Know Your HIPAA - State Health Plan

WHAT IS HIPAA?
HBR Training – New Rules
May 15, 2013
Overview of HIPAA: The HIPAA Act of 1996
Important information about the Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
•Title I of HIPAA protects health insurance coverage for workers and
their families when they change or lose their jobs.
•Title II of HIPAA, known as the Administrative Simplification provisions,
requires the establishment of national standards for electronic health
care transactions and national identifiers for providers, health insurance
plans, and employers. These provisions also address the security and
privacy of health data. The standards are meant to improve the
efficiency and effectiveness of the nation's health care system.
The “Privacy and Security Rules” fall under Title II.
Overview of HIPAA: The HIPAA Act of 1996 (cont’d)
•The American Recovery and Reinvestment Act of 2009 (ARRA)
strengthened HIPAA.
•The Health Information Technology for Economic and Clinical
Health Act (HITECH) was enacted as part of the ARRA to promote the
adoption and meaningful use of health information technology.
•Subtitle D of the HITECH Act addresses privacy and security
concerns associated with the electronic transmission of health
information through several provisions that strengthen civil and criminal
enforcement of the HIPAA rules.
•The Final Omnibus Rule became effective on March 26, 2013, and
requires compliance for most provisions by September 23, 2013.
Omnibus modifies HIPAA regulations concerning privacy, security,
enforcement and breach notification.
Department of Health and Human Services
The Department of Health and Human Services (HHS) issues
regulations and through the Office for Civil Rights (OCR), handles
HIPAA violations.
OCR enforces the HIPAA Privacy Rule, which protects the privacy of
individually identifiable health information (IIHI) and the HIPAA Security
Rule, which sets national standards for the security of electronic
protected health information (ePHI).
 Enforcement of the Privacy Rule began April 14, 2003, for most
HIPAA covered entities.
 HIPAA covered entities were required to comply with the Security
Rule beginning on April 20, 2005. OCR became responsible for
enforcing the Security Rule on July 27, 2009.
Why might HIPAA apply to you as a DST employee?
 On January 1, 2012, the State Health Plan for Teachers and State
Employees (State Health Plan) became a division of the Department
of State Treasurer.
 With State Health Plan’s transfer, DST now performs business
activities that include both functions that are and functions that are not
covered by HIPAA and DST has been designated as a “hybrid entity”
for HIPAA compliance purposes.
 As a result of this designation, the following divisions must be trained
in HIPAA rules and regulations: The State Health Plan for Teachers
and State Employees, Information Technology Services, Legal
Services, Internal Audit Services, the Office of State Treasurer,
and Financial Operations Division.
 These divisions are collectively referred to as “Covered Healthcare
Components” or “CHCs.”
Who Must Comply With HIPAA?
 All CHC employees, whether or not their job requires them to access an
individual’s PHI, must comply with HIPAA.
 All temporary employees, volunteers, students, interns and trainees of
the CHCs must comply with HIPAA.
 All contract workers who work onsite or whose work is under the direct
control of the CHCs must comply with HIPAA.
 All Covered Entities and Business Associates must comply with HIPAA.
 SHP-POL-1001-All HIPAA Privacy Policy
Protecting Your Health Care Information
What is protected health information or PHI?
 Any health information that can be used to identify an
individual, whether living or deceased, or which relates to the
individual’s past, present, or future physical or mental health or
condition, including health care services provided and the
payment for those services.
 Individually identifiable health information that’s transmitted or
maintained in any form or medium including oral
communications, electronically, or written (on paper).
How to Identify PHI: 18 Identifiers
1. Name
2. Address (street address, city, county, ZIP code (more than 3 digits) or other geographic codes)
3. Dates directly related to patient (all elements except year, e.g. birth, admission, discharge and death dates)
4. Telephone number
5. Fax number
6. E-mail addresses
7. Social Security number
8. Medical record number
9. Health Plan beneficiary number
10. Account number
11. Certificate/License number
12. Any vehicle or device serial number
13. Web URL
14. Internet Protocol (IP) address
15. Finger or voice prints
16. Photographic images
17. Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)
18. Age greater than 89 (due to the ‘90 year old and over’ population being relatively small)
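The list above is the “Safe Harbor” de-identification method of 45 C.F.R. § 164.514(b) read in reverse: a data set is de-identified once every one of these identifiers has been removed, ZIP codes are cut to their first three digits, dates are reduced to the year, and ages over 89 are pooled as “90+”. The Python below is an added example written for this page, not code from the State Health Plan or DST; the field names, the regular expressions and the sample record are assumptions constructed for illustration. It drops the direct-identifier fields, applies the ZIP, date and age rules, and redacts identifiers that have leaked into free-text notes.

```python
import re
from datetime import date

# Field names are assumptions for this example; map your own schema onto them.
# Each corresponds to one of the 18 identifier categories listed above.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "medical_record_number", "beneficiary_number", "account_number",
    "license_number", "vehicle_serial", "device_serial", "url", "ip_address",
    "fingerprint", "voiceprint", "photo",
}

# Patterns for identifiers that tend to leak into free-text notes.
# The regexes are illustrative, not exhaustive (no date or name detection here).
FREE_TEXT_PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("URL",   re.compile(r"https?://\S+")),
]


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Replace recognisable identifiers in free text with a tagged placeholder.

    Returns the scrubbed text and the kinds of identifier that were found, so a
    caller can log (without the values) that a note needed redaction.
    """
    found = []
    for kind, pattern in FREE_TEXT_PATTERNS:
        if pattern.search(text):
            found.append(kind)
            text = pattern.sub(f"[{kind} REDACTED]", text)
    return text, found


def deidentify(record: dict) -> dict:
    """Apply the Safe Harbor rules to one record (field name -> value)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # direct identifiers are dropped outright
        if field == "zip":
            # Only the first three digits of a ZIP code may be kept. The rule also
            # requires collapsing 3-digit areas of 20,000 people or fewer to "000";
            # that needs a census table, which this example does not embed.
            out[field] = str(value)[:3]
        elif field == "age":
            # Ages over 89 are pooled into a single "90+" bucket.
            out[field] = "90+" if int(value) > 89 else int(value)
        elif isinstance(value, date):
            # Dates directly related to the individual keep only the year.
            out[field] = value.year
        elif isinstance(value, str):
            out[field], _ = scrub_text(value)
        else:
            out[field] = value
    return out


# Constructed sample record; not real member data.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "street_address": "123 Main St",
    "city": "Raleigh",
    "zip": "27612",
    "dob": date(1921, 4, 2),
    "age": 92,
    "diagnosis_code": "E11.9",
    "medical_record_number": "MRN-0099",
    "notes": "Member called from 919-555-0100, e-mail pat@example.org, re: claim.",
}


def demo() -> dict:
    return deidentify(SAMPLE_RECORD)


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

Two caveats a practitioner should keep in mind: the regex screen on free text catches only the patterns it knows (names, dates and addresses written in prose will pass through), so a data set that still contains narrative fields has not been de-identified by this step alone; and the Safe Harbor method also requires that the covered entity has no actual knowledge that the remaining data could identify the individual, which no code can check for you.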
Permitted Disclosures of PHI
 When the disclosure is to the individual to whom the PHI pertains.
 For treatment, payment, or health care operations (TPO) as permitted by and in compliance with HIPAA. [45 C.F.R. § 164.506]
 An incidental use or disclosure that could not have been prevented, was limited in nature, and occurred as a by-product of an otherwise permitted use or disclosure. For example, when a provider talks with an administrative staff member about billing a patient for a particular procedure and is overheard by one or more persons in the waiting room.
 When the Covered Entity receives a valid authorization as permitted by HIPAA. [45 C.F.R. § 164.508]
 When the Covered Entity has obtained the individual’s oral agreement or is otherwise permitted under HIPAA. [45 C.F.R. § 164.510]
 When the Covered Entity is permitted to use or disclose PHI without the written consent or authorization of the individual, or when an opportunity for the individual to object or agree to the use or disclosure is not required. [45 C.F.R. § 164.512]
When Authorization Is Not Required for Disclosure of
PHI
The following exceptions don’t require an individual’s authorization or opportunity to
agree or object to a use or disclosure (such exceptions still must be reviewed by the
HIPAA Privacy and Security Officer prior to disclosure):
As required by law
For judicial and administrative proceedings
To correctional institutions and other law enforcement entities in custodial situations
For uses and disclosures about victims of abuse, neglect, or domestic violence
For specialized government functions
For public health activities
For health oversight activities
To avert a serious threat to health or safety
For disaster relief (such as to the American Red Cross)
To other health plans or health care providers for treatment, payment, or health care
operations (TPO)
To Business Associates
For research purposes
When PHI has been de-identified (to create a collection of information that can no
longer be traced back to the individual)
For uses and disclosures about decedents
For cadaveric organ, eye, or tissue donation
For workers’ compensation
How the Plan Handles Data Requests…
• The SHP has a Data Use and Disclosure Committee (DUDC) whose
primary function is to ensure that PHI is disclosed in accordance with
HIPAA Privacy Rules, DST Policies and Procedures and NC State Law.
DUDC meets every other week at the SHP Building. SHP data cannot be
released without prior approval of the DUDC.
• DUDC is responsible for the following:
 Review all data requests for SHP data from third parties;
 Formally approve, reject or modify requests for SHP data;
 Provide quarterly reports on data requests and ongoing releases of
data to the Plan’s Executive Committee;
 Maintain documentation related to data requests and the Plan’s
response for six years.
• Procedures for DUDC review may be found in Section X.E. of the HIPAA
Privacy Manual (pg. 40).
• SHP-POL-5001-SHP is the Plan’s policy regarding third party data
requests.
What is a Breach?
• HIPAA defines a “breach” as the “unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where there is a low probability that the PHI has been compromised.” This is a new definition under the Omnibus Final Rule.
• An impermissible use or disclosure is presumed to be a breach, and the PHI presumed compromised, unless shown otherwise by a risk assessment based on four factors.
• Four (4) factors to consider by the CE or BA:
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually viewed or acquired; and
4. The extent to which the risk to the PHI has been mitigated.
• A risk assessment must be thorough, completed in good faith, and come to a reasonable conclusion.
• Safe Harbor: PHI that is encrypted. The safe harbor only applies if the encryption follows HHS guidance (the PHI is rendered unusable, unreadable or indecipherable to unauthorized persons) and the decryption key was not compromised along with the data; a lost laptop with an unencrypted disk or with the password taped to it does not qualify.
What Do We Do If We Have a Suspected Breach?
• Under the terms of our Privacy Manual, when I am notified there is a
suspected breach, I will conduct a thorough risk assessment using
the 4 factors outlined above. My findings are documented on a
Breach Response Form and retained for six (6) years.
• When I am notified by a Business Associate that there is a suspected
breach, depending on the terms of our Business Associate
Agreement, I will either request that the Business Associate
investigate the incident further or will conduct the investigation on my
own (with the assistance of either Internal Audit, Information Security
Officer or Director of Healthcare Analytics and the HIPAA Team).
• If it is determined that a breach has occurred, affected individuals will
be notified as well as the media (if the breach is over 500 individuals)
and the Office for Civil Rights (OCR).
• We are required to report breaches on an annual basis to the OCR.
Applied Penalties For Breaches
Violation category | Civil monetary penalty (per violation) | Cap for identical violations per calendar year
The Covered Entity did not know of the violation. | $100 - $50,000 | $1,500,000
The violation was due to reasonable cause* and not willful neglect. | $1,000 - $50,000 | $1,500,000
The violation was due to willful neglect but was corrected within 30 days of discovery. | $10,000 - $50,000 | $1,500,000
The violation was due to willful neglect but was not corrected within 30 days of discovery. | $50,000 | $1,500,000
Such breaches may result in civil and criminal penalties. DST, as an employer, may impose
sanctions against its employees. Under the HITECH Act, DST is required to notify potentially
affected individuals of breaches involving their PHI either directly or through its Business Associates.
Additionally, the North Carolina Identity Theft Protection Act requires DST to notify individuals of
breaches involving their Social Security numbers.
*“Reasonable Cause” has been clarified to mean “when the covered entity or business associate
knew, or by exercising reasonable diligence would have known, that the act or omission is a violation,
but did not act with the conscious intent associated with willful neglect.”
North Carolina Identity Theft Protection Act of 2005
 This Act is a restriction on the collection, use, and safekeeping of a
consumer's Social Security number and consumer financial information.
 The Act requires businesses, charities and government to notify
individuals if a security breach has compromised any personal
information and placed them at risk of identity theft.
 Consumers were given the right to obtain a freeze on their credit reports.
Placing a security freeze on a credit report would prohibit credit reporting
agencies from releasing any information about you to new creditors,
making it difficult for an identity thief to open an account or obtain credit
in your name.
 Further, the Act gave the right to sue for civil damages in the event of
identity fraud/theft. The Act applies to any entity (financial institutions,
charities, government, businesses, etc.).
 Companies located in and out of state that conduct business in state or
keep personal information of state residents are required to comply.
New Rule – “Omnibus Final Rule” made changes in the following areas:
• Business Associate definition
• Electronic Media
• Civil Monetary Penalties
• Business Associates must comply with Security Rule
• Marketing
• Business Associate changes under Privacy Rule
  • Permitted and Required Uses and Disclosures
  • Minimum Necessary
  • Business Associate Agreements
  • Transition Provisions
• Authorizations
  • Sale of PHI
  • Compound Authorizations for Research Activities
  • Authorizing Future Research Use or Disclosure
• Decedents
• Student Immunization Records
• Fundraising
• NPP
• Right to Request Restrictions
• Right to Access
• Breach Notification
• Genetic Information Nondiscrimination Act of 2008 (GINA)
What is the “Omnibus Final Rule?”
• The Department of Health and Human Services (HHS) finally has
released its “Omnibus” Health Insurance Portability and Accountability
Act (HIPAA)/Health Information Technology for Economic and Clinical
Health (HITECH) Act regulation, implementing changes to the HIPAA
Privacy, Security and Enforcement Rules, as well as the interim final
regulation on breach notification and certain changes to the Privacy
Rule as required by the Genetic Information Nondiscrimination Act
(GINA). The regulation was published in the Federal Register on
January 25, 2013. See 78 Fed. Reg. 5566 (Jan. 25, 2013).
• The Omnibus Final Rule was effective March 26, 2013, with 180 days
for compliance (September 23, 2013).
Business Associate Re-defined
• Health and Human Services expanded the definition of “business
associate” in 45 CFR §160.103 to include patient safety organizations
(PSOs), health information organizations (HIOs) and subcontractors
of business associates, and otherwise revised the definition.
• Business Associate: An individual or corporate “person” that creates,
receives, maintains, or transmits PHI on behalf of a covered entity (for
DST, the Hybrid Entity).
• A business associate must now obtain satisfactory assurances from
its HIPAA-covered subcontractor, in the form of a written agreement,
that the subcontractor will appropriately safeguard PHI.
Electronic Media Re-defined
• The definition for electronic media has also been modified in 45
C.F.R. § 160.103 to reflect technological advances. Principally, the
new definition:
1. Replaces the term “electronic storage media” with “electronic
storage material,”
2. Expands the definition to include intranets; and
3. Incorporates voice transmissions that were electronically stored
prior to transmission.
• In addition, the preamble stated that devices that store PHI are
subject to the Privacy and Security Rules regardless of whether such
storage was intentional or not.
Compliance and Enforcement
• HHS will now (as opposed to “may”) investigate all complaints when
evidence indicates possible violation due to willful neglect.
• In addition, HHS removed the requirement that it first attempt informal
resolution of investigations and can now proceed directly to imposition
of civil monetary penalties (CMP).
• Changed the definition of “reasonable cause” to mean “when the
covered entity or business associate knew, or by exercising
reasonable diligence would have known, that the act or omission is a
violation, but did not act with the conscious intent associated with
willful neglect.”
• Lastly, and perhaps the most concerning, covered entities and
business associates are now liable for the activities of their
agents, regardless of their own compliance.
Business Associates Must Comply with Security Rule
• HHS did this to ensure that any subcontractor enters into a contract or
other arrangement to protect the security of e-PHI and to report
breaches of unsecured PHI so that the covered entity can be notified.
• The Security Rule’s BAA requirements apply to arrangements between
a business associate and a subcontractor of that BA in the same
manner as they apply to arrangements between covered entities and
BAs.
• Covered entities are not required to obtain satisfactory assurances
from (or enter into a BAA with) a business associate that is a
subcontractor; rather this is the obligation of the business associate
that has engaged the subcontractor.
• The Plan will be asking potential BAs regarding their subcontractor
arrangements and will be placing language in our contracts regarding
this rule but our BAA has always held the BA liable for the acts of any
and all subcontractors.
Business Associates Must Comply with the Privacy Rule
• Business associates are permitted to use or disclose PHI only as permitted or required by their
BAAs or other arrangements, or as required by law. They are prohibited from using or disclosing PHI
in a manner that would violate the Privacy Rule if done by the covered entity (with exceptions for the
proper management and administration of the business associate and to provide data aggregation
services for the covered entity, if permitted by the BAA). Business associates are also directly
required to:
1. Provide breach notification to the covered entity;
2. Provide access to a copy of ePHI to either the covered entity, the individual or the individual’s designee (whichever is specified in the BAA);
3. Disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules;
4. Provide an accounting of disclosures; and
5. Comply with the requirements of the Security Rule.
• Business Associates may only disclose the “minimum necessary” when using or disclosing PHI or
when requesting PHI from another covered entity or another Business Associate.
• Omnibus now allows Business Associates to disclose PHI to a business associate that is a
subcontractor, and to allow the subcontractor to create or receive PHI on its behalf, if the business
associate obtains satisfactory written assurances that the subcontractor will appropriately safeguard
the information. Importantly, a covered entity is not required to obtain satisfactory assurances from
business associates that are subcontractors, but the burden is instead placed on the business
associate to obtain such assurances.
Changes to When an Authorization is Required
• Currently, an authorization must be obtained from an individual for
most uses and disclosures of psychotherapy notes and for uses and
disclosures for purposes of marketing. Now, you must also obtain an
authorization for the sale of PHI. This changes the general prohibition
on sale of PHI. In addition, HHS has defined what constitutes “sale of
PHI.”
• The Privacy Rule now permits an authorization for the use or
disclosure of PHI for a research study to be combined with any other
type of written permission for the same or another research study,
including combining such an authorization with an authorization for
the creation/maintenance of a research database or repository or with
a consent to participate in research.
• Authorizations used to be “study specific.” Now, an authorization for
participation in a study may include language that the PHI may be
used or disclosed in future research.
Decedents
• Privacy Rule protection now ends 50 years after death – meaning that a
decedent’s information is no longer PHI and can be disclosed
50 years after their death… we all can look at JFK’s medical records
come November of this year!
• The Privacy Rule now expressly permits covered entities to disclose a
decedent's PHI to family members and others who were involved in
the care or payment for care of the decedent prior to death, unless
doing so would be inconsistent with the individuals' prior expressed
preference, which is known to the covered entity.
Changes to Notice of Privacy Practices
Omnibus made five (5) changes to Notice of Privacy Practices (NPP):
1. NPP must now contain a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require authorization.
2. NPP must state that other uses and disclosures not described in the NPP will be made only with authorization from the individual.
3. If a covered entity intends to contact the individual for fundraising purposes, the NPP must now contain a statement informing the individual of this intention and of his or her right to opt out of receiving such fundraising communications.
4. The NPP must now contain a statement informing the individual of his or her right to restrict disclosures of PHI to a health plan if the disclosure is for payment or health care operations and pertains to a health care item or service for which the individual has paid out of pocket in full; however, HHS noted this new NPP requirement would only apply to health care providers’ NPPs.
5. The NPP must now contain a statement explaining the right of affected individuals to be notified following a breach of unsecured PHI. HHS confirmed that a simple statement set forth in an NPP (e.g., an individual has a right to or will receive notifications of breaches of his or her unsecured PHI) will sufficiently comply with this new requirement.
Changes to Breach Notification Rule
• Changed the definition of “breach” and outlined 4 factors to consider in a risk assessment of a suspected breach, as discussed above.
• Notification to Individuals – covered entities remain ultimately responsible but may delegate the notification duty to the BA that caused the breach.
• Notification to Media – clarified that a covered entity need not incur a cost to print or run a media notification, media outlets are not required by law to print or run information about the breach, and publication of a press release on the CE’s website is not media notification.
• Notification to the Secretary – “immediate reporting” of breaches of over 500 individuals to HHS is determined to be “contemporaneous with notice to those affected individuals.”
• Notification by a BA – if a BA is deemed to be an “agent” of a CE, the BA’s discovery of the breach will be attributed to the CE.
Questions?
Please feel free to contact me:
Martha K. Wewer, JD, CHPSE
HIPAA Privacy and Security Officer
4901 Glenwood Ave., Suite 300
Raleigh, NC 27612
(919) 420-7913
Martha.wewer@nctreasurer.com
Thank You!
www.shpnc.org
www.nctreasurer.com