Health Insurance Portability and Accountability Act (HIPAA)

HIPAA was passed by Congress in 1996 to lower healthcare costs by encouraging electronic transactions. HIPAA gave Congress until August 21, 1999 to pass comprehensive health privacy legislation; Congress failed to do so in November 1999. A final rule took effect on April 14, 2001.

The rule contains three parts:
a. Privacy
b. Code Sets
c. Security

Privacy is broken into four parts:
a. Administrative Procedures
b. Physical Safeguards
c. Technical Security Services (“data at rest”)
d. Technical Security Mechanisms (“data in transmission”)

Privacy
Established to protect patient privacy and to allow patients greater access to their own records.

HIPAA covered entities:
a. Health plans
b. Clearinghouses
c. Healthcare providers who conduct financial and administrative transactions

HIPAA specifically addresses a patient’s Protected Health Information (PHI). A covered entity must receive permission from the patient to share PHI.

Code Sets
Any set of codes used for encoding data elements. Includes tables of terms, medical concepts, medical diagnosis codes, and procedure codes. Required for data elements in administrative and financial transaction standards.

Security
Protection of PHI. Contains four parts:
a. Administrative
b. Physical safeguards
c. Technical security services and mechanisms
d. Technical security mechanisms

HIPAA Titles
Title 1: Protects health insurance coverage for workers and their families when they change or lose their jobs.
Title 3: Certain deductions for medical insurance, and other changes to health insurance law.
Title 4: Conditions for group health plans.
Title 5: Provisions related to company-owned life insurance and the treatment of individuals who lose U.S. citizenship for income tax purposes; repeals the financial institution rule to interest allocation rules.

Preventing Health Care Fraud
a. Preventing Health Care Fraud
b. Medical Liability Reform
c. Administrative Simplification

Civil Liability – Tiered
Criminal Liability
Recent Breaches and Fines

“Congress passed the Administrative Simplification provisions of HIPAA, among other things, to protect the privacy and security of certain health information and promote efficiency in the health care industry through the use of standardized electronic transactions.”

Security: Applies only to Electronic Patient Health Information (EPHI).
Privacy: Applies to Patient Health Information (PHI) in all forms (paper and electronic).
Electronic Data Interchange: Standardization of the format in which PHI is transmitted electronically (ePHI) to the American National Standards Institute (ANSI) standard.

Why: CIA – Confidentiality (prevent unauthorized access), Integrity (prevent unauthorized changes/destruction), and Availability (ensure authorized access when needed) of electronic protected health information (EPHI).
What: “The provisions of the Security Rule apply to EPHI.”
Who: All covered entities (Health Care Plans, Health Care Providers, and Health Care Clearing Houses) must comply.
How: Because the Security Standards provide flexible guidelines, each covered entity selects appropriate security measures to satisfy the Required implementation specifications and makes its own determination on the Addressable implementation specifications, taking into account its size, capabilities, the costs of the specific security measures, and the operational impact.

Security Standards: General Rules
Organizational Requirements

• Patient sign-in sheet does not include PHI.
• Patient schedules are not in areas viewable by patients/non-staff.
• Confidential conversations take place in areas where they cannot be overheard by others.
• Patients/non-staff cannot gain access to computers or fax machines, or view computer screens.
• Each staff computer user has a personal computer password, passwords change on a regular basis, and passwords of terminated employees are deleted immediately.
• Patients/non-staff cannot access patient medical records, lab reports, or faxes.
• Formal documented procedures for acceptance of confidential patient information.
• Confidentiality statements are in place, and patients are aware of confidentiality policies.
• Formal privacy and security procedures with regard to access to confidential information, access to computer information, and access to areas that may contain confidential information.
• The return of all keys and other items that allow access to office and computer files when an individual is no longer authorized access.
• Formal privacy/security policies and documented training for office personnel.
• Laptops and other portable equipment that contain PHI are secure and can only be accessed by authorized personnel.
• Policies and procedures to ensure patient confidentiality by off-site contractors, such as billing and accounting services.
• Comprehensive survey of all computer systems, including all software.
• Disaster plan to protect patient information, contingency plans in the event of a computer system failure, and regular virus checks are performed.
• Both paper and electronic PHI are stored with appropriate safeguards.
• Secure internet transmissions, including emails, and secure telephone conversations.
• Consent forms are used and signed by patients.
• Confidentiality statements on all faxes and email sent by staff.

Protect your user ID and password.
• Do not share, write down, or post your password under any circumstances! Commit your password to memory.
• At a minimum, when creating your password, incorporate a combination of letters and numbers. Avoid dictionary words and personal information.
• Immediately change your password if it is accidentally exposed or compromised.
• Report all password exposures to your department supervisor or manager.
• Always keep computers password-protected and locked or logged off when not in use. Log off or lock access to computers when you leave, even if only for a moment.
• Keep computer systems up to date with current operating system security patches and antivirus definitions.
• Ensure that computer systems meet minimum security standards.
• Ensure that computer screens and displays with access to ePHI are not visible to unauthorized individuals or passersby.
• Keep confidential or sensitive information locked away when not in use. File documents in locked cabinets or drawers when you have finished with them.
• Be alert to recognize and report all privacy and security incidents to your department supervisor or manager.

Transactions
HIPAA calls for a standard in the way health information is transferred and in the use of standard codes to identify each disease, illness, and other patient health problem.

Identifiers
a. The standard Unique Employer Identifier is the standard employer identification number (EIN) that appears on an employee’s federal IRS Form W-2, Wage and Tax Statement, received from their employer.
b. The National Provider Identifier (NPI) is a unique identification number for covered health care providers.
c. The National Health Plan Identifier (NHI) is a proposed identifier, still under consideration, to uniquely identify health plans and payers.
d. The National Individual Identifier is no longer being pursued, as the government is not allotting funding for its development.

Stimulus Package
a. Health care providers who demonstrate meaningful use of certified electronic health records receive incentive payments through Medicaid and Medicare. States can receive a 90% federal funding match for incentive payments distributed to Medicaid providers who adopt EHRs under the meaningful use criteria.

Notification of Breach
a. The HITECH Act now imposes data breach notification requirements for unauthorized uses and disclosures of unsecured PHI.

Electronic Health Record Access
a. Where a provider has implemented an EHR system, the Act provides individuals with a right to obtain their PHI in an electronic format (i.e., ePHI).

Business Associates and Business Associate Agreements
a. Under the HITECH Act, business associates are now directly required to comply with the safeguards contained in the HIPAA Security Rule (SR).

Basic Check List for Meaningful Use
1. Use Computerized Provider Order Entry (CPOE) for medication orders
2. Implement drug-drug and drug-allergy interaction checks
3. Maintain an up-to-date problem list of current and active diagnoses
4. Generate and transmit permissible prescriptions electronically (eRx)
5. Maintain an active medication list
6. Maintain an active medication allergy list
7. Record demographics
8. Record vital signs
9. Record smoking status for patients 13 years old or older
10. Report ambulatory clinical quality measures to CMS
11. Implement one clinical decision support rule
12. Provide patients with an electronic copy of their health information upon request
13. Provide clinical summaries for patients for each office visit
14. Exchange key clinical information electronically
15. Protect electronic health information
16. Implement drug formulary checks
17. Incorporate clinical lab-test results as structured data
18. Generate patient lists by specific conditions
19. Send patient reminders for preventive or follow-up care
20. Provide patients with timely electronic access to their health information
21. Provide patient-specific education resources
22. Perform medication reconciliation
23. Provide a summary of care record for each transition of care or referral
24. Submit electronic data to immunization registries
25. Submit electronic syndromic surveillance data to public health agencies

Criminal Liability
Covered entities and specified individuals who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment of up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment for up to 10 years.

Breach causes:
49% Physical Theft
16% Unauthorized Access
14% Physical Loss
9% Combination
6% Hacking/IT
5% Improper Disposal
1% Other/Unknown

Recent Breaches and Fines
1. Howard University Hospital – Over a 17-month period, Laurie Napper used her position at the hospital to gain access to patients’ names, addresses, and Medicare numbers in order to sell their information. If convicted, Napper faces up to 10 years in prison.
2. Another Howard University incident – The hospital notified more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients’ files onto a personal laptop, which was stolen from the contractor’s car.
The data on the laptop was password-protected but unencrypted, which means anyone who guessed the password could have accessed the patient files.
3. A jury in Waukesha, Wisconsin, found that an emergency medical technician invaded the privacy of an overdose patient when she told the patient’s co-worker about the overdose. The co-worker then told the nurses at West Allis Memorial Hospital, where both she and the patient were nurses. The EMT claimed that she called the patient’s co-worker out of concern for the patient. The jury, however, found that regardless of her intentions, the EMT had no right to confidential and sensitive medical information, and directed the EMT and her employer to pay $3,000 for the invasion of privacy.
4. March 13, 2012 – Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced today. BCBST has also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule. The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers.
OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

If you are a covered entity, you are subject to OCR Audits!

Overview: The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase will begin November 2011 and conclude by December 2012.

Program Objectives: The audit program serves as a new part of OCR’s health information privacy and security compliance program. OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities. Audits present a new opportunity to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. OCR will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals. http://www.hhs.gov/ocr/

How Will the Audit Program Work?
The privacy and security performance audit process will include generally familiar audit mechanisms. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts.
In this pilot phase, every audit will include a site visit and result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Following the site visit, auditors will develop and share with the entity a draft report; audit reports generally describe how the audit was conducted, what the findings were, and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity.

When Will Audits Begin?
The pilot audit program is a three-step process. The first step entailed developing the audit protocols. Next, a limited number of audits will be conducted in an initial wave to test these protocols. OCR expects the initial audits to begin in November 2011. The results of the initial audits will inform how the rest of the audits will be conducted. The last step will include conducting the full range of audits using revised protocol materials. All audits in this pilot will be completed by the end of December 2012.

Who Will Be Audited?
Every covered entity and business associate is eligible for an audit. Selections in the initial round will be designed to provide a broad assessment of a complex and diverse health care industry. OCR is responsible for selection of the entities that will be audited. OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit.
We expect covered entities to provide the auditors their full cooperation and support, and remind them of their cooperation obligations under the HIPAA Enforcement Rule. Business Associates will be included in future audits.

What is the General Timeline for an Audit?
When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The OCR notification letter will introduce the audit contractor, explain the audit process and expectations in more detail, and describe initial document and information requests. It will also specify how and when to return the requested information to the auditor. OCR expects covered entities and business associates who are the subject of the audit to provide requested information within 10 business days of the request for information. OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff. After fieldwork is completed, the auditor will provide the covered entity with a draft final report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR.

What Happens After an Audit?
Audits are primarily a compliance improvement activity. OCR will review the final reports, including the findings and actions taken by the audited entity to address findings. The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA Rules. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective.
Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.

How Will Consumers Be Affected?
The audit program represents one more avenue by which OCR ensures compliance with HIPAA protections of health information to the benefit of consumers. For example, the audit program may uncover reasons many health information breaches are occurring and help OCR create tools for covered entities to better protect individually identifiable health information. Concerns about compliance identified and corrected by an audit will serve to improve the privacy and security of health records. The technical assistance and best practices that OCR generates will also assist covered entities and business associates in improving their efforts to keep health records safe and secure. OCR continues to accept complaints from individuals, and covered entities continue to have the obligation to accept complaints from persons about their HIPAA Rule activities.

Resources
http://lawmedconsultant.com/645/hipaa-violations-not-a-cause-of-action-for-a-lawsuit
http://www.emrandhipaa.com/administrator/2006/06/21/examples-of-hipaa-privacy-violations-more-hipaa-lawsuits-coming/
http://www.aafp.org/fpm/2002/1100/p35.html

Recent Breaches & Fines

What can we do for you?
◦ Initial assessment of compliance with HITECH and Basic Meaningful Use Guide
◦ Independent Audit based on NIST SP 800-66 Revision 1.