HIPAA Basics
Brian Fleetham, Dickinson Wright PLLC

HIPAA Overview
General prohibition: a “covered entity” cannot disclose “protected health information” unless an exception applies.
Translation: treat patient information as confidential.
Two main parts: privacy rule and security rule.

HIPAA – Key Definitions
“Covered Entity” means (1) health plans, (2) healthcare clearinghouses, and (3) health care providers that transmit protected health information in an electronic format.

“Protected Health Information” or “PHI” means individually identifiable information that is transmitted by electronic media; maintained in any electronic media; or transmitted or maintained in any other form or medium.

“Individually Identifiable Health Information” means information collected from an individual that
(1) is created or received by a health plan, a health provider, an employer, or a health care clearinghouse;
(2) relates to the past, present, or future mental or physical health of an individual, the care provided to an individual, or the past, present, or future payment for the care of an individual; and
(3) identifies the individual or there is a reasonable belief that the information could be used to identify the individual.

Common identifiers of health information include names, social security numbers, addresses, and birth dates.

A key concept under HIPAA is “minimum necessary.” Most uses and disclosures of PHI, even internally, must use or disclose PHI only as minimally necessary to accomplish the use or disclosure.
HIPAA – Privacy Standards
The HIPAA Privacy Standards generally prohibit a covered entity from using or disclosing PHI, unless the use or disclosure fits within a particular exception.

HIPAA – Key Exceptions to the Privacy Standards
Among other uses or disclosures, covered entities may use or disclose PHI:
• For payment, treatment, or healthcare operations.
• To the individual that the PHI pertains to or to his or her designated representative.
• As directed by an individual’s written authorization.
• As required by law.
• To a business associate.

HIPAA – Business Associates
A business associate is a person or entity that performs services for a covered entity which involve PHI.
PHI can be provided to a “business associate” only if the PHI is a necessary component of the services provided by the business associate to the covered entity and an appropriate business associate agreement is in place.
Business associates can include billing companies, IT providers, consultants, attorneys, etc. Other covered entities are not business associates unless non-clinical services are involved.
With the HITECH Act, business associates now have direct liability under HIPAA. Covered entities remain liable for the actions of their business associates.

HIPAA – Individual Rights
The HIPAA Privacy Standards establish several individual rights relating to PHI, such as the following:
• Notice of privacy practices from a covered entity
• Request for restrictions on use of PHI
• Request for reasonable handling of the manner of communications
• Access and amendments to PHI
• Accounting of disclosures of PHI

HIPAA – Security Standards
The HIPAA Security Standards apply to all PHI maintained or used electronically (known as “ePHI”).
A covered entity must evaluate each Security Standard and determine the extent to which each must be implemented, based on various factors.

HIPAA – Risk Assessment
This process is known as conducting a risk assessment.
• Must be performed regularly.
• Also a “core requirement” for meaningful use payments.
• A covered entity risks a mandatory repayment or loss of future meaningful use payments if it cannot produce written risk assessments for each year that meaningful use payments are claimed.

HIPAA – Security Standards
The Security Standards fall under three main categories:
• Administrative Safeguards (e.g., plans, policies, protocols, training, etc.)
• Physical Safeguards (e.g., media and physical access controls, workstation requirements, etc.)
• Technical Safeguards (e.g., data and entity authentication, network control, etc.)

HIPAA – Data Breaches
A data breach consists of the impermissible acquisition, access, use, or disclosure of unprotected (i.e., unencrypted) PHI (whether electronic or otherwise).
The prior harm standard has been replaced with a test of whether PHI has been “compromised.” The regulations create a general presumption that the data has been compromised.
Upon a suspected data breach, a covered entity must, within 60 days, either immediately notify affected individuals and DHHS (and possibly the media) or undertake an analysis of whether an actual breach has occurred and then notify as necessary.

HIPAA – State Law Preemption
State law provisions that are more stringent preempt applicable HIPAA requirements.

HIPAA – Applicable Michigan Law
Under Michigan law, physicians are broadly prohibited from disclosing treatment information. Disclosure thus requires consent, court order, or a specific legal mandate.
HIPAA – Enforcement
Prior to HITECH, enforcement was complaint-driven with limited penalties except for intentional violations, with the main goal being compliance. HITECH authorized HIPAA enforcement audits and increased the amount of fines for violations.

HIPAA – Penalties
Penalties for HIPAA violations fall under four tiers:
• Tier A – Did not know of the violation – fines between $100 and $50,000 for each violation
• Tier B – Reasonable cause for violation rather than willful neglect – fines between $1,000 and $50,000 for each violation
• Tier C – Violation due to willful neglect but corrected – fines between $10,000 and $50,000 for each violation
• Tier D – Violations due to willful neglect but not corrected – fines of $50,000 for each violation
Cap of $50,000 fine per violation and $1.5 million annually for the same type of violation.

HIPAA – Main Compliance Steps
• Updated notice of privacy practices
• Updated business associate agreements in place
• Appropriate policies and procedures
• Regular workforce education
• Encryption protection for electronic PHI
• Other electronic and physical safeguards
• Risk assessment
• Appointment of HIPAA privacy and security officer

HIPAA – Resources
• Model privacy notice from DHHS: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
• Sample business associate agreement provision from DHHS: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
• AMA toolkit: http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act.page
• DHHS risk assessment tool: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool