George Bailey, MS, CISSP, GCIH; LuAnn Keyton, MBA, CRISC, CHP, HCISPP; Purdue Healthcare Advisors
Posted on 17-Feb-2018
Transcript
What is HIPAA?
Health Insurance Portability & Accountability Act of 1996 (45 C.F.R. parts 160 & 164).
Provides a framework for the establishment of nationwide protection of patient confidentiality, security of electronic systems, and standards and requirements for the electronic transmission of health information.
Why care about HIPAA?
• 2016 HIPAA Audits by the OCR
• To Protect your Practice
• To Protect your Clients’ Information
• To Avoid Fines
• Compliance is not an option, it is required
CIVIL penalties by type of violation (minimum / maximum):
• Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA: minimum $100 per violation, with an annual maximum of $25,000 for repeat violations; maximum $50,000 per violation, with an annual maximum of $1.5 million.
• HIPAA violation due to reasonable cause and not due to willful neglect: minimum $1,000 per violation, with an annual maximum of $100,000 for repeat violations; maximum $50,000 per violation, with an annual maximum of $1.5 million.
• HIPAA violation due to willful neglect, but the violation is corrected within the required time period: minimum $10,000 per violation, with an annual maximum of $250,000 for repeat violations; maximum $50,000 per violation, with an annual maximum of $1.5 million.
• HIPAA violation due to willful neglect and not corrected: minimum $50,000 per violation, with an annual maximum of $1,000,000; maximum $50,000 per violation, with an annual maximum of $1.5 million.
CRIMINAL penalties by type of violation:
• Covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information: a fine of up to $50,000; imprisonment of up to 1 year.
• Offenses committed under false pretenses: a fine of up to $100,000; imprisonment of up to 5 years.
• Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm: a fine of up to $250,000; imprisonment of up to 10 years.
Is a person, business, or agency a covered health care entity?
1. Does the person, business, or agency furnish, bill, or receive payment for health care in the normal course of business (1)?
   No: STOP! The person, business, or agency is NOT a covered health care entity.
   Yes: continue to question 2.
2. Does the person, business, or agency transmit (send) any covered transactions electronically (2)?
   No: STOP! The person, business, or agency is NOT a covered health care entity.
   Yes: STOP! The person, business, or agency is a covered health care entity.
Covered transactions (NAME/TYPE: NUMBER):
• Claims submission: X12-837
• Enrollment and disenrollment in a health plan: X12-834
• Eligibility: X12-270 and X12-271
• Health care payment to provider (with remittance advice): X12-835
• Premium payment to health insurance plans: X12-820
• Claim status request and response: X12-276 and X12-277
• Referral certification and authorization: X12-278
Use of these transaction standards causes a clinic to become a HIPAA Covered Entity.
HIPAA Regulations
HIPAA Regulations require that we protect our patients' PHI in all media including, but not limited to, PHI created, stored, or transmitted in/on the following media:
It is the responsibility of every employee to protect the privacy and security of sensitive information in ALL forms.
Privacy Rule
* Effective April 14, 2003
* Privacy refers to protection of an individual’s health care data
* Defines how patient information is used and disclosed
* Gives patients privacy rights and more control over their own health information
* Outlines ways to safeguard Protected Health Information (PHI)
HIPAA Privacy Requirements
• Designated and defined Privacy Officer
• Workforce members who handle PHI require training
• Create a method for patients to submit privacy complaints
• Develop a sanctions policy/procedure for workforce member non-compliance
• Follow the minimum necessary standard for data access
• Mitigate the harmful effects of a violation
• Create policies and procedures as required
Notice of Privacy Practices
The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user-friendly explanation of individuals' rights with respect to their personal health information and the privacy practices of health plans and health care providers.
HIPAA allows use and/or disclosure of PHI for the purpose of:
Treatment – providing care to patients.
Payment – the provision of benefits and premium payment.
Health Care Operations – normal business activities (e.g., reporting, quality improvement, training, auditing, customer service and resolution of grievances, data collection, eligibility checks and accreditation).
Minimum Necessary – the covered entity must limit access to protected health information to those who need access to the information to do their jobs.
Privacy Violations
The following activities occurring in the absence of patient authorization are considered misuse of protected health information (PHI):
◦ Access
◦ Using
◦ Taking
◦ Possession
◦ Release
◦ Editing
◦ Destruction
Security Rule
Effective April 21, 2005
Security means controlling:
* Confidentiality of electronic protected health information (ePHI)
* Storage of electronic protected health information (ePHI)
* Access into electronic information
Security Safeguards (Examples)
Administrative
Policies and procedures fostering privacy & confidentiality of PHI – including an annual risk assessment.
Awareness training
Auditing of data access
Physical
Alarm systems
Enforcing restricted access to chart rooms and data processing areas
Physically securing equipment or devices storing ePHI (e.g., tethering)
Technical
Data encryption
Strong authentication (e.g. unique usernames & robust passwords)
Anti-virus software
Protected Health Information Identifiers
The 18 identifiers defined by HIPAA are:
Names
Medical Record Numbers
Social Security Numbers
Account Numbers
License/Certification numbers
Vehicle Identifiers/Serial numbers/License plate numbers
Internet protocol addresses
Health plan numbers
Full face photographic images and any comparable images
Web universal resource locators (URLs)
Any dates related to any individual (date of birth)
Telephone numbers
Fax numbers
Email addresses
Biometric identifiers including finger and voice prints
Any other unique identifying number, characteristic or code
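As an added example (not from the presentation), the following Python scanner flags a subset of the identifiers listed above in free-text records and redacts them before the text leaves treatment, payment or operations use. The MRN format and the sample records are constructed assumptions, and the patterns are deliberately simple compared with a production DLP rule set.

```python
import re

# Regex patterns for a subset of the HIPAA Safe Harbor identifiers listed above.
# Patterns are intentionally simple; a production DLP rule set would be broader.
IDENTIFIER_PATTERNS = {
    "Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone/Fax number": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "Date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # Assumed (hypothetical) MRN format: the token "MRN" followed by 6 to 8 digits.
    "Medical Record Number": re.compile(r"\bMRN[:\s#]*\d{6,8}\b", re.IGNORECASE),
}

def find_identifiers(text):
    """Return {identifier_type: [matched strings]} for every identifier found in text."""
    hits = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits

def redact(text):
    """Replace each detected identifier with a [TYPE] token so the remaining text
    no longer carries that identifier."""
    for name, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text

def scan_records(records):
    """Scan (record_id, text) pairs; return only the records that still contain identifiers."""
    return {rid: find_identifiers(txt) for rid, txt in records if find_identifiers(txt)}

# Constructed sample records (fictional values, not taken from the presentation).
SAMPLE_RECORDS = [
    ("note-1", "Pt MRN 00482913, DOB 03/14/1965, SSN 123-45-6789, reached at (765) 555-0142."),
    ("note-2", "Follow-up scheduled; patient prefers email jdoe@example.com, portal https://portal.example.org/visit/77"),
    ("note-3", "Routine visit, vitals stable, no concerns noted."),
    ("audit-1", "Access from 10.20.30.40 on 2016-05-09 by workstation RAD-02."),
]

if __name__ == "__main__":
    for rid, hits in scan_records(SAMPLE_RECORDS).items():
        print(rid, hits)
    print(redact(SAMPLE_RECORDS[0][1]))
```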
Breach Notification Rule
Effective September 23, 2009
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.
By the Numbers
• 1,544 breaches affecting more than 500 individuals reported to HHS (through May 9, 2016)
• Half are due to theft
• Laptops and portable devices are responsible for 1/3 of cases
• 20% involve business associates
• 222,430 breaches affecting fewer than 500 individuals (through April 17, 2016)
• 313,602,491
The Breach Notification Rule Requirements
• Must notify affected individuals
• Must notify HHS of all breaches on an annual basis, or immediately if impacting more than 500 patients
• Individual notification must be provided no later than 60 days following the discovery of a breach
• Notification to the media if impacting more than 500 patients
• Business Associates are required to notify covered entities of breaches at or by the BA
Breach Identification
Risk Assessment Factors
1. Document the nature and extent of the PHI involved, with emphasis on the type of identifiers and the likelihood of re-identification
2. The unauthorized person who accessed the PHI, or to whom the disclosure was made
3. Whether or not the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated
Breach Preparation
Develop a breach investigation & response policy
Will you provide identity protection services?
When will you get law enforcement involved?
When does the Indiana (or another state's) Attorney General need to be notified?
Familiarize yourself with HHS reporting process
Draft example notification letters
Consider Cyber Security insurance coverage
Tabletop scenarios
Discuss with legal counsel
How to get your practice aligned with HIPAA
1. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
2. Written Policies and Procedures
3. Staff Training
4. Inventory of ePHI
5. Business Associates Agreements
6. Risk Analysis
7. Monitoring/auditing
8. Remediation
9. Documentation
1. Violating the HIPAA Privacy rule can result in
A. Civil penalties
B. Criminal penalties
C. Both A and B
D. None of the above
2. Patient’s personal health information may be released without authorization to:
A. Local newspapers
B. Employers in worker's compensation cases
C. Social workers
D. Family and friends
3. A vendor such as a software firm that does business with a covered entity is called a:
A. HIPAA firm
B. Business associate
C. HIPAA vendor
D. Provider
4. HIPAA was designed to:
A. Create standards for electronic transmission but not uncover fraud and abuse
B. Uncover fraud and abuse and has nothing to do with protecting PHI
C. Protect PHI, create standards, uncover fraud and abuse
D. Ensure health insurance coverage, protect PHI, but did not create standards for electronic transmission
5. An important part of a compliance plan is a commitment to keep both physicians and medical office staff current by providing:
A. External audits
B. Ongoing training
C. OIG fraud advisories
D. Practice work plans
6. The provider owns the medical record, but the information contained in the record belongs to:
A. The provider
B. The patient
C. The payer
D. None of the above
“Our office has an all-in-one printer/fax machine on the network that breaks down daily. We’re trading it in on a newer one. The vendor will handle anything that needs to be done to the old machine. Is that a problem?”
George and his family have chosen a new dentist. George’s wife Amy calls the former dentist and asks that the records be transferred to the new dentist for the entire family. Is that acceptable?
Resources/Reference Materials
1. Toolkit
i. Template of Policies
ii. Security Risk Assessment tools
iii. Walkthrough Checklists
iv. HIPAA Summary info
v. Notice of Privacy Practices examples
vi. http://engr.purdue.edu/people/baileyga/Downloads/IDA_toolkit_May2016
2. Health IT Website
i. www.healthit.gov