HIPAA Audio Presentation

Post on 16-Jan-2015


HIPAA in the Health Care Setting


LISA D. SHANNON, RN, JD

Understanding The HIPAA Privacy and Security Laws

OBJECTIVES


Provide an Overview of the HIPAA Privacy and Security Rules in the Health Care Setting

Summarize the HITECH Security Enhancements of HIPAA

Define how the HITECH Security enhancements impact your Business Associates

Define Security Breaches and the reporting requirements under the HIPAA HITECH enhancements

Offer strategies for compliance with the HIPAA HITECH enhancements

Questions

WHAT IS HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that is designed to protect the privacy and security of patient health information.

This federal legislation enforces: the portability of health care coverage; the security and privacy of health information; and accountings of how individual health care information is handled and protected.


SO, HOW HAS HIPAA CHANGED THE HEALTH CARE PICTURE?


THE HIPAA LAWS HAVE IMPACTED THE HEALTH CARE INDUSTRY BY…

Making broad sweeping changes to the way patient information is handled and the way we do business with our patients:

As a result of the HIPAA Laws:

The patient’s control of and access to their health care information has increased; and

Protections for individually identifiable health information from threats of loss or unauthorized disclosure have increased substantially.


THE PRIVACY AND SECURITY OF HEALTH INFORMATION

Prior to the enactment of the HIPAA Rules, your personal health information could legally be sold or even used to determine your life insurance premiums or mortgage rate!

The HIPAA Privacy and Security Rules made these practices illegal.


BUT FIRST…A FEW WORKING DEFINITIONS


DEFINITION…WHAT IS A COVERED ENTITY?

A covered entity (CE) is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by the HIPAA Privacy and Security Laws.


DEFINITION…WHAT IS A BUSINESS ASSOCIATE?

A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity.

An example of a business associate would include an independent medical transcriptionist that provides transcription services to a physician.


DEFINITION…PROTECTED HEALTH INFORMATION

Protected Health Information or PHI means the individually identifiable health information that is:

• Transmitted by electronic media;
• Maintained in electronic medium; or
• Transmitted or maintained in any other form or medium.


EXAMPLES OF PROTECTED HEALTH INFORMATION

Examples of PHI include but are not limited to the following:

• Names
• Address
• Social Security number
• Family History
• Telephone number
• Fax number
• Account numbers
• Medical Record numbers
• Email address
• Dates (birthday, admission, discharge)
• Certificate/license numbers
• Vehicle ID
• Personal Assets
• Device identifiers
• Biometric (finger or voice print)
• Photographs
• Any unique identifying number, code or characteristic

WHAT DOES INDIVIDUALLY IDENTIFIABLE MEAN?

Protected Health Information (PHI) under HIPAA includes any individually identifiable health information.

Identifiable refers not only to data that is explicitly linked to a particular individual, it also includes health information that contains data items which could reasonably be expected to allow for individual identification.


WHAT ARE SOME FORMS OF PHI? PHI MUST BE PROTECTED REGARDLESS OF ITS FORM OR MEDIUM

PHI can be in many forms or types of media. Examples include:

• Paper copies/printed copies
• Telephone calls and voice mail
• Photos/videos
• Verbal communication
• Fax transmissions
• Information transmitted over the Internet
• Email

You must take the appropriate precautions to protect PHI in any form or medium and report violations to your HIPAA Officer/Liaison.

WHAT IS SECURED PHI?

Secured PHI is PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals by one or more of the following methods:

Encryption - the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

Destruction (for paper or film media PHI) – shredding or destroying PHI in a manner in which it cannot be read or otherwise reconstructed.


WHAT IS UNSECURED PHI?

Unsecured PHI is PHI in paper or electronic form that has not been secured through the use of a technology or methodology specified by the Department of Health and Human Services (HHS), that makes the PHI unusable, unreadable, or indecipherable to unauthorized individuals.

TREATMENT, PAYMENT AND HEALTHCARE OPERATIONS

A Covered Entity may access, use, and/or disclose PHI without patient authorization for:

Treatment – The provision, coordination, or management of health care and related services by healthcare provider(s); this includes 3rd party healthcare providers for treatment alternatives and health-related benefits.

Payment – Activities to determine eligibility benefits and to ensure payment for the provision of healthcare services.

Health Care Operations - Activities that manage, monitor, and evaluate the performance of a health care provider or health plan.


EXAMPLES OF TPO: TREATMENT, PAYMENTS, HEALTH CARE OPERATIONS

Scenario / TPO: for each scenario, which category (Treatment, Payment, or Health Care Operations) applies?

• State Auditors are conducting an internal audit.
• A therapist at a health care facility discloses PHI to a practitioner when a referral for services is necessary.
• PHI is disclosed to insurance companies for the purpose of payment for services.

THE MINIMUM NECESSARY PRINCIPLE


DEFINITION…MINIMUM NECESSARY PRINCIPLE

The Privacy Rules require health care providers to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.


MINIMUM NECESSARY

For Example:

The minimum necessary principle should always be applied when sharing a client’s PHI to protect the client’s privacy, even when sharing PHI with co-workers.

AND…

Only those individuals with a need to know should have access to an individual’s protected health information (PHI).


MINIMUM NECESSARY DISCLOSURES

Under current law, a CE must make reasonable efforts to limit disclosure of PHI to the “minimum necessary” – an exception exists for treatment purposes;

Under ARRA, HHS will develop further guidance defining what constitutes the minimum necessary;

Until further guidance is issued, a CE is required, to the extent practicable, to limit disclosures of PHI to the “limited data set” or, if more information is needed, to the “minimum necessary” to accomplish the intended purposes of such use, disclosure, or request;

HHS should issue its guidance no later than August 17, 2010.

AUTHORIZED USES AND DISCLOSURES

OF PHI


WHO CAN REQUEST AND AUTHORIZE THE RELEASE OF PHI?


Hierarchy for the authorization and release of PHI.

DEFINITION…WHO IS THE PERSONAL REPRESENTATIVE?

A personal representative is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate.

The Privacy Rule requires a Covered Entity to treat a “personal representative” the same as the individual, with respect to uses and disclosures of the individual’s PHI, as well as the individual’s rights under the Rule.


AUTHORIZATION AND DISCLOSURE

A Covered Entity must obtain the patient’s or the personal representative’s written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations or as otherwise permitted or required by the Privacy Rule.

The authorization must be written in specific terms.

Authorization must:

• Be in plain language;
• Contain specific information regarding the information to be disclosed or used;
• Identify who is disclosing and who is receiving the information;
• State the date and/or event that will signal the expiration of the authorization; and
• State the right to revoke the authorization.


PHI RIGHTS CREATED BY THE HIPAA PRIVACY LAWS


AN INDIVIDUAL HAS A RIGHT TO…AN ACCOUNTING OF DISCLOSURES

Individuals have a right to an accounting of the disclosures of their PHI by a Covered Entity or the Covered Entity’s Business Associates.

The maximum disclosure accounting period is the six years immediately preceding the accounting request.

A Covered Entity is not obligated to account for any disclosures made before its Privacy Compliance Date.

AN INDIVIDUAL HAS A RIGHT TO… REQUEST AN AMENDMENT

The HIPAA Privacy Rule gives the patient the right to request that a Covered Entity amend the information in his or her record set when and if that information is found to be inaccurate or incomplete.

AN INDIVIDUAL HAS A RIGHT TO…REQUEST A RESTRICTION

Individuals have the right to request that a Covered Entity restrict the use or disclosure of their PHI for various purposes. The Covered Entity is under no obligation to agree to requests for restrictions.

A Covered Entity that agrees to the restriction must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.


RESTRICTIONS ON DISCLOSURES OF OUT-OF-POCKET SERVICE

Previously, a patient could request that a CE restrict certain disclosures of PHI; however, the CE was not obligated to comply;

Effective February 17, 2010, ARRA requires, at the request of the patient, that a provider not disclose PHI to a plan regarding an item or service paid completely out-of-pocket by the patient, except for treatment purposes.

DEFINITION…PHI SECURITY REQUIREMENTS

A facility must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure.


“THE AMERICAN RECOVERY & REINVESTMENT ACT” (ARRA) OR “THE ACT”


HIPAA LAW UPDATE – ARRA “THE AMERICAN RECOVERY AND REINVESTMENT ACT”

“ARRA” or the “Act” also informally known as the “stimulus bill” was signed into law by President Obama on February 17, 2009.

The Act made significant modifications to the HIPAA Privacy and Security Rule.

Recent and Upcoming Changes:

• Feb. 17, 2009: Increased Penalty Provisions
• Sept. 17, 2009: National Breach Notification Law
• Feb. 17, 2010: Business Associates must comply with HIPAA Rules; Mandatory Federal Auditing; New and Increased Enforcement
• Feb. 2011: Individuals affected by a HIPAA violation will be able to receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.


ARRA: 2009 HIPAA AMENDMENTS

Within ARRA is the “Health Information Technology for Economic and Clinical Health Act” (HITECH).

The HITECH Act contains provisions that significantly expand the scope of the HIPAA Privacy and Security requirements.


ARRA AND BUSINESS ASSOCIATES

Effective February 17, 2010, HIPAA will treat Business Associates (BA) like Covered Entities (CE) in many respects;

Previously, the HIPAA Privacy and Security Rules only applied to CE’s and the BA’s liability extended only to breach of the business associate contract;

Now, under ARRA, a BA will be required to comply with the HIPAA Privacy and Security Rules, and be subject to the same HIPAA penalties and enforcement as the CE;

Existing business associate agreements (BAA’s) will need to be amended to include the new HIPAA HITECH requirements.

Future BAA’s will need to be drafted to include the new HIPAA HITECH requirements.

BREACHES OF PHI


WHAT IS A BREACH OF PHI?

A “Breach” is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security/privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

WHAT IS NOT A BREACH OF PHI

A “Breach” excludes:

• Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further impermissible use or disclosure;
• Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, where the information received is not further used or disclosed in an impermissible manner; or
• Disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI.


BREACH RISK ASSESSMENT?

CEs and BAs are required to perform and document risk assessments on breaches of unsecured PHI to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure.


Risk Assessment Decision Tree


NEW SECURITY BREACH NOTIFICATION REQUIREMENT

Under ARRA, a CE is required to notify individuals whose unsecured PHI has been, or is reasonably believed to have been accessed, acquired, or disclosed as a result of a breach.

Before the HITECH Act, a CE was not required to notify patients of an improper disclosure or breach of their PHI.

But, a CE always had a duty to… mitigate harm; and account for wrongful disclosures.

WHAT MUST THE NOTICE INCLUDE?

ARRA requires that a Breach Notice include:

• A brief description of what happened, including the breach date and breach discovery date, if known;
• A description of the types of unsecured PHI involved in the breach;
• The steps individuals should take to protect themselves from potential harm from the breach;
• A brief description of the steps the CE is taking to investigate the breach, mitigate losses and protect against any further breaches; and
• Contact procedures for individuals to follow to ask questions or obtain additional information, including a toll-free telephone number, an email address, Web site or postal address.

If a law enforcement official determines that a notification, notice or posting regarding a PHI breach would impede a criminal investigation or cause damage to national security, the health care provider or business associate must delay all notifications.


THE NOTICE OF A BREACH OF UNSECURED PHI SHALL…

Provide notice of breach without “unreasonable delay” from date of discovery – not to exceed 60 days;

If more than 500 persons are affected, the CE must notify HHS and other prominent media outlets serving the area;

The CE must maintain a log of all breaches and submit it annually to HHS;

A BA is not required to send those affected, a notice of breach – it is the CE’s responsibility!!!

Oftentimes the BA will participate in the notification process because of an existing relationship with the affected party.


BUSINESS ASSOCIATE BREACH RESPONSIBILITIES?

In the instance of a breach, the Business Associate shall, without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach, notify the Covered Entity of the breach.

The notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during the breach.

The Business Associate’s responsibility under the HITECH Act should be included in the Covered Entity’s business associate agreement (BAA) with the Business Associate.


EXCEPTIONS TO THE BREACH NOTIFICATION RULE

The breach notification requirements apply only to breaches of “unsecured” PHI.

Secured PHI is not subject to the breach notification rules. (Safe Harbor Rule)


SWIMMING IN THE BREACH NOTIFICATION SAFE HARBOR?

CEs and BAs are not required to follow the Department of Health and Human Services’ guidance on how PHI can be secured.

BUT…

If the CE or BA does follow the HHS guidance, these steps create the functional equivalent of a safe harbor and thus result in the CE and BA not being subject to the Breach Notification Rules.


THE BREACH LOG

A CE or BA shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected.

The following information should be collected and/or logged:

• A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known;
• A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.); and
• A description of the action taken with regard to notification of patients regarding the breach.
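The safe harbor, the "not a breach" exclusions, the risk assessment, the 60-day notice deadline, the 500-person HHS/media threshold, the BA's duty to report to the CE, and the breach log described above, folded into one decision routine. This is an added example and not code from the presentation; the field names, the constructed sample incidents, and the treatment of a law-enforcement hold as suspending every deadline are my assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

NOTIFY_DEADLINE_DAYS = 60   # "without unreasonable delay", not to exceed 60 days from discovery
HHS_MEDIA_THRESHOLD = 500   # more than 500 persons affected: also notify HHS and prominent media

@dataclass
class BreachEvent:
    description: str
    discovery_date: date
    affected_count: int
    phi_types: list                 # e.g. ["full name", "Social Security number"]
    phi_secured: bool               # encrypted or destroyed per HHS guidance (safe harbor)
    exclusion_applies: bool         # one of the three "not a breach" exclusions on the slides
    significant_risk_of_harm: bool  # outcome of the documented risk assessment
    discovered_by: str = "CE"       # "CE" or "BA"
    law_enforcement_hold: bool = False
    breach_date: date | None = None

@dataclass
class Obligations:
    reportable: bool
    reason: str
    notify_individuals_by: date | None = None
    notify_hhs_and_media: bool = False
    ba_must_notify_ce_by: date | None = None
    notifications_delayed: bool = False
    log_entry: dict = field(default_factory=dict)

def assess(ev: BreachEvent) -> Obligations:
    if ev.phi_secured:
        return Obligations(False, "secured PHI: safe harbor, notification rules do not apply")
    if ev.exclusion_applies:
        return Obligations(False, "exclusion applies: not a breach")
    # Every breach of unsecured PHI is logged, whatever the headcount or the outcome below.
    entry = {"description": ev.description, "breach_date": ev.breach_date,
             "discovery_date": ev.discovery_date, "affected_count": ev.affected_count,
             "phi_types": list(ev.phi_types), "notification_action": ""}
    if not ev.significant_risk_of_harm:
        entry["notification_action"] = "risk assessment documented; no notice required"
        return Obligations(False, "no significant risk of harm found", log_entry=entry)
    ob = Obligations(True, "breach of unsecured PHI with significant risk of harm", log_entry=entry)
    if ev.law_enforcement_hold:   # assumption: the hold suspends every deadline until lifted
        ob.notifications_delayed = True
        entry["notification_action"] = "all notifications delayed at law enforcement request"
        return ob
    deadline = ev.discovery_date + timedelta(days=NOTIFY_DEADLINE_DAYS)
    ob.notify_individuals_by = deadline            # the CE's duty, even when a BA found it
    ob.notify_hhs_and_media = ev.affected_count > HHS_MEDIA_THRESHOLD
    if ev.discovered_by == "BA":                   # BA reports to the CE, naming each individual
        ob.ba_must_notify_ce_by = deadline
    entry["notification_action"] = f"individual notice due by {deadline.isoformat()}" + \
        ("; HHS and media notified" if ob.notify_hhs_and_media else "")
    return ob

def sample_events() -> dict:
    """Constructed incidents (not from the presentation) that exercise each branch."""
    base = dict(discovery_date=date(2015, 1, 16), exclusion_applies=False,
                significant_risk_of_harm=True, phi_types=["full name", "Social Security number"])
    return {"encrypted_laptop": BreachEvent("encrypted laptop lost", affected_count=700, phi_secured=True, **base),
            "misrouted_fax": BreachEvent("fax sent to wrong clinic", affected_count=1, phi_secured=False, **base),
            "vendor_dump": BreachEvent("transcription vendor database exposed", affected_count=501,
                                       phi_secured=False, discovered_by="BA", **base)}
```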

ENFORCEMENT & ACCOUNTABILITY

The HIPAA regulations punish individuals or organizations that fail to keep PHI confidential.

Criminal penalties for knowingly violating the HIPAA rules may include monetary fines as well as imprisonment.

Civil penalties now range from $25,000 to $1.5 million, depending on the intent of the violation.


INCREASED FINES AND PENALTIES

Tier A (if the offender did not know, and by exercising reasonable diligence would not have known, that he/she violated the law): $100 for each violation, except that the total amount imposed for all violations of an identical requirement during a calendar year may not exceed $25,000.

Tier B (if the violation was due to a reasonable cause and not willful neglect): $1,000 for each violation, … may not exceed $100,000.

Tier C (if the violation was due to willful neglect but was corrected): $10,000 for each violation, … may not exceed $250,000.

Tier D (if the violation was due to willful neglect and was not corrected): $50,000 for each violation, … may not exceed $1.5 million.


STRATEGIES FOR HIPAA COMPLIANCE

STRATEGIES FOR COMPLIANCE

• Compliance strategies at their core must be based upon…
• Planning; and
• Documentation.


THE PRIVACY AND SECURITY OF PHI

It is all about Common Sense; and

Treating all PHI as if it were your own!


A BASIC HIPAA COMPLIANCE INITIATIVE

The project management and communications arrows surround the phases because these activities are continuous for as long as the implementation project is in progress.


STEP 1. UNDERSTAND HIPAA.

• Read, understand and interpret the HIPAA regulations;
• Familiarize yourself with the compliance timelines and penalties;
• Determine what part of your organization is impacted by the regulations;
• Determine if your organization is a covered entity or a hybrid entity under HIPAA;
• Conduct awareness training for all employees;
• Establish a steering committee to oversee and guide the HIPAA effort;
• Organize a team of people to track and manage the HIPAA activities;


STEP 1. UNDERSTAND HIPAA (CONT.).

• Develop a strategic plan so that everyone in the organization understands the mission, goals, and objectives of the effort;
• Analyze the HIPAA regulations against existing organization-specific rules, directives, enterprise policies, etc.; and
• Analyze the HIPAA regulations against potentially preemptive, superseding, or conflicting State and Federal law.


STEP 2. BASELINE THE ORGANIZATION.

• Identify privacy and security officers in each covered entity, or if using the hybrid entity model, covered health care components;
• Develop an assessment method;
• Conduct assessment activities;
• Identify your business associates and PHI electronic trading partners;
• Document potential impacts (gaps); and
• Refine your budget estimates.

STEP 3. PLAN REMEDIATION STRATEGIES.

• Determine what needs to be done to close the gaps;
• Document your business compliance strategy;
• Document your technical compliance strategy;
• Refine your budget estimates as necessary;
• Seek additional funding commitment if necessary; and
• Organize and/or recruit the staff necessary to close the gaps.

STEP 4. REMEDIATE THE ORGANIZATION.

• Conduct appropriate levels of training;
• Establish/amend formal trading partner agreements and business associate contracts as necessary;
• Modify (remediate) business processes, business application systems, and technical infrastructure as necessary to comply; and
• Test and/or pilot modifications.

STEP 5. VALIDATE COMPLIANCE.

• Develop and deploy self-verification tools and/or techniques that can be used by sub-sections of the organization to verify that they have met the requirements of HIPAA;
• Determine whether independent validation and verification techniques will be used in any of the regulation areas; and
• Solicit external validation and verification assistance as necessary.

STEP 6. MAINTAIN COMPLIANCE.

• Develop and implement ongoing compliance training programs for privacy officers, security officers, new employees, etc.;
• Determine whether an ongoing HIPAA compliance office is necessary and establish one if necessary;
• Develop and implement an audit program to ensure ongoing compliance; and
• Establish change management processes so that you are prepared to deal with future changes in the HIPAA law or to individual regulation areas.

QUESTIONS?


THANK YOU FOR YOUR TIME AND ATTENTION

Lisa D. Shannon, RN, JD

Lshanrn_99@sbcglobal.net
