© 2018, Satinsky Consulting, LLC.
HIPAA PRIVACY 101, PART 1
Margie Satinsky, MBA, President
Satinsky Consulting, LLC
August 13, 2018
PRESENTATION GOALS
• Legislative history: 1996 legislation and Title II, Subtitle F,
Administrative Simplification; HITECH Act of 2009;
Omnibus Final Rule, recent clarifications
• Goals/purpose, enforcement/penalties, audit program,
state and federal laws
• Comparison between Privacy and Security Rules
• Key components of HIPAA Privacy
• Questions and Answers
TAKE HIPAA SERIOUSLY!
• First HIPAA settlement of 2018: Fresenius Medical
Care North America agreed to pay $3.5 million to OCR to
resolve multiple potential HIPAA violations that
contributed to five data breaches in 2012.
HIPAA OVERVIEW
Health Insurance Portability and Accountability Act (HIPAA)
• Insurance Reform (Portability)
• Administrative Simplification (Accountability)
‒ Transactions, Code Sets, & Identifiers: compliance dates 10/16/2002 and 10/16/2003
‒ Privacy: compliance date 4/14/2003
‒ Security: compliance date 4/20/2005
• Fraud and Abuse (Accountability)
• HITECH (Health Information Technology for Economic and Clinical Health): compliance date 9/18/2009
• Omnibus Final Rule: compliance date 9/23/2013
Legislative History
LEGISLATIVE HISTORY
• Legislative mandate – 1996
• 4 sets of standards: our focus – Privacy and
Security
• HITECH Act of 2009
• 2013 Final Omnibus Rule including Breach
Notification
• Clarifications and other rules
2013 OMNIBUS FINAL RULE
• Modifies Privacy, Security, Breach Notification,
and Enforcement Rule
• Implements statutory amendments under
HITECH Act of 2009
• Strengthens privacy and security protection for
individuals’ health information
OMNIBUS FINAL RULE (cont’d)
• Clarifies relationship/responsibility/liability of
Covered Entities, Business Associates,
Subcontractors
• Makes Business Associates directly liable for
certain requirements
• Strengthens protection for genetic information
OMNIBUS FINAL RULE (cont’d)
• Strengthens individual protections for use and
disclosure of PHI
• Requires modifications of NPP, BAA
• Modifies individual authorization and other
requirements to facilitate research and disclosure
of child immunization proof to schools
OMNIBUS FINAL RULE (cont’d)
• Enables access to decedent information by family
members and others
• Adopts additional HITECH enhancements to enforcement
– i.e. increased and tiered civil monetary penalties (4 tiers)
• Revises Breach Notification Rule, adding new requirement
for risk assessment and determination of probability of
PHI’s being compromised
OMNIBUS FINAL RULE (cont’d)
• Modifies HIPAA Privacy Rule as required by
Genetic Information Nondiscrimination Act
(GINA) to prohibit most health plans from
using or disclosing genetic information for
underwriting purposes
CLARIFICATIONS AND OTHER
RULES
• Conduit exception rule for certain
communications channels (e.g. telecom
companies and internet service providers but
not cloud storage services) that don’t need
Business Associate Agreements
• Related SAMHSA rule on data sharing for
substance abuse records
• General Data Protection Regulation (GDPR)
RELATIONSHIP BETWEEN FEDERAL
AND STATE LAWS
• HIPAA preempts contrary state laws except if state law
‒ Is necessary to prevent fraud and abuse
‒ Regulates insurance or health plans
‒ Serves compelling physical safety or welfare need
‒ Regulates controlled substance
• HIPAA does not preempt state law (state law controls) if the state law
‒ Relates to PHI and is more stringent (more protective of the individual) than HIPAA
‒ Provides for reporting of disease or injury, child abuse, birth or death, or public health surveillance
‒ Authorizes or prohibits disclosure of PHI about a minor to a
parent or guardian
Goals/Purpose,
Enforcement/Penalties,
Audit Program
GOALS AND PURPOSE
• Two goals
‒ Administrative simplification (applies to transaction and code
set standards)
‒ Insurance portability
• Purpose of legislation
‒ Improve efficiency of healthcare delivery
‒ Protect privacy and security of IIHI/PHI
‒ Empower patients by giving them new rights with respect to
their PHI
ENFORCEMENT AND PENALTIES
• DHHS Office for Civil Rights (OCR): investigates complaints,
which must be filed within 180 days of when the complainant
knew (or should have known) of the act or omission
• Department of Justice (DOJ): investigation of
criminal violations
• States’ Attorneys General: civil actions on
behalf of state residents; civil monetary
penalties
• Federal law generally preempts contrary state law; more
stringent state law survives (see the preemption discussion above)
ENFORCEMENT AND PENALTIES
• Civil penalties: $100 - $50,000 per violation
depending on culpability
• Criminal penalties: up to $250,000
• Imprisonment: up to 10 years
HITECH ACT AUDIT PROGRAM
• Focus on compliance with Privacy, Security and Breach
Notification Rules
• Applies to Covered Entities and Business Associates selected by
OCR to cover “as wide a range of types and sizes as possible”
• Goal: identify and correct compliance deficiencies, not penalize
• Nobody is under the radar
• Most common problems: no risk assessment, weak controls on user
access, inadequate incident response, no contingency planning,
improper media reuse and destruction, missing encryption, no user
activity monitoring, weak authentication/integrity controls, poor
physical access controls, missing Business Associate Agreements,
missing policies and procedures
Comparison Between
Privacy and Security Rules
COMPARISON OF PRIVACY AND
SECURITY RULES
• PHI (Privacy) and ePHI (Security): ePHI is PHI in electronic form,
e.g. electronic data transactions, e-mail communications, PDAs,
text pagers, web portals, computer-generated faxes, computer-based
voice response units
• Similarities: both apply to Covered Entities and Business
Associates, and both require documented policies and procedures,
workforce training, and sanctions for violations
• Differences: the Security Rule covers only ePHI, organizes its
safeguards as administrative, physical, and technical, and
distinguishes required from addressable implementation
specifications; the Privacy Rule covers PHI in any form or medium
Key Components of
HIPAA Privacy
IMPORTANT PRIVACY COMPONENTS
• Covered Entity, Business Associate, Agent
• Protected Health Information (PHI)
• Treatment, Payment and Operations (TPO)
• Patient Rights
• Workforce
• Privacy Official
• Notice of Privacy Practices (NPP)
• Authorization to Use and Disclose PHI
• Minimum Necessary
• Limited Data Set
COVERED ENTITY
• Healthcare provider: medical or dental practice, hospital,
pharmacy
• All healthcare providers that transmit health information in
electronic form in connection with a HIPAA standard transaction
(e.g. claims, eligibility checks)
• Health plan or payer
• Healthcare clearinghouse or billing service
BUSINESS ASSOCIATE AND AGENT
• Outside entity that routinely (not randomly) uses or
discloses PHI in order to carry out certain functions or
activities on behalf of covered entity
• Now directly liable for certain Privacy Rule requirements and
for all Security Rule requirements
• Obligations extend to Agents (i.e. Subcontractors)
• Examples: CPA and/or attorney with access to PHI, cloud
data provider, healthcare clearinghouse, accreditation
agency, IT support and EHR/PMS vendors
PROTECTED HEALTH INFORMATION
(PHI)
• Individually identifiable health information, transmitted or
maintained in any form or medium (paper, electronic, oral), that
is created or received by a covered entity or business associate
and that identifies the patient or could reasonably be used to
identify the patient
• Requirements for obtaining authorization to use or
disclose PHI
• Circumstances when authorization is not required
TREATMENT, PAYMENT,
OPERATIONS (TPO)
• TREATMENT: provision, coordination, or management of
healthcare and related services by one or more healthcare
providers or the referral of a patient for healthcare from
one provider to another
• PAYMENT: activities conducted by the practice to obtain
reimbursement for healthcare services. Examples are
billing, claims management, collection activities,
verification of insurance coverage, and pre-certification of
services
TPO
• OPERATIONS
‒ Activities related to the business, clinical management,
and administrative duties of the practice
‒ Activities related to the sale, transfer, merger, or
consolidation of all or part of the covered entity to or
with another covered entity, or with an entity that will
become a covered entity as a result of the transaction,
including due diligence activities
PATIENT RIGHTS
• Right to access (inspect and obtain a copy of) PHI
• Right to request that PHI be sent to patient electronically
• Right to request amendment/modification of PHI
• Right to request alternative method of communication
• Right to request limitation and restriction of PHI
• Right to request accounting of disclosures of PHI
• Right to request information not be sent to payer if patient pays
out-of-pocket in full
• Right to opt out of fund-raising and approve use and disclosure of
PHI for marketing and sales purposes
• Practice may deny some requests (e.g. a restriction request other
than the self-pay restriction above), but may deny access to PHI
only in the limited circumstances the Rule permits
WORKFORCE
• All full time, part time, and temporary employees,
volunteers, students/residents
• Suggestions for workforce compliance
‒ Workforce confidentiality statements and checklists
‒ Insertion of HIPAA language into all job descriptions
and the employee handbook
‒ Disciplinary action for continuing and deliberate violation
of HIPAA and Privacy Rule requirements (but not for
“incidental disclosure of PHI”)
PRIVACY OFFICIAL
• Individual responsible for developing,
implementing, and monitoring Privacy Rule
requirements
• Practice or office manager or designee
• Point person in each location if multiple sites
NOTICE OF PRIVACY PRACTICES
• Requirement to post and make available to patients
• Good places to post NPP: waiting area and back office
• Distribution to patients/parents at the front desk
• Availability on the organization's website
• Good-faith effort to obtain the patient's written acknowledgment
of receipt; if the patient declines, document that effort in the
medical record
• New language must comply with HITECH Act of 2009 and
Omnibus Rule
AUTHORIZATION TO USE AND DISCLOSE PHI
• Description of what information will be used and/or disclosed
and how use/disclosure will occur
• Name or other identification of the person(s) authorized to make
the use/disclosure and of the person(s) to whom it may be made
• Patient/representative ability to limit/restrict use/disclosure of
specific information (e.g. substance abuse, pregnancy)
• Patient/representative ability to modify or revoke
• Description of purpose of use/disclosure
• Signature and date
• Expiration date
MINIMUM NECESSARY
• Requirement to use or disclose only the information
needed
• Exceptions:
– Disclosures to or requests by providers for treatment
– Disclosures to individuals
– Uses/disclosures with an authorization
– Disclosures to DHHS/OCR for enforcement
LIMITED DATA SET
• For research, public health and healthcare operations
• Required removal of the direct identifiers listed in the Rule
(e.g. names, street address, phone/fax, e-mail, SSN, medical
record and account numbers, device and vehicle identifiers,
URLs, IP addresses, biometrics, full-face photos)
• Allowable retention of city, state, ZIP codes, ZIP+4, dates and ages
• Required data use agreement
• Limited data set still qualifies as PHI
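Because a limited data set is a concrete transformation (strip a fixed list of direct identifiers, keep dates, ages, city/state/ZIP and clinical content), it is worth seeing as code. The following is an added example and is not from the presentation. The identifier list follows 45 CFR 164.514(e)(2); the record layout, field names and the sample patient are assumptions made for this example, and the sample values are fictitious. The residual check at the end is the kind of test a practice would run before releasing a data set under a data use agreement.

```python
"""Derive a HIPAA limited data set from a patient record.

Added example; not code from the original presentation. The list of
direct identifiers follows 45 CFR 164.514(e)(2); the record layout,
field names and sample patient are assumptions made for this example.
"""
from __future__ import annotations

import copy
from typing import Any

# The 16 direct identifiers a limited data set must strip
# (45 CFR 164.514(e)(2)), keyed by the assumed field names used here.
DIRECT_IDENTIFIERS: frozenset[str] = frozenset({
    "name",            # names
    "street_address",  # postal address other than city, state, ZIP
    "phone",           # telephone numbers
    "fax",             # fax numbers
    "email",           # e-mail addresses
    "ssn",             # Social Security numbers
    "mrn",             # medical record numbers
    "health_plan_id",  # health plan beneficiary numbers
    "account_number",  # account numbers
    "license_number",  # certificate/license numbers
    "vehicle_id",      # vehicle identifiers and serial numbers, incl. plates
    "device_id",       # device identifiers and serial numbers
    "url",             # web URLs
    "ip_address",      # IP addresses
    "biometric",       # biometric identifiers (finger, voice prints)
    "photo",           # full-face photographs and comparable images
})

# Address sub-fields that may stay: the Rule removes postal address
# information "other than town or city, State, and zip code".
ADDRESS_KEEP: frozenset[str] = frozenset({"city", "state", "zip"})


def limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `record` with the direct identifiers removed.

    Dates (birth, admission, discharge), ages, ZIP codes and clinical
    content are retained because a limited data set may contain them.
    A nested "address" mapping is reduced to city/state/zip rather than
    dropped wholesale, which is the edge case most ad-hoc scripts miss.
    """
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "address" and isinstance(value, dict):
            out["address"] = {k: v for k, v in value.items() if k in ADDRESS_KEEP}
            continue
        out[key] = copy.deepcopy(value)  # never alias the source record
    return out


def residual_direct_identifiers(record: dict[str, Any]) -> set[str]:
    """Field names (top level, or "address.<field>") that are still
    direct identifiers. An empty set means the record passes the check."""
    found = {k for k in record if k in DIRECT_IDENTIFIERS}
    addr = record.get("address")
    if isinstance(addr, dict):
        found |= {f"address.{k}" for k in addr if k not in ADDRESS_KEEP}
    return found


# Constructed sample record for this example; every value is fictitious.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "000-00-0000",
    "dob": "1961-04-09",
    "age": 57,
    "address": {"street": "1 Example Way", "city": "Durham",
                "state": "NC", "zip": "27701-1234"},
    "phone": "919-555-0100",
    "email": "jane@example.invalid",
    "admit_date": "2018-08-01",
    "discharge_date": "2018-08-04",
    "diagnosis_codes": ["E11.9", "I10"],
    "device_id": "PUMP-SN-77A",
}


if __name__ == "__main__":
    lds = limited_data_set(SAMPLE_RECORD)
    print(lds)
    print("residual identifiers:", residual_direct_identifiers(lds))
```

The output still contains birth and admission dates and a ZIP+4, so it remains PHI: it may leave the practice only for research, public health or healthcare operations, and only under a data use agreement. A second caveat the code cannot enforce: free-text fields (clinical notes) can carry names or phone numbers inside the text, so a release pipeline needs a review step for those fields as well.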
Questions and Answers
COMMONLY ASKED QUESTIONS
• Employees who are also patients: appointment
scheduling, changing information in chart, employee
checking appointment time for family member who forgot,
making appointment for family member if not listed on
HIPAA form
• Provision of info on delivery to insurance company without
patient written consent
• Provision of medical records and test results generated by
someone other than practice – i.e. redisclosure
• Provision of information to generic “driver”
MORE QUESTIONS
• Inactive patient with outstanding balance – handling
requests for prescription refills
• Minors and HIPAA forms
• Calls to schedule and confirm appointments
Margie Satinsky, MBA, President
Satinsky Consulting, LLC
919 383-5998 919 309-0109 (FAX)
www.satinskyconsulting.com