HIPAA2

Page 1: HIPAA2

Introduction to Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules

Speaker: Chenyu Lee

1

Page 2: HIPAA2

HIPAA Background

• 1996. Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191.

– Department of Health and Human Services (HHS) adopts national standards for electronic health care transactions and code sets, unique health identifiers, and security.

• 2009. Health Information Technology for Economic and Clinical Health Act (HITECH) enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

• 2010. Patient Protection and Affordable Care Act of 2010 (ACA).

• 2013. HIPAA Omnibus Rule makes changes to existing privacy, security and breach notification requirements.

Page 3: HIPAA2

HIPAA Regulations

• 45 CFR Part 160: General administrative requirements

• 45 CFR Part 162: Administrative requirements

• 45 CFR Part 164: Security and privacy rules

Page 4: HIPAA2

DEFINITIONS (§ 160.103)

Page 5: HIPAA2

Business Associate

• Business Associate includes the partners that may provide legal, actuarial, accounting, consulting, data aggregation, management, administration or financial services wherein the services require the disclosure of individually identifiable health information.

• A key concern, among many, is that some software vendors almost certainly will be categorized as Business Associates.


Page 6: HIPAA2

Covered Entity & Electronic Media

• Covered Entity means:
– A health plan
– A health care clearinghouse
– A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

• Electronic media means:
– Electronic storage material on which data is or may be recorded electronically.
– Transmission media used to exchange information already in electronic storage media.

Page 7: HIPAA2

Health Care & Health Care Provider & Health information

• Health care means:
– Care, services, or supplies related to the health of an individual.

• Health care provider means:
– A provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

• Health information means:
– Any information, whether oral or recorded in any form or medium.

Page 8: HIPAA2

Individual & Individually Identifiable Health Information & Protected Health Information (PHI)

• Individual means:
– The person who is the subject of protected health information.

• Individually identifiable health information means information that:
– Identifies the individual
– Or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

• Protected health information means:
– Individually identifiable health information that is:
  • Transmitted by electronic media
  • Maintained in electronic media
  • Transmitted or maintained in any other form or medium

Page 9: HIPAA2

PHI Includes One or More of the Following Identifiers (§164.514(b)(2)(i))

– Names
– Addresses including Zip Codes
– All Dates
– Telephone & Fax Numbers
– Email Addresses
– Social Security Numbers
– Medical Record Numbers
– Health Plan Numbers
– License Numbers
– Vehicle Identification Numbers
– Account Numbers
– Biometric Identifiers
– Full Face Photos
– Any Other Unique Identifying Number, Characteristic, or Code

Page 10: HIPAA2

Use and Disclosure of PHI

• Use of PHI refers to how PHI is internally accessed, shared and utilized by the covered entity that maintains such information.

• Disclosure of PHI refers to how PHI is shared with individuals or entities externally.


Page 11: HIPAA2

Notice of Privacy Practices (NPP)

• Notice of Privacy Practices means:
– Providers and Health Plans must have a Notice of Privacy Practices (NPP).

• It provides a detailed description of the various uses and disclosures of PHI that are permissible without obtaining a patient's authorization.
– In general, anytime you release patient information for a reason unrelated to treatment, payment (e.g., billing) or healthcare operations (TPO), an authorization is required.

Page 12: HIPAA2

Treatment, Payment and Operations (TPO)

• Treatment: Various activities related to patient care.

• Payment: Various activities related to paying for or getting paid for health care services.

• Health Care Operations: Generally refers to day-to-day activities of a covered entity, such as planning, management, training, improving quality, providing services, and education.

• NOTE:
– Research is not considered TPO.
– Written patient authorization is required to access PHI for research unless an authorization waiver is approved by the Institutional Review Board (IRB).

Page 13: HIPAA2

SECURITY RULES (§ 164.3xx)

Page 14: HIPAA2

General Rule (§164.306)

• General requirements:
– Ensure the confidentiality, integrity, and availability of all its ePHI.
– Protect against any reasonably anticipated threats or hazards to its ePHI.
– Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted.

• Implementation specifications:
– Required specifications must be implemented.
– Addressable specifications must be assessed and implemented as specified if reasonable and appropriate to the Covered Entity.

• Maintenance.

Page 15: HIPAA2

Administrative Safeguards (§164.308(a))

– Security management process
– Assigned security responsibility
– Workforce security
– Information access management
– Security awareness and training
– Security incident procedures
– Contingency plan
– Evaluation

Page 16: HIPAA2

Physical Safeguards (§164.310)

• Facility access controls.

• Workstation use.

• Workstation security.

• Device and media controls.

Page 17: HIPAA2

Policies and Procedures and Documentation Requirements (§164.316(b)(2))

• Time limit.
– Retain the documentation required for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

• Availability

• Updates

Page 18: HIPAA2

Technical Safeguards (§164.312)

• Access control.

• Audit controls.

• Integrity.

• Person or entity authentication.

• Transmission security.

Page 19: HIPAA2

PRIVACY RULES (§ 164.5xx)

Page 20: HIPAA2

Required/Addressable Specifications of Security Standards

Standard, then its implementation specifications with their sections:

• Security Management Process
– Risk Analysis (164.308(a)(1)(ii)(A))
– Risk Management (164.308(a)(1)(ii)(B))
– Sanction Policy (164.308(a)(1)(ii)(C))
– Information System Activity Review (164.308(a)(1)(ii)(D))

• Assigned Security Responsibility
– Assigned Security Responsibility (164.308(a)(2))

• Workforce Security
– Authorization and/or Supervision (164.308(a)(3)(ii)(A))
– Workforce Clearance Procedure (164.308(a)(3)(ii)(B))
– Termination Procedures (164.308(a)(3)(ii)(C))

• Information Access Management
– Isolating Health Care Clearinghouse Function (164.308(a)(4)(ii)(A))
– Access Authorization (164.308(a)(4)(ii)(B))
– Access Establishment and Modification (164.308(a)(4)(ii)(C))

• Security Awareness and Training
– Security Reminders (164.308(a)(5)(ii)(A))
– Log-in Monitoring (164.308(a)(5)(ii)(B))
– Protection from Malicious Software (164.308(a)(5)(ii)(C))
– Password Management (164.308(a)(5)(ii)(D))

• Security Incident Procedures
– Response and Reporting (164.308(a)(6))

• Contingency Plan
– Data Backup Plan (164.308(a)(7)(ii)(A))
– Disaster Recovery Plan (164.308(a)(7)(ii)(B))
– Emergency Mode Operation Plan (164.308(a)(7)(ii)(C))
– Testing and Revision Procedure (164.308(a)(7)(ii)(D))
– Applications and Data Criticality Analysis (164.308(a)(7)(ii)(E))

• Evaluation
– Evaluation (164.308(a)(8))

• Business Associate Contracts and Other Arrangements
– Written Contract or Other Arrangement (164.308(b)(3))

Page 21: HIPAA2

Required/Addressable Specifications of Security Standards

Standard, then its implementation specifications with their sections:

• Facility Access Controls
– Contingency Operations (164.310(a)(2)(i))
– Facility Security Plan (164.310(a)(2)(ii))
– Access Control and Validation Procedures (164.310(a)(2)(iii))
– Maintenance Records (164.310(a)(2)(iv))

• Workstation Use
– Workstation Use (164.310(b))

• Workstation Security
– Workstation Security (164.310(c))

• Device and Media Controls
– Disposal (164.310(d)(2)(i))
– Media Re-use (164.310(d)(1)(2)(ii))
– Accountability (164.310(d)(2)(iii))
– Data Backup and Storage (164.310(d)(2)(iv))

• Access Control
– Unique User Identification (164.312(a)(2)(i))
– Emergency Access Procedure (164.312(a)(2)(ii))
– Automatic Logoff (164.312(a)(2)(iii))
– Encryption and Decryption (164.312(a)(2)(iv))

• Audit Controls
– Audit Controls (164.312(b))

• Integrity
– Mechanism to Authenticate Electronic Protected Health Information (164.312(c)(1))

• Person or Entity Authentication
– Person or Entity Authentication (164.312(d))

• Transmission Security
– Integrity Controls (164.312(e)(2)(i))
– Encryption (164.312(e)(2)(ii))

• Documentation
– Time Limit (164.316(b)(2)(i))
– Availability (164.316(b)(2)(ii))
– Update (164.316(b)(2)(iii))
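As an added illustration that is not part of the original slides, the Python sketch below models four of the §164.312 specifications listed above (unique user identification, automatic logoff, audit controls and an integrity mechanism over the audit log) together with the minimum-necessary field filtering of §164.502(b). The patient record, roles, field names and user IDs are constructed assumptions for the example.

```python
import hashlib
import json
# Constructed sample data for this illustration; names, roles and fields are assumptions.
RECORDS = {"p1": {"name": "Jane Doe", "allergies": "penicillin",
                  "medications": "none", "insurance_id": "INS-0001"}}
ROLE_FIELDS = {"nurse": {"name", "allergies", "medications"},  # minimum necessary
               "billing": {"name", "insurance_id"}}           # per role (§164.502(b))
SESSION_TIMEOUT = 900  # seconds of inactivity before automatic logoff


class PhiAccessGateway:
    """Simplified model of four §164.312 specifications (see lead-in)."""

    def __init__(self, records):
        # records: patient_id -> PHI fields; sessions: user_id -> (role, last_activity)
        self.records, self.sessions, self.audit_log = records, {}, []

    def login(self, user_id, role, now):
        self.sessions[user_id] = (role, now)  # one named user per session, no shared accounts
        self._audit(user_id, "login", None, [], now)

    def read(self, user_id, patient_id, fields, now):
        role, last = self.sessions.get(user_id, (None, 0))
        if role is None or now - last > SESSION_TIMEOUT:
            # Automatic logoff: the stale session is dropped and the attempt is still logged.
            self.sessions.pop(user_id, None)
            self._audit(user_id, "denied_expired", patient_id, list(fields), now)
            raise PermissionError("no valid session for %s" % user_id)
        allowed = set(fields) & ROLE_FIELDS.get(role, set())
        self.sessions[user_id] = (role, now)  # activity refreshes the logoff timer
        self._audit(user_id, "read", patient_id, sorted(allowed), now,
                    denied=sorted(set(fields) - allowed))
        return {f: self.records[patient_id][f] for f in allowed}

    def _audit(self, user_id, action, patient_id, fields, now, denied=()):
        # Audit controls: every attempt, allowed or denied, becomes a hash-chained entry.
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = {"ts": now, "user": user_id, "action": action, "patient": patient_id,
                 "fields": fields, "denied": list(denied), "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)

    def verify_audit_log(self):
        # Integrity: recomputing the chain exposes any edited or removed entry.
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or entry["hash"] != hashlib.sha256(
                    json.dumps(body, sort_keys=True).encode()).hexdigest():
                return False
            prev = entry["hash"]
        return True
```

A real deployment would persist the chain head out of reach of the application account; here the point is only that a denied field, an expired session and a tampered log entry are all visible in the log.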

Page 22: HIPAA2

Minimum Necessary Rule (§164.502(b))

• Generally, the amount of PHI used, shared, accessed or requested must be limited to only what is needed.

• Workers should access or use only the PHI necessary to carry out their job responsibilities.


Page 23: HIPAA2

Authorization (§164.508)

• A covered entity may not use or disclose protected health information for reasons generally not related to treatment, payment or healthcare operations without an authorization.

• The Authorization must include:
– A detailed description of the PHI to be disclosed, who will make the disclosure, to whom the disclosure will be made, expiration date, the purpose of the disclosure, and signature.
– The individual's right to revoke, the ability or inability to condition usage, and the potential for information disclosed.

Page 24: HIPAA2

Types of Disclosures

• No Authorization Required (§ 164.512)

• Authorization Required, but Must Give Opportunity to Object (§ 164.510)

• Authorization Required (§ 164.508)

Page 25: HIPAA2

Uses and Disclosures for Which An Authorization or Opportunity to Agree or Object Is Not Required

• To disclose PHI to the patient (§ 164.502)

• To use or disclose PHI for treatment, payment or healthcare operations (§ 164.502)

• Certain disclosures required by law (for example, public health reporting of diseases, child abuse/neglect cases, etc.) (§ 164.512(a)-(l))

Page 26: HIPAA2

Uses and Disclosures for Which An Authorization Is Required

• A covered entity may not use or disclose protected health information without an authorization. (§ 164.508(a)(1))

• To access, use or disclose PHI for research (§ 164.512(i)(1)(i))

• For marketing activities and sale of PHI (§ 164.508(a)(3))

Page 27: HIPAA2

Uses and Disclosures Requiring An Opportunity for The Individual to Agree or to Object

• The Patient must be offered an opportunity to object before discussing PHI with a patient’s family or friends. (§ 164.510(b)(1)(i))

• Limited PHI (e.g., a patient's hospital room/location number) is included in the "Hospital Directory", but patients are offered an "Opt Out" opportunity; the same applies to certain disclosures to clergy members. (§ 164.510(b)(3))

• Exception: Emergency circumstances (§ 164.510(a)(3))

Page 28: HIPAA2

Breach (§164.402(b))

• Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under privacy rules.

• Amount of a civil money penalty:
– Not less than $100 or more than $50,000 for each violation
– Not in excess of $1,500,000 for identical violations during a calendar year

• Criminal Liability
– Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.

Page 29: HIPAA2

Companies & Fines

Entity fined (date) – Fine – Violation

• CIGNET (Feb, 2011) – $4,300,000 – Online database application error.

• Alaska Department of Health and Human Services (June, 2012) – $1,700,000 – Unencrypted USB hard drive stolen; poor policies and risk analysis.

• WellPoint (Sep, 2012) – $1,700,000 – Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database; failed to conduct a technical evaluation in response to a software upgrade.

• Blue Cross Blue Shield of Tennessee (Mar, 2012) – $1,500,000 – 57 unencrypted hard drives stolen.

• Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (Sep, 2012) – $1,500,000 – Unencrypted laptop stolen; poor risk analysis and policies.

• Affinity Health Plan (Aug, 2013) – $1,215,780 – Returned photocopiers without erasing the hard drives.

• South Shore Hospital (May, 2012) – $750,000 – Backup tapes went missing on the way to a contractor.

• Idaho State University (May, 2013) – $400,000 – Breach of unsecured ePHI.

Page 30: HIPAA2

THANKS FOR LISTENING
