HIPAA Privacy and Security 2.0 for Health Insurance Agents and Brokers
Jason Karn, Director of IT, Total HIPAA Compliance, LLC
[email protected]  www.twitter.com/TotalHIPAA  800-344-6381

CAHU EXPO Grove City, OH 2014

DESCRIPTION

HIPAA Presentation for CAHU Expo in Columbus, OH.

Page 1: CAHU EXPO Grove City, OH 2014

HIPAA Privacy and Security 2.0 for Health Insurance Agents and Brokers

Jason Karn, Director of IT, Total HIPAA Compliance, LLC

[email protected]  www.twitter.com/TotalHIPAA

800-344-6381

Page 2

Topics for Today

• HIPAA 2.0
  – Privacy
  – Security
  – Breach
  – Penalties
• Marketplace Privacy Rules

Page 3

Types of Protected Information: NPPI, PHI, PII

PHI: individually identifiable health information about a person covered by a health plan (defined by HIPAA)

PII: medical, educational, financial, and employment information about a person collected in connection with the sale of a product in the Marketplaces only (defined by the Federally Facilitated Marketplace agent/broker agreements)

NPPI: non-public personal information that an agent holds about a potential or existing insured, regardless of line of coverage (defined by Gramm-Leach-Bliley)

Page 4

When Did the New HIPAA Regulations Go Into Effect?

Requirements of the 2013 Omnibus Final Rule went into effect September 23, 2013

Non-compliance is potentially very expensive

Page 5

HIPAA Compliance is Required for:
• Medical
  – Medicare Supplement
  – Drug Coverage
• Dental
• Vision
• Long Term Care Insurance

Neither selling only a small amount of these lines nor the size of your agency exempts you

Page 6

HIPAA is Not Required for:
• Short-term and long-term disability
• AD&D (Accidental Death and Dismemberment)
• Life insurance
• Workers' Compensation
• Auto medical insurance
• Fitness-for-duty exams (DOT or OSHA exams)
• Drug testing
• Work-life benefits (on-site clinics, fitness center)
• Family Medical Leave Act (FMLA)
• Americans with Disabilities Act (ADA)

Page 7

Best Business Practices

If you are coming in contact with Protected Health Information (PHI), no matter what type of insurance you are selling, you should be trained!
• Required in order to share information within a multi-line agency
• Reduces potential liability

Page 8

Key HIPAA Groups

Page 9

Changes in HIPAA 2.0?
• Business Associates and their Subcontractors are now directly liable for complying with the Security Rule and the applicable Privacy Rule provisions, as Covered Entities already were
• Increases in fines and penalties for breaches of health information
• Encryption required for all Protected Health Information (PHI) files and emails (strictly, encryption is an "addressable" implementation specification in the Security Rule rather than a flat mandate, but unencrypted PHI that is lost, stolen or misdirected is a presumed breach, so in practice you must encrypt)
• Implement new Policies and Procedures for Security and Privacy
• Staff needs to be trained on both the HIPAA rules and your Policies and Procedures

Page 10

HIPAA Privacy

Page 11

HIPAA Privacy Regulations

General Rule: Covered Entities, their Business Associates and their Subcontractors may not use or disclose an individual's Protected Health Information (PHI) without the authorization of the individual unless specifically required or allowed by the Privacy Rule

Protects PHI in ANY form (oral, written, electronic)

Page 12

Protected Health Information (PHI)
• Individually identifiable health information that can be linked to a particular person
• Common identifiers linking health information to a person include names, social security numbers, addresses, credit card numbers and birth dates

Page 13

Protected Health Information (PHI)

Specifically, PHI can relate to:
• An individual's past, present or future physical or mental health condition
• The provision of health care to the individual
• The past, present, or future payment for the provision of health care to an individual

Page 14

Permitted Uses for PHI
• Treatment
• Payment
• Health Care Operations
  – Auditing, credentialing, obtaining reinsurance, etc.
• Certain public policy exceptions
• All other uses require the individual's written authorization (a HIPAA authorization must be in writing; verbal agreement only suffices for the narrow case of disclosures to family members or friends involved in the person's care)

Page 15

Subcontractors

The 2013 Regulations expand the rules to include Subcontractors. Why so important?
• Your agency could have direct liability for a subcontractor's mistakes
• Could jeopardize not only your business relationships but also expose you to penalties

Page 16

Subcontractors: What must you do?
– Have them sign a Subcontractor Business Associate Agreement
– Ensure they train their employees and implement policies and procedures concerning HIPAA Privacy and Security

Page 17

Subcontractors

If your Subcontractors are NOT compliant, this could be a liability issue for your agency. In accordance with the Federal common law of agency, it is now YOUR responsibility to make sure that your Subcontractors are implementing and following HIPAA.

Page 18

HIPAA Security

Page 19

Why a Security Rule?
• Important with increased use of technology for data transmission
  – Emails
  – Electronic enrollments
  – Storage of data
Electronic information has different guidelines for handling and protecting

Page 20

Description of the Security Rule

Requires protections for electronic Protected Health Information (ePHI) in three ways:
• Confidentiality: ePHI concealed from people who do not have the right to see the information
• Integrity: information not improperly changed or deleted
• Availability: information can be accessed whenever it is needed

Page 21

Protect the Business

Do a Risk Assessment:
• Analysis of computer systems
• How do you protect paper and electronic files?
• How do you encrypt documents for storage and transmission (such as email)?
• Password protection and inactivity time-outs on ALL electronic devices
• Have you encrypted all hard drives and/or storage devices (full-disk encryption on laptops, and on any USB drive or phone that holds ePHI)?
• How are you backing up your computers, and are the backups themselves encrypted and tested by restoring from them?
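The first practical step in the risk assessment above is finding out where ePHI actually lives on your systems, because you cannot encrypt or back up files you do not know about. The following Go program is an added example and is not code from the deck or from Total HIPAA Compliance: it scans text for hyphenated Social Security numbers and labelled dates of birth, rejects SSN-shaped strings that the SSA never issues (area 000, 666 or 900-999, group 00, serial 0000) so order numbers and policy references do not inflate the count, and masks every hit so the scan report does not itself become an unprotected copy of PHI. The enrollment export it scans is constructed for the example; in practice you would feed it each file found under the agency's shared drives and mailboxes.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one candidate identifier located in the scanned text.
// Value is already masked so the report can be handed to an auditor.
type Finding struct {
	Line  int    // 1-based line number within the scanned text
	Kind  string // "ssn" or "dob"
	Value string // masked form, e.g. ***-**-6789 or **/**/1970
}

var (
	// Hyphenated SSN. RE2 has no lookaround, so \b is what keeps digits that
	// belong to a longer number (policy references, ISO dates) from matching.
	ssnRe = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	// Date of birth only when labelled as such; bare dates are too noisy.
	dobRe = regexp.MustCompile(`\b(?:DOB|Date of Birth)\s*[:=]?\s*(\d{1,2}/\d{1,2}/\d{4})\b`)
)

// ValidSSN applies the SSA issuance rules: areas 000, 666 and 900-999 are
// never issued, and group 00 / serial 0000 do not exist. This rejects most
// order numbers and test values that merely look like an SSN.
func ValidSSN(area, group, serial string) bool {
	a, err := strconv.Atoi(area)
	if err != nil {
		return false
	}
	if a == 0 || a == 666 || a >= 900 {
		return false
	}
	return group != "00" && serial != "0000"
}

// ScanText returns the masked identifiers found in text, in line order.
func ScanText(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, m := range ssnRe.FindAllStringSubmatch(line, -1) {
			if ValidSSN(m[1], m[2], m[3]) {
				out = append(out, Finding{Line: i + 1, Kind: "ssn", Value: "***-**-" + m[3]})
			}
		}
		for _, m := range dobRe.FindAllStringSubmatch(line, -1) {
			parts := strings.Split(m[1], "/")
			out = append(out, Finding{Line: i + 1, Kind: "dob", Value: "**/**/" + parts[2]})
		}
	}
	return out
}

// Summarize counts findings per kind, which is what the risk assessment
// needs: how much ePHI, and of what type, sits in this file.
func Summarize(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Kind]++
	}
	return counts
}

// SampleExport is a constructed enrollment export for this example. The
// second SSN has an unissued area, and the last two lines are deliberate
// near-misses; none of those three must be reported.
const SampleExport = `Member,SSN,DOB,Plan
Jane Doe,123-45-6789,DOB: 04/12/1970,Medicare Supplement
John Roe,000-12-3456,DOB: 01/01/1980,Dental
Order #987-65-4321 shipped
Policy ref 2014-11-0001`

func main() {
	findings := ScanText(SampleExport)
	for _, f := range findings {
		fmt.Printf("line %d: %s %s\n", f.Line, f.Kind, f.Value)
	}
	fmt.Println("summary:", Summarize(findings))
}
```

Run against the sample, the scanner reports one SSN and two dates of birth on lines 2 and 3 and nothing for the order number, the unissued SSN or the policy reference. Masking is deliberate: the point of the scan is to count and locate ePHI, not to collect it, and a report full of real SSNs would itself need the protections on Page 21.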

Page 22

Specific Staff Expectations
• Manage passwords
  – Have staff members choose and remember their own passwords
  – Change passwords regularly (note: current NIST SP 800-63B guidance drops forced periodic rotation in favor of long passwords, screening against known-breached passwords, and changing a password whenever compromise is suspected)
  – Notify the information security officer if concerned that a password is being improperly used by someone else
• Identify and keep out malicious software
• Use workstations properly
• Know sanction policies
• Learn and follow agency Privacy and Security Policies and Procedures

Page 23

Specific Staff Expectations, Cont'd
• Limit use of external devices that might introduce viruses into the system: CDs, iPods, USB drives, tablet computing devices, smart phones
• Establish policies on use of personal computing devices on the agency's network (BYOD)
• Restrict family members or friends from using the computers in off-site locations; they could introduce viruses and expose ePHI to inadvertent disclosure
• Implement strict controls on web surfing for personal enjoyment or downloading free programs or music from the Internet to office machines

Page 24

Breach

Page 25

What Is a Breach?

PHI that has been acquired, accessed, used or disclosed in a manner not permitted by the Privacy Rule, including disclosure to an unauthorized person

Page 26

Breach

These rules apply to PHI in any format
• ePHI (electronic PHI)
• Paper
• Oral

Page 27

Breach Process

Breach occurs. Was the information encrypted?

Yes: No breach (safe harbor)
No: Presumed breach

The safe harbor only applies when the encryption meets the HHS guidance for "secured" PHI (NIST-approved algorithms such as AES, with the key kept separate from the data); if the decryption key was lost or stolen along with the data, the PHI is still unsecured and the breach is presumed.
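The safe harbor above (and the "encryption required for all PHI files and emails" point on Page 9) turns on how the data is encrypted and where the key lives. The following Go program is an added example, not code from the deck or from Total HIPAA Compliance: it encrypts one ePHI record with AES-256-GCM (a NIST-approved authenticated cipher from Go's standard library), binds the record's file name into the authentication tag so an envelope cannot be quietly swapped between records, and keeps the key entirely outside the envelope so that a stolen drive holding only envelopes holds only secured PHI. The record text and file name are constructed for the example; the key-manager or hardware-token storage mentioned in the comments is an assumption about the deployment, not something the deck specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random AES-256 key. In production the key lives in a
// key manager or hardware token, never on the same disk as the envelopes;
// that separation is what makes the encryption safe harbor hold.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-GCM and returns nonce || ciphertext || tag.
// name is authenticated but not encrypted, tying the envelope to its file.
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// A nonce must never repeat under one key. Random 96-bit nonces are fine
	// for the record volumes an agency handles; rotate keys for larger ones.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or file name
// makes the authentication check fail, so tampering cannot go unnoticed.
func Open(key, envelope []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(envelope) < ns+gcm.Overhead() {
		return nil, errors.New("envelope too short")
	}
	return gcm.Open(nil, envelope[:ns], envelope[ns:], []byte(name))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed ePHI record and file name for the example.
	record := []byte("Jane Doe,123-45-6789,DOB 04/12/1970,Type 2 diabetes")
	name := "enrollment-0001.csv"

	env, err := Seal(key, record, name)
	if err != nil {
		panic(err)
	}
	fmt.Println("envelope:", hex.EncodeToString(env))

	back, err := Open(key, env, name)
	fmt.Println("round trip ok:", err == nil && string(back) == string(record))

	// Renaming the file or flipping one byte is detected, never silently decrypted.
	_, err = Open(key, env, "enrollment-0002.csv")
	fmt.Println("wrong name rejected:", err != nil)
	env[len(env)-1] ^= 0x01
	_, err = Open(key, env, name)
	fmt.Println("tampered tag rejected:", err != nil)
}
```

The envelope is 12 bytes of nonce plus the ciphertext plus a 16-byte tag, and nothing in it reveals the key. Two operational points follow from the decision flow on Page 27: a laptop lost with only envelopes on it is a secured-PHI loss, while a laptop lost with the key file sitting next to the envelopes is a presumed breach, and the GCM tag means a modified or mis-filed record fails loudly instead of being read as valid data (the Integrity property from Page 20).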

Page 28

Presumed Breach

Written notice to each affected individual; phone calls first if there is an imminent threat of misuse

500 or more affected?

Yes: Notify HHS without unreasonable delay (no later than 60 days), and prominent media outlets if more than 500 residents of one state or jurisdiction are affected
No: Log the breach and report it to HHS annually (within 60 days after the end of the calendar year)

Notice on your website (substitute notice) when you lack current contact information for 10 or more affected individuals

Page 29

When There Is a Breach

Any impermissible use or disclosure of PHI is presumed to be a breach, unless...

One can demonstrate that there is a low probability that the PHI has been compromised, based on a documented risk assessment of at least four factors: the nature and extent of the PHI involved, the unauthorized person who received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated

Page 30

Exceptions
• Unintentional, good-faith access by a workforce member acting within the scope of their authority
• Inadvertent disclosure of PHI from one covered entity or business associate employee authorized to access PHI to a co-employee who is also authorized to access PHI
• Unauthorized access to PHI by a third party who cannot reasonably use the information in its current format, or who could not have retained the disclosed information

Page 31

Breach Notification

Notice requirements:
• Notify without unreasonable delay and in no case later than 60 days
• The clock starts on the date the breach was discovered, or reasonably should have been known about

Page 32

Penalties

Page 33

Enforcement Results for 2012

Page 34

Enforcement Results for 2013

Page 35

Recent HIPAA Fines
• Stanford Hospital settled a state lawsuit for $4 Million (March 2014)
  – The business associate is paying $3.3 Million of the settlement
• Triple-S Management was recently fined $6.8 Million (February 2014)
  – Mishandled medical records for 70k individuals
• WellPoint agreed to pay HHS $1.7 Million to settle a HIPAA case (July 2013)
  – An online database left the ePHI of 612,402 individuals unprotected
• Shasta Regional Medical Center settled a privacy breach for $275,000 (June 2013)
  – The CEO sent an email to 800 employees disclosing the confidential details of diabetes patients
• Blue Cross Blue Shield Tennessee settled for $1.5 million (March 2012)
  – 57 unencrypted computer hard drives were stolen with ePHI of over a million individuals

Page 36

Penalties from Omnibus Ruling

Violation Category (Section 1176(a)(1))     Each Violation        Maximum fine for identical violations in a calendar year
(A) Did Not Know                            $100 - $50,000        $1,500,000
(B) Reasonable Cause                        $1,000 - $50,000      $1,500,000
(C)(i) Willful Neglect - Corrected          $10,000 - $50,000     $1,500,000
(C)(ii) Willful Neglect - Not Corrected     $50,000               $1,500,000

Page 37

Criminal Penalties

Violation                                                     Penalty
Knowingly obtaining or disclosing PHI                         Up to $50,000 and up to one year in prison
Offenses committed under false pretenses                      Up to $100,000 and up to 5 years
Intent to sell, use for commercial advantage, or cause harm   Up to $250,000 and up to 10 years

Page 38

GLB Penalties
• You will lose your license to practice
• You can be fined up to $100,000 per violation
• Officers and directors can be fined up to $10,000 per violation
• Criminal penalties include imprisonment for up to 5 years, a fine, or both
• Fines are doubled and imprisonment can reach 10 years if GLB is violated in connection with another Federal law, or as part of a pattern of illegal activity involving more than $100,000 within a 12-month period

Page 39

Marketplace Privacy Rules

Page 40

Marketplace Privacy Rules

One of the big surprises in the agent/broker training for the Federally Facilitated Marketplace (FFM)
• New obligations to protect Personally Identifiable Information (PII) within the marketplaces

Page 41

Personally Identifiable Information (PII)

Any information about an individual maintained, used, transmitted or stored by an agent/broker related to Marketplace transactions:

Any information that can be used to distinguish or trace an individual's identity. Examples: name, social security number, date and place of birth, mother's maiden name, or biometric records

Any other information that is linked or linkable to an individual. Examples: medical, educational, financial, and employment information

Page 42

How Did I Get Here?

If you have completed training for the Federally Facilitated Marketplaces and "signed" the Agreements...
• You agreed to protect PII that you obtain in the course of selling to, or supporting, individuals who purchase through the Marketplaces

Page 43

What Exactly Did I Agree to Do?

Protect any PII that is:
• Created, collected, disclosed, accessed, maintained, stored, and used to perform any of the various Marketplace functions within the FFM, such as:
  – Assisting with applications for QHP (Qualified Health Plan) eligibility
  – Supporting QHP selection and enrollment
  – Assisting with plan selection and plan comparisons
  – Transmitting information about decisions regarding QHP enrollment
  – Facilitating payment of the initial premium amount to the appropriate QHP

Page 44

What Exactly Did I Agree to Do?

Provide a Privacy Notice to all prospects and buyers in the Marketplace
• Similar requirements to the Privacy Notices under HIPAA and GLB

Page 45

What Am I Required to Do?
• Must do the following:
  – If you have a website, prominently and conspicuously display a Notice of Privacy Practices
  – Review and revise it as necessary, but at least annually
• Meet data quality and integrity standards for PII
  – Identical to requirements within HIPAA Security
• Breach notification
  – Broadly similar to the HIPAA Breach rules, but...
  – You must notify CMS of a breach within one hour of becoming aware of it
    • Telephone: (410) 786-2580 or 1-800-562-1963
    • Email notification: [email protected]

Page 46

What Are the Penalties?

For any violation of PII protections:
– $25,000 per person per violation
– Termination of your authority to do business through the Marketplace
• These are in addition to HIPAA and GLB penalties

Page 47

QUESTIONS

Page 48

Jason Karn, Director of IT, Total HIPAA Compliance, LLC

[email protected]  www.twitter.com/TotalHIPAA

800-344-6381