HIPAA 101
September 28, 2014
Health Insurance Portability and Accountability Act of 1996
It was designed to:
• Make health insurance portable
• Move health care onto a nationally standardized electronic billing platform
• Prevent fraud, waste and abuse in the health care system
There are two parts to HIPAA
• Privacy Rule – What we have to protect
• Security Rule – How we have to protect it
Protected Health Information (PHI) is individually identifiable health information that is created or received by a health care provider, health plan, employer, or health care clearinghouse and that:
• Relates to the past, present, or future physical or mental health or condition of an individual;
• Relates to the provision of health care to an individual; or
• Relates to the past, present or future payment for the provision of health care to an individual.
PHI is so much more than just the medical record.
PHI includes information by which the identity of a patient can be determined with reasonable accuracy and speed, either directly or by reference to other publicly available information.
• Names
• Medical record numbers
• Social Security numbers
• Account numbers
• License/certification numbers
• Vehicle identifiers/serial numbers/license plate numbers
• Internet protocol addresses
• Health plan numbers
• Full face photographic images and any comparable images
• Web universal resource locators (URLs)
• Any dates related to any individual (date of birth)
• Telephone numbers
• Fax numbers
• Email addresses
• Biometric identifiers including finger and voice prints
• Any other unique identifying number, characteristic or code
You may ask, what is the risk if someone has identifiable information?
• Corruption of the medical record
• Identity theft
Quinzella Romer
The Minimum Necessary doctrine seems to trip up a lot of organizations, both in terms of over-disclosing and in “handcuffing”.
Use or disclose/release only the minimum necessary to accomplish the intended purposes of the use, disclosure, or request.
• Internal – what information is needed for the staff member to be able to perform his or her job?
• External – only that information needed to accomplish the purpose for which the request was made
HIPAA provides for use/disclosure without authorization for:
• Treatment – providing care
• Payment – getting paid for that care
• Operations – normal business activities of the health care provider
Every Covered Entity must have a Privacy Officer, and the designation must be in writing – board resolution.
The Privacy Officer is the designated person to receive and address all privacy-related complaints.
Staff HIPAA training
Administrative, physical and technical safeguards
Limit intentional or unintentional use or disclosure of PHI, even those that occur as a result of a permitted use (e.g. conversations in the hallway).
Having policies that comply with the Privacy and Breach Notification rules is not enough. Without written procedures the policy is not viewed as being effective.
It is essential to review policies and procedures periodically and note the review date on the document.
What is a breach?
An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless it can be demonstrated there was a low probability the PHI was compromised, as shown through a risk assessment.
Unsecured – PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or method required by the rule.
Encryption = secured
Pursuant to the Final Rule there is a 4-factor test:
• The nature and extent of the PHI involved (types of identifiers and likelihood of re-identification)
• To whom was the disclosure made (who saw the PHI)
• Was the PHI actually viewed
• How was the risk mitigated
It is essential that the risk assessment be thorough, performed in good faith and based on facts.
If the risk assessment demonstrates anything other than a low probability of compromise, notification of the breach is required.
• Over 500 individuals affected requires notification to the media and immediate reporting to OCR
• Fewer than 500 individuals affected does not require media notification and can be reported on an annual basis
• Both require notice to the individuals affected
Cannot overemphasize the importance of conducting a Security Risk Assessment.
Phase 2 audits by OCR are starting now. Without a Security Risk Assessment you are behind the 8 ball.
• Administrative safeguards – policies and procedures
• Technical – firewalls, security patches, etc.
• Physical – Where do we put the copier?
Required Specifications
Addressable Specifications
Access audits – a regular system of monitoring activity within the system
• System troubleshooting
• Monitor policy enforcement
• Mitigate risks of a security incident
• Monitor employee activities within the record – click path audit
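To make the click path audit concrete, here is an added example (not part of the presentation, and not any vendor's product) of the kind of check an access audit runs over EHR access logs: each record view is compared against a list of patients the user is assigned to, views with no treatment relationship are flagged, and a user who browses more unassigned records than a policy threshold is flagged again. The log format, the assignment table, the user names and the threshold of 2 are all constructed assumptions for the example.

```python
"""Toy click-path audit over EHR access-log lines (added example, constructed data)."""
from collections import defaultdict

# Constructed sample log lines: timestamp, user, action, medical record number (MRN).
SAMPLE_LOG = """\
2014-09-28T08:01:12 user=nurse_a action=view mrn=10001
2014-09-28T08:03:40 user=nurse_a action=view mrn=10002
2014-09-28T08:10:05 user=clerk_b action=view mrn=10001
2014-09-28T08:11:30 user=clerk_b action=view mrn=10003
2014-09-28T08:12:01 user=clerk_b action=view mrn=10004
2014-09-28T08:12:44 user=clerk_b action=view mrn=10005
2014-09-28T09:00:00 user=dr_c action=view mrn=10002
"""

# Constructed "treatment relationship" table: the patients each user is assigned to.
# In a real system this would come from scheduling / care-team data (assumption).
ASSIGNMENTS = {
    "nurse_a": {"10001", "10002"},
    "clerk_b": {"10001"},
    "dr_c": {"10002"},
}

# Policy threshold (assumption): more than this many unassigned record views
# in the audited window is treated as record browsing rather than a one-off.
MAX_UNASSIGNED_VIEWS = 2


def parse_line(line):
    """Split one 'ts key=value key=value' log line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, **fields}


def audit(log_text, assignments, threshold=MAX_UNASSIGNED_VIEWS):
    """Return a list of findings: one per view without a treatment relationship,
    plus one 'excessive_browsing' finding per user over the threshold."""
    unassigned = defaultdict(list)
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["action"] != "view":
            continue
        # Minimum necessary, internal view: does this user need this record for their job?
        if rec["mrn"] not in assignments.get(rec["user"], set()):
            unassigned[rec["user"]].append(rec["mrn"])
            findings.append({
                "type": "no_treatment_relationship",
                "user": rec["user"],
                "mrn": rec["mrn"],
                "ts": rec["ts"],
            })
    for user, mrns in unassigned.items():
        if len(mrns) > threshold:
            findings.append({"type": "excessive_browsing", "user": user, "count": len(mrns)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, ASSIGNMENTS):
        print(finding)
```

On the constructed data, nurse_a and dr_c only view assigned patients, while clerk_b views three unassigned records and so produces three relationship findings plus one browsing finding; those are the entries a Privacy Officer would review against the Minimum Necessary policy.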
Faxes
Automobiles
Mobile devices
• Catholic Health Care Services – lost iPhone resulted in $600,000 settlement
Paper – locked shred bins. Avoid the copy paper box top next to the desk.
Electronic media – certified shredder or blunt destruction
It is essential to have a policy on how documents or media containing PHI are disposed of.
What is a Business Associate?
A company or person that performs or assists in the performance of a function or activity involving the use or disclosure of PHI (could include legal, accounting, etc.).
VERY important to know who your Business Associates are.
North Memorial Health Care of Minnesota
• An unencrypted, password-protected laptop was stolen from the locked vehicle of an employee of a Business Associate, with PHI of nearly 10,000 individuals
• North Memorial did not have a business associate agreement in place with the company, yet gave the company access to the information systems of the hospital
• Failed to conduct a system-wide risk assessment to determine the vulnerabilities of the system
• $1.55 million settlement
No longer complaint-based enforcement; now affirmative cases brought by OCR.
Penalties and settlements are growing.
The public is becoming hypersensitive to impermissible use/disclosure of protected information as the result of the increase in cyber crimes.
• Minimum – $10,000 per violation with an annual maximum of $250,000 for repeat violations
• Maximum – $50,000 per violation with an annual maximum of $1.5 million for repeat violations
New policies – easy to understand, easy to follow
Risk Assessment – in process
Considering options for addressing identified risks (encryption, mobile devices, paper record storage, etc.)
Increased level of awareness
There are two kinds of organizations – those who have had a breach and those who are about to have a breach.
When it comes to HIPAA, the old adage is true: an ounce of prevention is worth a pound of cure.
Gary N. Jones J.D. CHC, CHPC
Midwest Compliance Associates, LLC
721 W. 1st Street
Cedar Falls, Iowa 50613