HIPAA: Health Insurance Portability & Accountability Act Overview
TRANSCRIPT
OMNIBUS FINAL RULE
Issued January 23, 2013; effective March 26, 2013.
Modified the HIPAA Privacy and Security Rules. Implemented the HITECH changes that strengthen HIPAA, including the Breach Notification Rule and higher civil monetary penalties.
Incorporated the Genetic Information Nondiscrimination Act of 2008 (GINA): genetic information cannot be used for underwriting and is treated as PHI.
TERMINOLOGY
HIPAA
HIPAA – Health Insurance Portability & Accountability Act. Enacted in 1996 so that health insurance coverage would be portable.
Compliance by October 16, 2002 for the electronic transaction standards (EMR/EHR); compliance by April 14, 2003 for the Privacy Rule.
Establishes a national standard for the protection of PHI. Addresses the use and disclosure of an individual's PHI. Gives individuals rights with respect to their PHI. Policies and procedures must be in place to ensure that reasonable steps are taken to protect each individual's PHI.
PRIVACY RULE
Establishes a national standard for the protection of PHI that is held or transmitted in electronic form (ePHI).
Addresses technical and non-technical safeguards. Three categories of safeguards must be implemented:
1. Administrative – assign an individual who is responsible for security and for training the workforce.
2. Physical – how the electronic systems are protected in their environment (facility, workstation and device controls).
3. Technical – access controls such as unique user IDs and passwords; encryption; audit controls.
SECURITY RULE
HITECH – Health Information Technology for Economic & Clinical Health Act. Enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA). Modified HIPAA to strengthen it; the modifications made significant changes.
HITECH
Applies the same requirements and penalties to Covered Entities (CEs) and Business Associates (BAs).
Establishes mandatory federal privacy and security breach reporting requirements.
Creates new privacy requirements, including new accounting-of-disclosures requirements.
Establishes new criminal and civil penalties for non-compliance and new enforcement methods.
All of these apply equally to Covered Entities and Business Associates.
HOW HITECH AFFECTS HIPAA
PROTECTED HEALTH INFORMATION
Protected Health Information (PHI): individually identifiable health information. Includes written, verbal or electronic form, whether used in records, social media, the internet or an intranet.
ELECTRONIC MEDIA (revised definition): hard drives, tapes, disks, memory cards and other removable media; the internet, intranets and private networks. Fax and telephone transmissions are not considered electronic media.
This is the information that requires protection:
Name and address, including zip code or other geographic codes
Date of birth and age
Telephone number, fax number, e-mail address
Social Security number, medical record number
Health plan beneficiary number
Account number
Certificate/license number; license plate number
Web URL; IP address
Finger or voice prints
Photographs
Any other unique identifying characteristic
PHI IDENTIFIERS
When the identifiers are removed from a patient's information, the information is considered "de-identified":
It is no longer considered PHI. There are no restrictions on its use or disclosure. No information remains that could easily identify the individual.
DE-IDENTIFICATION
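The slide lists the identifiers that must be stripped before a record counts as de-identified. Removing the structured fields is the easy part; the same identifiers routinely leak into free-text fields such as clinical notes, and a record is not de-identified while they remain there. The following is an added example, not part of the original training material, showing a field-level strip plus a free-text scrub and a release gate that checks the output. The record layout, field names and regular expressions are assumptions chosen for this illustration; map them to your own schema.

```python
"""De-identification helper for the PHI identifier categories listed above.

Added example for illustration; the field names and patterns below are
assumptions, not the regulation's text.
"""
from __future__ import annotations

import re
from typing import Any

# Structured fields that carry the identifier categories from the slide.
# Field names are assumed for this example.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "address", "zip", "date_of_birth", "age", "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_license_number", "license_plate",
    "url", "ip_address", "fingerprint", "voiceprint", "photo",
})

# Identifier shapes that leak into free text (notes, comments).
# Order matters: URL and e-mail run first so their digits are not
# mis-read as phone numbers or IP addresses by the later patterns.
FREE_TEXT_PATTERNS = (
    ("URL", re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("PHONE", re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
)


def redact_free_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-shaped substrings with a typed placeholder.

    Returns the scrubbed text and the kinds of identifier that were found,
    in pattern order, so the removal can be documented.
    """
    found: list[str] = []
    for kind, pattern in FREE_TEXT_PATTERNS:
        text, count = pattern.subn(f"[REDACTED-{kind}]", text)
        found.extend([kind] * count)
    return text, found


def deidentify_record(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return a copy of `record` with direct identifier fields dropped and
    every string field scrubbed. The second value lists what was removed
    ("field:<name>" or "<field>:<kind>") for the release log.
    """
    clean: dict[str, Any] = {}
    removed: list[str] = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            removed.append(f"field:{field}")
            continue
        if isinstance(value, str):
            value, kinds = redact_free_text(value)
            removed.extend(f"{field}:{kind}" for kind in kinds)
        clean[field] = value
    return clean, removed


def is_deidentified(record: dict[str, Any]) -> bool:
    """Release gate: True only if no identifier field and no identifier-shaped
    text remains. Run it on the output of deidentify_record, never the input.
    """
    if DIRECT_IDENTIFIER_FIELDS.intersection(record):
        return False
    return all(
        not pattern.search(value)
        for value in record.values() if isinstance(value, str)
        for _, pattern in FREE_TEXT_PATTERNS
    )


# Constructed sample record; not a real patient.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "date_of_birth": "03/14/1975",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0042",
    "zip": "72201",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": ("Pt called from 501-555-0147 on 04/02/2013; follow-up at "
              "jane.sample@example.com. Portal login from 203.0.113.7."),
}

if __name__ == "__main__":
    clean, removed = deidentify_record(SAMPLE_RECORD)
    print(clean)
    print("removed:", removed)
    print("release allowed:", is_deidentified(clean))
```

Dropping the structured fields alone would have left a phone number, a date, an e-mail address and an IP address in the notes, which is the failure mode the gate is there to catch. Pattern matching of this kind is a floor, not a guarantee: names and other free-form identifiers do not have a fixed shape, and the Safe Harbor method also has rules this example does not implement (for instance, all date elements except the year must go, and ages over 89 must be aggregated). Treat a passing gate as a prerequisite for review, not as a substitute for it.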
Minimum Necessary Standard: only the minimum necessary PHI is to be used, disclosed or requested to accomplish the intended purpose.
Breach: PHI has been used in a manner that compromises the security or privacy of the PHI.
MINIMUM NECESSARY
A person or entity, other than a member of the workforce, that performs functions or activities on behalf of or for a Covered Entity that involve the use or disclosure of PHI.
A BA is also a subcontractor that creates, receives, transmits or maintains PHI on behalf of another BA.
BAs and subcontractors have to safeguard PHI "down the stream."
Typical BAs: billing services, collection agencies, answering services, EMR software vendors, labs, transcription services.
BUSINESS ASSOCIATE
An agreement between a Covered Entity and a Business Associate, or between two BAs.
Clarifies and limits the permissible uses and disclosures of PHI.
BAs and subcontractors have the same liability as the Covered Entity and must protect PHI to the same standard as the Covered Entity.
BUSINESS ASSOCIATE AGREEMENT
Health care providers, concerning the treatment of an individual (doctor to doctor; nurse to nurse; referrals).
Banking and financial institutions.
Government agencies determining eligibility, enrollment or benefits (Medicare, Medicaid, VA).
Pharmacies.
BUSINESS ASSOCIATE EXCEPTIONS
Health Care Providers that conduct transactions in electronic form: physicians, clinics, dentists, nursing homes.
Health Care Clearinghouses: entities that process non-standard health information into a standard format (or vice versa).
Health Plans: health insurance companies, HMOs, government health programs.
COVERED ENTITY
A written document for patients that states which uses and disclosures of PHI are allowed without authorization and which require authorization.
Has to be displayed in a clear and prominent location. Must be provided to new patients, and a hard copy has to be provided to anyone who asks for one. Has to be posted on the Covered Entity's website, if it has one. Established patients must be made aware of changes. Requires a signed acknowledgement of receipt.
NOTICE OF PRIVACY PRACTICE
Under the Final Rule, and stated in the NPP:
Right to request a restriction on uses and disclosures. The CE may consider which restrictions to honor.
Right to access PHI, including an electronic copy when the PHI is maintained in electronic form. The patient has no right to direct access to the system; the copy can be placed on an external device.
PATIENT RIGHTS
Right to an accounting of disclosures. An accounting is a record of each disclosure of the patient's PHI for purposes other than treatment, payment or health care operations.
The accounting can cover the 6 years prior to the date of the request, but not disclosures made before 2003.
Disclosures that do not need to be recorded: treatment, payment, and disclosures made to the patient.
PATIENT RIGHTS
Right to request a change (amendment) to their medical record.
If the individual believes there is an error or disagrees with what is in their EMR, they may ask for a change.
The Covered Entity, upon investigation, may or may not agree to the change.
The decision must be communicated to the individual in writing. If a change is made, the original is not destroyed; an addendum is added.
PATIENT RIGHTS
DECEDENT'S PHI: the health care provider may disclose PHI to family members and others who were involved in the patient's care prior to death, applying the minimum necessary standard.
50 years after the date of death, the PHI is no longer protected. Arkansas: a spouse or parent may receive the autopsy report.
Student immunizations to schools: only an agreement from the parent is required for release, which may be verbal (but must be documented).
Public health activities: PHI may be reported for public health and safety, e.g. communicable diseases.
AUTHORIZED PHI DISCLOSURES
Must have a valid written authorization for: use or disclosure of psychotherapy notes; use or disclosure for marketing purposes; the sale of PHI.
AUTHORIZATION REQUIRED
An acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule.
Such an event is presumed to be a breach unless the CE can demonstrate that there is a low probability that the PHI has been compromised.
What is a Breach?
If only secured PHI is involved, there is no breach. Secured PHI has been encrypted or destroyed (e.g. shredded). For example, a lost laptop whose PHI is encrypted is not a breach, provided the key was not lost with it.
If the unauthorized use or disclosure did not violate the Privacy Rule, there is no breach.
What is Not a Breach?
If the unintended recipient would not reasonably have been able to retain the information (e.g. it was recovered before it could have been seen), it is not a breach.
If an unauthorized disclosure within a CE or BA is not further used or disclosed (e.g. an employee accidentally receives and opens an e-mail intended for someone else), it is not a breach.
Not a Breach
If an impermissible use or disclosure occurs, a risk assessment has to be performed to determine whether there is a low probability that the PHI was compromised.
The risk of harm to the individual is not part of the assessment. Affected individuals have to be notified without unreasonable delay and no later than 60 days from discovery of the breach.
If more than 500 individuals in a state or jurisdiction are affected, notice through prominent media outlets serving that area is required in addition to the individual notices.
HHS has to be notified of every breach: within 60 days of discovery if 500 or more individuals are involved, and annually (in a log submitted within 60 days after the end of the calendar year) for smaller breaches.
BREACH NOTIFICATION RULE
Notifications to individuals are to be sent by first-class mail to the last known address.
They may be sent by e-mail if the individual has agreed to electronic notice, or by telephone if the address is out of date. Parents of minors, personal representatives of adults without capacity, and next of kin of deceased patients may be notified in the individual's place.
If contact information is insufficient for 10 or more individuals, the CE must provide substitute notice: a conspicuous notice on its website, or in major print or broadcast media where the individuals reside.
A BA has the same requirements and must notify the CE of a breach.
Breach Notification
The CE or BA has to demonstrate that there is a low probability that the information used or disclosed was compromised.
If it cannot clearly make this determination, the incident is treated as a breach.
The CE or BA must also be able to demonstrate that all required notifications were made.
BURDEN OF PROOF
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) enforces HIPAA.
OCR is required to formally investigate a complaint. A complaint has to be filed within 180 days of the alleged violation. If the preliminary investigation indicates a possible violation, the investigation expands into a compliance investigation.
OCR tries to determine whether willful neglect is indicated.
INVESTIGATION OF BREACH
The entity has 30 days to respond to OCR. If a violation or willful neglect is found, a civil monetary penalty can be imposed for each violation.
INVESTIGATION (CON’T)
Failure to comply with HIPAA can result in civil and criminal penalties.
The HITECH Act significantly increased the amount of civil monetary penalties (CMPs), reduced the number of available affirmative defenses, and required the imposition of CMPs for all violations due to willful neglect under a tiered liability structure.
Prior to February 18, 2009, a HIPAA violation cost $100 per violation, with a maximum of $25,000 in one year for the same provision. Now the penalty is up to $50,000 per violation and up to $1.5 million in one year for the same provision.
CIVIL MONETARY PENALTIES
Unknowing: the CE or BA did not know, and by exercising reasonable diligence would not have known, of the violation.
Reasonable Cause: the CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but did not act with willful neglect.
Willful Neglect, Corrected: the violation was the result of conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, but the CE or BA corrected the violation within 30 days of discovery.
Willful Neglect, Uncorrected: the violation was the result of conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, and the CE or BA did not correct the violation within 30 days of discovery.
TIERED LIABILITY STRUCTURE
Violation Category            Each Violation (not less than / not more than)   Total CMP for violations of an identical provision in a calendar year
Unknowing                     $100 - $50,000                                    $1,500,000
Reasonable Cause              $1,000 - $50,000                                  $1,500,000
Willful Neglect, Corrected    $10,000 - $50,000                                 $1,500,000
Willful Neglect, Uncorrected  At least $50,000                                  $1,500,000
MONETARY PENALTIES
TOP 5 HIPAA VIOLATIONS (most frequent issues in OCR complaints, by year)
Year  Issue 1                           Issue 2     Issue 3  Issue 4            Issue 5
2013  Impermissible Uses & Disclosures  Safeguards  Access   Minimum Necessary  Mitigation
2012  Impermissible Uses & Disclosures  Safeguards  Access   Minimum Necessary  Mitigation
2011  Impermissible Uses & Disclosures  Safeguards  Access   Minimum Necessary  Mitigation
2010  Impermissible Uses & Disclosures  Safeguards  Access   Complaints         Minimum Necessary
2009  Impermissible Uses & Disclosures  Safeguards  Access   Minimum Necessary  Complaints to Covered Entity
Written policies and procedures to comply with the administrative requirements must include:
1. A designated contact person to handle complaints and provide further information about the Notice of Privacy Practice.
2. A designated privacy officer who is responsible for the development and implementation of the policies and procedures.
3. Required annual training of all workforce members, with documentation of the training.
4. Safeguards to protect the privacy of PHI and limit incidental uses or disclosures.
5. Procedures for individuals to submit complaints regarding HIPAA compliance.
ADMINISTRATIVE REQUIREMENTS
6. Must have and apply appropriate sanctions against workforce members who violate privacy policies and procedures.
7. Must document the sanctions that are applied, if any.
8. Must mitigate, to the extent practicable, any harmful effect of a violation.
9. Cannot take intimidating or retaliatory action against any individual for filing a complaint or exercising his or her rights.
10. Must retain policies and procedures, NPPs, the disposition of complaints, and other actions and activities for 6 years after the later of the date of their creation or the date they were last in effect.
11. Must maintain documentation sufficient to meet the burden of proof.
ADMINISTRATIVE REQUIREMENTS
Impermissible Use/Disclosure: an outpatient facility supervisor accessed, examined and disclosed an employee's medical record.
OCR's investigation confirmed that the supervisor's use and disclosure of the PHI was not authorized by the employee and that the record was protected by the Privacy Rule.
Employment records held by a CE in its role as employer are not PHI and may be accessed by the employer; the medical record accessed here was not an employment record.
Corrective action: written reprimand in the supervisor's file, additional training.
Accessing Celebrity Records: a researcher at the UCLA School of Medicine received notice of termination. In retaliation, he accessed the medical records of his superior and co-workers. Over the next 4 weeks he accessed UCLA patient records, including those of many celebrities, a total of 323 times.
Penalty: sentenced to 4 months in federal prison, the first prison sentence for a HIPAA privacy violation.
Accessing PHI Without Legitimate Purpose
An Arkansas M.D. and 2 hospital employees accessed the records of a slain Arkansas TV reporter.
Details of the attack were leaked to the media. The 3 pled guilty in federal court to misdemeanors. A federal judge fined all 3 and sentenced them to 1 year of probation.
The hospital suspended the M.D.'s privileges for 2 weeks and terminated the 2 employees (an account representative and an Emergency Department coordinator).
Accessing & Leaking PHI to Media
A small Phoenix surgery practice (5 doctors) posted its patients' clinical and surgical appointments on an internet-based calendar that was publicly accessible. OCR began an investigation and noted the following failures:
Failure to implement adequate policies and procedures; failure to document employee training; failure to identify a clinic security officer and conduct a risk analysis; and failure to obtain a BAA with the internet-based e-mail and calendar services.
OCR fined the practice $100,000 and required a corrective action plan addressing each of the failures listed above.
Lack of HIPAA Safeguards
A first-of-its-kind joint investigation by OCR and the Federal Trade Commission into allegations that CVS Pharmacy was disposing of PHI, such as prescription bottle labels and old prescriptions, in public dumpsters.
The joint investigation revealed the following failures: failure to implement adequate policies and procedures to protect PHI during disposal; failure to adequately train employees on proper disposal methods; failure to have a sanctions policy.
CVS entered into a Resolution Agreement that required CVS to: revise and distribute its policies and procedures regarding disposal of PHI; train employees; sanction those who did not follow the policies; engage a third-party assessor to conduct assessments and submit reports to Health and Human Services.
Improper Disposal of PHI
Create new internal reporting procedures requiring employees to report all violations of the new policies and procedures.
Submit compliance reports to HHS for 3 years. CVS also paid a $2.25 million resolution amount, and under its separate consent order with the FTC is required to submit to third-party audits every 2 years for 20 years.
Improper Disposal of PHI
An Arkansas LPN accessed PHI for personal gain. While working in an Arkansas clinic, the LPN accessed a patient's medical record and gave the information to her husband. The husband called the patient and said he intended to use the information against him/her in "an upcoming legal proceeding."
Upon discovery, the clinic fired the LPN. A federal indictment charged her with wrongful disclosure of individually identifiable health information for personal gain and malicious harm. The charges against her husband were dropped in exchange for her guilty plea.
She faced a maximum of 10 years in prison and a fine of up to $250,000. Sentence: 2 years of probation, 100 hours of community service, and revocation of her nursing license.
Willful Intent