A HIPAA Roadmap: Past, Present and Future… A Review
LBA Healthcare Consulting Services, LLC
LeeAnn Brust, RN, MBA, CPC, CCP, CMPE
(904) 396-4015
Health Insurance Portability and Accountability Act
Enacted in 1996. Congress called for the Department of Health & Human Services to develop standards and requirements for the electronic transmission of health information.
Administrative Simplification (AS) Provision (Part C of Title XI)
This aspect of the HIPAA law requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for maintenance and transmission of health information that identifies individual patients.
What are the Standards Designed to do?
Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for administrative & financial transactions.
Protect the security and confidentiality of electronic health information.
Who must Comply with HIPAA?
All healthcare organizations that maintain or transmit electronic health information must comply, including health plans, health care clearinghouses, and health care providers from large integrated systems to individual providers.
Six Key Areas of HIPAA
• Standardization of Electronic Transactions & Code Sets
• Privacy
• Security
• National Provider Identifiers
• Electronic Signatures
• Electronic Medical Records
Penalties for Failure to Comply
$100 per person per violation. May not exceed $25,000 for a violation of a single standard per calendar year. HHS Office of Civil Rights (OCR) has been charged with enforcement.
Wrongful Disclosure of Individually Identifiable Health Information
• Wrongful disclosure offense: $50,000, imprisonment of not more than one year, or both.
• Offense under false pretenses: $100,000, imprisonment of not more than 5 years, or both.
• Offense with intent to sell information: $250,000, imprisonment of not more than 10 years, or both.
EDI Standards Apply to Nine Specific Transactions
1. Health claims or the equivalent encounter information;
2. Pharmacy transactions: National Council for Prescription Drug Programs (NCPDP);
3. Health claims attachment;
4. Health plan enrollments and dis-enrollments;
5. Health plan eligibility;
6. Health care payment and remittance advice;
7. Health plan premium payments;
8. Health claim status;
9. Referral certification and authorization.
Privacy Rule (Section 264 of HIPAA)
DHHS published the final regulations on December 28, 2000.
The legislation with modifications was finalized on August 14, 2002, with a final compliance date of April 2003 (Federal Register).
Business Associates
Do you have Business Associate contracts from all business relationships where exposure to PHI might be possible?
Government Access to PHI
• Government operated health plans and providers are subject to the same HIPAA requirements as all other health care organizations.
• The Office of Civil Rights is granted access to PHI, but only for investigative or enforcement purposes, and the information OCR requests will be limited and protected.
• Regulations allow certain disclosures to be made for law enforcement purposes, but any state law that has tighter limits on such uses and disclosures of PHI will control.
Payment Disclosure
• Conditions under which PHI may be used or disclosed for payment purposes:
1. Billing and collections
2. Determining health plan eligibility
3. Disclosures to consumer reporting agencies
Understanding Incidental Use and Disclosure
DHHS acknowledges that incidental use and disclosure of confidential information may occur in the course of daily operations.
Incidental use and disclosure will not be considered a violation of the privacy rule if you have taken reasonable safeguards and meet the minimum necessary requirements.
Use and Disclosure
• The individual who is the subject of the disclosure must provide authorization.
• In the case of a disclosure (phone or in person) the individual must be verified by obtaining two pieces of identifiable information. This must be documented.
• Disabled or deceased individuals (and previous employees) are also protected. Proof of power of attorney is required from the individual who is requesting information.
“Minimum Necessary”
Do your policies and procedures support the “minimum necessary”?
Create Protected Health Information (PHI) “firewalls”
• Establish an “accounting” procedure to track uses and releases of PHI.
• Limit access to those employees that require it (“minimum necessary”).
“Minimum necessary” use:
• Must identify persons or classes of persons who need access to PHI to carry out their duties.
• Must identify the categories of PHI for each person or class of persons (job descriptions are one of the most common sources).
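One way to implement the role-based “minimum necessary” check, the two-identifier verification for phone or in-person releases, and the accounting of uses and releases described in the slides above, as an added example that is not part of the original deck; the role matrix, role names, patient ids and the six-year retention constant are constructed for illustration:

```python
# Added example (not from the slides): a role-based "minimum necessary" check whose every
# decision is written to an accounting log of PHI uses and releases. Data below is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Classes of persons -> PHI categories their duties require (constructed; derive from job descriptions)
ROLE_PHI_CATEGORIES = {
    "front_desk": {"demographics", "insurance"},
    "billing": {"demographics", "insurance", "procedure_codes"},
    "clinician": {"demographics", "clinical_notes", "medications", "procedure_codes"},
}
RETENTION = timedelta(days=6 * 365)  # slides: maintain documentation for six years


@dataclass
class Entry:
    when: datetime
    actor: str
    role: str
    patient_id: str
    categories: frozenset
    channel: str  # "internal", "phone" or "in_person"
    permitted: bool
    reason: str


@dataclass
class PhiAccounting:
    """Accounting of uses and releases of PHI; denied requests are recorded too."""
    entries: list = field(default_factory=list)

    def decide(self, actor, role, patient_id, categories, channel,
               identifiers_verified, now=None):
        """True only if within the role's minimum necessary and (phone/in person) verified."""
        now = now or datetime.now(timezone.utc)
        wanted = frozenset(categories)
        excess = wanted - ROLE_PHI_CATEGORIES.get(role, set())
        if excess:
            ok, why = False, "exceeds minimum necessary: " + ", ".join(sorted(excess))
        elif channel in ("phone", "in_person") and identifiers_verified < 2:
            ok, why = False, "requester not verified with two pieces of identifying information"
        else:
            ok, why = True, "within role and verified"
        self.entries.append(Entry(now, actor, role, patient_id, wanted, channel, ok, why))
        return ok

    def purge_expired(self, now=None):
        """Drop entries past the six-year retention; return how many were dropped."""
        now = now or datetime.now(timezone.utc)
        before = len(self.entries)
        self.entries = [e for e in self.entries if now - e.when < RETENTION]
        return before - len(self.entries)
```

Denied requests are logged with the reason, so the accounting log also shows where a role's documented categories do not match what staff actually ask for.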
Maintain Documentation
• All necessary policies and procedures.
• Ensure changes to policies and procedures are not implemented until documented and appropriate persons are notified.
• Maintain documentation for six years, unless a longer period applies.
• Business Associate contracts
• Patient acknowledgement of privacy policies
• Authorization forms
• Notices and amended notices
• Training of employees
• Patient complaints and their disposition (this must be documented on the complaint form and forwarded to FCCRMC)
Security Rule (Section 264 of HIPAA)
Final Rule published February 20, 2003. DHHS tried to more closely align the security regulations with the final privacy regulations.
Why a Security Rule?
Protecting PHI becomes more important as businesses transition to a paperless environment.
Purpose of the Security Rule
To protect electronic patient health information (PHI) in three ways:
1. Confidentiality - PHI concealed from people who do not have the right to see the information
2. Integrity - information has not been improperly changed or deleted
3. Availability - healthcare provider can access the information when it is needed
Understanding the Intersection of Privacy and Security
Security encompasses the measures organizations must take to protect information within their possession from internal and external threats.
Privacy is the consumer’s view of the way his/her information is treated.
• Privacy: the privacy rule mandates that entities safeguard all PHI, no matter what the form.
• Security: the security rule focuses on requirements for safeguarding PHI in electronic form through policies, procedures and technology, in order to preserve the confidentiality, integrity, and availability of electronic PHI.
Areas Where the Privacy Rule Requires Implementation of Security
• Reasonable safeguards
• Limit information to minimum necessary access.
• Individual accounting of disclosures outside of TPO releases.
Security
The proposed security standard is divided into four categories:
1) Administrative procedures
2) Physical safeguards
3) Technical data security services
4) Technical security mechanisms
Administrative Procedures
• Ensure that security plans, policies, procedures, training and contractual agreements exist.
• Establish an employee termination policy.
• Security incident reporting system (report, respond, repair).
• Procedures that address staff responsibilities for protecting data.
Physical Safeguards
These safeguards protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion. The use of locks, keys, and administrative measures used to control access to computer systems and facilities are also included.
• Facility security plan
• Visitor sign-in
• Workstation use
• Monitor position
• Log off terminal
• Screen saver
• Terminal timeout
• Maintenance records
Technical Data Security Services
These include the processes used to protect, control, and monitor information access. Provide specific authentication, authorization, access and audit controls to prevent improper access to PHI. Guard data integrity, confidentiality and availability.
Technical Security Mechanisms
These include the processes used to prevent unauthorized access to data transmitted over a communications network.
• Encryption
• System alarms
• Audit trails
• Passwords
Specific Ways Staff Can Help
• Manage their password
• Identify and keep out malicious software
• Use workstations properly
• Know the practice’s sanction policies
• Learn and follow the practice’s policies and procedures
Manage Your Password
• When creating a password use a combination of letters and numbers
– Choose a song, a saying, a poem - something easy to remember
– Do not allow staff to write their password anywhere
– Use a separate password for personal accounts
• Once your staff members have a password
– Encourage them not to share it with anyone
– Change passwords according to policy (at least every 12 months)
– Encourage staff to use the same password for all of their accounts/programs.
• Ask your staff to report the following immediately:
– Someone has learned their password (change it immediately)
– Their account has been used by someone other than themselves
Identify and Keep Out Malicious Software
• Warning signs that indicate a workstation may be infected
– System is running particularly slow
– Storage capacity is suddenly at the maximum
– Activity on the computer at unusual times
– Activity logs erased
– Warnings from monitoring software that you have a virus in the computer
Safety measures to teach your staff
• Open email attachments only from known sources
• Clear the use of Instant Messaging programs with our ISO
• Use desktop firewall settings established by our ISO
• Use office computers only for practice business
• Don’t download or install software without ISO approval
Use Workstations Properly
• Position monitor so others, especially visitors, cannot see the screen
• Staff should log off workstations (or activate the password-protected screen saver) when they are:
– Finished with a task
– Leaving the area and can’t see the workstation
– Letting a new user log on with their own password
Warning!
Time outs are a protection system for when you forget to log off. Do not change the timer!
Use Workstations Properly (cont’d)
• Threats to a network
– Devices introducing viruses into the system - CDs, floppies, iPods, USB drives, Palm Pilots
– Family members or friends using practice computers in off-hours can introduce viruses and expose patient data
– Web surfing for personal enjoyment
– Downloading free programs or music from the Internet onto office machines can introduce viruses
• Protect your private information
– Implement policies about what is allowed in emails and when they are to be deleted
– Encrypt documents for storage and transmission as directed by your IT department
– Report the loss of any equipment which might contain identifiable health information to your IT department.
Consequences for Violations
• Intentional infractions may lead directly to dismissal.
• Infractions can result in civil and governmental penalties for the violator, as well as for those responsible for implementing and monitoring our security policies.
• Knowingly misusing patient information (in electronic form or any form) is a felony under HIPAA.
Security Risks are Real
1. 24,000 complaints filed
2. 18,529 complaints closed
3. 362 cases sent to the Department of Justice; only 39 accepted
4. 32% of the cases opened were closed with no violations found
5. 57% had to implement a corrective action plan
Key Points
• Ensure your HIPAA policies and procedures are updated and that their location is known by all applicable staff.
• Provide initial training at hire and annually thereafter. Use the group attendance log as documentation.
• Maintain separate employee health files.
• Keep all protected information in a limited access area and under lock and key.