HIPAA Compliance Information

Health Insurance Portability and Accountability Act
HIPAA was passed by Congress in 1996 to lower healthcare costs by encouraging electronic transactions.
HIPAA gave Congress until August 21, 1999 to pass comprehensive health privacy legislation.
Congress failed in November 1999.
A final rule took effect on April 14, 2001.
The rule contains three parts:
a. Privacy
b. Code Sets
c. Security
Privacy is broken into four parts:
a. Administrative Procedures
b. Physical Safeguards
c. Technical Security Services (“data at rest”)
d. Technical Security Mechanisms (“data in transmission”)
Established to protect patient privacy and to give patients greater access to their own records.
• HIPAA covered entities:
a. Health plans
b. Clearinghouses
c. Healthcare providers who conduct financial and administrative transactions
• HIPAA specifically addresses patients’ Protected Health Information (PHI).
• A covered entity must receive permission from the patient to share PHI.

Code Sets
• Any set of codes used for encoding data elements. Includes tables of terms, medical concepts, medical diagnosis codes, and procedure codes.
• Required for data elements in administrative and financial transaction standards.
Security
• Protection of PHI.
• Contains four parts:
a. Administrative
b. Physical safeguards
c. Technical security services and mechanisms
d. Technical security mechanisms
Title 1: Protects health insurance coverage for workers and their families when they change or lose their jobs.
Title 3: Certain deductions for medical insurance and other changes to health insurance law.
Title 4: Conditions for group health plans.
Title 5: Provisions related to company-owned life insurance, treatment of individuals who lose U.S. citizenship for income tax purposes, and repeal of the financial institution rule to interest allocation rules.


Preventing Health Care Fraud
a. Preventing Health Care Fraud
b. Medical Liability Reform
c. Administrative Simplification



Civil Liability – Tiered
Criminal Liability
Recent Breaches and Fines
“Congress passed the Administrative Simplification provisions of HIPAA, among other things, to protect the privacy and security of certain health information and promote efficiency in the health care industry through the use of standardized electronic transactions.”
• Security: Applies only to Electronic Protected Health Information (EPHI).
• Privacy: Applies to Protected Health Information (PHI) in all forms (paper and electronic).
• Electronic Data Interchange: Standardization of the format in which PHI is transmitted electronically (ePHI) to the American National Standards Institute (ANSI) standard.
Why: CIA – Confidentiality (prevent unauthorized access), Integrity (prevent unauthorized changes/destruction) and Availability (ensure authorized access when needed) of electronic protected health information (EPHI).
What: “The provisions of the Security Rule apply to EPHI.”
Who: All covered entities (Health Care Plans, Health Care Providers, and Health Care Clearing Houses) must comply.
How: Because the Security Standards provide flexible guidelines, covered entities select appropriate security measures to satisfy Required implementation specifications, and make an appropriate determination on Addressable implementation specifications, taking into account their size, capabilities, the costs of the specific security measures and the operational impact.
Security Standards: General Rules
Organizational Requirements

• Patient sign-in sheet does not include PHI.
• Patient schedules are not in areas viewable by patients/non-staff.
• Confidential conversations take place in areas where they cannot be overheard by others.
• Patients/non-staff cannot gain access to computers or fax machines, or view computer screens.
• Each staff computer user has a personal computer password, passwords change on a regular basis, and passwords of terminated employees are deleted immediately.
• Patients/non-staff cannot access patient medical records, lab reports, or faxes.
• Formal documented procedures for acceptance of confidential patient info.
• Confidentiality statements are in place, and patients are aware of confidentiality policies.
• Formal privacy and security procedures with regard to access to confidential computer information, and access to areas that may contain confidential info.
• The return of all keys and other items that allow access to the office and computer files when an individual is no longer authorized access.
• Formal privacy/security policies and documented training for office personnel.
• Laptops and other portable equipment that contain PHI are secured and can only be accessed by authorized personnel.
• Policies and procedures to ensure patient confidentiality by off-site contractors, such as billing and accounting services.
• Comprehensive survey of all computer systems, including all software.
• Disaster plan to protect patient information, contingency plans in the event of a computer system failure, and regular virus checks.
• Both paper and electronic PHI are stored with appropriate safeguards.
• Secure internet transmissions, including email, and secure telephone conversations.
• Consent forms are used and signed by patients.
• Confidentiality statements on all faxes and email sent by staff.

Protect your user ID and password. Do not share, write down, or post your password under any circumstances!
Commit your password to memory.
At a minimum, when creating your password, incorporate a combination of letters and numbers. Avoid dictionary words and personal information.
Immediately change your password if it is accidentally exposed or compromised.
Report all password exposures to your department supervisor or manager.
Always keep computers password-protected and locked or logged off when not in use.
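The composition rules on the slide above (letters and numbers, no dictionary words, no personal information) can be checked mechanically at password-creation time. The following Python is an added example and is not part of the training deck; the small word list and the user fields passed in as `personal_info` are constructed samples standing in for a full dictionary and the user's HR record.

```python
"""Password-policy checker for the rules on the slide above.

Added example, not part of the original training deck. It checks the
three composition rules the slide states: a mix of letters and numbers,
no dictionary words, no personal information. SAMPLE_DICTIONARY and the
personal_info values used below are constructed samples (assumption).
"""
import re

# Constructed stand-in for a dictionary word list (assumption).
SAMPLE_DICTIONARY = frozenset({"password", "welcome", "hospital", "summer", "letmein"})


def check_password(password, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy violations; an empty list means the password passes.

    personal_info: strings such as the user's name, user ID or birth year
    (constructed values in the usage below).
    """
    problems = []
    lowered = password.lower()

    # Rule 1: a combination of letters and numbers.
    if not re.search(r"[a-z]", lowered) or not re.search(r"[0-9]", lowered):
        problems.append("must contain both letters and numbers")

    # Rule 2: no dictionary words. Digits and symbols are stripped first so
    # that a trailing year or '!' does not hide the word ("Summer2024!").
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(dictionary):
        if len(word) >= 4 and word in letters_only:
            problems.append(f"contains dictionary word '{word}'")

    # Rule 3: no personal information. Each field is split into alphanumeric
    # tokens ("Jane Doe" -> "jane", "doe") and each token of 3+ characters
    # is searched for inside the password.
    for field in personal_info:
        for token in re.findall(r"[a-z0-9]+", field.lower()):
            if len(token) >= 3 and token in lowered:
                problems.append(f"contains personal information '{token}'")

    return problems


def is_compliant(password, personal_info=()):
    """True when check_password reports no violations."""
    return not check_password(password, personal_info)


if __name__ == "__main__":
    # Constructed sample user record (assumption).
    user_fields = ("Jane Doe", "jdoe", "1985")
    for candidate in ("welcome", "Summer2024!", "Jane1985!", "Tr8v-qL2z#"):
        print(candidate, "->", check_password(candidate, user_fields) or "OK")
```

The checker returns every violation rather than stopping at the first, so the user can be told exactly which rule a rejected password broke; rejected passwords are never stored or logged, only the rule names.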
Log off or lock access to computers when you leave, even if only for
a moment.
Keep computer systems up-to-date with current operating system
security patches and antivirus definitions.
Ensure that computer systems meet minimum security standards.
Ensure that computer screens and displays with access to ePHI are
not visible to unauthorized individuals or passersby.
Keep confidential or sensitive information locked away when not in
use. File documents in locked cabinets or drawers when you have
finished with them.
Be alert to recognize and report all privacy and security incidents to
your department supervisor or manager.


Transactions – HIPAA calls for a standard in the way health information is transferred
and in the use of standard codes to identify each disease, illness, and other patient
health problems.
Identifiers
a. The standard Unique Employer Identifier is the standard employer identification
number (EIN) that appears on an employee’s federal IRS form W-2, Wage and Tax
Statement received from their employer.
b. The National Provider Identifier (NPI) is a unique identification number for covered
health care providers.
c. The National Health Plan Identifier (NHI) is a proposed identifier, still under consideration, to uniquely identify health plans and payers.
d. The National Individual Identifier is no longer being pursued, as the government is
not allotting funding for its development.
Stimulus Package
a. Health care providers who demonstrate meaningful use of certified electronic health records receive incentive payments through Medicaid and Medicare. States can receive a 90% federal funding match for incentive payments distributed to Medicaid providers who adopt EHRs under the meaningful use criteria.
Notification of Breach
a. The HITECH Act now imposes data breach notification requirements for unauthorized uses and disclosures of unsecured PHI.
Electronic Health Record Access
a. Where a provider has implemented an EHR system, the Act provides individuals with a right to obtain their PHI in an electronic format (i.e. ePHI).
Business Associates and Business Associate Agreements
a. Under the HITECH Act, business associates are now directly required to comply with the safeguards contained in the HIPAA Security Rule (SR).

Basic Check List for Meaningful Use
1. Use Computerized Provider Order Entry (CPOE) for medication orders
2. Implement drug-drug and drug-allergy interaction checks
3. Maintain an up-to-date problem list of current and active diagnoses
4. Generate and transmit permissible prescriptions electronically (eRx)
5. Maintain active medication list
6. Maintain active medication allergy list
7. Record demographics
8. Record vital signs
9. Record smoking status for patients 13 years old or older
10. Report ambulatory clinical quality measures to CMS
11. Implement one clinical decision support rule
12. Provide patients with an electronic copy of their health information upon request
13. Provide clinical summaries for patients for each office visit
14. Exchange key clinical information electronically
15. Protect electronic health information
16. Implement drug formulary checks
17. Incorporate clinical lab-test results as structured data
18. Generate patient lists by specific conditions
19. Send patient reminders for preventive or follow-up care
20. Provide patients with timely electronic access to their health information
21. Provide patient-specific education resources
22. Perform medication reconciliation
23. Provide summary of care record for each transition of care or referral
24. Submit electronic data to immunization registries
25. Submit electronic syndromic surveillance data to public health agencies

Covered entities and specified individuals who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to 10 years.
49% Physical Theft, 16% Unauthorized Access, 14% Physical Loss, 9% Combination, 6% Hacking/IT, 5% Improper Disposal, 1% Other/Unknown
1. Howard University Hospital – Over a 17-month period, Laurie Napper used her position at the hospital to gain access to patients’ names, addresses and Medicare numbers in order to sell their information. If convicted, Napper faces up to 10 years in prison.
2. Another Howard University incident – The hospital notified more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients’ files onto a personal laptop, which was stolen from the contractor’s car. The data on the laptop was password-protected but unencrypted, which means anyone who guessed the password could have accessed the patient files.
3. A jury in Waukesha, Wisconsin, found that an emergency medical technician invaded
the privacy of an overdose patient when she told the patient’s co-worker about the
overdose. The co-worker then told the nurses at West Allis Memorial Hospital, where
both she and the patient were nurses. The EMT claimed that she called the patient’s
co-worker out of concern for the patient. The jury, however, found that regardless of
her intentions, the EMT had no right to confidential and sensitive medical information,
and directed the EMT and her employer to pay $3,000 for the invasion of privacy.
4. March 13, 2012
Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of
Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules,
Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced today.
BCBST has also agreed to a corrective action plan to address gaps in its HIPAA
compliance program. The enforcement action is the first resulting from a breach report
required by the Health Information Technology for Economic and Clinical Health
(HITECH) Act Breach Notification Rule.
The investigation followed a notice submitted by BCBST to HHS reporting that 57
unencrypted computer hard drives were stolen from a leased facility in Tennessee. The
drives contained the protected health information (PHI) of over 1 million individuals,
including member names, social security numbers, diagnosis codes, dates of birth, and
health plan identification numbers. OCR’s investigation indicated BCBST failed to
implement appropriate administrative safeguards to adequately protect information
remaining at the leased facility by not performing the required security evaluation in
response to operational changes. In addition, the investigation showed a failure to
implement appropriate physical safeguards by not having adequate facility access
controls; both of these safeguards are required by the HIPAA Security Rule.
If you are a covered entity, you are subject to OCR Audits!
Overview: The American Recovery and Reinvestment Act of 2009, in
Section 13411 of the HITECH Act, requires HHS to provide for periodic
audits to ensure covered entities and business associates are complying
with the HIPAA Privacy and Security Rules and Breach Notification
standards. To implement this mandate, OCR is piloting a program to
perform up to 150 audits of covered entities to assess privacy and
security compliance. Audits conducted during the pilot phase will begin
November 2011 and conclude by December 2012.
Program Objectives: The audit program serves as a new part of OCR’s
health information privacy and security compliance program. OCR will
use the audit program to assess HIPAA compliance efforts by a range of
covered entities. Audits present a new opportunity to examine
mechanisms for compliance, identify best practices and discover risks
and vulnerabilities that may not have come to light through OCR’s
ongoing complaint investigations and compliance reviews. OCR will
broadly share best practices gleaned through the audit process and
guidance targeted to observed compliance challenges via this web site
and other outreach portals.
http://www.hhs.gov/ocr/
How Will the Audit Program Work?
The privacy and security performance audit process will include generally
familiar audit mechanisms. Entities selected for an audit will be informed by
OCR of their selection and asked to provide documentation of their privacy
and security compliance efforts. In this pilot phase, every audit will include a
site visit and result in an audit report. During site visits, auditors will
interview key personnel and observe processes and operations to help
determine compliance. Following the site visit, auditors will develop and
share with the entity a draft report; audit reports generally describe how the
audit was conducted, what the findings were and what actions the covered
entity is taking in response to those findings. Prior to finalizing the report,
the covered entity will have the opportunity to discuss concerns and describe
corrective actions implemented to address concerns identified. The final
report submitted to OCR will incorporate the steps the entity has taken to
resolve any compliance issues identified by the audit, as well as describe any
best practices of the entity.
When Will Audits Begin?
The pilot audit program is a three step process. The first step entailed developing the audit protocols.
Next, a limited number of audits will be conducted in an initial wave to test these protocols. OCR
expects the initial audits to begin in November 2011. The results of the initial audits will inform how
the rest of the audits will be conducted. The last step will include conducting the full range of audits
using revised protocol materials. All audits in this pilot will be completed by the end of December,
2012.
Who Will Be Audited?
Every covered entity and business associate is eligible for an audit. Selections in the initial round will be
designed to provide a broad assessment of a complex and diverse health care industry. OCR is
responsible for selection of the entities that will be audited. OCR will audit as wide a range of types and
sizes of covered entities as possible; covered individual and organizational providers of health services,
health plans of all sizes and functions, and health care clearinghouses may all be considered for an
audit. We expect covered entities to provide the auditors their full cooperation and support and remind
them of their cooperation obligations under the HIPAA Enforcement Rule.
Business Associates will be included in future audits.
What is the General Timeline for an Audit?
When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The OCR
notification letter will introduce the audit contractor, explain the audit process and expectations in
more detail, and describe initial document and information requests. It will also specify how and when
to return the requested information to the auditor. OCR expects covered entities and business
associates who are the subject of the audit to provide requested information within 10 business days of
the request for information.
OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite
visit. Onsite visits may take between 3 and 10 business days depending upon the complexity of the
organization and the auditor’s need to access materials and staff. After fieldwork is completed, the
auditor will provide the covered entity with a draft final report; a covered entity will have 10 business
days to review and provide written comments back to the auditor. The auditor will complete a final
audit report within 30 business days after the covered entity’s response and submit it to OCR.
What Happens After an Audit?
Audits are primarily a compliance improvement activity. OCR will review the final reports, including the
findings and actions taken by the audited entity to address findings. The aggregated results of the
audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA
Rules. Generally, OCR will use the audit reports to determine what types of technical assistance should
be developed, and what types of corrective action are most effective. Should an audit report indicate a
serious compliance issue, OCR may initiate a compliance review to address the problem. OCR will not
post a listing of audited entities or the findings of an individual audit which clearly identifies the
audited entity.
How will Consumers Be Affected?
The audit program represents one more avenue by which OCR
ensures compliance with HIPAA protections of health information
to the benefit of consumers. For example, the audit program
may uncover reasons many health information breaches are
occurring and help OCR create tools for covered entities to better
protect individually identifiable health information. Concerns
about compliance identified and corrected by an audit will serve
to improve the privacy and security of health records. The
technical assistance and best practices that OCR generates will
also assist covered entities and business associates in improving
their efforts to keep health records safe and secure. OCR
continues to accept complaints from individuals and covered
entities continue to have the obligation to accept complaints
from persons about their HIPAA Rule activities.
Resources
http://lawmedconsultant.com/645/hipaa-violations-not-a-cause-of-action-for-alawsuit
http://www.emrandhipaa.com/administrator/2006/06/21/examples-of-hipaa-privacyviolations-more-hipaa-lawsuits-coming/
http://www.aafp.org/fpm/2002/1100/p35.html
Recent Breaches & Fines
What can we do for you?
◦ Initial assessment of compliance
• HITECH and Basic Meaningful Use Guide
◦ Independent Audit based on NIST SP 800-66 Revision 1.