Add to collection(s) Add to saved
  1. Science
  2. Health Science

HIPAA HITECH - Wroten & Associates, Inc.

advertisement 
HIPAA/ HITECH: Relief for the
Newest Regulatory Headache
Kippy L. Wroten
Founding Shareholder, Wroten & Associates
Darryl A. Ross
Shareholder, Wroten & Associates
Scope of the Omnibus Rule
• Research uses of data – compound, more general authorizations.
• Patients’ right to restrict data sharing with payors.
• Requirements to modify and redistribute notices of privacy
practices.
• Inclusion of limitations on use of genetic information for
underwriting.
• Clarifies HHS Secretary’s role in enforcement, imposition of civil
money penalties (CMPs) and CMP liability for acts of agents.
What’s Not in the Omnibus Rule
• Accounting of Disclosures – still in process.
• Methodology for giving individuals “harmed” by HIPAA
violations a percentage of any civil monetary penalties or
settlements collected.
• Guidance for implementation of minimum necessary
standard.
• HITECH also mandated study of definition of “psychotherapy
notes” – no specific deadline for the study.
HIPAA - Privacy vs. Security
• HIPAA Privacy Rule
– The need to protect medical records and other health
information in any form (electronic, paper, or out of our
mouths) from being shared, viewed, distributed, etc.
• HIPAA Security Rule
– The need to develop and maintain security of all electronic
health information, including storage and transmission.
Privacy Rule
Privacy
Rule
Notice of
Privacy Practices
Right to
Request Privacy
PHI Protection
Right to Individual
Access to PHI
Administrative
Requirements
Uses & Disclosures
Of PHI
Accounting
For
Disclosures
Security Rule
SECURITY RULE
Administrative
Safeguards
Physical
Safeguards
Technical
Safeguards
Privacy Officer
Access Control
IT Hacking/Intruders
P & Ps
Software Control
Encryption
Access Authorization
PHI Destruction
Password Protection
Business Associates
Work Station Privacy
Written Record of
Network Configuration
Disaster Recovery/
Contingency Plans
Training
Risk Analysis
Documentation
Routine Audits
Risk Management
Documentation
Health Information Technology for Economic and
Clinical Health Act (2009) Expands Protection
Omnibus Rules
Direct Liability for
Business
Associates
Expanded
Individual Rights
Right to Preclude
Disclosure
Genetic Information
Preclusion
Breach Notification
Rules Expanded
Notice of Privacy
Disclosures
Redistribution
Civil Monetary
Penalties
Increased
How Do HIPAA & HITECH Apply to Me?
• Covered Entities
• Hybrid Entities
• Business Associates (Vendors)
Protected Health Information
• What is it?
– Identifies the individual
– Transmitted or maintained by a CE or BA
– Relates to individual's physical or mental health or
payment for health care
– Demographic information
Common
• Names
• SSN
• Medical record #s
• Account numbers
• Dates of treatment
Probably Aware
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Certificate/license numbers
Did You Know?
• Vehicle ID & Serial Numbers - license
plate numbers
• Device ID & serial numbers
• Universal Resource Locators (URLs)
• Internet Protocol (IP) addresses
• Biometric identifiers, including finger
and voice prints
• Full face photographic images and
any comparable images
• Any other unique identifying number,
characteristic, or code
PHI
Health Plans
Covered Entities
An individual or group plan that provides or pays the cost of medical care
Health care clearinghouses
A public or private entity, including a billing service, re-pricing company, community
health management information system or community health information system, and
“value added” networks and switches that either process or facilitate the processing of
health information
Health care providers
Care, services, or supplies related to the health of an individual, including (1) preventive,
diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling,
service, assessment, or procedure with respect to the physical or mental condition, or
functional status, of an individual that affects the structure or function of the body; and
(2) sale or dispensing of a drug, device, equipment, or other item in accordance with a
prescription.
+ …who electronically transmit any health information
Hybrid Entities
• A single legal entity that is a covered entity, performs
business activities that include both covered and non-covered
functions, and designates its health care components as
provided in the Privacy Rule. If a covered entity is a hybrid
entity, the Privacy Rule generally applies only to its
designated health care components. However, non-health
care components of a hybrid entity may be affected because
the health care component is limited in how it can share PHI
with the non-health care component. The covered entity also
retains certain oversight, compliance, and enforcement
responsibilities.
Who is a Business Associate?
•
•
•
•
•
•
•
•
•
•
Claims Processing
Data Analysis
Utilization Review
Billing
Legal (including litigation counsel)
Actuarial
Accounting
Consulting
Data Aggregation
Management
•
•
•
•
•
Administrative
Accreditation
Financial Services
E-Discovery Vendors
Copier Technicians (if your
copier has memory)
• Shredding Services
• Computer Support Services
• Records subpoenas/duplication
services
Business Associates
HITECH Expands Privacy and Security
• Expanded definition of "business associate“
- “Business associate” means one who, on behalf of a Covered Entity
• creates, receives, maintains or transmits PHI
• "Business associate" now also means "subcontractor of business
associate“ who creates, receives, maintains or transmits PHI on behalf of a
business associate
– Status as Business Associate based upon role and responsibilities, not upon
who are the parties to the contract
Business Associate Definition
Clarifications
• Rule clarifies definition of "business associate” -- included:
– Patient Safety Organizations
– Health information exchange organizations, e-prescribing gateways,
covered entities' personal health record vendors (not all PHRs)
– Data transmission providers that require access to PHI on a routine
basis
• Not included – those who just provide transmission services,
like digital couriers or “mere conduits.”
• However, those who store PHI, even if they don’t intend to
actually view it, are BAs (implications for cloud model EHRs).
Business Associates
Claims
Processing
Management
Data
Aggregation &
Analysis
Administrative
Support
Utilization
Review
Direct
Liability
Accreditation
Survey
Consults
Billing
Financial
Services
Legal
Actuarial
Accounting
Do They Know Who They Are?
• Implications for subcontractor relationships
• Contract between the covered entity's BA and that
BA's
– Subcontractor must satisfy the BAA requirements
– Subcontractor of subcontractor is also a BA, and so on
• As a result, HIPAA/HITECH obligations that apply to BAs also
directly apply to subcontractors
BAs – Uses of PHI
•
Uses of PHI
–
–
–
BAs may use or disclose PHI only as permitted by BAA or required by law
BAs may not use or disclose PHI in manner that would violate Privacy Rule
Subcontractors subject to limits in initial CE-BA agreement
– Must pass along in subcontracts
– BAs not making a permitted use or disclosure if not
•
•
•
•
•
•
•
Follow minimum necessary rules
BA does not comply if it knows of subcontractor's material noncompliance and does not take
reasonable steps to cure the breach or, if such steps fail, to terminate the relationship
BAs (incl. subcontractors) subject to civil money penalties for HIPAA violations
BA/subs remain liable under contract to CE/BA
Secretary authorized to receive and investigate complaints against BAs (including
subcontractors), and to take action regarding complaints and noncompliance
BAs (incl. subs) required to maintain records and submit compliance reports to Secretary,
cooperate in complaint investigations and compliance reviews, give Secretary access to
information
BAA - Generally, compliance required 180 days following Omnibus Rule’s effective date
(3/26/13), which is 9/23/13
Omnibus Rules
Compliance
Omnibus Rules Compliance Date:
September 23, 2013
Compliance Plan - Step One
•
Have you established an executive/board-level responsibility for HIPAA compliance?
•
Have you designated yourself as a (a hybrid entity, or (b) a single affiliated covered
entity with other legally separate covered entities under common ownership or control?
•
Have you taken the necessary follow-up steps to document?
•
Have you designated responsible persons for Privacy? For Security? Do you have job
descriptions?
•
Have you distributed a Notice of Privacy Practices with the identification of the Privacy
and Security Officers?
•
Have you posted information and trained staff?
•
Has the staff signed confidentiality agreements related to privacy and security?
•
Do you have Business Associate Agreements in place?
Compliance Plan - Step Two
• Is HIPAA privacy and security included in new employee
orientation?
• Is your Governing Body/Board trained?
• Are volunteers and clergy trained?
• How do you facilitate privacy and security awareness?
Risk Assessment
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
Risk Assessment - PHI Flow Chart
Fax Transmittal
Admissions
Director of Nurses
Business Office
Written Admissions
Documents
Written Chart
Computer File
Electronic Billing
Security Risk Assessment- Organizational
Requirements
• Business Associates Identified
• Policies & Procedures adopted
• Documentation procedures adopted
Security Risk Assessment
•
•
•
•
•
•
•
•
Security Awareness and Training
Security Incident Procedures
Workstation Use
Device and Media Controls
Access Control
Integrity
Person/Entity Authentication
Transmission Security
Access Controls
• Limit physical access to its electronic information systems,
including facilities where data housed. §164.310(a)(1).
• Workstation Security - physical safeguards for all workstations
that access ePHI. §164.310(c).
• Must assure authorized users have access.
Workstation Security Compliance Practices
• Identify desktop/laptops containing ePHI
• Lock down procedures.
• Policies to prevent unencrypted ePHI from being stored on
portable electronic devices and laptops.
• Encryption practices.
Device Controls and Re-Use
§164.310(d)(1) - Controls
§164.310(d)(2)(ii) - Re-Use
• Movement within facility.
• Removal of hardware from
facility.
• P&Ps to address final
disposition of ePHI and/or
medium where stored
• P&Ps governing removal of ePHI
before device re-used.
• P&Ps to assure ePHI is unusable
and/or inaccessible prior to reusing device.
• All storage devices or all ePHI
records must be overwritten
multiple times, in accordance
with NIST guidelines.
Disposal Compliance Practices
• ePHI on must be rendered unusable and/or
inaccessible prior to disposal.
• When portable media is discarded, it should either
be overwritten multiple times, in accordance with
NIST guidelines.
• Maintain a record of where the hardware is, and the
person responsible for it. §164.310(d)(2)(iii).
Accountability Practices for Compliance
• Identify types of hardware and electronic media that
must be tracked.
• Create record / log to track where devices are.
• Portable devices should not ordinarily contain ePHI
and must be individually identified in the tracking
system in order to contain ePHI.
• Possession of portable device with ePHI must be
consistent with the individual’s position.
• Inventory should be physically confirmed at least
annually.
Data Backup and Storage
• Create a retrievable, exact copy of electronic
protected health information, when needed, before
movement of equipment. §164.310(d)(2)(iv)
• Establish a process for documenting or verifying its
creation.
4 Components of Compliant Technical P&P’s
§164.312(a)(2)(i)
Unique name / identifier
to track users.
§164.312(a)(2)(iii)
Automatic logoff
procedures
§164.312(a)(2)(ii)
Emergency access
procedures.
§164.312(a)(2)(iv)
Encryption and
decryption procedures
Step 1: User ID
• Unique account for each user including unique
username and password if access to ePHI.
• Verification procedures
• P&Ps to map permissions
• Generic or shared accounts are not permitted for
access to ePHI.
Step 2: Emergency Controls
• Protocol should be written
• Do not rely on availability of a single individual.
• Identify roles that may require special access during an
emergency.
• Proper ID of individuals required Access to power or a
network?
• If electronic systems are a copy of the medical record
and access to the system is not necessary for safe
patient care, use of medical records while the systems
is unavailable is acceptable
Do You Know What You Will Do If The Lights Go Out?
Step 3: Auto Logoff Compliance Practices
• Best practice: require electronic to be terminated.
• If terminating session isn’t possible, implement
automatic workstation lockout as a compensating
control.
• What’s an appropriate amount of inactivity before
automatic lockout?
Step 4: Encryption Technical Standards
•
•
•
•
•
HITECH references NIST encryption standards
Enforce complex passwords where possible
Protection from malicious software for details)
Ensure secure remote access
Implement correctly configured firewalls (hardware
and/or software)
Step 4: Encryption – Decryption: P&Ps
• Unique user ID’s
• Frequent changes to ID’s
• Prohibit unencrypted ePHI will not be stored on
portable electronic devices, including laptops.
• Remote wipe procedures
– Incorrect Password
– IT Personnel
Common Sense & Security
•
•
•
•
•
•
•
•
•
Log off your system if you are not in front of it.
Remove patient/resident/employee data from view.
Make sure others cannot see your computer screen.
Don’t place patient/resident/employee data on a flash drive,
CD, diskette, or even your C: drive if you have PC.
Don’t give anyone your password
Any device /laptop used to store/transmit PHI must be
encrypted – don’t store/transmit PHI on personal devices.
“Secure” all PHI when sent outside of secure environment
Emails
Texts
Mobile Devices & Security
• Enterprise issued mobile devices
– Password protected
– Encrypted
– Remote monitoring
– Remote wiping (destruction)
• BYOD
– Are they secure?
• Dealing with physicians who insist on texting
– Difference between sending and receiving
• Education & Training - materials
healthit.gov/providers-professionals/downloadable-materials
Risks Mobile Devices
• Mobile devices produced for consumer use.
• Can store massive amounts of data.
• Lack security and operational controls to enable
management of the device from a centralized
system.
• Easily lost or stolen and pose increased risks to the
confidentiality and security of patient health
information.
• Loss or theft may result in breach notification.
WHERE IS YOUR DATA?
WHAT IS THIS?
SAY HELLO TO YOUR DATA
A
O
N
R
D
T
T
H
H
I
SI
S
ePHI & Text Messaging – P&Ps
• Appropriate use of work-related texting.
• Prohibiting texting of ePHI
• Requiring medical records be updated if ePHI
received via text.
• Identifying retention period for any ePHI received via
text.
• An inventory of all mobile devices used for texting
ePHI (whether provider-owned or personal devices).
Device Ownership. BYOD Considerations
•
•
•
•
Written authorization before storing ePHI.
A clear definition of data ownership.
Define what is acceptable use.
Annual acknowledgment of organization
P&Ps
• Reservation of rights to examine devices
• Procedures during employee or contractor
separation
BYOD Policies To Consider
•
•
•
•
•
Appropriate use of texting
Appropriate use of camera and video
Appropriate use of sensitive information
Requirements for password protection and lock-out features.
Prohibition on altering factory defaults and operating systems
(i.e., jail-breaking)
• Appropriate use of applications and conditions of
downloading software.
Technology Solutions for Mobile Devices
• Password protection and encryption for mobile
devices that create, receive or maintain text
messages with ePHI.
• Enterprise control to oversee communication use
• Enterprise control to wipe information from lost
devices and/or separated employees
• Use of a secure messaging application.
• Audit trail system.
Security
Assessment
Exemplars
Event Management: Breach
• Ready or not, expect there will be a breach
Risk Assessment: Breach
• CE/BA should perform risk assessment post-breach
discovery and must consider at least the following:
– Nature and extent of PHI involved, including types of
• Identifiers and likelihood of re-identification
– Who was the recipient of the PHI
– Was the PHI actually acquired or viewed
– The extent to which the risk to misuse of the PHI has been
• Mitigated
Risk Analysis Criteria
• Likelihood of identification or re-identification:
– a list of patient names – not low probability
– patient discharge data, patient not specified – can patients be re-identified? –
could be low probability (depends on the circumstances)
• Who is the unauthorized recipient:
– a HIPAA covered entity – low probability, as long as you have evidence the risk
has been mitigated
– an employer – may be able to use personnel records to re-identify – not low
probability
• PHI actually acquired or viewed:
– untampered with laptop – low probability
– information mailed to wrong person – not low probability
• Has improper use been mitigated:
– satisfactory assurances of destruction from a known person – low probability
Risk of Harm Analysis
Did the breach pose a significant risk of financial, reputational, or other harm to the individual?
To whom was the PHI disclosed?
RISK EVALUATION
•
•
•
Low risk
Moderate risk
High risk
Another employee/BA?
Wrong fax number/unauthorized family member?
PHI lost or stolen?
In what form was the PHI accessed, used, or disclosed?
•
•
•
Verbal?
Paper?
Electronic?
Low risk
Moderate risk
High risk
What event caused the access, use, or disclosure of PHI?
•
•
•
Unintentional disclosure?
Intentional disclosure?
Hacking/theft?
Low risk
Moderate risk
High risk
What type of PHI was impermissibly accessed, used, or disclosed?
•
•
•
•
•
Limited data set?
Non-sensitive PHI?
Treatment provided?
Substance abuse, mental health, contagious disease?
SSN’s, Tax ID, Account #s, Passwords / Digital Signatures
Low risk
Moderate risk
Potentially higher risk
High risk
Very high risk
What steps were taken to mitigate potential harm related to
the impermissible access, use, or disclosure?
•
•
•
PHI returned before accessed?
PHI properly destroyed?
Recipient signed a confidentiality agreement?
Immediate steps taken to reduce risk of harm?
Low risk
Low risk
Low risk
Low – moderate risk
Definition of “Breach”
• Definition changed from the interim rule
definition
– An impermissible use or disclosure of PHI is
presumed to be a breach unless the covered
entity or business associate demonstrates there is
low probability that the PHI has been
“compromised”
Has A Breach Occurred?
• Is the information unsecured PHI?
– Was the PHI de-identified?
– Was the PHI acquired, accessed, used, or disclosed in
accordance with the Privacy Rule?
– Was the PHI encrypted?
– Was the PHI properly destroyed?
• If any of the above answers is "yes", then the
information is not unsecured PHI therefore no
breach has occurred and notification is not required.
Privacy & Security Exceptions
• Did a CE/BA workforce member unintentionally access or use the PHI while
acting within the scope of their duties?
• Was the impermissible use and/or disclosure stopped before further
disclosure occurred?
• Did a CE/BA workforce member inadvertently disclose PHI to another
workforce member where all were otherwise authorized to access/use PHI?
• Was the use/disclosure of PHI incident to an otherwise permissible use or
disclosure where the minimum necessary requirement was followed?
• Was the PHI impermissibly disclosed to an unauthorized person but there is
a good faith belief exists that the recipient would not be able to retain the
PHI?
If any of the above answers is "yes", then no breach has occurred and
notification is not required.
Breach Decision Tree
Is the information PHI?
No
Yes
Is the PHI unsecured?
No
No Notification under HITECH:
Determine if accounting and
mitigation obligations under
HIPAA
No
No Notification under
HITECH
Yes
Is there an impermissible
acquisition, access, use or
disclosure of PHI?
No Notification under HITECH:
Determine if state breach
notification laws apply
Yes
Does the impermissible acquisition,
access, use or disclosure
compromise the security or privacy
of PHI? Has a written risk
assessment been completed?
Yes
Does an exemption
apply?
No
Notification Required; Determine
methods for notification for affected
individuals, the Secretary of HHS and,
if necessary, media
No
No Notification under
HITECH: Determine if
accounting and
mitigation obligations
under HIPAA
Breach Notification
• Notification of Breach
– Data breach notification requirements imposed for
unauthorized uses and disclosures of "unsecured PHI."
– Patients must be notified of any unsecured breach.
– If a breach impacts 500 patients or more, HHS must also be
notified, and breaching entity's name will be published on
HHS' website.
– Under certain conditions local media will also need to be
notified.
– Notification is triggered whether the unsecured breach
occurred externally or internally.
Notice of Privacy Practices
• Redistribution required!
Notice of Privacy Practices (NPP)
• NPPs must include:
– Statements regarding certain uses and disclosures requiring
authorization
•
•
•
•
•
Psychotherapy notes (where appropriate);
Marketing;
Sales of PHI;
Right to restrict disclosures to health plans (provider only); and
Right to be notified of breach.
– General statement that all uses and disclosures not described in
NPP also require authorization
Notice of Privacy Practices
• Does it contain all the required elements?
– “This notice describes how medical information about you may be used and
disclosed and how you can get access to this information please review it”.
•
•
•
•
•
•
Include examples of types of use and disclosures.
List of uses and disclosures allowed without authorization.
List of individual’s rights.
Privacy Officer contact information.
Do you use PHI for marketing?
Do you use PHI for research?
Covered Entity - Privacy Obligations
• Is NPP posted?
• Has NPP been translated?
• What is your process for delivery?
• What is your process to re-distribute when there are changes
• Is your NPP posted on websites?
Omnibus Rule – NPPs must be Revised
• Changes in rule are material
• For plans that post on website, post revised NPP by effective
date and in next annual mailing
• If no web site, plans must provide within 60 days of material
revision
• For providers, must post and make available upon request;
must provide to (and seek acknowledgement from) new
patients
• Can send by e-mail if individual agrees
Important
Next Steps
•
•
•
•
Review policies, procedures, forms, and update
Train staff on new provisions
Inventory BAs and update BAAs
Update breach response plan; in particular, update risk
assessment and address encryption
Components Of An Effective Security Plan
• Policies & Procedures governing hardware
and software.
• Testing
• Auditing
• Contingency Plans
Compliance Date
September 23, 2013
Related documents
Understanding HIPAA Compliance
Understanding HIPAA Compliance
PS-from-HIPAA-to-Meaningful-Use
PS-from-HIPAA-to-Meaningful-Use
Claudia Allen, General Counsel and Chief Privacy
Claudia Allen, General Counsel and Chief Privacy
hipaa - Optima Health
hipaa - Optima Health
here - Healthcare Law Insights
here - Healthcare Law Insights
Based on a study of 14000 Phi Theta Kappa members
Based on a study of 14000 Phi Theta Kappa members
Phi Coefficient Example
Phi Coefficient Example
hippa - Medical Center Hospital
hippa - Medical Center Hospital
A Guide to Compliant Data Management
A Guide to Compliant Data Management
Computational Physics Finite-Elements mini
Computational Physics Finite-Elements mini
Download
advertisement