Western Asset Protection
HIPAA REVIEW

Compliance Statement

At Western Asset Protection, we are committed to building and maintaining respectful and productive relationships between our agencies, brokers, insurance carriers and staff. We enable our brokers to develop the knowledge and skills necessary to achieve their professional goals, while promoting and elevating compliance education and support.

Western Asset Protection is committed to full compliance with all applicable laws and regulations. Adherence to compliance and ethical standards is part of the job performance evaluation criteria for all Western Asset Protection personnel and partners. The main objective of our compliance training is to ensure that our staff and our representatives take measures to identify and minimize compliance risk. Western Asset Protection stands for and by its ethical obligations to our staff and partners.

COMPLIANCE MAKES A DIFFERENCE!

As an individual who provides health or administrative services for Medicare enrollees, every action you take potentially affects Medicare enrollees, the Medicare program, or the Medicare trust fund.

What is PHI / ePHI / PII?

PHI: Protected Health Information
ePHI: electronic Protected Health Information (PHI that is created, stored or transmitted in electronic form)
PII: Personally Identifiable Information

Western Asset Protection is required by law to protect all PHI, ePHI and PII. Some of our standard practices are:

ALWAYS lock your computer when leaving your station (press Windows key + L, or Ctrl+Alt+Del and choose Lock).
ALWAYS turn over any papers on your desk that contain personal information before you leave your station.
ALWAYS lock all documents that contain PHI/PII in your cabinets each evening.
NEVER email PHI/PII without encryption; use your Sharefile or ZIX. Ordinary email gives no guarantee of encryption from sender to recipient, so PHI in a message body or an unencrypted attachment is exposed in transit and on every mail server it passes through.
ALWAYS forward emails from agents that contain PHI/PII to the compliance inbox. This gives our compliance officer the opportunity for coaching and training.
Examples of PHI / ePHI / PII

* Name
* Address
* Date of birth
* Telephone numbers
* Fax numbers
* Email addresses
* Social Security number
* Medical record number
* Certificate / license numbers
* Account number
* IP addresses
* HIC# (Medicare ID#)
* National Provider ID#
* Web URLs
* Fingerprints
* Full-face photos / comparable images
* Any other unique identifying number, characteristic or code

These follow the identifiers the Privacy Rule requires to be removed before health data counts as de-identified (45 CFR 164.514(b)). A record that contains health information together with any one of them is PHI.

CAN YOU IDENTIFY?

The History of HIPAA

HIPAA stands for Health Insurance Portability and Accountability Act.
Enacted by the US Congress and signed into law by President Bill Clinton on August 21, 1996.
Enforced by the US Department of Health and Human Services (HHS) through its Office for Civil Rights.
Privacy Rule (final rule published December 2000): standards for PHI in any form.
Security Rule (final rule published February 2003): standards for ePHI.
NIST (National Institute of Standards and Technology) published implementation guidance (Special Publication 800-66) to help healthcare organizations put HIPAA Security Rule programs in place.
HIPAA is a federal law that requires the protection of individually identifiable health information and recognizes the right of family caregivers and others directly involved in providing or paying for care to receive relevant medical information.

HITECH ACT

Health Information Technology for Economic and Clinical Health Act.
President Obama signed HITECH into law on February 17, 2009 as part of the American Recovery and Reinvestment Act.
Strengthened the authority of the HHS Office for Civil Rights (OCR) to enforce HIPAA requirements and raised the civil penalties it can levy.
The HITECH Act was created to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States.

OMNIBUS RULE

"Omnibus" by definition means two or more independent matters, a term frequently used for a legislative bill or regulation comprised of two or more general subjects.
Published January 25, 2013; finalized the changes to the Security Rule and the Breach Notification Rule required by the HITECH Act.
Expanded and clarified the Business Associate's (BA) role, making BAs directly liable for compliance with the Security Rule and the applicable provisions of the Privacy Rule.
The Omnibus Rule created a set of final regulations modifying the HIPAA Privacy, Security and Enforcement Rules to implement various provisions of the HITECH Act.

ARE YOU 100% COMPLIANT?

The HIPAA Privacy Rule governs how Protected Health Information may be used and disclosed, whether it is on paper, spoken or electronic.
The HIPAA Security Rule applies to individually identifiable health information in electronic form, or electronic Protected Health Information (ePHI). It is intended to protect the confidentiality, integrity, and availability of ePHI when it is created, stored, maintained, or transmitted.

Most common HIPAA violations in the independent broker community:

Unprotected transmission of Protected Health Information: you must encrypt all PHI that is transmitted electronically. Password-protecting a file counts only when the password actually encrypts the file, and the password must be sent by a separate channel, never in the same email.
Unprotected storage of Protected Health Information: a stolen laptop, flash drive, or mobile device. Encrypt every device that holds PHI. Under the Breach Notification Rule, loss of PHI that was properly encrypted is not a reportable breach, while loss of an unencrypted device is.
Improper disposal of Protected Health Information: shredding is necessary for proper disposal of paper PHI, and electronic media must be wiped or physically destroyed so the data cannot be recovered.

What are the penalties for HIPAA violations?

Civil penalties are tiered by the level of culpability:

For violations where the covered entity did not know and, by exercising reasonable diligence, would not have known that it violated a provision: not less than $100 or more than $50,000 for each violation.
For a violation due to reasonable cause and not willful neglect: not less than $1,000 or more than $50,000 for each violation.
For a violation due to willful neglect that was corrected in a timely manner: not less than $10,000 or more than $50,000 for each violation.
For a violation due to willful neglect that was not timely corrected: not less than $50,000 for each violation.

The penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1.5 million in a calendar year. These are the amounts set by the HITECH Act; HHS adjusts them annually for inflation.
QUESTIONS? Who do you call?

Your immediate supervisor will always be your first line of contact. If you identify something that may be of a compliance nature, please do not hesitate to contact me directly at extension 295 or by email at compliance@westernasset-us.com or Jean@westernasset-us.com.