HIPAA PRIVACY AND SECURITY TRAINING State of Delaware Statewide Benefits Office & Participating groups in the Group Health Insurance Program January 2012
Page 1: HIPAA PRIVACY AND SECURITY TRAINING · HIPAA PRIVACY AND SECURITY TRAINING . State of Delaware Statewide Benefits Office & Participating groups in the Group Health Insurance Program

HIPAA PRIVACY AND SECURITY TRAINING

State of Delaware Statewide Benefits Office & Participating groups in the Group Health Insurance Program

January 2012

Page 2: WHAT IS HIPAA

Health Insurance Portability & Accountability Act

First Enacted in 1996

Function - To improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes (http://www.cms.hhs.gov/hippageninfo/downloads).

Amendments/Additions - Interim Final Regulations under the American Reinvestment and Recovery Act released August 17, 2009

Page 3: OVERVIEW OF HIPAA

HIPAA
    Title I — Health Care Access, Portability and Renewability
    Title II — Preventing Health Care Fraud and Abuse
    Title III — Tax-Related Health Provisions
    Title IV — Group Health Plan Requirements
    Title V — Revenue Offsets

Subtitle F — Administrative Simplification
    Privacy
    Information Security
    Electronic Transactions
    Code Sets
    Unique Identifiers
    Employer Identifier

Page 4: PERSONAL HEALTH INFORMATION (PHI) & INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

Personal Health Information (PHI) is information relating to the past, present or future physical or mental health of an individual (sometimes referred to as Protected Health Information).

Individually Identifiable PHI is that which identifies an individual. This could include: name, address, DOB, SS number, telephone number, email address, account number, GHP beneficiary number, or any other unique identifying number (including Empl ID#), characteristic or code.

Page 5: HIPAA PRIVACY RULE

Applies to Personal Healthcare Information (PHI) and Individually Identifiable Information.

Does not prohibit the exchange of PHI for Treatment, Payment or Healthcare Operations (TPO).

Deals with what needs to be protected. New guidelines state that an accounting of all disclosures must be maintained when someone’s information is given to another party. Additional information will be given regarding your role and responsibilities.

Page 6: HIPAA SECURITY RULE

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Page 7: WHO DOES HIPAA IMPACT?

Covered Entities - Must Comply
1 - Group health plans (fully or self-insured employer sponsored plans & health insurance issuers)
2 – Health care providers
3 – Clearinghouses (i.e., billing firms)

Business Associates – MUST Comply
4 – Firms working with covered entities. Examples include Brokers, Agents, Third Party Administrators (e.g. Blue Cross & Aetna) and Utilization Review companies.

Page 8: WHAT IS ELECTRONIC PHI?

Individually Identifiable Health Information:
    Transmitted by electronic media
    Maintained in electronic media

Page 9: ELECTRONIC MEDIA DEFINED

Stored
    Hard drives, thumb drives, networks
    Magnetic tape or disk
    Optical disk (CDs, CDRWs, DVDs)
    Digital memory card

Transmitted
    Internet
    Extranet
    Leased / dial-up lines
    VPN (private networks)
    E-mails
    Physical movement of removable/transportable storage media

Page 10: NON ELECTRONIC MEDIA

Electronic media does not include:
    Paper-to-paper faxes
    Person-to-person telephone calls

Why? Because the exchanged data did not exist in electronic form prior to the transmission.

Page 11: SECURITY STANDARDS MN-NTK!

MN – NTK: Minimum Necessary – Need to Know Basis
    Only those that need access
        Physical access
        Technical access

The plan is responsible for the confidentiality, integrity and availability of EPHI.

Internal safeguards are the first line of defense.

Page 12: PRIVACY & SECURITY OFFICIALS

Privacy Official – Brenda Lakeman, Director, Statewide Benefits Office, Office of Management and Budget.

Security Official – Jim Sills, Chief Information Officer, Department of Technology and Information (DTI).

Responsibilities:
    Selecting Privacy and Security Official Designees
    Implementing Policies and Procedures
    Ongoing review
    Periodic evaluations

Page 13: SECURITY MANAGEMENT PROCESS

    Risk Analysis
    Risk Management
    Sanction Policy
    Information System Activity Review

Page 14: SAFEGUARDS

    Workforce security
    Information access
    Facility Security plan
    Workstation use
    Device & Media controls
    Access controls (technical)

Page 15: WORKFORCE

    Authorization & Supervision
    Workforce clearance
    Termination procedures

Page 16: INFORMATION ACCESS

    Access authorization
    Access establishment and modification

Page 17: FACILITY SECURITY

    Contingency operations
    Security plan
    Control and validation
    Maintenance records

Page 18: WORKSTATION USE

Acceptable Uses:
    Passwords not shared
    Business purposes only
    Information use

Page 19: DEVICE AND MEDIA CONTROLS

    Disposal
    Re-use
    Accountability
    Backup and storage

Page 20: ACCESS CONTROL - TECHNICAL

    Unique User-ID/Password
    Strong Password
    Emergency access
    Automatic logoff
    Encryption

Due to the sensitive nature of information being received and sent by the Statewide Benefits Office, it is IMPERATIVE that emails containing PHI are transmitted using the state’s secure email application, “IRONPORT”.

Page 21: AUDIT CONTROLS

    Inventory of hardware devices
    Inventory of applications
    Audits of:
        Logon attempts
        List of valid users

Page 22: INTEGRITY

    Virus protection
    Periodic reviews of system usage

Page 23: SECURITY AWARENESS

    Training
    Security reminders
    Protection against malicious software
    Password management

Page 24: WHEN SHOULD WORKFORCE BE TRAINED?

Who
    New employees or contractors
When
    Due to changes

Page 25: SANCTIONS - VIOLATIONS

    Violations will be investigated
    Subject to disciplinary actions
    Disciplinary actions will be documented

Page 26: WHY COMPLY?

Problem / General Penalty

Person Did NOT Intentionally Release Information: At least $100/offense but not exceeding $50,000 for each violation and $1,500,000 during a calendar year

Reasonable Cause: At least $1,000/offense but not exceeding $100,000 per year

Willful Neglect, if the action is corrected: At least $10,000 per offense but not exceeding $250,000 per year

Willful Neglect, if the action is NOT corrected: At least $50,000 per offense but not exceeding $1.5 million per year

    Imprisonment
    Personal Lawsuits
    Termination

Page 27: AUDITS

Under new provisions of HIPAA by the American Reinvestment and Recovery Act (ARRA), the U.S. Department of Health and Human Services will conduct periodic reviews of covered entities to ensure correct measures are being taken.

Page 28: WHO CAN BE AUDITED?

Covered Entities
    State of Delaware Statewide Benefits Office
    Your Employing Organization!

Business Associates
    Contractors/Vendors
    Sub-Contractors

Page 29: BUSINESS ASSOCIATES

Non-covered entity that regularly obtains, processes or transmits protected health information or creates, uses or discloses PHI on behalf of covered entities.

Agencies/companies must have a Business Associate Agreement (BAA) with all contractors as applicable to ensure their dedication to protecting PHI from the state.

Example – if you are an employee of a school district or agency that deals with contractors, a BAA may be appropriate.

Page 30: BUSINESS ASSOCIATES NEW GUIDELINES AND REGULATIONS

Now directly subject to HIPAA Security Regulations.

Includes Administrative, Physical, Technical, and Additional Security Requirements under the Hi-Tech Act.

Additional requirements as they relate to the Privacy Rule must now be followed.

Directly subject to civil and criminal penalties for non-compliance. Provisions apply to a BA in the same manner as a Covered Entity.

Page 31: WHAT DOES THIS MEAN FOR MY BUSINESS ASSOCIATES?

Step 1 – Business Associates need to be notified of the impending changes.
Step 2 – If you don’t already have a Business Associate Agreement in place – Get One!
Step 3 – If you do have a BAA with the company, notify them of your intent to revise it to reflect the new HIPAA changes under ARRA.

Business Associates are now responsible for enforcing and adhering to the same regulations as Covered Entities. Make sure the BAA says so!

Page 32: SECURITY CHANGES TO THE BUSINESS ASSOCIATE CONTRACT

Business Associate must implement administrative, physical and technical safeguards that will reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, maintains or transmits on behalf of the covered entity.

Ensure that any agent, including a subcontractor, to whom the business associate provides such information also agrees to implement reasonable and appropriate safeguards to protect the electronic PHI that the agent creates, receives, stores and transmits on the business associate’s behalf; and

Report to the covered entity any security incident of which the business associate becomes aware.

Page 33: HOW CAN I PROTECT PHI & ENFORCE THE HIPAA REGULATIONS?

1. Do NOT share your password with anyone!
2. Lock file cabinets that contain sensitive information.
3. Think before you click “send”.
4. Use secure email when/if available.
5. Keep it “quiet”.

Page 34: HOW CAN I PROTECT PHI & ENFORCE THE HIPAA REGULATIONS?

6. Laptops – Don’t store PHI on them, and encrypt them to avoid breaches if stolen.
7. Don’t access emails or documents containing PHI from mobile devices (PDAs, Cell Phones, Blackberries, etc.).
8. Shred trash containing PHI instead of throwing it away/placing it in the recycle bin.
9. Erase/Sanitize electronic media containing PHI before reuse.
10. Employees should be referred directly to the Statewide Benefits Office for assistance with all claim inquiries and/or questions. Do not act as a “middle” person!

Page 35: BREACHES?

A breach is defined as the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information.

Page 36: NOTIFICATION REQUIREMENTS

Notification obligations begin on the first day a breach is made known to the Covered Entity or Business Associate.

Covered Entities such as the State of Delaware must notify individuals without unreasonable delay, but in no case more than 60 days.

Business Associates such as Aetna must notify Covered Entities without unreasonable delay, but in no case more than 60 days.

It is the Covered Entity’s responsibility to notify the employee and/or member whose information has been breached.

Page 37: NOTIFICATION REQUIREMENTS

Individuals can be notified by written correspondence via first class mail or by email (only if requested as the preference of the individual).

Notification must be posted on the Agency/State’s website or in major print (newspaper) if ten or more individuals don’t have contact information.

The Secretary of the U.S. Department of Health & Human Services is to be notified –
    Immediately if greater than 500 individuals are affected
    Via an annual log – if less than 500 individuals are affected

Page 38: THANK YOU!

This concludes the presentation for this course.

Page 39: QUESTIONS?
