HIPAA Compliance: Implementation Tips for Providers · 2018-12-13 · HIPAA does not prohibit the use of email for transmitting PHI, and it does not require that the email be encrypted…


Page 1: Welcome to ChiroCare’s Fourth Annual Fall Business Summit

October 3, 2013

Page 2: HIPAA Compliance Regulatory Overview & Implementation Tips for Providers

Page 3: Agenda

Green packet

Overview of general HIPAA terms and concepts

o Privacy

o Security

o Breach Notification

Important changes in the Final Omnibus Rule (effective 9/23/13)

Implementing the rules in a small provider office

Top 10 list for implementation

Page 4: HIPAA Privacy Rule: Concepts

Covered Entity

Business Associate

Protected Health Information

Treatment, Payment, Health Care Operations

Permissive Disclosures

Minimum Necessary

Individual Rights (notice of privacy practices, access, amendment, accounting of disclosures)

Page 5: HIPAA Privacy Rule: PHI Refresher

HIPAA protects Protected Health Information (PHI)

PHI is:

o Health information that identifies an individual or could reasonably be used to identify an individual;

o Created or received by a Covered Entity; and

o Related to the past, present or future health condition of an individual. This includes:

  The provision of health care services; and

  Payment for the provision of services.

Page 6: HIPAA Privacy Rule: PHI Refresher

Examples of PHI include:

o Treatment notes and other clinical documentation

o Names, addresses, telephone numbers

o Dates (e.g., birth dates, treatment dates)

o Email addresses

o SSNs, medical record numbers, health plan ID numbers

o Biometric identifiers

o Photographs of the individual

Page 7: HIPAA Privacy Rule – Uses and Disclosures

Permissive disclosures without authorization include:

o Treatment: The provision, coordination or management of health care by one or more health care providers

o Payment: Activities of health care providers to obtain payment or be reimbursed for services; or activities of health plans to obtain premiums, fulfill coverage responsibilities, or provide reimbursement for the provision of health care

o Health Care Operations: Activities necessary to run the business and to support the core functions of treatment and payment (e.g., administrative, financial, legal, quality improvement activities, credentialing/licensing, fraud and abuse detection)

Page 8: Types of Disclosures

HIPAA limits uses and disclosures of PHI

Three general categories of uses and disclosures:

o Uses and disclosures that do not require authorization

o Uses and disclosures that require the opportunity to agree or object

o Uses and disclosures that require authorization

Page 9: Uses/Disclosures without Authorization

The following disclosures may be made without patient authorization, provided that all requirements in the Privacy Rule are met prior to release:

o Public health activities

o Health oversight activities

o Law enforcement

o Organ & tissue donation

o Averting serious threats to public safety

o Workers’ compensation

o Reporting abuse & neglect

o Legal proceedings

o Information about decedents

o Research

o Specialized government functions

Page 10: Changes in the Final Omnibus Rule that Impact Providers

Notice of Privacy Practices – update to reflect uses/disclosures

Business Associate (BA) Agreements – update to reflect BA direct liability

Individual Access – electronic access, off-site record storage

Breach Notification – changes to breach “standard”

Restrictions on disclosing PHI to health plans when requested for private pay services

Page 11: Updates to Notice of Privacy Practices

Marketing and fundraising

Requesting restrictions – communication and private pay services

Requesting electronic records

Inform patients of breach notification

Limit on use of genetic information

Page 12: Breach Notification Changes

Breach notification applies to Unsecured PHI

Risk of harm standard eliminated!

New standard: presume breach of unsecured PHI unless the entity is able to demonstrate and document a low probability that the PHI has been compromised.

Must use 4-factor risk assessment:

o Nature and extent of PHI involved.

o The unauthorized person who received the PHI.

o Whether the PHI was actually acquired or viewed.

o The extent to which the risk to the PHI has been mitigated.

o Other factors may be added to the assessment based on the facts of the suspected breach.

Page 13: Breach Notification Changes (cont’d)

Document the risk assessment!

Determine if a breach has occurred.

If so, make proper individual notification.

Log breach for annual report to HHS.

If breach affects 500+ patients, fulfill additional media and government notification requirements immediately.

Page 14: Security Rule Overview

Security Rule compliance is becoming increasingly important.

Threats to electronic data are increasing (laptops, smartphones, additional data stored electronically, use of vendors).

Risk Assessment must be conducted to comply with the rule:

o Physical safeguards

o Technical safeguards

o Administrative safeguards

Page 15: HIPAA Enforcement Overview

Individuals, not just CEs, can be subject to criminal penalties for wrongful disclosure of PHI.

State attorney general (AG) can bring civil actions (no State action if Health and Human Services [HHS] has instituted an action for the same violation).

Civil monetary penalties were increased:

Page 16: HIPAA Audits

First audits occurred 2011-2012.

115 have been performed (health plans, providers, and clearinghouses)

Scope of audits includes:

o Privacy

o Security

o Breach Notification

Page 17: HIPAA Audits

Audit Findings:

o 60 percent of findings were security-based

  58 of 59 provider entities had at least one finding

  No risk assessment in 2/3 of entities

o 30 percent of findings were privacy-based

o 10 percent of findings were breach-based

o Providers had a greater proportion of total findings

o Small entities struggled with all three review areas.

Page 18: HIPAA Audits

Causes of the findings:

o In 30 percent of findings the entities were unaware of the requirement

o Other causes included the following:

  Lack of application of sufficient resources

  Incomplete implementation

  Complete disregard

Page 19: HIPAA Audits

(Chart: Privacy administrative findings)

Source: DHHS OCR, “Lessons Learned from OCR Privacy and Security Audits,” presentation at IAPP Global Privacy Summit (03/07/13)

Page 20: HIPAA Audits

(Chart: Privacy uses and disclosures)

Source: DHHS OCR, “Lessons Learned from OCR Privacy and Security Audits,” presentation at IAPP Global Privacy Summit (03/07/13)

Page 21: HIPAA Audits

(Chart: Security elements)

Source: DHHS OCR, “Lessons Learned from OCR Privacy and Security Audits,” presentation at IAPP Global Privacy Summit (03/07/13)

Page 22: Top 10 Implementation Steps

1. Develop privacy policies.

  Document policies and procedures, including steps to take when a breach occurs.

  Consider “how” PHI is used in the office when developing policies (sign-in sheets, using names in the waiting room, photographs of patients in the office, etc.)

2. Appoint privacy and security officers.

  Could be the same or different individuals.

  This person should be conversant in all HIPAA regulations and policies.

Page 23: Top 10 Implementation Steps

3. Conduct regular security risk assessments.

  Identify vulnerabilities

  Take steps to minimize risk

4. Adopt email policies.

  HIPAA does not prohibit the use of email for transmitting PHI, and it does not require that the email be encrypted… however, encryption is a “safe harbor”/best practice

  If unable to encrypt email, make sure your patients are aware of the risks they are facing by asking for health information over email

Page 24: Top 10 Implementation Steps

5. Adopt mobile device policies.

  Adopt strict policies regarding storage of PHI on portable electronic devices

  Regulate the removal of these devices from the premises

OCR Guidance – Risk Assessments, Policies, Training, etc.:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

Page 25: Top 10 Implementation Steps

6. Conduct training.

  Train all employees who use or disclose PHI (initial and annual)

  Document the training

7. Develop Notice of Privacy Practices.

  Publish and distribute to all patients

  Display on the organization’s website

  Obtain acknowledgment of receipt from all patients

Page 26: Top 10 Implementation Steps

8. Enter into valid business associate agreements.

9. Adopt suspected breach protocols.

  Document the investigation

  Conduct the required risk assessment to determine if a breach has occurred

  Notify the appropriate parties

Page 27: Top 10 Implementation Steps

10. Implement policies.

  Don’t just have policies, use them!

  Create a culture of compliance.

  Sanction employees who violate policies.

Page 28: Thank you!

Questions?