Introduction to Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules
Speaker: Chenyu Lee
HIPAA Background
• 1996. Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191.
– Department of Health and Human Services (HHS) adopts national standards for electronic health care transactions and code sets, unique health identifiers, and security.
• 2009. Health Information Technology for Economic and Clinical Health Act (HITECH) enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
• 2010. Patient Protection and Affordable Care Act of 2010 (ACA).
• 2013. HIPAA Omnibus Rule makes changes to existing privacy, security and breach notification requirements.
HIPAA Regulations
• CFR 45 PART 160: General administrative requirements
• CFR 45 PART 162: Administrative requirements
• CFR 45 PART 164: Security and privacy rules
DEFINITIONS (§ 160.103)
Business Associate
• Business Associate includes the partners that may provide legal, actuarial, accounting, consulting, data aggregation, management, administration or financial services wherein the services require the disclosure of individually identifiable health information.
• A key concern, among many, is that some software vendors almost certainly will be categorized as Business Associates.
Covered Entity & Electronic Media
• Covered Entity means:
– A health plan
– A health care clearinghouse
– A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
• Electronic media means:
– Electronic storage material on which data is or may be recorded electronically.
– Transmission media used to exchange information already in electronic storage media.
Health Care & Health Care Provider & Health information
• Health care means:
– Care, services, or supplies related to the health of an individual.
• Health care provider means:
– A provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
• Health information means:
– Any information, whether oral or recorded in any form or medium.
Individual & Individually Identifiable Health Information & Protected Health Information (PHI)
• Individual means:
– The person who is the subject of protected health information.
• Individually identifiable health information means information that:
– Identifies the individual
– Or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
• Protected health information means:
– Individually identifiable health information that is:
• Transmitted by electronic media
• Maintained in electronic media
• Transmitted or maintained in any other form or medium
PHI Includes One or More of Identifiers (§164.514(b)(2)(i))
– Names
– Addresses including Zip Codes
– All Dates
– Telephone & Fax Numbers
– Email Addresses
– Social Security Numbers
– Medical Record Numbers
– Health Plan Numbers
– License Numbers
– Vehicle Identification Numbers
– Account Numbers
– Biometric Identifiers
– Full Face Photos
– Any Other Unique Identifying Number, Characteristic, or Code
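As an added illustration that is not part of the original slides, the following Python scans a constructed patient record for the identifier classes listed above and reports which are present; the regular expressions, the "Name:"/"Address:" field labels and the sample values are assumptions of this example, not definitions taken from the rule.

```python
import re

# Heuristic patterns for the identifier classes listed on the slide that have a
# recognisable text form (an assumption of this example, not the regulation's
# definitions). Names/addresses are caught only as labelled fields; biometrics
# and photos need non-textual handling.
IDENTIFIER_PATTERNS = {
    "Name": re.compile(r"^Name\s*:\s*(.+)$", re.M),
    "Address": re.compile(r"^Address\s*:\s*(.+)$", re.M),
    "Date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "Telephone/Fax Number": re.compile(
        r"(?<!\d)(?:\(\d{3}\)|\d{3})[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "Email Address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Medical Record Number": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.I),
    "Zip Code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "Vehicle Identification Number": re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"),
}

def find_identifiers(text):
    """Map each identifier class found in text to the matching strings."""
    found = {}
    for label, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[label] = hits
    return found

def is_safe_harbor_candidate(text):
    """True when none of the scanned identifier classes are present."""
    return not find_identifiers(text)

# Constructed sample records (fictitious values).
SAMPLE_RECORD = """\
Name: Jane Doe
Address: 12 Elm St, Boston, MA 02134
DOB: 1979-04-12
Phone: (617) 555-0142
Email: jdoe@example.org
SSN: 123-45-6789
MRN: 00483921
Dx: seasonal allergies, follow-up in 6 weeks
"""
DEIDENTIFIED_RECORD = "Dx: seasonal allergies, follow-up in 6 weeks\n"

if __name__ == "__main__":
    for label, hits in find_identifiers(SAMPLE_RECORD).items():
        print(f"{label}: {hits}")
    print("clean:", is_safe_harbor_candidate(DEIDENTIFIED_RECORD))
```

A record that passes this scan is only a candidate for de-identification; the remaining classes on the list (health plan, license and account numbers, biometrics, photos) still need field-level review.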
Use and Disclosure of PHI
• Use of PHI refers to how PHI is internally accessed, shared and utilized by the covered entity that maintains such information.
• Disclosure of PHI refers to how PHI is shared with individuals or entities externally.
Notice of Privacy Practices (NPP)
• Notice of Privacy Practices means:
– Providers and Health Plans must have a Notice of Privacy Practices (NPP).
• It provides a detailed description of the various uses and disclosures of PHI that are permissible without obtaining a patient’s authorization.
– In general, anytime you release patient information for a reason unrelated to treatment, payment (e.g., billing) or healthcare operations (TPO), an authorization is required.
Treatment, Payment and Operations (TPO)
• Treatment: Various activities related to patient care.
• Payment: Various activities related to paying for or getting paid for health care services.
• Health Care Operations: Generally refers to day-to-day activities of a covered entity, such as planning, management, training, improving quality, providing services, and education.
• NOTE:
– Research is not considered TPO.
– Written patient authorization is required to access PHI for research unless an authorization waiver is approved by the Institutional Review Board (IRB).
SECURITY RULES (§ 164.3xx)
General Rule (§164.306)
• General requirements:
– Ensure the confidentiality, integrity, and availability of all its ePHI.
– Protect against any reasonably anticipated threats or hazards to its ePHI.
– Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted.
• Implementation specifications:
– Required specifications must be implemented.
– Addressable specifications must be assessed and implemented as specified if reasonable and appropriate for the Covered Entity.
• Maintenance.
Administrative Safeguards (§164.308(a))
• Security management process
• Assigned security responsibility
• Workforce security
• Information access management
• Security awareness and training
• Security incident procedures
• Contingency plan
• Evaluation
Physical Safeguards (§164.310)
• Facility access controls.
• Workstation use.
• Workstation security.
• Device and media controls.
Policies and Procedures and Documentation Requirements (§164.316(b)(2))
• Time limit.
– Retain the documentation required for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
• Availability.
• Updates.
Technical Safeguards (§164.312)
• Access control.
• Audit controls.
• Integrity.
• Person or entity authentication.
• Transmission security.
PRIVACY RULES (§ 164.5xx)
Required/Addressable Specifications of Security Standards
Standard | Specification | Section
Security Management Process | Risk Analysis | 164.308(a)(1)(ii)(A)
Security Management Process | Risk Management | 164.308(a)(1)(ii)(B)
Security Management Process | Sanction Policy | 164.308(a)(1)(ii)(C)
Security Management Process | Information System Activity Review | 164.308(a)(1)(ii)(D)
Assigned Security Responsibility | Assigned Security Responsibility | 164.308(a)(2)
Workforce Security | Authorization and/or Supervision | 164.308(a)(3)(ii)(A)
Workforce Security | Workforce Clearance Procedure | 164.308(a)(3)(ii)(B)
Workforce Security | Termination Procedures | 164.308(a)(3)(ii)(C)
Information Access Management | Isolating Health Care Clearinghouse Function | 164.308(a)(4)(ii)(A)
Information Access Management | Access Authorization | 164.308(a)(4)(ii)(B)
Information Access Management | Access Establishment and Modification | 164.308(a)(4)(ii)(C)
Security Awareness and Training | Security Reminders | 164.308(a)(5)(ii)(A)
Security Awareness and Training | Log-in Monitoring | 164.308(a)(5)(ii)(B)
Security Awareness and Training | Protection from Malicious Software | 164.308(a)(5)(ii)(C)
Security Awareness and Training | Password Management | 164.308(a)(5)(ii)(D)
Security Incident Procedures | Response and Reporting | 164.308(a)(6)
Contingency Plan | Data Backup Plan | 164.308(a)(7)(ii)(A)
Contingency Plan | Disaster Recovery Plan | 164.308(a)(7)(ii)(B)
Contingency Plan | Emergency Mode Operation Plan | 164.308(a)(7)(ii)(C)
Contingency Plan | Testing and Revision Procedure | 164.308(a)(7)(ii)(D)
Contingency Plan | Applications and Data Criticality Analysis | 164.308(a)(7)(ii)(E)
Evaluation | Evaluation | 164.308(a)(8)
Business Associate Contracts and Other Arrangements | Written Contract or Other Arrangement | 164.308(b)(3)
Required/Addressable Specifications of Security Standards
Standard | Specification | Section
Facility Access Control | Contingency Operations | 164.310(a)(2)(i)
Facility Access Control | Facility Security Plan | 164.310(a)(2)(ii)
Facility Access Control | Access Control and Validation Procedures | 164.310(a)(2)(iii)
Facility Access Control | Maintenance Records | 164.310(a)(2)(iv)
Workstation Use | Workstation Use | 164.310(b)
Workstation Security | Workstation Security | 164.310(c)
Device and Media Control | Disposal | 164.310(d)(2)(i)
Device and Media Control | Media Re-use | 164.310(d)(2)(ii)
Device and Media Control | Accountability | 164.310(d)(2)(iii)
Device and Media Control | Data Backup and Storage | 164.310(d)(2)(iv)
Access Control | Unique User Identification | 164.312(a)(2)(i)
Access Control | Emergency Access Procedure | 164.312(a)(2)(ii)
Access Control | Automatic Logoff | 164.312(a)(2)(iii)
Access Control | Encryption and Decryption | 164.312(a)(2)(iv)
Audit Controls | Audit Controls | 164.312(b)
Integrity | Mechanism to Authenticate Electronic Protected Health Information | 164.312(c)(1)
Person or Entity Authentication | Person or Entity Authentication | 164.312(d)
Transmission Security | Integrity Controls | 164.312(e)(2)(i)
Transmission Security | Encryption | 164.312(e)(2)(ii)
Documentation | Time Limit | 164.316(b)(2)(i)
Documentation | Availability | 164.316(b)(2)(ii)
Documentation | Update | 164.316(b)(2)(iii)
Minimum Necessary Rule (§164.502(b))
• Generally, the amount of PHI used, shared, accessed or requested must be limited to only what is needed.
• Workers should access or use only the PHI necessary to carry out their job responsibilities.
Authorization (§164.508)
• A covered entity may not use or disclose protected health information for reasons generally not related to treatment, payment or healthcare operations without an authorization.
• The Authorization must include:
– A detailed description of the PHI to be disclosed, who will make the disclosure, to whom the disclosure will be made, expiration date, the purpose of the disclosure, and signature.
– The individual's right to revoke, the ability or inability to condition usage, and the potential for information disclosed.
Types of Disclosures
• No Authorization Required (§ 164.512)
• Authorization Required, but Must Give Opportunity to Object (§ 164.510)
• Authorization Required (§ 164.508)
Uses and Disclosures for Which An Authorization or Opportunity to Agree or Object Is Not Required
• To disclose PHI to the patient (§ 164.502)
• To use or disclose PHI for treatment, payment or healthcare operations (§ 164.502)
• Certain disclosures required by law (for example, public health reporting of diseases, child abuse/neglect cases, etc.) (§ 164.512(a)-(l))
Uses and Disclosures for Which An Authorization Is Required
• A covered entity may not use or disclose protected health information without an authorization. (§ 164.508(a)(1))
• To access, use or disclose PHI for research (§ 164.512(i)(1)(i))
• For marketing activities and sale of PHI (§ 164.508(a)(3))
Uses and Disclosures Requiring An Opportunity for The Individual to Agree or to Object
• The Patient must be offered an opportunity to object before discussing PHI with a patient’s family or friends. (§ 164.510(b)(1)(i))
• Limited PHI (e.g., patient’s hospital room/location number) is included in the “Hospital Directory” but patients are offered an “Opt Out” opportunity and certain disclosures to clergy members. (§ 164.510(b)(3))
• Exception: Emergency circumstances (§ 164.510(a)(3))
Breach (§164.402(b))
• Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under privacy rules.
• Amount of a civil money penalty:
– In the amount of less than $100 or more than $50,000 for each violation.
– In excess of $1,500,000 for identical violations during a calendar year.
• Criminal liability:
– Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.
Companies & Fines
Entity Fined | Fine | Violation
CIGNET (Feb 2011) | $4,300,000 | Online database application error.
Alaska Department of Health and Human Services (June 2012) | $1,700,000 | Unencrypted USB hard drive stolen; poor policies and risk analysis.
WellPoint (Sep 2012) | $1,700,000 | Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database; failed to conduct a technical evaluation in response to a software upgrade.
Blue Cross Blue Shield of Tennessee (Mar 2012) | $1,500,000 | 57 unencrypted hard drives stolen.
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (Sep 2012) | $1,500,000 | Unencrypted laptop stolen; poor risk analysis and policies.
Affinity Health Plan (Aug 2013) | $1,215,780 | Returned photocopiers without erasing the hard drives.
South Shore Hospital (May 2012) | $750,000 | Backup tapes went missing on the way to a contractor.
Idaho State University (May 2013) | $400,000 | Breach of unsecured ePHI.
THANKS FOR LISTENING