HIPAA Presentation for CAHU Expo in Columbus, OH.
HIPAA Privacy and Security 2.0 for Health Insurance Agents and Brokers
Jason Karn, Director of IT, Total HIPAA Compliance, LLC
[email protected] www.twitter.com/TotalHIPAA
800-344-6381
Topics for Today
• HIPAA 2.0
– Privacy
– Security
– Breach
– Penalties
• Marketplace Privacy Rules
Types of Protected Information
NPPI / PHI / PII
PHI: health information about a person in a health insurance plan
PII: medical, educational, financial, and employment information about a person in connection with the sale of a product in Marketplaces only
NPPI: non-public information that an agent has about a potential or existing insured, regardless of line of coverage
When Did the New HIPAA Regulations Go Into Effect?
Requirements for the updated 2013 Omnibus Rules went into effect September 23, 2013
Non-compliance is potentially very expensive
HIPAA Compliance is Required for:
• Medical
– Medicare Supplement
– Drug Coverage
• Dental
• Vision
• Long Term Care Insurance
Neither selling only a little of these insurances nor the size of your agency exempts you
HIPAA is Not Required for:
• Short-term and long-term disability
• AD&D (Accidental Death and Dismemberment)
• Life insurance
• Worker's Compensation
• Auto medical insurance
• Fitness-for-duty exams (DOT or OSHA exams)
• Drug testing
• Work-life benefits (on-site clinics; fitness center)
• Family Medical Leave Act (FMLA)
• Americans with Disabilities Act (ADA)
Best Business Practices
If you're coming in contact with Protected Health Information (PHI), no matter what type of insurance you are selling, you should be trained!
• In order to share information in a multiline agency
• Reduces potential liability
Key HIPAA Groups
Changes in HIPAA 2.0?
• Business Associates' Subcontractors and BAs must meet the same requirements as Covered Entities
• Increases in fines and penalties for breaches of health information
• Encryption required for all Protected Health Information (PHI) files and emails
• Implement new Policies and Procedures for Security and Privacy
• Staff needs to be trained on both the HIPAA rules and your Policies and Procedures
HIPAA Privacy
HIPAA Privacy Regulations
General Rule: Covered Entities, their Business Associates and their Subcontractors may not use or disclose an individual's Protected Health Information (PHI) without the authorization of the individual unless specifically required or allowed by the privacy regulation
Protects PHI in ANY form (oral, written, electronic)
Protected Health Information (PHI)
• Individually identifiable health information that can be linked to a particular person
• Common identifiers linking health information to a person include names, social security numbers, addresses, credit card numbers and birth dates
Protected Health Information (PHI)
Specifically, PHI information can relate to:
• An individual's past, present or future physical or mental health condition
• The provision of health care to the individual
• The past, present, or future payment for the provision of health care to an individual
Permitted Uses for PHI
• Treatment
• Payment
• Health Care Operations
– Auditing, credentialing, obtaining reinsurance, etc.
• Certain Public Policy Exceptions
• All other uses require an individual's written or verbal authorization
Subcontractors
2013 Regulations expand rules to include Subcontractors
Why so important?
• Your agency could have direct liability for subcontractor's mistakes
• Could jeopardize not only your business relationships but also expose you to penalties
Subcontractors
What must you do?
– Have them sign a Subcontractor Business Associate Agreement
– Ensure they train their employees, and implement policies and procedures concerning HIPAA Privacy and Security
Subcontractors
If your Subcontractors are NOT compliant, this could be a liability issue for your agency. In accordance with the Federal Common Law of Agency, it is now YOUR responsibility to make sure that your Subcontractors are implementing and following HIPAA.
HIPAA Security
Why a Security Rule?
• Important with increased use of technology for data transmission
– Emails
– Electronic enrollments
– Storage of data
Electronic information has different guidelines for handling and protecting
Description of the Security Rule
Requires protections for electronic Protected Health Information (ePHI) in three ways:
• Confidentiality – ePHI concealed from people who do not have the right to see the information
• Integrity – Information not improperly changed or deleted
• Availability – Information can be accessed whenever it is needed
Protect the Business
Do a Risk Assessment:
• Analysis of computer systems
• How do you protect paper and electronic files?
• How do you encrypt documents for storage and transmission (such as email)?
• Password protection, and time-outs on ALL electronic devices
• Have you encrypted all hard drives and/or storage devices?
• How are you backing up your computers?
Specific Staff Expectations
• Manage passwords
– Have staff members choose and remember
– Change passwords regularly
– Notify the information security officer if concerned that a password is being improperly used by someone else
• Identify and keep out malicious software
• Use workstations properly
• Know sanction policies
• Learn and follow agency Privacy and Security Policies and Procedures
Specific Staff Expectations Cont'd
• Limit use of external devices that might introduce viruses into the system: CDs, iPods, USB drives, tablet computing devices, smart phones
• Establish policies on use of personal computing devices in the agency's network (BYOD)
• Restrict family members or friends from using the computers in off-site locations, which could introduce viruses and expose ePHI to inadvertent disclosure
• Implement strict controls on web surfing for personal enjoyment or downloading free programs or music from the Internet to office machines
Breach
What Is a Breach?
PHI that has been accessed, used, acquired or disclosed to an unauthorized person
Breach
These rules apply to PHI in any format
• ePHI (electronic PHI)
• Paper
• Oral
Breach occurs – Information Encrypted?
Yes: No Breach
No: Presumed Breach
Breach Process
Presumed Breach
Written Notice / Calls (if imminent threat)
500 or More Affected?
Yes: Notify Media, HHS immediately
No: Notify HHS annually
Notice on Website
When There Is a Breach
Any impermissible use or disclosure of PHI is presumed to be a breach, unless…
One can demonstrate that there is a low probability that the PHI has been compromised
Exceptions
• Unintentional access by employees
• Inadvertent disclosure of PHI from one covered entity or business associate employee authorized to access PHI to a co-employee who is also authorized to access PHI
• Unauthorized access to PHI by a third party who cannot reasonably use the information in its current format, or be able to retain the disclosed information
Breach Notification
Notice Requirements:
• Notify without unreasonable delay and at least within a 60-day timeframe
• This starts the date one knew, or reasonably should have known, about the breach
Penalties
Enforcement Results for 2012
Enforcement Results for 2013
Recent HIPAA Fines
• Stanford Hospital settled a state lawsuit for $4 Million (March 2014)
– The business associate is paying $3.3 Million of the settlement
• Triple S-Management recently was fined $6.8 Million
– Mishandled medical records for 70k individuals (February 2014)
• WellPoint Agreed to Pay HHS $1.7 Million to Settle HIPAA Case (July 2013)
– On-line database left the ePHI of 612,402 individuals unprotected
• Shasta Regional Medical Center Settles Privacy Breach for $275,000 (June 2013)
– The CEO sent an email to 800 Employees disclosing the confidential details of diabetes patients
• Blue Cross Blue Shield Tennessee Settled for $1.5 million (March 2012)
– 57 unencrypted computer hard drives were stolen with ePHI of over a million individuals
Penalties from Omnibus Ruling
Violation Category 1176(a)(1) | Each Violation | Maximum fine for an identical violation in a calendar year
(A) Did Not Know | $100-$50,000 | $1,500,000
(B) Reasonable Cause | $1,000-$50,000 | $1,500,000
(C)(i) Willful Neglect - Corrected | $10,000-$50,000 | $1,500,000
(C)(ii) Willful Neglect - Not Corrected | $50,000 | $1,500,000
Criminal Penalties
Violation | Penalties
Knowingly obtaining or disclosing PHI | $50,000 + one year prison
Offenses conducted under false pretenses | Up to $100,000 + 5 years
Intent to sell, $ gain, harm | Up to $250,000 + 10 years
GLB Penalties
• You will lose your license to practice
• You can be fined up to $100,000 per violation
• Officers and directors can be fined up to $10,000 per violation
• Fines will be doubled, and he or she can be imprisoned for up to 10 years, if GLB is violated along with another Federal Law or as part of a pattern of any illegal activity involving more than $100,000 within a 12-month period
• Criminal Penalties include imprisonment for up to 5 years, a fine, or both
Marketplace Privacy Rules
Marketplace Privacy Rules
One of the big surprises in the agent/broker training for the Federally Facilitated Marketplace (FFM)
• New obligations to protect Personally Identifiable Information (PII) within the marketplaces
Personally Identifiable Information (PII)
Any information about an individual maintained, used, transmitted or stored by an agent/broker related to Marketplace transactions:
Any information that can be used to distinguish or trace an individual's identity
Examples: name, social security number, date and place of birth, mother's maiden name, or biometric records
Any other information that is linked or linkable to an individual
Examples: medical, educational, financial, and employment information
How Did I Get Here?
If you have completed training for the Federally-Facilitated Marketplaces, and "signed" the Agreements…
• You agreed to protect PII that you obtain in the course of selling or supporting individuals who purchase through the Marketplaces
What Exactly Did I Agree to Do?
Protect any PII that is:
• Created, collected, disclosed, accessed, maintained, stored, and used to perform any of the various Marketplace functions within the FFM such as:
– Assisting with applications for QHP eligibility
– Supporting QHP selection and enrollment
– Assisting with plan selection and plan comparisons
– Transmitting information about decisions regarding QHP enrollment
– Facilitating payment of the initial premium amount to the appropriate QHP
What Exactly Did I Agree to Do?
Provide a Privacy Notice to all prospects and buyers in the Marketplace
• Similar requirements to the Privacy Notices under HIPAA and GLB
What Am I Required to Do?
• Must do the following:
– If you have a website, prominently and conspicuously display a Notice of Privacy Practices
– Review and revise as necessary but at least annually
• Meet data quality and integrity standards for PII
– Identical to requirements within HIPAA Security
• Breach notification
– Broadly similar to HIPAA Breach rules but…
– Must notify CMS if there is a breach within one hour of becoming aware of it
• Telephone at (410) 786-2580 or 1-800-562-1963
• Email notification at [email protected]
What Are the Penalties?
For any violation of PII protections
– $25,000 per person per violation
• These are in addition to HIPAA and GLB Penalties
– Termination of your authority to do business through the Marketplace
QUESTIONS