HIPAA PRIVACY
AND SECURITY TRAINING
State of Delaware Statewide Benefits Office
& Participating groups in the Group Health Insurance Program
January 2012
WHAT IS HIPAA
Health Insurance Portability & Accountability Act, first enacted in 1996.
Function: "To improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes" (http://www.cms.hhs.gov/hippageninfo/downloads).
Amendments/Additions: Interim Final Regulations under the American Recovery and Reinvestment Act of 2009 (ARRA), released August 17, 2009.
OVERVIEW OF HIPAA
HIPAA
  Title I - Health Care Access, Portability and Renewability
  Title II - Preventing Health Care Fraud and Abuse
    Subtitle F - Administrative Simplification
      Privacy
      Information Security
      Electronic Transactions
      Code Sets
      Unique Identifiers (including the Employer Identifier)
  Title III - Tax-Related Health Provisions
  Title IV - Group Health Plan Requirements
  Title V - Revenue Offsets
PROTECTED HEALTH INFORMATION (PHI) & INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
Protected Health Information (PHI), often referred to informally as Personal Health Information, is information relating to the past, present or future physical or mental health of an individual.
Individually Identifiable PHI is PHI that identifies an individual, or could reasonably be used to identify one. Identifiers include: name, address, date of birth, Social Security number, telephone number, email address, account number, GHP beneficiary number, or any other unique identifying number, characteristic or code, including Employee ID number.
HIPAA PRIVACY RULE
Applies to Protected Health Information (PHI) and Individually Identifiable Health Information in any form (paper, oral or electronic).
Does not prohibit the exchange of PHI for Treatment, Payment or Healthcare Operations (TPO).
Deals with what needs to be protected. New guidelines state that an accounting of disclosures must be maintained when an individual's information is given to another party. Additional information will be given regarding your role and responsibilities.
HIPAA SECURITY RULE
The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
WHO DOES HIPAA IMPACT?
Covered Entities - must comply:
1 - Group health plans (fully insured or self-insured employer-sponsored plans, and health insurance issuers)
2 - Health care providers
3 - Clearinghouses (e.g., billing firms)
Business Associates - must comply:
4 - Firms working with covered entities. Examples include brokers, agents, third party administrators (e.g., Blue Cross & Aetna) and utilization review companies.
WHAT IS ELECTRONIC PHI?
Individually Identifiable Health Information that is transmitted by electronic media or maintained in electronic media.
ELECTRONIC MEDIA DEFINED
Stored on: hard drives, thumb drives, networks; magnetic tape or disk; optical disk (CDs, CD-RWs, DVDs); digital memory cards.
Transmitted via: Internet, extranet, leased or dial-up lines, VPN (private networks), e-mail, and the physical movement of removable/transportable storage media.
NON-ELECTRONIC MEDIA
Electronic media does not include:
Paper-to-paper faxes
Person-to-person telephone calls
Why? Because the exchanged data did not exist in electronic form immediately before the transmission. (A fax sent from a computer, or a voicemail stored as a file, is electronic media.)
SECURITY STANDARDS: MN-NTK!
MN - NTK: Minimum Necessary - Need to Know basis. Only those who need access get it, and this applies to both physical access and technical access.
The plan is responsible for the confidentiality, integrity and availability of EPHI.
Internal safeguards are the first line of defense.
PRIVACY & SECURITY OFFICIALS
Privacy Official - Brenda Lakeman, Director, Statewide Benefits Office, Office of Management and Budget.
Security Official - Jim Sills, Chief Information Officer, Department of Technology and Information (DTI).
Responsibilities: selecting Privacy and Security Official designees; implementing policies and procedures; ongoing review; periodic evaluations.
SECURITY MANAGEMENT PROCESS
Risk analysis
Risk management
Sanction policy
Information system activity review
SAFEGUARDS
Workforce security
Information access
Facility security plan
Workstation use
Device & media controls
Access controls (technical)
WORKFORCE
Authorization & supervision
Workforce clearance
Termination procedures
INFORMATION ACCESS
Access authorization
Access establishment and modification
FACILITY SECURITY
Contingency operations
Security plan
Control and validation
Maintenance records
WORKSTATION USE
Acceptable uses:
Passwords not shared
Business purposes only
Appropriate information use
DEVICE AND MEDIA CONTROLS
Disposal
Re-use
Accountability
Backup and storage
ACCESS CONTROL - TECHNICAL
Unique user ID/password
Strong password
Emergency access
Automatic logoff
Encryption
Due to the sensitive nature of information being received and sent by the Statewide Benefits Office, it is IMPERATIVE that emails containing PHI are transmitted using the state's secure email application, "IRONPORT".
AUDIT CONTROLS
Inventory of hardware devices
Inventory of applications
Audits of: logon attempts; list of valid users
INTEGRITY
Virus protection
Periodic reviews of system usage
SECURITY AWARENESS
Training
Security reminders
Protection against malicious software
Password management
WHEN SHOULD WORKFORCE BE TRAINED?
Who: new employees or contractors.
When: upon hire or engagement, and again whenever changes occur (to policies, procedures or responsibilities).
SANCTIONS - VIOLATIONS
Violations will be investigated
Violators are subject to disciplinary actions
Disciplinary actions will be documented
WHY COMPLY?
Civil penalty tiers (per violation, with annual caps):

  Problem                                          General Penalty
  Person did NOT intentionally release             At least $100 per violation, not exceeding $50,000 for each
  information (did not know)                       violation and $1,500,000 during a calendar year
  Reasonable cause                                 At least $1,000 per violation, not exceeding $100,000 per year
  Willful neglect, action corrected                At least $10,000 per violation, not exceeding $250,000 per year
  Willful neglect, action NOT corrected            At least $50,000 per violation, not exceeding $1.5 million per year

Other consequences:
Imprisonment (criminal penalties)
Personal lawsuits
Termination of employment
AUDITS
Under new provisions added to HIPAA by the American Recovery and Reinvestment Act (ARRA), the U.S. Department of Health and Human Services will conduct periodic audits of covered entities and business associates to ensure the required measures are being taken.
WHO CAN BE AUDITED?
Covered Entities: State of Delaware Statewide Benefits Office, and your employing organization!
Business Associates: contractors/vendors and their sub-contractors
BUSINESS ASSOCIATES
A Business Associate is a non-covered entity that regularly obtains, processes or transmits protected health information, or creates, uses or discloses PHI, on behalf of a covered entity.
Agencies/companies must have a Business Associate Agreement (BAA) with all such contractors, as applicable, to bind them to protect the PHI they receive from the State.
Example: if you are an employee of a school district or agency that deals with contractors who handle PHI, a BAA may be required.
BUSINESS ASSOCIATES: NEW GUIDELINES AND REGULATIONS
Business Associates are now directly subject to the HIPAA Security Regulations.
This includes the administrative, physical and technical safeguards, plus the additional security requirements under the HITECH Act (part of ARRA).
Additional requirements as they relate to the Privacy Rule must now be followed.
Business Associates are directly subject to civil and criminal penalties for non-compliance. These provisions apply to a BA in the same manner as to a Covered Entity.
WHAT DOES THIS MEAN FOR MY BUSINESS ASSOCIATES?
Step 1 - Business Associates need to be notified of the impending changes.
Step 2 - If you don't already have a Business Associate Agreement in place, get one!
Step 3 - If you do have a BAA with the company, notify them of your intent to revise it to reflect the new HIPAA changes under ARRA. Business Associates are now responsible for enforcing and adhering to the same regulations as Covered Entities. Make sure the BAA says so!
SECURITY CHANGES TO THE BUSINESS ASSOCIATE CONTRACT
The Business Associate must:
1. Implement administrative, physical and technical safeguards that will reasonably and appropriately protect the confidentiality, integrity and availability of the electronic protected health information that it creates, receives, maintains or transmits on behalf of the covered entity;
2. Ensure that any agent, including a subcontractor, to whom the business associate provides such information also agrees to implement reasonable and appropriate safeguards to protect the electronic PHI that the agent creates, receives, stores and transmits on the business associate's behalf; and
3. Report to the covered entity any security incident of which the business associate becomes aware.
HOW CAN I PROTECT PHI & ENFORCE THE HIPAA REGULATIONS?
1. Do NOT share your password with anyone!
2. Lock file cabinets that contain sensitive information.
3. Think before you click "send".
4. Use secure email when/if available.
5. Keep it "quiet": do not discuss PHI where others can overhear.
6. Laptops: don't store PHI on them, and encrypt them so that a lost or stolen laptop does not become a breach.
7. Don't access emails or documents containing PHI from mobile devices (PDAs, cell phones, BlackBerrys, etc.).
8. Shred trash containing PHI instead of throwing it away or placing it in the recycle bin.
9. Erase/sanitize electronic media containing PHI before reuse.
10. Refer employees directly to the Statewide Benefits Office for assistance with all claim inquiries and/or questions. Do not act as a "middle" person!
BREACHES?
A breach is defined as the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information.
NOTIFICATION REQUIREMENTS
Notification obligations begin on the day a breach is discovered: the first day it is known to the Covered Entity or Business Associate, or would have been known by exercising reasonable diligence.
Covered Entities such as the State of Delaware must notify affected individuals without unreasonable delay, and in no case more than 60 calendar days after discovery.
Business Associates such as Aetna must notify the Covered Entity without unreasonable delay, and in no case more than 60 calendar days after discovery.
It is the Covered Entity's responsibility to notify the employee and/or member whose information has been breached.
Individuals are notified by written correspondence via first class mail, or by email only if the individual has agreed to electronic notice.
Substitute notice must be posted on the Agency/State's website or in major print media (newspaper) if ten or more individuals cannot be reached because their contact information is insufficient or out of date.
The Secretary of the U.S. Department of Health & Human Services must be notified:
Immediately (at the same time as the individual notices) if 500 or more individuals are affected
Via an annual log if fewer than 500 individuals are affected
This concludes the presentation for this course.
THANK YOU!
QUESTIONS?