Date post: 29-May-2020
HIPAA 101 September 28, 2014
Transcript
Page 1: HIPAA 101 September 28, 2014 · notification of the breach is required ... Avoid the copy paper box top next to the desk ... breach When it comes to HIPAA, the old adage is true,

HIPAA 101

September 28, 2014

Page 2

Health Insurance Portability and Accountability Act of 1996

It was designed to:

• Make health insurance portable
• Move health care onto a nationally standardized electronic billing platform
• Prevent fraud, waste and abuse in the health care system

Page 3

There are two parts to HIPAA

• Privacy Rule – What we have to protect
• Security Rule – How we have to protect it

Page 4

Protected Health Information (PHI) is individually identifiable health information that is:

• Created or received by a health care provider, health plan, employer, or health care clearinghouse, and that
• Relates to the past, present, or future physical or mental health or condition of an individual;
• Relates to the provision of health care to an individual; or
• Relates to the past, present or future payment for the provision of health care to an individual.

Page 5

PHI is so much more than just the medical record.

PHI includes information by which the identity of a patient can be determined with reasonable accuracy and speed, either directly or by reference to other publicly available information.

Page 6

• Names
• Medical Record Numbers
• Social Security Numbers
• Account Numbers
• License/Certification numbers
• Vehicle Identifiers/Serial numbers/License plate numbers
• Internet protocol addresses
• Health plan numbers
• Full face photographic images and any comparable images

Page 7

• Web universal resource locators (URLs)
• Any dates related to any individual (date of birth)
• Telephone numbers
• Fax numbers
• Email addresses
• Biometric identifiers including finger and voice prints
• Any other unique identifying number, characteristic or code

Page 8

You may ask, what is the risk if someone has identifiable information?

• Corruption of the medical record
• Identity theft

Quinzella Romer

Page 9

The Minimum Necessary doctrine seems to trip up a lot of organizations, both in terms of over-disclosing and in “handcuffing”.

Use or disclose/release only the minimum necessary to accomplish the intended purposes of the use, disclosure, or request.

Page 10

• Internal – what information is needed for the staff member to be able to perform his or her job?
• External – only that information needed to accomplish the purpose for which the request was made

Page 11

HIPAA provides for use/disclosure without authorization for:

• Treatment – providing care
• Payment – getting paid for that care
• Operations – normal business activities of the health care provider

Page 12

• Every Covered Entity must have a Privacy Officer, and the designation must be in writing – board resolution
• The designated person to receive and address all privacy-related complaints
• Staff HIPAA training

Page 13

Administrative, physical and technical safeguards

• Limit intentional or unintentional use or disclosure of PHI
• Even those that occur as a result of a permitted use (e.g. conversations in the hallway)

Page 14

• Having policies that comply with the Privacy and Breach Notification rules is not enough
• Without written procedures the policy is not viewed as being effective
• Essential to review policies and procedures periodically and note the review date on the document

Page 15

What is a breach?

An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless it can be demonstrated, through a risk assessment, that there was a low probability the PHI was compromised.

Page 16

Unsecured – PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or method required by the rule

Encryption = secured

Page 17

Pursuant to the Final Rule there is a 4 factor test:

• The nature and extent of the PHI involved (types of identifiers and likelihood of re-identification)
• To whom was the disclosure made (who saw the PHI)
• Was the PHI actually viewed
• How was the risk mitigated
Page 18

• Essential the risk assessment be thorough, performed in good faith and based on facts
• If the risk assessment demonstrates anything other than a low probability of compromise, notification of the breach is required

Page 19

• Over 500 individuals affected requires notification to media and immediate reporting to OCR
• Less than 500 individuals affected does not require media notification and can be reported on an annual basis
• Both require notice to the individuals affected

Page 20

• Cannot over-emphasize the importance of conducting a Security Risk Assessment
• Phase 2 audits by OCR are starting now
• Without a Security Risk Assessment you are behind the 8 ball

Page 21

• Administrative safeguards – policies and procedures
• Technical – firewalls, security patches, etc.
• Physical – Where do we put the copier?

Page 22

• Required Specifications
• Addressable Specifications

Page 23

Access audits – a regular system of monitoring activity within the system

• System troubleshooting
• Monitor policy enforcement
• Mitigate risks of a security incident
• Monitor employee activities within the record – click path audit

Page 24

• Faxes
• Automobiles
• Mobile devices
  • Catholic Health Care Services – lost iPhone resulted in $600,000 settlement

Page 25

• Paper – locked shred bins. Avoid the copy paper box top next to the desk
• Electronic media – certified shredder or blunt destruction
• Essential to have a policy on how documents or media containing PHI are disposed of

Page 26

What is a Business Associate?

A company or person that performs or assists in the performance of a function or activity involving the use or disclosure of PHI (could include legal, accounting, etc.)

VERY important to know who your Business Associates are

Page 27

North Memorial Health Care of Minnesota

An unencrypted, password-protected laptop with PHI of nearly 10,000 individuals was stolen from the locked vehicle of an employee of a Business Associate

Page 28

• North Memorial did not have a business associate agreement in place with the company, yet gave the company access to the information systems of the hospital
• Failed to conduct a system-wide risk assessment to determine the vulnerabilities of the system
• 1.55 million dollar settlement

Page 29

• No longer complaint-based enforcement; now affirmative cases brought by OCR
• Penalties and settlements are growing
• Public is becoming hypersensitive to impermissible use/disclosure of protected information as the result of the increase in cyber crimes

Page 30

• Minimum – $10,000 per violation with an annual maximum of $250,000 for repeat violations
• Maximum – $50,000 per violation with an annual maximum of $1.5 million for repeat violations

Page 31

• New policies – easy to understand, easy to follow
• Risk Assessment – in process
• Considering options for addressing identified risks (encryption, mobile devices, paper record storage, etc.)
• Increased level of awareness

Page 32

Two kinds of organizations – those who have had a breach and those who are about to have a breach

When it comes to HIPAA, the old adage is true: an ounce of prevention is worth a pound of cure

Page 33

Gary N. Jones J.D. CHC, CHPC

[email protected]

Midwest Compliance Associates, LLC

721 W. 1st Street

Cedar Falls, Iowa 50613
