Western Asset Protection
HIPAA REVIEW
Compliance Statement
At Western Asset Protection, we are committed to building and maintaining
respectful and productive relationships between our agencies, brokers, insurance
carriers and staff. We enable our brokers to develop the knowledge and skills
necessary to achieve their professional goals, while promoting and elevating
compliance education and support. Western Asset Protection is committed to full
compliance with all applicable laws and regulations. Adherence to compliance and
ethical standards is part of the job performance evaluation criteria for all Western
Asset Protection personnel and partners. The main objective of our compliance
training is to ensure that measures are taken by our staff and our representatives
to identify and minimize compliance risk. Western Asset Protection stands for and
by our ethical obligations to our staff and partners.
COMPLIANCE MAKES A DIFFERENCE!
As an individual who provides health or administrative services for Medicare
enrollees, every action you take potentially affects Medicare enrollees, the
Medicare program, or the Medicare trust fund.
What is PHI - ePHI/ PII ?
PHI – Protected Health Information
ePHI-electronic Personal Health Information
PII –Personally Identifiable information
Western Asset Protection is required by law to protect all PHI/ PHI / ePHI at all cost.
Some of our standard practices are:
 ALWAYS lock your computer when leaving your station ( Alt/Ctrl/Del or Window&L – will lock your screen)
 ALWAYS make sure you turn over any papers on your desk that contain any personal information if you leave
your station.
 ALWAYS lock all documents that contain PHI/PII in your cabinets each evening.
 NEVER email any PHI/PII without encryption, use your Sharefile or ZIX.
 ALWAYS forward emails from agents that contain PHI/PII to the compliance inbox – this will allow our
compliance officer the opportunity for coaching and training.
Examples of PHI/ePHI/ PII
*Name *Address *Date of Birth *Telephone numbers *Fax numbers
*Email addresses *Social security number *Medical record number
*Certificate / license numbers *Account number *IP addresses * HIC# =Medicare ID#
*National Provider ID# * Web URLS * Finger Prints * Full face photos /comparable images
*Any other unique identifying number, characteristic or code
CAN YOU IDENTIFY?
The History of HIPAA
HIPAA
 Stands for Health Insurance Portability and Accountability Act
 Enacted by the US Congress and signed into law by President Bill Clinton on August
21,1996
 Enforced by the US Department of Health and Human Services (DHHS).
 Revised December 2000 to include the Privacy Rule - standards for PHI
 Revised in February 2003 to include the Security Rule – Standards for EPHI
 NIST (National Institute of Standards and Technology published “Best Practices and
Guidelines” for healthcare organizations to have security programs in place.
HIPAA is a federal law that requires the protection of Personal Identifiable Information /
Personal Health Information and recognizes the rights to relevant medical information of
family caregivers and others directly involved in providing or paying for care.
HITECH ACT
 Health Information Technology for Economic and Clinical Health Act
 President Obama signed HITECH into law on February 17, 2009 as part of
the Recovery and Reinvestment Act
 Gave Office of Civil Rights (OCR) the ability to enforce HIPAA requirements
and the ability to levy fines
The HITECH Act was created to stimulate the adoption of electronic health
records (EHR) and supporting technology in the United States.
OMNIBUS RULE
 “Omnibus”
by definition means two or more independent matters, a term
frequently used in reference to a legislative bill comprised of two or more
general subjects.
Created in January 25, 2013 to include changes to the Security Rule and
Breach Notification portions of the HITECH Act
Expanded and clarified the Business Associate’s (BA)’s role
The Omnibus Rule created a set of final regulations modifying the HIPAA
privacy, Security and Enforcement Rules to implement various provisions
of the HITECH Act.
ARE YOU 100% Compliant?
The HIPAA Privacy Rule governs the privacy and security of Protected Health
Information records and transactions. The HIPAA Security Rule applies to
individual identifiable health information in electronic form or electronic Protected
Health Information (ePHI). It is intended to protect the confidentiality, integrity,
and availability of ePHI when it is stored, maintained, or transmitted.
Most Common HIPAA violations in the independent broker community:
 Unprotected transmission of Protected Health Information; you must encrypt
/password protect all PHI that is electronically transmitted.
 Unprotected storage of Protected Health Information: stolen laptop, flash drive,
or mobile device.
 Improper disposal of Protected Health Information; shredding is necessary for
proper disposal of PHI.
What are the penalties for HIPAA violations?
 For violations where a covered entity did not know and, by exercising reasonable
diligence, would not have known that the covered entity violated a provision, a penalty
of not less than $100 or more than $50,000 for each violation
 For a violation due to reasonable cause and not willful neglect, a penalty of not less
than $1,000 or more than $50,000 for each violation
 For a violation due to willful neglect that was corrected in a timely manner, a penalty of
not less than $10,000 or more than $50,000 for each violation
 For a violation due to willful neglect that was not timely corrected, a penalty of not less
than $50,000 for each violation; the penalty for violations of the same requirement or
prohibition under any of these categories may not exceed $1.5 million in a calendar
year.
QUESTIONS? Who do you call ?
Your immediate supervisor will always be your first line of contact.
If you identify something that may be of a compliance nature, please do not
hesitate to contact me direct at extension 295 or through email –
compliance@westernasset-us.com or Jean@westernasset-us.com