HIPAA in 2021: Overview and Updates
Misti Hill Carter, JD, PhD
A&M Rural & Community Health Institute (ARCHI)
Objectives:
Describe HIPAA provisions and Texas rules
Discuss HIPAA updates for telehealth and COVID
Identify recent examples of HIPAA violations and related fines
Legal Concepts: Privacy & Confidentiality
• Privacy is a broader term.
  – Physical seclusion
  – Protection of personal information
  – Protection of personal identity
  – Ability to make choices without interference
• Confidentiality is narrower. Refers to the protection of personal information.
  – Medical context → duty not to disclose information
Acronyms
• CE → Covered Entity
• PHI → Protected Health Information
• TPO → Treatment, payment, health care operations
• EHR → Electronic Health Record
• HHS → U.S. Department of Health & Human Services ("The Secretary")
• HHSC → Texas Health and Human Services Commission ("The Commission")
• THSA → Texas Health Services Authority
• AG → Texas Attorney General
Overview of HIPAA
Federal Law: HIPAA (Health Insurance Portability and Accountability Act)
• Privacy Rule
  – Sets standards regarding how we use and disclose PHI
  – Covers ALL Protected Health Information (PHI)
• Security Rule
  – Protects electronic Protected Health Information (ePHI)
  – Requires "Covered Entities" (CEs) & their "Business Associates" (BAs) to ensure that ePHI is secure
• Breach Notification Rule
  – Requires CEs & BAs to notify consumers and HHS
• Enforcement Rule
  – Sets enforcement standards & civil penalties
2013 HIPAA Omnibus Rule (the "Final Rule") – modified the four HIPAA rules
Privacy Rule
• Establishes a set of rules to protect all PHI (Protected Health Information)
  – Note → De-identified information is not protected
What is PHI? All "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Source: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Privacy Rule
• Applies to:
  – Covered Entities (CEs) – Health Plans, Health Care Clearinghouses, & Health Care Providers
  – Business Associates (BAs) – individual or entity acting on behalf of a CE (the CE should have a Business Associates Contract, or BAC, with every BA)
• CEs and BAs may not use or disclose protected information unless:
  – Permitted Use/Disclosure → for "TPO" or "treatment, payment, or healthcare operations"
  – Requests → the protected individual authorizes disclosure in writing
• Follows the principle of "minimum necessary" use and disclosure.
• Gives patients rights to their PHI
• Requires notice to patients
Security Rule
• Established a national set of security standards for ePHI (Electronic Protected Health Information)
  – Goal is to protect the confidentiality, integrity, and availability of ePHI
• Requires three specific types of safeguards to secure ePHI:
  – Administrative safeguards
  – Technical safeguards
  – Physical safeguards
Texas Law: The Texas Medical Records Privacy Act (or HB 300)
• Effective September 1, 2012
• Broader reach than HIPAA:
  – Broader definition of "Covered Entity" or CE
  – New operational requirements:
    – Notice & Authorization
    – Training
    – Disclosure
    – Patient Record Requests
    – Auditing
  – Special breach notification rules
  – Greater enforcement and increased penalties
181.001 – Covered Entity
• CE under HIPAA or under Texas law → you must comply with the Texas Medical Records Privacy Act
• Texas defines CE as "any person who…
  – (A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;
  – (B) comes into possession of protected health information;
  – (C) obtains or stores protected health information under this chapter; or
  – (D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information."
181.154(a) – Notice
• CEs must provide individuals with general notice that the individual's PHI may be electronically disclosed.
• Notice may be provided in any of the following ways:
  – Posted in the CE's place of business
  – On the CE's website
  – Any other place an individual is likely to see the notice
181.154(a) – Notice Example
Source: https://www.disabilityrightstx.org/files/HB_300_HIPPA_notice.pdf
181.154(b-c) – Authorization
• General Rule – CEs may not electronically disclose an individual's PHI to any person without a separate authorization from the individual (or the individual's legally authorized representative) for each disclosure.
  – Note → authorization may be given:
    – In writing,
    – Electronically, OR
    – Verbally (*must be documented in writing by the CE).
• Exceptions – Authorization is not required if:
  – Disclosure is made to another CE for purposes of treatment, payment, health care operations or performing an insurance or HMO function; OR
  – Otherwise required by state or federal law.
181.154(d-e) – Authorization
• The Texas AG has created a standard authorization form
Source: https://texasattorneygeneral.gov/files/agency/hb300_auth_form.pdf
Final Note about CE definitions
The notice and authorization requirements do not apply to "covered entity" as defined in the Tex. Ins. Code Sec. 602.001; only CEs as defined by HIPAA and Sec. 181 must comply.
181.101 Training
• Requires CEs to train employees:
  – Content → State & Federal law concerning PHI "as necessary and appropriate for the employees to carry out the employees' duties for the covered entity"
  – Timing → Training must be completed within 90 days of hiring.
  – Material changes in State or Federal law → employee must have training within one year of the date the material change takes effect.
  – HHS says, "Industry best practices suggest that the entire workforce should be trained at least once every year and any time your practice changes its policies or procedures, systems, location, infrastructure, etc."
  – Proof → Employees must sign a verification (electronically or in writing) to show that they completed the training. CE must keep the verification for 6 years.
181.153 Disclosure of PHI
• General Rule: A CE may not disclose PHI for direct or indirect remuneration.
• Exceptions: Disclosure of PHI to another CE for remuneration is allowed for:
  1. "Treatment, Payment, or Health care operations"
  2. Performing an insurance or HMO function; or
  3. As otherwise authorized by or required by state or federal law.
• Note → direct or indirect payments for PHI may not exceed the CE's "reasonable costs of preparing or transmitting the PHI."
181.102 Patient Access to Records
• General Rule → offices have 15 business days to provide electronic records (Federal Rule is 30 days), when:
  – Office is using an EHR system that is "capable of fulfilling the request"
  – Person sends a "written request"
  – Person can agree to accept another form
• Exceptions: Federal exceptions to release of PHI under HIPAA apply.
• Standard electronic format could be recommended
  – Health Information Exchange (HIE) Texas
  – http://hietexas.org/providers
181.103 – Consumer Website Created
Source: https://texasattorneygeneral.gov/cpd/texas-health-information-privacy-laws-2013
181.206 Auditing
• Texas HHSC may request that the U.S. Secretary of Health and Human Services perform an audit of a CE in Texas to determine HIPAA compliance. HHSC must monitor results of the request.
• If Texas HHSC has evidence that a CE has committed violations that are egregious and constitute a pattern or practice, HHSC may:
  – Require the CE to perform and submit a risk analysis, OR
  – Refer the CE to a licensing agency for an audit
• Texas HHSC must report to the Texas Legislature on the number of federal audits conducted.
Breach Notification
HIPAA – Breach Notification Rule
• Definition of Breach → "the acquisition, access, use, or disclosure of [PHI] in a manner not permitted…which compromises the security or privacy of the [PHI]."
• Breach Analysis
  – Breach is presumed UNLESS the CE or BA can prove that there is a low probability that the PHI has been compromised based on a risk assessment (four parts):
    – Type or nature and extent of the PHI
    – Who was the unauthorized person involved
    – Whether the PHI was actually acquired or viewed
    – Extent to which any risk has been mitigated
HIPAA – Breach Notification Rule
• Notification Rules – required if the breach involved unsecured PHI
  – Individuals → within 60 days
  – HHS Secretary
    – More than 500 affected → within 60 days
    – Fewer than 500 affected → annual reporting
  – Media
    – More than 500 affected → within 60 days
Enforcement
Civil Penalties
HIPAA:
• $100 per unknowing violation, up to $50,000
• $1,000 per violation without willful neglect, up to $50,000
• $10,000 per violation due to willful neglect, up to $50,000
• Penalty capped at $1.5 million annually
Texas HB 300:
• $5,000 per negligent violation
• $25,000 per knowing or intentional violation
• $250,000 per violation made for financial gain
• Penalty capped at $250,000 annually if certain mitigating factors are met, or $1.5 million annually if there is a pattern of violations
Recent Examples
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Recent HIPAA Violations (Entity; Individuals Affected; Type of Breach; Fine)
• Bayfront Health to Sharp Health; Varied; Right to Access; Varied ($200,000 to $3,500)
• Excellus Health Plan; Over 9.3 Million; Cyber-attack; $5.1 Million
• City Health Department; 498; Unauthorized Access; $202,400
• Aetna; 5,002; 11,887; 1,600; Online Disclosure and Mail Disclosures; $1 Million
• CHSPSC; Over 6 Million; Cyber-attack; $2.3 Million
• Athens Orthopedic; 208,557; Cyber-attack; $1.5 Million
• Premera Blue Cross; Over 10.4 Million; Cyber-attack; $6.85 Million
Source: https://www.hhs.gov/about/news/index.html
Recent HIPAA Violations (Entity; Individuals Affected; Type of Breach; Fine)
• Lifespan; 20,431; Stolen Laptop; $1.040 Million
• Dr. Porter; Over 3,000; No Risk Analysis; $100,000
• Sentara Hospitals; 577; Mail Disclosures; $2.175 Million
• TX HHSC; 6,617; Online Disclosures; $1.6 Million
• Medical Informatics Engineering; 3.5 Million; Compromised Employee ID; $100,000
• Touchstone Medical Imaging; Over 300,000; Online Disclosures; $3 Million
• Allergy Associates; 1; Public Disclosure; $125,000
• Boston Medical Center; Varied; Public Disclosure; $999,000
Source: https://www.hhs.gov/about/news/index.html
COVID-19 Federal Updates
• HIPAA Enforcement and COVID (February 3, March 28, & April 2, 2020)
  – HIPAA Privacy Rule allows disclosure of PHI for treatment and to public health authorities. This does not extend to media outlets, and the "minimum necessary" rule should be followed.
• Telehealth (March 17 and March 20, 2020)
  – OCR will not impose penalties for the good faith use of telehealth during the COVID-19 public health emergency. Any "non-public facing remote communication product" can be used. Allowed: Apple FaceTime, Facebook Messenger, and Skype. Not allowed: Facebook Live, Twitch, and TikTok.
• Media Access Limited (May 5, 2020)
  – Guidance for media outlets regarding capturing patients.
• Using Health Information Exchanges (HIE) (December 18, 2020)
  – HIPAA permits some disclosure of PHI to an HIE for reporting to a public health authority engaged in public health activities.
• Enforcement discretion for online scheduling (January 19, 2021)
  – OCR will not impose penalties for HIPAA violations in connection with the good faith use of online or web-based scheduling applications for COVID-19 vaccinations.
Source: https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html
COVID-19 Texas Updates
• Telehealth (March 14, 2020; updated September 2020)
  – Phone-only encounters may establish a doctor-patient relationship and be used for continuing care.
  – Same "standard of care" and "documentation" requirements apply to telemedicine visits.
  – Follow HIPAA guidance regarding platforms.
• Chronic Pain RX Refills (March 19, 2020; updated March 1, 2021)
  – Telephone refills of certain prescriptions to established chronic pain patients allowed if the patient has been "seen" (in-person or telemedicine using audio and video two-way communication) in the last 90 days.
  – TAC 174.5 Update went into effect on March 3, 2021 at 12:01 a.m.
Source: https://www.tmb.state.tx.us/page/coronavirus
Citations
• Geiderman, J. M., Moskop, J. C., & Derse, A. R. (2006). Privacy and confidentiality in emergency medicine: Obligations and challenges. Emergency Medicine Clinics of North America, 24, 633-656.
• Kulwicki, B. S. (2015). It's five o'clock; do you know where your records are? Obligations of individuals and entities to secure protected health information. 18 SMU Sci. & Tech. L. Rev. 455.
• U.S. Department of Health and Human Services (HHS). HIPAA for Professionals. http://www.hhs.gov/hipaa/for-professionals/index.html (retrieved 8/8/16).
• HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules. https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf (retrieved 8/8/16).
• U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) Breach Portal. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (retrieved 8/8/16).