KEYS TO HIPAA COMPLIANCE for CAAP Practice Managers Amy Wasdin, RN, MBA, CPHRM Patient Safety Risk Manager II, Dept. of Patient Safety and Risk Management The Doctors Company March 17, 2016

Page 1: Keys To HIPAA Compliance

KEYS TO HIPAA COMPLIANCE for CAAP Practice Managers

Amy Wasdin, RN, MBA, CPHRM Patient Safety Risk Manager II, Dept. of Patient Safety and Risk Management The Doctors Company March 17, 2016

Page 2: Keys To HIPAA Compliance

DISCLOSURE STATEMENT

The Doctors Company would like to disclose that no one in a position to control or influence the content of this activity has reported relevant financial relationships with commercial interests.

The information and guidelines contained in this activity are generalized and may not apply to all practice situations. The faculty recommends that legal advice be obtained from a qualified attorney for specific application to your practice. The information is intended for educational purposes and should be used as a reference guide only.

2 KEYS TO HIPAA COMPLIANCE for Practice Managers

Page 3: Keys To HIPAA Compliance

OBJECTIVES

After completing this activity, learners will be able to:

Review the purpose of the HIPAA Privacy and Security Rules
Discuss the 2013 Omnibus Rule and its impact on:
  − Disclosures of Protected Health Information,
  − Patient Rights, and
  − Business Associates
Describe the notifications necessary for a breach of PHI.
Outline the steps necessary for HIPAA compliance in a medical practice.

Page 4: Keys To HIPAA Compliance

I never had a policy; I have just tried to do my very best each and every day.

--Abraham Lincoln (1809-1865)

Page 5: Keys To HIPAA Compliance

How HIPAA compliant are you? Select one:

A. I am 100% confident that our practice is HIPAA compliant.
B. I am fairly certain that our practice is HIPAA compliant but I’m not sure.
C. Our practice is not HIPAA compliant.
D. What’s HIPAA?

Page 6: Keys To HIPAA Compliance

KEY CONCEPTS UNDER HIPAA

Protected Health Information (PHI)
  − All individually identifiable health information
  − Held or transmitted by a covered entity or its business associate
  − In any form or media, whether electronic, paper, or oral

Covered Entity (CE)
  − Health plan or health care clearinghouse
  − Health care provider

Business Associates (BA)
  − Persons or organizations that perform certain functions on behalf of a CE (billing, claims processing, data analysis)

Page 7: Keys To HIPAA Compliance

OVERVIEW OF HIPAA

Healthcare Insurance Portability and Accountability Act: the Privacy Rule and the Security Rule
  − Protects privacy and confidentiality of PHI
  − Assures security of electronic information

The overall idea:
  − Assure information is properly protected, but still promote flow and use of technology to facilitate care

Some state laws are more stringent than HIPAA
  − If so, state law takes precedence over federal HIPAA

Page 8: Keys To HIPAA Compliance

HIPAA VIOLATIONS ON THE RISE…

Total complaints received through Dec 31, 2015: 125,445 [1]

2014 saw a 25% increase in HIPAA breaches [2]
  − 2013: Loss and theft of laptops and portable devices.
  − 2014: “The year of the hacker” - CHS: 4.5 million patients

Paper records are as vulnerable as, or more vulnerable than, electronic records [3]

[1] HHS Compliance and Enforcement Numbers at a Glance. Mar 11 2016. www.hhs.gov
[2] 2014 Saw 25% Increase in HIPAA Breaches. Mar 11 2016. www.hipaajournal.com
[3] HIPAA in a HITECH World: HIPAA Violations on the Rise. Smart Data Collective, March 25, 2013

Page 9: Keys To HIPAA Compliance

HIPAA FINES…

Alaska DHHS fined $1.7 million
  − USB device stolen from employee vehicle

Cignet Health fined $4.3 million
  − Failure to provide medical records to 41 patients

UCLA fined $865,500
  − Snooping employees

CVS fined $2.25 million
  − Disposal of PHI in trashcans

Blue Cross of Tennessee fined $1.5 million
  − Unencrypted laptops stolen

Page 10: Keys To HIPAA Compliance

DATA BREACH: GEORGIA HOSPICE GROUP

Unencrypted company laptop containing personal health information was stolen from an employee's car in 2013. Nearly 2,000 patients affected by the breach. Officials say the laptop contained patient names, addresses, phone numbers, dates of birth, Social Security numbers, insurance numbers, clinical diagnoses and provider names.

Healthcare IT News - February 2013


Page 11: Keys To HIPAA Compliance

CARDIAC SURGERY PRACTICE

April 2012 – Phoenix Cardiac Surgery: $100,000 with Corrective Action Plan
  − Failed to implement policies to safeguard PHI
  − Failed to document training of employees on Privacy and Security Rules
  − Failed to identify a security official and conduct risk analysis
  − Failed to have BA agreements with Internet based e-mail and calendar services where provision of the service included storage of and access to its PHI

Page 12: Keys To HIPAA Compliance

PHI 18 IDENTIFIERS

Name
Postal address
All elements of dates except year
Telephone number
Fax number
E-mail address
Social Security number
Medical record number
Health plan beneficiary number
Account numbers
License numbers
Vehicle identifiers and serial numbers
Device identifiers and serial numbers
URL address (Uniform Resource Locator or web address)
IP address (Internet Protocol address numbers)
Biometric identifiers (i.e., finger and voice prints)
Full face photos and other comparable images
Any other unique identifying number, code, or characteristic

Page 13: Keys To HIPAA Compliance

AUTHORIZED USE AND DISCLOSURE

Patient consent not required for…

Use in treatment, payment, or operations (TPO)

When records are subpoenaed
  − Check with MPL carrier for subpoena validity

Public interest or public health activities – required by law:
  − Mandated report of abuse to proper agencies
  − Preventing and controlling disease – CDC reports
  − FDA

Page 14: Keys To HIPAA Compliance

AUTHORIZED USE AND DISCLOSURE (continued)

Most of the time… Valid Authorization is required to release records to another party

Specific consent required for…
  − Psychotherapy notes
  − Alcohol and drug abuse treatment program notes
  − Participation in research studies
  − Even for re-disclosure of any of the above

Page 15: Keys To HIPAA Compliance

SECURITY SAFEGUARDS

Administrative
  – Security Risk Assessment
  – Designated Privacy Officer
  – Policies and Procedures
  – Staff training

Physical

Technical

Page 16: Keys To HIPAA Compliance

THE FINAL OMNIBUS HIPAA RULE

Effective March 26, 2013

Enforcement began September 23, 2013
  − HITECH Modification
  − HIPAA Enforcement Rule
  − Breach Notification Rule

Page 17: Keys To HIPAA Compliance

WHO DID THE CHANGES AFFECT?

HIPAA Covered Entities:
  − Healthcare providers, health systems, health plans, clearinghouses

HIPAA Business Associates and subcontractors:
  − Vendors who contract with Covered Entities and access protected health information (PHI)
  − Examples: Technology vendors, service organizations, accountable care organizations, third party administrators

Page 18: Keys To HIPAA Compliance

OMNIBUS RULE - HITECH

Holds BA’s directly liable for compliance; strengthens limitation on use and disclosure of PHI; expands individual’s rights

How does this impact practice? …

Notice of Privacy Practices (NPP)

Page 19: Keys To HIPAA Compliance

NPP MODIFICATIONS

Prohibition on the sale of PHI without authorization

Duty of CE to notify affected individuals of a breach of unsecured PHI

Right to restrict disclosures of PHI to health plan for care that was paid out of pocket in full

For CE that stated intent to fundraise in NPP, must also advise individual of the right to opt out of receiving fundraising communications from CE


Page 20: Keys To HIPAA Compliance

NPP NOTIFICATION TO PATIENTS

Must make the NPP available upon request on or after the effective date of the revision

Must make the NPP available at the service delivery site and post the NPP in a clear and prominent location

A health care provider is required to give a copy of its NPP only to new patients—and not all individuals seeking treatment


Page 21: Keys To HIPAA Compliance

OMNIBUS – HIPAA ENFORCEMENT RULE

Modifies privacy, security, and enforcement rule of HIPAA

How does this impact the practice? ...

Penalties


Page 22: Keys To HIPAA Compliance

OMNIBUS – BREACH NOTIFICATION RULE

Establishes a process for notifying patients and HHS when there is a breach of unsecured PHI.

How does this impact the practice? ...

CE’s are required to notify patients.


Page 23: Keys To HIPAA Compliance

BREACH OF PHI

Any acquisition, access, use or disclosure not permitted is a Breach…

UNLESS

the CE or BA demonstrates a low probability of PHI compromise.

Page 24: Keys To HIPAA Compliance

BREACH NOTIFICATION OF UNSECURED PHI

Applies to breach of unsecured PHI

Applies to covered entities and business associates

Business Associates notify Covered Entity

Covered entity has burden to notify patient (unencrypted)

Must notify each individual affected by the breach (written notification within 60 days of discovery)

Discovery date = first date known


Page 25: Keys To HIPAA Compliance

BREACH EXCEPTIONS

Unintentional acquisition, access, or use by workforce member with no further impermissible use

Inadvertent disclosure from one authorized person to another or CE or BA and no further impermissible use

Recipient could not reasonably have retained the PHI

Encrypted data per OCR guidance


Page 26: Keys To HIPAA Compliance

BREACH NOTIFICATION REQUIREMENTS

Individual
  − Contact by phone if urgent
  − Written breach notification – first class mail unless e-mail preferred

HHS
  − <500 = Annual log report
  − >500 = Media notice and immediate notice to HHS Secretary
  − Annual report to HHS of all breaches

Media
  − <500 residents of a state or jurisdiction
  − Insufficient contact information for 10 or more individuals

Page 27: Keys To HIPAA Compliance

BREACH NOTIFICATION REQUIREMENTS (continued)

The notification must cover:
  − What happened?
  − What information was breached?
  − What steps should the patient take for protection?
  − What is the CE doing to investigate, mitigate and prevent future incidents?
  − CE contact information

Adhere to HIPAA Compliance plan for breach

Page 28: Keys To HIPAA Compliance

BREACH RESPONSE –WHAT IS YOUR PLAN?

Determine root cause of breach

Identify gaps in compliance that led to breach

Provide evidence that root cause has been addressed and gaps corrected


Page 29: Keys To HIPAA Compliance

TOP FIVE ISSUES IN INVESTIGATED CASES

OCR took corrective action most often on…

Impermissible use and disclosure

Safeguards
  − Not in place – fax, email, computer accessibility, etc.

Access
  − Access to records was granted or not granted improperly

Minimum necessary
  − More information than needed was disclosed (e.g., phone message)

Notice of privacy practices
  − Not given

Page 30: Keys To HIPAA Compliance

BUSINESS ASSOCIATES

AGREEMENTS

Business Associate Agreements must be updated to include specific new provisions

Existing agreements, entered before January 25, 2013, may operate until agreement is amended / renewed, or until September 22, 2014, whichever is earlier

Covered Entities and Business Associates will need to modify agreements and allocate risk through use of insurance requirements and indemnity provisions


Page 31: Keys To HIPAA Compliance

PUTTING IT ALL TOGETHER

Page 32: Keys To HIPAA Compliance

WHAT ACTIONS ARE REQUIRED?

Perform risk assessment.
Establish risk management plan to address and manage areas of vulnerability.
Designate a HIPAA Security officer.
Encrypt all devices that contain PHI.
Have written policies on Sanctions and Breach Notification.
Train staff on how to protect PHI and ensure your policies are in compliance with HIPAA.
Audit/Test physical and electronic security policies and procedures regularly.
Documentation

Page 33: Keys To HIPAA Compliance

IF NOT ALREADY ADDRESSED…

Update Notice of Privacy Practices

Revise all Business Associates Agreements


Page 34: Keys To HIPAA Compliance

Testing Your Compliance

Select One:

A. I am 100% confident that our practice is HIPAA compliant.
B. I am fairly certain that our practice is HIPAA compliant but I’m not sure.
C. Our practice is not HIPAA compliant.
D. What’s HIPAA?

Page 35: Keys To HIPAA Compliance

TIPS FOR PRIVACY AND SECURITY

Limit access to a “need to know” basis
Do not conduct discussion in elevators, waiting area, or other public areas
If you see a patient in a public place, be careful in greeting him/her
Obtain patient’s permission before discussing care/treatment if there is someone with him/her
Keep voices down when discussing PHI
Log off computer when done

Page 36: Keys To HIPAA Compliance

TIPS FOR PRIVACY AND SECURITY (continued)

Use password protected or encrypted systems
Never share your password
Protect zip drives, laptop, PDA from loss
Never leave documents unattended
Do not put PHI in the trash
Avoid taking records out of the office if possible
Obtain written permission before leaving voicemail messages or emailing
Confirm fax numbers before sending and use a confidentiality statement on your cover sheet

Page 37: Keys To HIPAA Compliance

RESOURCES

Security Risk Assessment – HealthIT.gov
www.healthit.gov/providers-professionals/security-risk-assessment

Sample Notice of Privacy Practices – English
www.hhs.gov/ocr/privacy/hipaa/npp_fullpage_hc_provider.pdf

Sample Business Associates Agreement
www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Take Steps to Protect and Secure Information When Using a Mobile Device
www.healthit.gov/sites/default/files/fact-sheet-take-steps-to-protect-information.pdf

Security Rule Educational Paper Series
http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

Page 38: Keys To HIPAA Compliance

The key to wisdom is knowing all the right questions.

--John Simone, Sr.

Page 39: Keys To HIPAA Compliance

Contact Information

For additional Patient Safety information, please visit our Web site at: www.thedoctors.com

Amy Wasdin, RN, MBA, CPHRM
Patient Safety Risk Manager II, Southeast
Department of Patient Safety and Risk Management
800-421-2368, ext 6728
Email: [email protected]

Nelson Guzman, CIC, CRM
President, CBIZ Trinity
Southeast Regional Healthcare Director, CBIZ Insurance Services
Mobile: 404-791-8822
Email: [email protected]

Evan Orvis, Sales Executive
Mobile: 770-712-3903
Direct: 470-282-2536
Email: [email protected]

Kathy Alba, CISR, CLCS
Senior Account Manager
Direct: 678-389-7858
Email: [email protected]

Page 40: Keys To HIPAA Compliance

THANK YOU

We relentlessly defend, protect, and reward the practice of good medicine.