A HIPAA Roadmap Past, Present and Future … A Review

Date post: 12-Feb-2016
Description:
A HIPAA Roadmap Past, Present and Future … A Review. LBA Healthcare Consulting Services, LLC. LeeAnn Brust, RN, MBA, CPC, CCP, CMPE, (904) 396-4015. Health Insurance Portability and Accountability Act, enacted in 1996. PowerPoint PPT presentation.
Transcript
Page 1: A HIPAA Roadmap Past, Present and Future … A Review

A HIPAA Roadmap
Past, Present and Future … A Review

LBA Healthcare Consulting Services, LLC
LeeAnn Brust, RN, MBA, CPC, CCP, CMPE
(904) 396-4015

Page 2: Health Insurance Portability and Accountability Act

Enacted in 1996. Congress called for the Department of Health & Human Services to develop standards and requirements for the electronic transmission of health information.

Administrative Simplification (AS) Provision

Page 3: Administrative Simplification (Part C of Title XI)

This aspect of the HIPAA law requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for the maintenance and transmission of health information that identifies individual patients.

Page 4: What are the Standards Designed to do?

Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for administrative and financial transactions.

Protect the security and confidentiality of electronic health information.

Page 5: Who must Comply with HIPAA?

All healthcare organizations that maintain or transmit electronic health information must comply, including health plans, health care clearinghouses, and health care providers, from large integrated systems to individual providers.

Page 6: Six Key Areas of HIPAA

1. Standardization of Electronic Transactions and Code Sets
2. Privacy
3. Security
4. National Provider Identifiers
5. Electronic Signatures
6. Electronic Medical Records

Page 7: Penalties for Failure to Comply

$100 per person per violation. May not exceed $25,000 for a violation of a single standard per calendar year. The HHS Office of Civil Rights (OCR) has been charged with enforcement.

Page 8: Wrongful Disclosure of Individually Identifiable Health Information

Wrongful disclosure offense: $50,000, imprisonment of not more than one year, or both.

Offense under false pretenses: $100,000, imprisonment of not more than 5 years, or both.

Page 9: Wrongful Disclosure of Individually Identifiable Health Information (cont’d)

Offense with intent to sell information: $250,000, imprisonment of not more than 10 years, or both.

Page 10: EDI standards apply to nine specific transactions

1. Health claims or the equivalent encounter information;
2. Pharmacy transactions: National Council for Prescription Drug Programs (NCPDP);
3. Health claims attachment;
4. Health plan enrollments and dis-enrollments;

Page 11: EDI standards apply to nine specific transactions (cont’d)

5. Health plan eligibility;
6. Health care payment and remittance advice;
7. Health plan premium payments;
8. Health claim status;
9. Referral certification and authorization.

Page 12: Privacy Rule, Section 264 of HIPAA

DHHS published the final regulations on December 28, 2000.

The legislation with modifications was finalized on August 14, 2002, with a final compliance date of April 2003 (Federal Register).

Page 13: Business Associates

Do you have Business Associate contracts for all business relationships where exposure to PHI might be possible?

Page 14: Government Access to PHI

• Government-operated health plans and providers are subject to the same HIPAA requirements as all other health care organizations.

• The Office of Civil Rights is granted access to PHI, but only for investigative or enforcement purposes, and the information OCR requests will be limited and protected.

• Regulations allow certain disclosures to be made for law enforcement purposes, but any state law that has tighter limits on such uses and disclosures of PHI will control.

Page 15: Payment Disclosure

• Conditions under which PHI may be used or disclosed for payment purposes:

1. Billing and collections
2. Determining health plan eligibility
3. Disclosures to consumer reporting agencies

Page 16: Understanding Incidental Use and Disclosure

DHHS acknowledges that incidental use and disclosure of confidential information may occur in the course of daily operations.

Incidental use and disclosure will not be considered a violation of the Privacy Rule if you have taken reasonable safeguards and meet the minimum necessary requirements.

Page 17: Use and Disclosure

• The individual who is the subject of the disclosure must provide authorization.

• In the case of a disclosure (by phone or in person) the individual must be verified by obtaining two pieces of identifying information. This must be documented.

• Disabled or deceased individuals (and previous employees) are also protected. Proof of power of attorney is required from the individual who is requesting information.

Page 18: “Minimum Necessary”

Do your policies and procedures support “minimum necessary”?

Page 19: Create Protected Health Information (PHI) “firewalls”

Establish an “accounting” procedure to track uses and releases of PHI.

Limit access to those employees that require it (“minimum necessary”).

Page 20: Create PHI “firewalls” (cont’d)

“Minimum necessary” use:

Must identify persons or classes of persons who need access to PHI to carry out their duties.

Must identify the categories of PHI for each person or class of persons (job descriptions are one of the most common areas for this).

Page 21: Maintain Documentation

All necessary policies and procedures. Ensure changes to policies and procedures are not implemented until documented and appropriate persons are notified.

Maintain documentation for six years, unless a longer period applies.

Page 22: Maintain Documentation (cont’d)

Business Associate contracts
Patient acknowledgement of privacy policies
Authorization forms
Notices and amended notices
Training of employees
Patient complaints and their disposition (this must be documented on the complaint form and forwarded to FCCRMC)

Page 23: Security Rule, Section 264 of HIPAA

Final Rule published February 20, 2003. DHHS tried to more closely align the security regulations with the final privacy regulations.

Page 24: Why a Security Rule?

Protecting PHI becomes more important as businesses transition to a paperless environment.

Page 25: Purpose of the Security Rule

To protect electronic patient health information (PHI) in three ways:

1. Confidentiality - PHI is concealed from people who do not have the right to see the information
2. Integrity - information has not been improperly changed or deleted
3. Availability - the healthcare provider can access the information when it is needed

Page 26: Understanding the Intersection of Privacy and Security

Page 27:

Security encompasses the measures organizations must take to protect information within their possession from internal and external threats.

Page 28:

Privacy is the consumer’s view of the way his/her information is treated.

Page 29:

• Privacy: The Privacy Rule mandates that entities safeguard all PHI, no matter what the form.

• Security: The Security Rule focuses on requirements for safeguarding PHI in electronic form through policies, procedures, and technology, in order to preserve the confidentiality, integrity, and availability of electronic PHI.

Page 30: Areas Where the Privacy Rule Requires Implementation of Security

• Reasonable safeguards

• Limit information to minimum necessary access.

• Individual accounting of disclosures outside of TPO releases.

Page 31: Security

The proposed security standard is divided into four categories:

1) Administrative procedures
2) Physical safeguards
3) Technical data security services
4) Technical security mechanisms

Page 32: Administrative Procedures

Ensure that security plans, policies, procedures, training and contractual agreements exist.

Establish an employee termination policy.

Security incident reporting system (report, respond, repair).

Procedures that address staff responsibilities for protecting data.

Page 33: Physical Safeguards

These safeguards protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion.

The use of locks, keys, and administrative measures to control access to computer systems and facilities is also included.

Page 34: Physical Safeguards (cont’d)

Facility security plan
Visitor sign-in
Workstation use
Monitor position
Log off terminal
Screen saver
Terminal timeout
Maintenance records

Page 35: Technical Data Security Services

These include the processes used to protect, control, and monitor information access. Provide specific authentication, authorization, access and audit controls to prevent improper access to PHI. Guard data integrity, confidentiality and availability.
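The following is an added example, not part of the presentation, showing what pages 19 and 20 (identify the classes of persons who need PHI and the categories each class may use, and keep an accounting of releases) and page 35 (authorization, access and audit controls) look like when turned into code. The job classes, PHI categories, users and the purpose labels are all hypothetical; the six-year retention window and the exclusion of treatment, payment and operations (TPO) releases from the individual accounting follow the deck's own pages 21 and 30.

```python
"""Minimum-necessary access check with an accounting-of-disclosures log.

Added example (not from the presentation). Role names, PHI categories and
the sample users are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical minimum-necessary matrix: job class -> PHI categories it may use.
# In practice this is derived from the job descriptions the slides mention.
NEED_TO_KNOW = {
    "receptionist": {"demographics"},
    "nurse": {"demographics", "clinical"},
    "physician": {"demographics", "clinical", "insurance"},
    "billing_clerk": {"demographics", "insurance", "claims"},
}

# Treatment, payment and health care operations (TPO) releases are excluded from
# the individual's accounting of disclosures; everything else granted is listed.
TPO_PURPOSES = {"treatment", "payment", "operations"}

RETENTION = timedelta(days=6 * 365)  # documentation is kept six years


@dataclass
class AccessEvent:
    when: datetime
    actor: str
    role: str
    patient_id: str
    category: str
    purpose: str
    recipient: str
    granted: bool


@dataclass
class PhiGateway:
    """Every request, granted or denied, is appended to the audit log."""
    roles: dict                        # actor -> job class
    log: list = field(default_factory=list)

    def request(self, actor, patient_id, category, purpose, now, recipient="internal"):
        role = self.roles.get(actor)   # an actor with no assigned class is denied
        granted = role is not None and category in NEED_TO_KNOW.get(role, set())
        self.log.append(AccessEvent(now, actor, role or "unknown", patient_id,
                                    category, purpose, recipient, granted))
        return granted

    def accounting_of_disclosures(self, patient_id, now):
        """Releases the patient is entitled to see: granted, non-TPO, within retention."""
        return [e for e in self.log
                if e.patient_id == patient_id and e.granted
                and e.purpose not in TPO_PURPOSES
                and now - e.when <= RETENTION]


def demo():
    """Constructed scenario; returns the decisions and the accounting for P-001."""
    gw = PhiGateway(roles={"alice": "receptionist", "bob": "physician",
                           "carol": "billing_clerk"})
    t = datetime(2016, 2, 12, 9, 0, tzinfo=timezone.utc)
    decisions = [
        gw.request("alice", "P-001", "clinical", "treatment", t),    # receptionist: outside need-to-know
        gw.request("bob", "P-001", "clinical", "treatment", t),      # physician: allowed, TPO, not accounted
        gw.request("carol", "P-001", "claims", "payment", t),        # billing: allowed, TPO, not accounted
        gw.request("bob", "P-001", "clinical", "public_health", t,
                   recipient="state health department"),             # allowed, non-TPO: accounted
        gw.request("dave", "P-001", "demographics", "treatment", t), # no assigned class: denied
    ]
    acct = gw.accounting_of_disclosures("P-001", t + timedelta(days=30))
    return {
        "decisions": decisions,
        "accounted_recipients": [e.recipient for e in acct],
        "log_entries": len(gw.log),
        "denied": sum(1 for e in gw.log if not e.granted),
    }


if __name__ == "__main__":
    print(demo())
```

Denied requests are logged as well as granted ones: the accounting procedure needs only the granted non-TPO releases, but the denials are what an audit of the "firewall" itself relies on.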

Page 36: Technical Security Mechanisms

These include the processes used to prevent unauthorized access to data transmitted over a communications network.

Encryption
System alarms
Audit trails
Passwords

Page 37: Specific Ways Staff Can Help

• Manage their password

• Identify and keep out malicious software

• Use workstations properly

• Know the practice’s sanction policies

• Learn and follow the practice’s policies and procedures

Page 38: Manage Your Password

• When creating a password, use a combination of letters and numbers

– Choose a song, a saying, a poem - something easy to remember

– Do not allow staff to write their password anywhere

– Use a separate password for personal accounts

Page 39: Manage Your Password (cont’d)

• Once your staff members have a password

– Encourage them not to share it with anyone

– Change passwords according to policy (at least every 12 months)

– Encourage staff to use the same password for all of their accounts/programs.

Page 40: Manage Your Password (cont’d)

• Ask your staff to report the following immediately:

– Someone has learned their password (change it immediately)

– Their account has been used by someone other than themselves

Page 41: Identify and Keep Out Malicious Software

• Warning signs that indicate a workstation may be infected

– System is running particularly slow

– Storage capacity is suddenly at the maximum

– Activity on the computer at unusual times

– Activity logs erased

– Warnings from monitoring software that you have a virus in the computer
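Two of the warning signs above, activity at unusual times and erased activity logs, can be checked mechanically rather than left to a user's impression. The script below is an added example, not part of the presentation: it reads a constructed workstation audit log (sequence number, ISO timestamp, user, action, optional detail; the format is made up for this example, a real system's will differ) and reports events outside the assumed practice hours and gaps in the sequence numbers, which are what erased entries look like in a log that numbers its records.

```python
"""Flag off-hours activity and missing audit records.

Added example (not from the presentation). The log format and the business
hours are assumptions made for the example.
"""
import re
from datetime import datetime

# Constructed sample: a slice of one workstation's audit log. Records are
# numbered consecutively when written, so a jump means something was removed.
SAMPLE_LOG = """\
1017 2016-02-11T08:02:10 alice logon
1018 2016-02-11T12:30:44 alice open_chart P-001
1019 2016-02-11T17:05:02 alice logoff
1023 2016-02-12T02:14:37 alice logon
1024 2016-02-12T02:15:09 alice export_chart P-001
1025 2016-02-12T02:20:51 alice logoff
"""

LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)(?: (.*))?$")
BUSINESS_HOURS = range(7, 19)  # assumed practice hours, 07:00 to 18:59


def parse(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        seq, ts, user, action, detail = m.groups()
        events.append({"seq": int(seq), "when": datetime.fromisoformat(ts),
                       "user": user, "action": action, "detail": detail or ""})
    return events


def off_hours(events):
    """Events whose hour falls outside BUSINESS_HOURS."""
    return [e for e in events if e["when"].hour not in BUSINESS_HOURS]


def sequence_gaps(events):
    """(previous, next) pairs where the record numbering is not consecutive."""
    seqs = [e["seq"] for e in events]
    return [(prev, cur) for prev, cur in zip(seqs, seqs[1:]) if cur != prev + 1]


def findings(text=SAMPLE_LOG):
    """Summarise both checks over a log; the default is the constructed sample."""
    events = parse(text)
    return {
        "off_hours": [(e["seq"], e["user"], e["action"]) for e in off_hours(events)],
        "gaps": sequence_gaps(events),
    }


if __name__ == "__main__":
    for key, value in findings().items():
        print(key, value)
```

On the sample this reports three events at 02:xx and one gap between records 1019 and 1023; either alone is worth a report to the ISO, and together (a gap immediately before an off-hours export of a chart) they are the pattern the slide is warning about.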

Page 42: Identify and Keep Out Malicious Software (cont’d)

Safety measures to teach your staff

• Open email attachments only from known sources

• Clear the use of instant messaging programs with our ISO

• Use desktop firewall settings established by our ISO

• Use office computers only for practice business

• Don’t download or install software without ISO approval

Page 43: Use Workstations Properly

• Position the monitor so others, especially visitors, cannot see the screen

• Staff should log off workstations (or activate the password-protected screen saver) when they are:

– Finished with a task
– Leaving the area and can’t see the workstation
– Letting a new user log on with their password

Page 44: Warning!

Time outs are a protection system for when you forget to log off.

Do not change the timer!

Page 45: Use Workstations Properly (cont’d)

• Threats to a network

– Devices introducing viruses into the system - CDs, floppies, iPods, USB drives, Palm Pilots

– Family members or friends using practice computers in off-hours can introduce viruses and expose patient data

– Web surfing for personal enjoyment

– Downloading free programs or music from the Internet onto office machines can introduce viruses

Page 46: Use Workstations Properly (cont’d)

• Protect your private information

– Implement policies about what is allowed in emails and when they are to be deleted

– Encrypt documents for storage and transmission as directed by your IT department

– Report the loss of any equipment which might contain identifiable health information to your IT department.

Page 47: Consequences for Violations

• Intentional infractions may lead directly to dismissal.

• Infractions can result in civil and governmental penalties for the violator, as well as for those responsible for implementing and monitoring our security policies.

• Knowingly misusing patient information (in electronic form or any form) is a felony under HIPAA.

Page 48: Security Risks are Real

1. 24,000 complaints filed
2. 18,529 complaints closed
3. 362 cases sent to the Department of Justice; only 39 accepted
4. 32% of the cases opened were closed with no violations found
5. 57% had to implement a corrective action plan

Page 49: Key Points

• Ensure your HIPAA policies and procedures are updated and that their location is known by all applicable staff.

• Provide initial training at hire and annually thereafter. Use the group attendance log as documentation.

• Maintain separate employee health files.

• Keep all protected information in a limited access area and under lock and key.