
DET02-#1751178-v2-IHS - HIPAA HITECH …ihsinfo.org/IhsV2/Education/pdf/August22_HIPAA_2_SLI… ·  · 2013-08-19HIPAA Training for Office Staff: ... move fast, so please download


8/19/2013


Welcome to

HIPAA Training for Office Staff: How to Comply with the New Rules

Presenter:

John Paul Hessburg, General Counsel, IHS
Kitch Drutchas Wagner Valitutti & Sherbrook

IHS Organizers:

Fran Vincent, Marketing Manager

Carrie Pedersen, Professional Development Administrator

Housekeeping

This presentation is being recorded

CE credit and a Certificate of Compliance are available! Visit ihsinfo.org for details.

The webinar slides are available at ihsinfo.org on the webinar page. This presentation will move fast, so please download the slideshow now so you can follow along!


Disclaimer

These materials have been prepared by Kitch Drutchas Wagner Valitutti & Sherbrook PC, for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney‐client relationship. Readers should not act upon this information without seeking professional counsel. Photographs, articles, records, pleadings, etc., are for dramatization purposes only.

Purpose of Today’s Presentation

Provide you with the educational component of your HIPAA training program.

Supplement your organization’s training, which is customized to your particular business and your job position.

Promote a culture of compliance with HIPAA HITECH.


Training Is Mandatory

A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.

45 CFR 164.308(a)(1)(II)(C)

Agenda

HIPAA Overview

HIPAA

HITECH

Privacy Rule

Security Rule

Enforcement

How This Applies to You

Q&A (enter your questions in the Question Box any time)


HIPAA OVERVIEW 

Health Insurance Portability & Accountability Act of 1996


Health Insurance Portability & Accountability Act of 1996

Also known by the acronym HIPAA.

Enacted to improve the efficiency and effectiveness of the health care system.

Before HIPAA, most of the privacy laws protected only parts of personal information, such as financial information.

e.g., Fair Credit Reporting Act, Right to Financial Privacy Act, Identity Theft and Assumption Deterrence Act.

HIPAA

In its original form, HIPAA’s purpose was to provide consumers with patient privacy protections, to secure health care data, and to promote the standardization of health information collection and exchange.

Over the years HIPAA has been updated to adapt to technology advances and to other changes in health care.

These updates include increased penalties for HIPAA violations.


HIPAA ‐ 17 Years Old

A Brief Timeline

August 21, 1996 – HIPAA was signed into law.

April 14, 2003 – Deadline to comply with the Privacy Rule.

April 20, 2005 – Deadline to comply with Security Rule.

February 17, 2009 – The American Recovery and Reinvestment Act of 2009 was signed into law. It includes the Health Information Technology for Economic and Clinical Health (HITECH) Act, which mandates HHS to develop new regulations related to HIPAA.

January 17, 2013 – HHS released the Omnibus Final Rule, implementing changes required by HITECH Act of 2009.

March 26, 2013 – The Omnibus Final Rule took effect.

September 23, 2013 – Compliance deadline for the Omnibus Rule.

What is HIPAA?

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• HIPAA required the U.S. Department of Health and Human Services to develop regulations to protect the privacy and security of certain health information.

– The HIPAA Privacy Rule.

– The HIPAA Security Rule.


What Is HITECH?

Due to increased privacy and security concerns, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted years later.

To promote the adoption and use of health information technology and electronic health records.

HITECH Act

HITECH expanded the scope of HIPAA’s security and privacy provisions. The changes include:

Requiring business associates to comply with HIPAA;

Imposing new notification requirements in the event of a breach of protected health information;

Strengthening enforcement procedures and penalties;

Limiting disclosure of protected health information to the minimum necessary to accomplish the intended purpose.


What Is the Omnibus Rule?

“The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.” 

HHS Secretary, Kathleen Sebelius

Implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA.

Omnibus Rule – HIPAA HITECH

Penalties are increased for noncompliance based on the level of negligence.

Maximum penalty of $1.5 million per violation.

Clarified breach notification requirements.

When breaches of unsecured health information must be reported to U.S. Dept. of Health & Human Services.

Individual rights expanded. Patients can ask for their electronic medical record in electronic form.


HIPAA

PRIVACY RULE

SECURITY RULE

HITECH

OMNIBUS RULE

Who Must Comply with These Laws?

Covered Entities; 

Business Associates;

You.


Covered Entity

A covered entity, as defined under 45 C.F.R. 160.103, means:

1. A health plan.

2. A health care clearinghouse.

3. A health care provider who transmits any health information in electronic form in connection with certain transactions.

Covered Entity

A Health Care Provider: This may include providers such as:

Hearing healthcare professionals;

Doctors;

Clinics;

Psychologists;

Dentists;

Chiropractors;

Nursing homes; and

Pharmacies.


Business Associates

A person or entity to whom a covered entity discloses protected health information, to perform a function on behalf of or to provide services to a covered entity.

Includes lawyers, accountants, consultants, debt collection agencies, and accrediting agencies.

Privacy Rule

Requires safeguards to protect the privacy of personal health information.

Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.


What Information Is Protected?

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate.

In any form or media, whether electronic, paper, or oral.

Also known as Protected Health Information (PHI).

PHI

Demographic data relating to 

Individual’s past, present, or future physical or mental health or condition;

The provision of health care to the individual;

The past, present, or future payment for the provision of health care to the individual.

Anything that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. 


Examples of Common Identifiers

Name

Address

Birth date

Social security number

Medical record numbers

Phone number

E‐mail address

License numbers

What Information Is Excluded?

Protected Health Information under the Privacy Rule does not include employment records that a covered entity maintains in its capacity as an employer and other certain records subject to, or defined in, the Family Educational Rights and Privacy Act.


When to Disclose PHI

A Covered Entity may only use or disclose PHI:

With notice to the individual and acknowledgement of how that information will be used (“Notice of Privacy Practices”) but only for treatment, payment or healthcare operations (TPO);

Without Notice of Privacy Practices under certain circumstances, such as per subpoena, to avert serious threat to health or safety;

With a specific written authorization for disclosure for use permitted for other than TPO.

Even with Notice of Privacy Practices, a Covered Entity must make reasonable efforts to limit use or disclosure of PHI to the “minimum necessary” amount to accomplish the intended purpose of the use or disclosure of PHI.

Minimum Necessary Standard

When HIPAA permits use or disclosure of PHI, a covered entity must use or disclose only the minimum necessary PHI required to accomplish the purpose of the use or disclosure.

The only exceptions to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons:

Treatment;

Purposes for which an authorization is signed;

Disclosures required by law;

Sharing information to the patient about himself/herself.


The Security Rule

Establishes standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.

Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The Security Rule

Specifically, covered entities must:

1. Ensure the confidentiality, integrity, and availability of all PHI they create, receive, maintain or transmit.

2. Identify and protect against reasonably anticipated threats to the security or integrity of the information.

3. Protect against reasonably anticipated, impermissible uses or disclosures.

4. Ensure compliance by their workforce.


State Laws

Be aware of state privacy laws.

Some state laws provide greater privacy protections or privacy rights with respect to health information.

ENFORCEMENT 


Breach

The unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of the information.

Breach Exceptions

Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity.

Inadvertent disclosure of PHI from one person authorized to access PHI at a covered entity to another person authorized to access PHI at the covered entity.

Unauthorized disclosures in which an unauthorized person to whom PHI is disclosed would not reasonably have been able to retain the information.


Penalties

| Violation Category | Each Violation | All violations of an Identical Provision in a Calendar Year |
|---|---|---|
| Did Not Know | $100‐$50,000 | $1.5 million |
| Reasonable Cause | $1,000‐$50,000 | $1.5 million |
| Willful Neglect, Corrected within 30 days | $10,000‐$50,000 | $1.5 million |
| Willful Neglect, Not Corrected within 30 Days | $50,000 | $1.5 million |

Enforcement

Between April 14, 2003 and June 30, 2013, the Department of Health & Human Services received over 82,564 HIPAA complaints.

The compliance issues most investigated are:

Impermissible uses and disclosures of PHI;

Lack of safeguards of PHI;

Lack of patient access to their PHI;

Uses or disclosures of more than the minimum necessary PHI; and

Lack of administrative safeguards of electronic PHI.


$4.3 Million Civil Money Penalty

Referrals to the Department of Justice

The Office of Civil Rights refers HIPAA violation matters to the Department of Justice (DOJ) for criminal investigation where cases involve the knowing disclosure or obtaining of protected health information in violation of the rules.

As of June 30, 2013, 516 referrals were made to the DOJ.


Public Notice

As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.

The following breaches are excerpts of those posted by the Secretary:

Breached Information


HOW THIS ALL APPLIES TO YOU

Privacy Breach from Lost, Stolen, or Misdirected Information

A privacy breach can occur when information is:

Physically lost or stolen

Paper copies, laptops, other electronic devices;

Anytime, anywhere ‐ even while on public transportation, crossing the street, in the building, in your office.

Misdirected to others

Mislabeled mail, misdirected email;

Verbal messages sent to or left on the wrong voicemail or sent to or left for the wrong person;

Wrong fax number, wrong phone number;

On the internet, websites, including social media sites;

Unsecure email.


Examples of Privacy Breaches

Talking in public areas, talking too loudly, talking to the wrong person;

Lost/stolen or improperly disposed of paper records;

Lost/stolen laptops, cell phones, media devices (video and audio recordings);

Lost/stolen CDs, flash drives, memory drives;  

Hacking of unprotected computer systems;

Mail, email or faxes sent to the wrong destination;

User not logging off of computer systems, allowing others access.

Discipline Policy

Know your employer’s discipline or sanction policy.

Employees who do not follow privacy and security policies and related workplace rules may be subject to disciplinary action, up to and including dismissal.

Type of sanction will depend on severity of violation, intent, pattern/practice of improper activity, etc.


HIPAA Forms

HIPAA compliance documents that you may encounter include:

Notice of Privacy Practices;

Authorization for Use or Disclosure of Information;

Business Associate Agreement.

Notice of Privacy Practices Form

The Notice is the primary document that all covered entities must provide to their patients.

The Notice contains very specific language that informs a patient of how you will be using or disclosing his or her PHI and a statement of the patient’s rights and how to exercise those rights.

The Notice must also be posted in a clear and prominent location at each practice, as well as on your web site, if applicable.


Notice of Privacy Practices

Patients may request a copy of the Notice of Privacy Practices;

Patients can ask their health care provider or pharmacy not to tell their health insurance company about the care they receive or medication they take, if the patient pays out‐of‐pocket in full for the care/medication;

Patients may request a copy of their medical record.

Use and Disclosure Authorization Form

Other than for treatment, payment and health care operations and certain other uses and disclosures, you are required to obtain a patient’s authorization before using and disclosing his or her PHI.  Some examples of where a HIPAA authorization might be necessary include using or disclosing PHI for: 

Certain marketing activities; 

Requests by attorneys for information relating to a civil suit involving the patient;

Requests by a patient’s life insurance carrier.


Business Associate Agreement

When a covered entity uses an outside party to perform services or activities on its behalf, the Privacy Rule requires the covered entity to have a Business Associate Agreement that includes specified written safeguards on the protected health information used by its business associates.

On The Job

Use information only when necessary to perform your job duties.

Use only the minimum necessary to perform your job duties.

Confidentiality is the number one priority!


Know Where You Left Your Paperwork

Check printers, faxes, copier machines when you are done using them.

Ensure paper charts are returned to applicable areas in stations, medical records, or designated file rooms.

Do not leave hard copies of PHI lying on your desk; lock them up in your desk at the end of the day.

Seal envelopes when mailing.

Disposal of Paper Documents

Shred or destroy PHI before throwing it away.

Dispose of paper and other records with PHI in secured shredding bins.

Recycling and trash bins are NOT secure.


Ask Yourself

“What if it was my information being discussed like this?”

Portable Device Security

Always encrypt portable devices and media with confidential information on them (laptops, flash drives, memory sticks, external drives, CDs, etc.)

Best Practice: Do not keep confidential data on portable devices unless absolutely necessary. And if necessary, the information must be encrypted.


Computer Security

Ensure your computer and data are physically secured by using lockdown cables, locked drawers, and other methods.

Create a strong password and do not share your username or password with anyone.

Log off your computer when you are done, or even if you walk away for a few moments.

Ensure information on computer screens is not visible to passersby:

Use a privacy screen;

Use a password to start up or wake‐up your computer.

Ensure your system has anti‐virus and all necessary security patches and updates.

HIPAA Violation

A former UCLA Health System employee received jail time for a misdemeanor HIPAA offense

Four month sentence; and

$2,000 fine.

Accessed and read the confidential medical records of his supervisors and high‐profile celebrities.

Abused his access over a three‐week period and accessed the record system 323 times.


Social Media

A tweet results in a woman resigning from her job

The state Governor tweeted: “Looking forward to hearing [the Legislature’s] ideas on how to trim expenses.”

Woman, who was an administrative assistant at a University Medical Center, tweeted a reply to the Governor: “Schedule regular medical exams like everyone else instead of paying employees over time to do it when clinics are usually closed.”

Referring to an incident when the Governor apparently specially staffed a closed clinic with people on a Saturday for his check‐up visit

According to the woman, she was “strongly encouraged” to resign.

Julie Straw, Woman out of a job after sending tweet to Governor Barbour, MS NEWS NOW (Dec. 21, 2009), http://www.msnewsnow.com/Global/story.asp?S=11713360

Social Media

Status updates;

Tweets;

Commenting/replying to other people’s posts/tweets;

Posting pictures of patients;

Posting pictures of medical records.


Reporting Security Incidents

Security Officer

Give notice of unusual or suspicious incidents

Security incidents include, but are not limited to, the following:

Theft of or damage to equipment;

Unauthorized use of a password;

Unauthorized use of a system;

Violations of standards or policy;

Computer hacking attempts;

Malicious software;

Security weaknesses;

Breaches to patient or employee privacy.

References

• U.S. Department of Health & Human Services, Understanding Health Information Privacy, HHS.GOV, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html

• 78 Fed. Reg. 5566 (Jan. 25, 2013) (to be codified at 45 C.F.R. pts. 160, 164). 


Questions

Enter your questions in the Question Box on your webinar dashboard

Contact John Paul Hessburg:

[email protected]

Visit www.kitch.com

@kitchLTC

For more info on obtaining a CE credit for this webinar, visit www.ihsinfo.org

THANK YOU FOR ATTENDING!