HIPAA COMPLIANCE FOR MTSOs

Transcription

1 HIPAA COMPLIANCE FOR MTSOs HIPAA regulatins affect ur industry in many ways. The tw main areas f impact are privacy and security. The privacy regulatins address many areas with the mst pertinent being electrnic transactins, use and disclsure f prtected health infrmatin, written plicies and prcedures, written business assciate agreements and emplyee/staff training. The security regulatins require administrative, physical and technical safeguards, as well as rganizatinal requirements that cver the written plicies and prcedures, dcumentatin, and risk analysis/management. There are many frms f prtected health infrmatin (PHI) that we must be cautius abut circulating t freely. Security regulatins thrugh HIPAA require prtectin f thse elements. Sme examples are: Names Gegraphic subdivisins Dates, except year Birth date Phne # Fax # and/r web addresses Device identifiers SS # MRN Health plan # Accunt # DL # Vehicle serial # IP address Bimetric identifiers Phtgraphic images Other unique identifiers As a medical transcriptin cmpany yu are cnsidered a Business Assciate (BA) which perfrms functins fr Cvered Entities (CEs) and wrk directly with them. Accrding t the new HIPAA regulatins yu are held t the same regulatins and laws as thse cvered entities. Medical transcriptinists fall under the classificatin f Business Assciates. Changes Effective n September 23, 2009, requiring cmpliance include the fllwing: Ntificatin Of Breach f unprtected persnal data (unencrypted) t cvered entities by business assciates. (BA) BAs ntify CE f the data that has been breached CE must ntify the individual f the breach r CE can chse t have the BA cntact the individual. Patient is ntified withut undue delay but n later than 60 days; state laws may require faster ntificatin. CE ntifies HHS in its annual reprt If the breach invlves mre than 500 peple, the majr media utlets have t be ntified and the HHS is immediately ntified. i.e.: a technical glitch allwed an unencrypted stream f PHI BAs are als subject t civil and criminal penalties. State privacy laws wuld als apply bth in actin taken and in penalties; including a prvisin that allws individuals t seek financial cmpensatin fr damages fr a vilatin f their infrmatin. Example: Cpies f a reprt are requested t be sent t Dr. David Smith per the dictating dctr; ut f the multiple Dr. David Smiths, the MT inadvertently chses the incrrect ne. The PHI is sent t the wrng dctr. The fllwing steps must take place: Ntify the BA Ntify HHS Write a reprt Make an accunting f disclsures fr the patient s recrds

2 Ntify the patient/individual f the breach. Yu re reprt was faxed t the wrng Dr. David Smith. Must d a Risk Analysis t check fr pssible breaches. What is a Breach? Unencrypted is Unprtected! Any CE r BA that accesses, maintains, retains, mdifies, recrds, stres, destrys, r therwise hlds, uses r disclses unsecured PHI must ntify individuals whse unsecured PHI has been (r is reasnably believed t have been) accessed, acquired, r disclsed as a result f a breach. Unsecured PHI means PHI that is nt secured per HHS guidance (which will be issued annually) Harm Threshld Pses a significant risk f financial, reputatinal, r ther harm t the individual. ADA guidelines Ntificatin must accmmdate thse with disabilities. i.e.: blind patients. Nt Reprtable if it is an. Unintentinal access by a member f the wrkfrce acting under authrity f a CE r BA, thus it is frgivable prvided the PHI was reviewed in gd faith, under the wrkfrce umbrella and was nt further disclsed. i.e.: MT picked the wrng patient clicked n them and then gt ut and chse the crrect patient. Reprtable if it is. Unprtected persnal data in any media (paper, CDs, cmputer hard drive, , etc.) Electrnic media must be cleared, purged, r destryed accrding t the guidelines in the NIST publicatin n Guidelines fr Media Sanitizatin. Delivery methds, addresses, fax numbers and ther infrmatin shuld be kept current r be remved frm address bks. i.e.: Dr. David Smith mved and the fax # is nw a gas statin. The level f significant risk is a full breach. Sanctin Plicies fr Breaches CEs and BAs need t develp written sanctin plicies fr crrective, active, and remediatin steps if a breach ccurs. Sanctins may be adjusted depending n the fllwing: Multiple ffenses Harm t the breach victim(s) Breach f specially prtected infrmatin such as HIV-related, psychiatric, substance abuse, and genetic data. High vlume f peple r data affected. High expsure fr the rganizatin. Large rganizatin expense incurred, such as breach ntificatins Hampering f the investigatin Negative influence f actins n thers Victim(s) suffered n harm Offender vluntarily admitted the breach and cperated with the investigatin Offender shwed remrse Actin was taken under pressure frm an individual in a psitin f authrity Emplyee was inadequately trained.

3 Breach Sanctin Categries Categry 1: Unintentinal breach f privacy r security that may be caused by carelessness, lack f knwledge, r lack f judgement, such as a registratin errr that causes a patient billing statement t be mailed t the wrng guarantr. Categry 2a: Deliberate unauthrized access t PHI withut PHI disclsure. Example: snpers accessing cnfidential infrmatin f a VIP, cwrker, relative, r neighbr withut legitimate business reasn; Example: failure t fllw plicy withut legitimate reasn, such as passwrd sharing. Categry 2b: Deliberate unauthrized disclsure f PHI r deliberate tampering with data withut malice r persnal gain. Example: snper access and re-disclsure t the news media Example: unauthrized mdificatin f an electrnic dcument t expedite a prcess. Categry 3: Deliberate unauthrized disclsure f the PHI fr malice r persnal gain. Example: selling infrmatin t the tablids Example: stealing individually identifiable health infrmatin t pen credit card accunts. Changes that are effective February 17, 2010 cver even mre liability fr BAs. They include the fllwing: Emplyees r ther staff (cntractrs) wh wrk fr BAs r CEs will be individually subject t civil penalties. BAs are required t have a frmal cmpliance prgram (training) with sanctins fr their wrkfrce. BAs will need t have a cmplete audit trail fr access f the data. Audit Trail = the chrnlgical set f recrds that prvides evidence f infrmatin system activity. Data are cllected abut every system event (lg-in, lg-ut, file access, etc.) and used t facilitate the determinatin f security vilatins. Fr MTs: Yur system activity will be tracked by the audit trail system. Lg-in Access Time spent Actins perfrmed These activities can be matched t the actins needed t perfrm yur duties. Remember it is NOT a reprtable breach if: It is unintentinal access by a member f the wrkfrce acting under authrity f a CE r BA, thus it is frgivable prvided the PHI was reviewed in gd faith, under the wrkfrce umbrella, and was nt further disclsed. Audit trails can prvide the prf needed t cnfirm that a breach was unintentinal r nt! Remember yu are nt allwed t use r disclse PHI fr any purpse beynd the scpe f yur duties. This purpse is defined within the BA agreement. The audit trail will be the prf needed t verify that yu acted apprpriately within the scpe f yur duties r the evidence needed t prve that yu did nt.

4 BAs are subject t peridic audits by HHS. Targeted sner t make sure BAs are n track There is specific mney budgeted fr these audits and all mney frm fines stay in the department t add t the auditing resurces. BAs are required t appint a security fficial. All stred and transmitted data will need t be encrypted -- sme states already require this. New BA agreements will need t be crafted with these changes and executed between the MT service and the CE. An amendment can be used fr current clients when BA agreements are already in place. BAs will be required t cnduct a thrugh security rick analysis. This dcumentatin must be available fr investigatrs if audited. BAs will need administrative and technical safeguards established, implemented, and written Plicy & Prcedures fr each. If the BA finds that the CE is vilating the federal privacy/security rules, the BA is bligated under the law t Try t get the CE t cure the vilatin and if that des nt ccur If cure des nt ccur, reprt the CE t HHS. Terminatin f the cntract is als an ptin. NOTE: The CE has this same respnsibility (and steps t fllw) if it is the BA that is vilating the law. The dctr can t take away yur respnsibilities with the law. N mre it s n me stuff. SECURITY RISK ANAYLSIS: (things t include) Cntrlling access: Sanctins Wrkfrce cmpliance Wrkfrce security Making sure the persn n the system is the persn they say they are. (India?) Terminatin prcess Taken ut f the system: HR & IT Access authrizatin Lg-in mnitring Passwrd management Changes peridically Peridic evaluatin Physical Safeguards Facility remte wrkplace security Wrkstatins thers use PC? Device Media Cntrls any persnal data needs t be encrypted Accuntability Technical Safeguards Unique user ID Autmatic lgff Audit cntrl Use f authenticatin tls Data strage with encryptin Transmissin security with encryptin New Laws Bring New Risks t MTs and MT Cmpanies

5 Any PHI n yur PC will need t be encrypted bth at rest (stred) and in mtin (transmitted) Be alert t avid breaches Cpies f reprts Faxes nt encrypted, s it is a breach if it is sent t the wrng place if it cmes frm yur system yu are liable regardless f wh sent it. Sending cntrl f faxing back t the CE is the best way t avid liability fr misdirected faxes. s Training fr the wrkfrce is required There is a new tiered system f civil mnetary penalties based n the categry f the vilatin. Patients can sue MT cmpanies and/r individuals fr damages using HIPAA as the standard fr care f their PHI. Be Alert t Risks De-identify reprts whenever pssible (i.e. sample reprts, reprts used fr the QA prcess) Prtect backup media frm unauthrized access thrugh physical security measures and encryptin D nt keep PHI (even audi) stred any lnger than necessary t minimize risks fr a ptential breach. D it nw! Minimum f 6 mnths/1 year Prvide data n CD t CE if needed. Implement tight security within yur (hme) ffice. Restrict thers frm using yur PC Prtect materials with PHI frm viewing and accessing by thers. DO NOT PARTICIPATE in unsafe security practices. Use the HIPAA ntice f cnfidentiality n the fax cversheet when fax is necessary. Shred all paper that cntains any PHI. D nt put any paper with PHI in trash bins. D nt leave any materials with PHI in unattended areas where unauthrized individuals may have access t it. Lcate printers and fax machines in a secured area away frm access by thers. Abide by established Plicy &Prcedures that prtect privacy and security f PHI D nt disclse PHI fr any purpse beynd the scpe f yur current respnsibilities. Reprt t yur supervisr (r client) when dictatin is perfrmed in a public lcatin. This practice culd be a breach s it needs t be reprted. Be practive fr ways t prevent ptential breaches. OVERVIEW OF SPECIAL CHALLENGES FOR THE MT INDUSTRY: Large amunts f data generated, transmitted, and stred Data centers Access and security practices Reprt distributin t multiple lcatins (Must be secure but is subject t breach ntificatin) Fax Aut-faxing Remte printing (internal and external) better with encrypted attachments and use nly jb #s and n patient infrmatin if pssible. Electrnic transmissin (Ging back t clients handling the distributin f reprts will result in less liability)

6 Laptps and ther prtable media Shuld have encryptin sftware Theft and security practices Off-site strage Access and security practices Netwrk Remte accesses fr wrkfrce Security practices identify and authenticate; passwrd r duble encryptin Fingerprint scans a pssibility Remte accesses fr clients (status reprts, retrieving reprts) Security practices passwrds; apprpriate clearances Hme-based (remte) wrkfrce Emplyees Training and prf f it Security practices PHI n their PC Delete by end f day all PHI Delete after use Access t their PC Restricted t MTs nly is suggested Usage restrictins utlined Sme cmpanies prvide the PCs fr mre cntrl. cmmunicatins Cntractrs Training and prf f it Security practices PHI n their PC Access t their PC cmmunicatins Key Driving Factrs fr Dcumentatin Cmpliance Legal risks related t fraud and malpractice, and the penalties assciated with them. Prf f services fr apprpriate (ptimal) reimbursement. (CEs) The Red Flags Rule is a federal law created t prtect cnsumers frm identity theft and medical identity theft. It will becme effective n June 1, 2010 and will be enfrced by the FTC (Federal Trade Cmmissin). These rules will als ptentially affect BAs as well as CEs. Sme things t be aware f invlving the Rule are as fllws: Red Flags Rule requires: Staff training including healthcare prviders Rutine mnitring fr peple accessing patient files and nting any suspicius activity in patient accunts Frmal risk assessment Written Plicies &Prcedures Regular review f the prgram t assess its effectiveness Dcumented prf f the prgram s implementatin and administratin What des this mean t MTs and MT Cmpanies? Limit the type f patient data received frm CEs t nly what is needed t perfrm the duties described within the BA agreement. Fr example: never accept credit card infrmatin frm the CE

7 Depending n the client requirements fr patient demgraphics cnsider restricting ther items. Scial security number Address Driver s license number Other unnecessary unique identifiers Can and prbably shuld restrict the infrmatin that is in the MT distributin N patient addresses unless it is required in a letter. Organizatins can be penalized as high as $2,500 fr each Red Flags Rule vilatin. TERMINOLOGY: HIPAA Health Insurance Prtability and accuntability Act PHI Prtected health infrmatin (infrmatin in any frm r medium that is individually identifiable) CE (Cvered Entity) healthcare prvider r facility, insurance plan, HMO BA (Business Assciate) Business r Individual wh wrks directly with and perfrms functins fr a CE ARRA American Recvery and Reinvestment Act, aka The Stimulus Plan HITECH Health Infrmatin Technlgy fr Ecnmic and Clinical Health (title XIII f ARRA) HHS Health and Human Services OCR Office f Civil Rights AHIMA American Health Infrmatin Management Assciatin POA Present n Admissin RAC Recvery Audit Cntractrs E/M Evaluatin and Management CMS Centers fr Medicare and Medicaid Services References: Brenda J. Hurley, CMT, AHDI-F, ROSe Intrductry Cmpliance Class Health Insurance Prtability and Accuntability Act f 1996 (HIPAA) Infrmatin Technlgy Fr Ecnmic And Clinical Health Act (Hitech)