HIPAA PRIVACY 101, PART 1 - NCHICA · 2018-08-11 · HIPAA PRIVACY 101, PART 1 Margie Satinsky,...

1 © 2018, Satinsky Consulting, LLC.

HIPAA PRIVACY 101, PART 1

Margie Satinsky, MBA, President

Satinsky Consulting, LLC

August 13, 2018

2

PRESENTATION GOALS

• Legislative history: 1996 legislation and Title II, Subtitle F,

Administrative Simplification; HITECH Act of 2009;

Omnibus Final Rule, recent clarifications

• Goals/purpose, enforcement/penalties, audit program,

state and federal laws

• Comparison between Privacy and Security Rules

• Key components of HIPAA Privacy

• Questions and Answers

© 2018, Satinsky Consulting, LLC.

3

TAKE HIPAA SERIOUSLY!

• First HIPAA Settlement of 2018: Fresnius Medical

Care North America to pay $3.5 million to OCR to

resolve multiple potential HIPAA violations that

contributed to 5 data breaches in 2012.


4

Administrative Simplification

(Accountability)

Insurance Reform

(Portability)

Health Insurance

Portability and Accountability Act

(HIPAA)

HIPAA OVERVIEW

Transactions,

Code Sets, &

Identifiers

Compliance Date:

10/16/2002

and 10/16/2003

Privacy

Compliance Date:

4/14/2003

Security

Compliance Date:

4/20/2005

Fraud and Abuse

(Accountability)

HITECHHealth Information

Technology for

Economic and

Clinical Health

Compliance Date:

9/18/2009

Omnibus

Final Rule

Compliance Date:

9/23/2013

5

Legislative History


6

LEGISLATIVE HISTORY

• Legislative mandate – 1996

• 4 sets of standards: our focus – Privacy and

Security

• HITECH Act of 2009

• 2013 Final Omnibus Rule including Breach

Notification

• Clarifications and other rules


Legislative History Purpose/Stds/Enforcement Security Rule Comparison Key Components

7

2013 OMNIBUS FINAL RULE

• Modifies Privacy, Security, Breach Notification,

and Enforcement Rule

• Implements statutory amendments under

HITECH Act of 2009

• Strengthens privacy and security protection for

individuals’ health information



8

OMNIBUS FINAL RULE (cont’d)

• Clarifies relationship/responsibility/liability of

Covered Entities, Business Associates,

Subcontractors

• Makes Business Associates directly liable for

certain requirements

• Strengthens protection for genetic information



9


• Strengthens individual protections for use and

disclosure of PHI

• Requires modifications of NPP, BAA

• Modifies individual authorization and other

requirements to facilitate research and disclosure

of child immunization proof to schools



10


• Enables access to decedent information by family

members and others

• Adopts additional HITECH enhancements to enforcement

– i.e. increased and tiered civil monetary penalties (4 tiers)

• Revises Breach Notification Rule, adding new requirement

for risk assessment and determination of probability of

PHI’s being compromised



11


• Modifies HIPAA Privacy Rule as required by

Genetic Information Nondiscrimination Act

(GINA) to prohibit most health plans from

using or disclosing genetic information for

underwriting purposes



12

CLARIFICATIONS AND OTHER

RULES

• Conduit exception rule for certain

communications channels (e.g. telecom

companies and internet service providers but

not cloud storage services) that don’t need

Business Associate Agreements

• Related SAMHSA rule on data sharing for

substance abuse records

• General Data Protection Regulation (GDPR)



13

RELATIONSHIP BETWEEN FEDERAL

AND STATE LAWS

• HIPAA preempts contrary state laws except if state law

‒ Is necessary to prevent fraud and abuse

‒ Regulates insurance or health plans

‒ Serves compelling physical safety or welfare need

‒ Regulates controlled substance

• State law preempts HIPAA if law

‒ Relates to PHI and is more protective than HIPAA

‒ Relates to disease reporting, child abuse, or public health

‒ Authorizes or prohibits disclosure of PHI about a minor to a

parent or guardian



14

Goals/Purpose,

Enforcement/Penalties,

Audit Program


15

GOALS AND PURPOSE

• Two goals

Administrative simplification (applies to transaction and code

sets standards)

Insurance portability

• Purpose of legislation

Improve efficiency of healthcare delivery

Protect privacy and security of IIHI/PHI

Empower patients by giving them new rights with respect to

their PHI



16

ENFORCEMENT AND PENALTIES

• DHHS Office of Civil Rights (OCR): complaint

investigation within 180 days of occurrence

• Department of Justice (DOJ): investigation of

criminal violations

• States’ Attorneys General: civil actions on

behalf of state residents; civil monetary

penalties

• Usually state preemption of federal law



17

ENFORCEMENT AND PENALTIES

• Civil penalties: $100 - $50,000 per violation

depending on culpability

• Criminal penalties: up to $250,000

• Imprisonment: up to 10 years



18

HITECH ACT AUDIT PROGRAM

• Focus on compliance with Privacy, Security and Breach

Notification Rules

• Applies to Covered Entities and Business Associates selected by

OCR with “wide a range of types and sizes as possible”

• Goal: identify and correct compliance deficiencies, not penalize

• Nobody’s under the radar screen

• Most common problems: no risk assessments, unacceptable

controls on user access, inadequate incident response, no

contingency planning, media reuse and destruction, encryption,

user activity monitoring, authentication/integrity, physical access

controls, Business Associate Agreements, missing policies and

procedures



19

Comparison Between

Privacy and Security Rules


20

COMPARISON OF PRIVACY AND

SECURITY RULES

• PHI (Privacy) and ePHI (Security): ePHI includes

electronic data transactions, e-mail communications,

PDAs, text pagers, web site portals, computer-generated

faxes, computer-based voice response units.

• Similarities

• Differences: scope (administrative, technical, physical)

and means for addressing (required or addressable)



21

Key Components of

HIPAA Privacy


22

IMPORTANT PRIVACY

COMPONENTS• Covered Entity, Business Associate, Agent

• Protected Health Information (PHI)

• Treatment, Payment and Operations (TPO)

• Patient Rights

• Workforce

• Privacy Official

• Notice of Privacy Practices (NPP)

• Authorization to Use and Disclose PHI

• Minimum Necessary

• Limited Data Set



23

COVERED ENTITY

• Healthcare provider: medical or dental practice, hospital,

pharmacy

• All healthcare providers that transmit healthcare

information in electronic form

• Health plan or payer

• Healthcare clearinghouse or billing service



24

BUSINESS ASSOCIATE AND AGENT

• Outside entity that routinely (not randomly) uses or

discloses PHI in order to carry out certain functions or

activities on behalf of covered entity

• Now required to comply with most Privacy and all Security

requirements

• Obligations extend to Agents (i.e. Subcontractors)

• Examples: CPA and/or attorney with access to PHI, cloud

data provider, healthcare clearinghouse, accreditation

agency, IT support and EHR/PMS vendors



25

PROTECTED HEALTH INFORMATION

(PHI)

• All individually identifiable health information that

personally identifies a patient that is transmitted or

maintained in any form or medium and is created or

received by a covered entity

• Requirements for obtaining authorization to use or

disclose PHI

• Circumstances when authorization is not required



26

TREATMENT, PAYMENT,

OPERATIONS (TPO)

• TREATMENT: provision, coordination, or management of

healthcare and related services by one or more healthcare

providers or the referral of a patient for healthcare from

one provider to another

• PAYMENT: activities conducted by the practice to obtain

reimbursement for healthcare services. Examples are

billing, claims management, collection activities,

verification of insurance coverage, and pre-certification of

services



27

TPO

• OPERATIONS

‒ Activities related to the business, clinical management,

and administrative duties of the practice

‒ Activities related to the sale, transfer, merger,

consolidation of all or part of the covered entity to or

with another covered entity that will become a covered

entity as a result of the transaction, including due

diligence activities



28

PATIENT RIGHTS

• Right to review and copy PHI

• Right to request that PHI be sent to patient electronically

• Right to request amendment/modification of PHI

• Right to request alternative method of communication

• Right to request limitation and restriction of PHI

• Right to request accounting of disclosures of PHI

• Right to request information not be sent to payer if patient pays

out-of-pocket in full

• Right to opt out of fund-raising and approve use and disclosure of

PHI for marketing and sales purposes

• Practice retains right to deny requests in most cases



29

WORKFORCE

• All full time, part time, and temporary employees,

volunteers, students/residents

• Suggestions for workforce compliance

• Workforce confidentiality statements and checklists

‒ Insertion of HIPAA language into all job descriptions

and employee handbook

• Disciplinary action for continuing and deliberate violation

of HIPAA and Privacy Rule requirements (but not

“incidental disclosure of PHI”)



30

PRIVACY OFFICIAL

• Individual responsible for developing,

implementing, and monitoring Privacy Rule

requirements

• Practice or office manager or designee

• Point person in each location if multiple sites



31

NOTICE OF PRIVACY PRACTICES

• Requirement to post and make available to patients

• Good places to post NPP: waiting area and back

• Distribution to patients/parents at front desk

• Availability on organization Website

• Indication in medical record that patient reviewed or

declined to review NPP

• New language must comply with HITECH Act of 2009 and

Omnibus Rule



32

AUTHORIZATION TO USE AND

DISCLOSE PHI• Description of what information will be used and/or disclosed

and how use/disclosure will occur

• Name/signature of person(s) that may use/disclose

information

• Patient/representative ability to limit/restrict use/disclosure of

specific information (e.g. substance abuse, pregnancy)

• Patient/representative ability to modify or revoke

• Description of purpose of use/disclosure

• Signature and date

• Expiration date



33

MINIMUM NECESSARY

• Requirement to use or disclose only the information

needed

• Exceptions:

– Disclosures to or requests by providers for treatment

– Disclosures to individuals

– Uses/disclosures with an authorization

– Disclosures to DHHS/OCR for enforcement



34

LIMITED DATA SET

• For research, public health and healthcare operations

• Required removal of direct identifiers

• Allowable use of ZIP codes, ZIP+ 4, dates and ages

• Required data use agreement

• Limited data set still qualifies as PHI



35

Questions and Answers


36

COMMONLY ASKED QUESTIONS

• Employees who are also patients: appointment

scheduling, changing information in chart, employee

checking appointment time for family member who forgot,

making appointment for family member if not listed on

HIPAA form

• Provision of info on delivery to insurance company without

patient written consent

• Provision of medical records and test results generated by

someone other than practice – i.e. redisclosure

• Provision of information to generic “driver”


37

MORE QUESTIONS

• Inactive patient with outstanding balance – handling

requests for prescription refills

• Minors and HIPAA forms

• Calls to schedule and confirm appointments


38

Margie Satinsky, MBA, President

Satinsky Consulting, LLC

919 383-5998 919 309-0109 (FAX)

[email protected]

www.satinskyconsulting.com


mailto:[email protected]

http://www.satinskyconsulting.com/

Date post:	17-Jul-2020
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

HIPAA PRIVACY 101, PART 1 - NCHICA · 2018-08-11 · HIPAA PRIVACY 101, PART 1 Margie Satinsky,...

Documents