
Review What is HIPAA, and to whom does it apply?
The Health Insurance Portability and Accountability Act, and it applies to Covered Entities and Business Associates
What is PHI? Protected Health Information: Anything that can be used to identify an
individual directly or through statistics
When are additional authorizations required? Any use or disclosure other than TPO
Who is responsible for protecting PHI? Everyone
What are the penalties/sanctions for violation? Up to termination of employment, $1,500,000 civilly, and $250,000 and 10
years criminally
33