HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
A discussion of privacy and security with a special focus on protecting health information, for Health Professionals

HIPAA LEARNING EXPERIENCES
Administrative Simplification provisions
• Understand the difference between privacy and security
• Define a covered entity (CE)
• Define a business associate (BA)
• Identify the changes in HIPAA introduced by HITECH
• Describe the two types of security requirements
• Define protected health information (PHI)
• List PHI content
• Identify organizations or individuals who may need a “business associate agreement”
• Identify the government agency responsible for investigating and enforcing HIPAA compliance
• Identify what information is protected by the HIPAA Privacy Rule
• Describe the difference between using and disclosing PHI
• Explain the situations where PHI may be disclosed without patient authorization

HEALTH INFORMATION OVER THE LAST 25+ YEARS
• Before HIPAA there were no regulations or safeguards for health information (most information was in paper charts and not easily shared). Claims and medical records were sent by paper/mail. In the 1980s-90s fax machines became popular; then the expanded use of computers (health IT) in the digital age called for laws and regulations.
• HIPAA (1996) was first promoted as a method to allow individuals to maintain insurance coverage if they changed or lost their job: continuity and portability of health insurance.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
• First enacted in 1996 (Bill Clinton was President) as the world began to enter the Information Age (WWW/Internet).
• Key legislation toward health information privacy. Becomes the law.
• The government foresaw widespread movement into digital communication and passed HIPAA to help protect the privacy of personal health information, including the later introduction of security regulations.

HIPAA FOR PROFESSIONALS
Health Insurance Portability and Accountability Act of 1996 (HIPAA).
To improve the efficiency and effectiveness of the health care system, the first step included Administrative Simplification provisions. This involved national standards for:
• electronic health care transactions and code sets,
• unique health identifiers, and
• security.
At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information (Protected Health Information).

COVERED ENTITIES
HIPAA included regulations to make electronic billing and sharing of health information more efficient and secure. HIPAA law applies to “Covered Entities (CE)”: (1) health plans (insurance companies), (2) health care clearinghouses (businesses that help with billing), and (3) health care providers. HIPAA establishes rules these CEs must follow when dealing with Personal Health Information (PHI).

A Health Care Provider
This includes providers such as:
• Doctors
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing Homes
• Pharmacies
...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A Health Plan
This includes:
• Health insurance companies
• HMOs
• Company health plans
• Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

A Health Care Clearinghouse
This includes entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.

PRIVACY AND SECURITY OF HEALTH INFORMATION
• For many Americans, health information is the most sensitive category of personal information.
• Although disclosure can have many benefits, it can also lead to embarrassment, social censure, and discrimination.
• Confidentiality is a key tenet of provider-patient relationships.
• Today, HIPAA is viewed as a framework of evolving regulation in response to expanding biomedical innovation and public health in the digital age.

PRIVACY OF PERSONAL HEALTH INFORMATION
The coming of the digital age pushed HHS (Health & Human Services) to develop regulations protecting the privacy and security of Personal Health Information (PHI). Privacy refers to protected health information about an individual and the determination of who is permitted to use, disclose, or access the information.

WORKING DEFINITIONS
PRIVACY refers to WHAT is protected: health information about an individual, and the determination of who is permitted to use, disclose, or access the information.
SECURITY refers to HOW information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss. Security of PHI is also regulated under HIPAA.

PHI AND OTHER TRASH
Employees at a pharmacy left the labels and other items in open trash bins outside stores. The company also did not have adequate policies for disposing of that information, and did not sufficiently train employees to dispose of the information properly, the agencies say.

BREAKING THE LAW BY BEING FRIENDLY
A jury in Waukesha, Wisconsin, found that an emergency medical technician (EMT) invaded the privacy of an overdose patient when she told the patient’s co-worker about the overdose. The co-worker then told nurses at West Allis Memorial Hospital, where both she and the patient were nurses. The EMT claimed that she called the patient’s co-worker out of concern for the patient. The jury, however, found that regardless of her intentions, the EMT had no right to disclose confidential and sensitive medical information, and directed the EMT and her employer to pay $3,000 for the invasion of privacy.

DEEPEST DARKEST SECRETS REVEALED?
The Harvard Community Health Plan, a Boston-based HMO, admitted to maintaining detailed notes of psychotherapy sessions in computer records that were accessible by all clinical employees. Following a series of press reports describing the system, the HMO revamped its computer security practices.

DEFINITIONS
“Covered entity” (CE): the organization responsible for HIPAA compliance.
Protected Health Information (PHI): information generated in the course of providing healthcare that can be uniquely linked to the individual.
Authorized: means that, except as otherwise permitted or required, the entity (CE) may not disclose PHI without a valid request to release PHI. The intent is to allow access to and use of PHI only by those directly involved with the care process and/or billing for services.
Disclosure: means the release, transfer, provision of access to, or divulging of information outside the covered entity.
Use: means the sharing, employment, application, utilization, examination, or analysis of individually identifiable information within the health care provider’s organization.

MORE DEFINITIONS
Required Disclosures: means a release of PHI authorized by law; patient authorization is not necessary.
Security Incident: means an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system.

TREATMENT, PAYMENT AND OPERATIONS

PATIENT PRIVACY RIGHTS
• Right to know the terms of the covered entity’s Notice of Privacy Practices (NPP)
• Right to know what has been disclosed and to whom (permitted or required disclosures); requires written request
• Right to request an amendment to PHI; requires written request
• Right to request restrictions (opt out of directory); requires written request
• Right to request confidential communications; requires written request
• Right to inspect and request copies of PHI; requires written request
• Exception: In some circumstances a request for access to or copies of psychotherapy notes may be denied.

EXAMPLES OF HEALTH INFORMATION
• Paper records and charts
• Electronic medical records
• Spoken communications
• Patient x-rays
• EKGs
• MRI
• Ultrasound
• Patient correspondence
• Emails

PROTECTED HEALTH INFORMATION
Protected Health Information (PHI) is “individually identifiable health information created or maintained by a covered entity, relates to past, present, or future physical or mental condition for provision of health care, and includes demographic information.”

18 PROTECTED HEALTH INFORMATION IDENTIFIERS
1) Name
2) Address: street address, city, county, zip code (more than 3 digits) or other geographic codes
3) Dates directly related to patient
4) Telephone Number
5) Fax Number
6) Email addresses
7) Social Security Number
8) Medical Record Number
9) Health Plan Beneficiary Number
10) Account Number
11) Certificate/License Number
12) Any vehicle ID number
13) Device serial number
14) Web URL, Internet Protocol (IP) Address
15) Finger or voice prints
16) Photographic images
17) Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)
18) Age greater than 89 (because the population aged 90 and over is relatively small)

ELECTRONIC PHI
ePHI: data in an electronic format that contains any of the 18 identifiers. This may include but is not limited to the following:
• Data stored on the network, internet, or intranet
• Data stored on a personal computer or personal digital assistant, e.g. Palm Pilot, smart phone, iPad, etc.
• Data stored on “USB keys,” memory cards, external hard drives, CDs, DVDs, floppy disks, tapes, or digital cameras/camcorders
• Data stored on your HOME computer
• Data utilized for research

DE-IDENTIFIED DATA
When all identifiers are removed, the information is no longer considered PHI, and therefore is no longer governed under HIPAA.

HIPAA REGULATIONS ALSO APPLY TO BUSINESS ASSOCIATES

HIPAA BUSINESS ASSOCIATES
“A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.” - Health & Human Services
A business associate can be an individual or company that provides services to a HIPAA-covered entity which require them to have access to, store, use, or transmit protected health information.
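The DE-IDENTIFIED DATA slide above states that information stops being PHI once the 18 identifiers are removed. As an added example, not part of the original training material, the Python routine below applies that identifier list to a patient record in the style of the Privacy Rule’s Safe Harbor method: direct identifiers are dropped, dates keep only the year, zip codes keep their first three digits, ages over 89 are bucketed as “90+”, and free-text fields are scrubbed for identifier patterns. The field names, regular expressions and the sample patient are constructed assumptions for this example.

```python
import re
from datetime import date

# Field names are assumptions for this constructed example; the rules follow
# the 18-identifier list (Safe Harbor method). Direct identifiers are dropped.
DROP_FIELDS = {"name", "street", "city", "county", "phone", "fax", "email",
               "ssn", "mrn", "beneficiary_no", "account_no", "license_no",
               "vehicle_id", "device_serial", "url", "ip", "biometric", "photo"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Identifiers that commonly leak into free text such as clinical notes.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # Social Security Number
    re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),    # telephone / fax number
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),     # email address
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),        # full date
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),      # IPv4 address
]

def deidentify(record: dict) -> dict:
    """Return a copy of one record with the 18 identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS or value is None:
            continue                                  # identifiers 1, 2 (except zip), 4-16: removed
        if key in DATE_FIELDS:                        # identifier 3: keep only the year
            out[key] = value.year if isinstance(value, date) else str(value)[:4]
        elif key == "zip":                            # identifier 2: first 3 digits only
            out[key] = str(value)[:3]
        elif key == "age":                            # identifier 18: over 89 becomes "90+"
            out[key] = "90+" if int(value) > 89 else int(value)
        elif isinstance(value, str):                  # scrub identifiers from free text
            for pattern in FREE_TEXT_PATTERNS:
                value = pattern.sub("[REDACTED]", value)
            out[key] = value
        else:
            out[key] = value
    return out

def residual_identifiers(record: dict) -> list:
    """Names of string fields that still match an identifier pattern (audit check)."""
    return [key for key, value in record.items()
            if isinstance(value, str)
            and any(p.search(value) for p in FREE_TEXT_PATTERNS)]

# Constructed sample record for a fictional patient.
SAMPLE = {"name": "Jane Doe", "zip": "53186", "dob": date(1931, 4, 2), "age": 93,
          "mrn": "MRN-0042", "diagnosis": "overdose",
          "note": "Call spouse at 414-555-0199; SSN 123-45-6789 on file."}
```

Running `residual_identifiers` over the output is the audit step: an empty list means no field still matches a known identifier pattern, although free-text names and other item-17 identifiers still need human review.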
BUSINESS ASSOCIATE AGREEMENT
Business Associates
• Allows disclosure of PHI to individuals or organizations that are not covered entities
• Must describe the permitted use of the information by the BA
• The BA cannot further disclose the PHI other than as permitted by the contract
• The BA must use appropriate safeguards to prevent unauthorized disclosure
• Under the new HIPAA regulations, BAs are liable for unauthorized disclosure or breach

MINIMUM NECESSARY
When using or disclosing PHI, or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

MINIMUM NECESSARY
• PHI should be seen only by those who are authorized to see it
• PHI should be heard only by those who are authorized to hear it
• PHI should be transmitted to or shared only with those who are authorized to receive it

EXCEPTION TO THE MINIMUM NECESSARY REQUIREMENT
When release of PHI is for diagnosis or treatment purposes (for example, to another provider), anything might be relevant and minimum necessary does not apply.
IN SOME SITUATIONS DATA CAN BE RELEASED WITHOUT AUTHORIZATION
Health care operations are any of the following activities:
• Quality assessment and improvement activities, including case management and care coordination;
• Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation;
• Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs;
• Specified insurance functions, such as underwriting, risk rating, and reinsuring risk;
• Business planning, development, management, and administration; and
• Business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.

IN SOME SITUATIONS DATA CAN BE RELEASED WITHOUT AUTHORIZATION
Serious Threat to Health or Safety. Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.

INCIDENTAL DISCLOSURES
Even when reasonable steps to safeguard the privacy of PHI are taken, it must be recognized that certain disclosures may occur.
• Calling out a name in the waiting room
• During the course of a treatment session, or during a visit to a hospital room, it is sometimes possible to overhear a discussion involving PHI

PENALTIES FOR NON-COMPLIANCE: CIVIL AND CRIMINAL
Tier A includes penalties for HIPAA violations in which the offender didn’t realize he or she violated the Act and would have handled the matter differently if he or she had.
The result is a $100 fine for each violation, and the total imposed for such violations cannot exceed $25,000 for the calendar year.
Tier B is for violations due to reasonable cause but not “willful neglect.” The result is a $1,000 penalty for a HIPAA violation, and the fines cannot exceed $100, for a calendar year.
Tier C is for violations due to willful neglect that the organization ultimately corrected. The result is a $10,000 fine for each violation, and fines cannot exceed $250,000 for the calendar year.
Tier D is for HIPAA violations of willful neglect that the organization did not correct. The result is a $50,000 fine for each violation, and fines cannot exceed $1,500,000 for the calendar year.
If state penalties are more severe (as in Texas), state law applies.
Civil penalties will be dictated by the nature and extent of the violation, the number of individuals affected, the harm that has been caused to those individuals, and the level of culpability.

PENALTIES FOR NON-COMPLIANCE: CIVIL AND CRIMINAL
Date | Organization | Fine Total | Link to OCR Settlement
February 7, 2019 | Cottage Health | $3,000,000 | Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million
May 6, 2019 | Touchstone Medical Imaging | $3,000,000 | Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing Over 300,000 Patients’ Protected Health Information
May 23, 2019 | Medical Informatics Engineering | $100,000 | Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach – May 23, 2019
September 9, 2019 | Bayfront Health St. Petersburg | $85,000 | OCR Settles First Case in HIPAA Right of Access Initiative
October 2, 2019 | Elite Dental Associates | $10,000 | Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information
October 23, 2019 | Jackson Health System | $2,150,000 | OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations
November 5, 2019 | University of Rochester Medical Center | $3,000,000 | Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement
November 7, 2019 | Texas Health and Human Services Commission | $1,600,000 | OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations
November 27, 2019 | Sentara Hospitals | $2,175,000 | OCR Secures $2.175 Million HIPAA Settlement after Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information

REVIEW: HIPAA AND PRIVACY
• Covered entities are entities that generate or transmit protected health information.
• Business associates are non-employees of a covered entity that have access to PHI.
• There are 18 data elements that define PHI.
• There are severe penalties for HIPAA violations or noncompliance (employer discipline, civil penalties, criminal penalties).
• When the 18 data elements are removed from PHI it is classified as “de-identified” and HIPAA no longer applies.
• Patients must give permission (authorization) to release any PHI, except for TREATMENT, PAYMENT AND OPERATIONS.
• There are recognized situations that do not require authorization, such as legal situations, public health, and safety concerns.