1 HIPAA and Medicare for Chiropractors
2 Disclaimer None of the CCS employees are healthcare attorneys. All advice given by CCS is for educational purposes only and should not be considered a legal opinion. The information that follows has been obtained from the Federal Register and other associated government documents. Now on with the show
3 Dr. Jeff Sandquist Chiropractor and Consultant Director of Program Development for CCS Certified Chiropractic Professional Coder (CCPC) Certified Professional Compliance Officer (CPCO)
6 How Do We Cross the Chasm?
7 "The successful person has the habit of doing things failures don't like to do. They don't like doing them either necessarily. But their disliking is subordinated to the strength of their purpose." Albert Gray
8 What is HIPAA? https://www.youtube.com/watch?v=1yjqtn0on8g
9 HIPAA History Objective Improve efficiency and effectiveness of health care by standardizing electronic exchange of administrative, financial and clinical data Encompasses Transactions standards, electronic signatures, unique identifiers (NPI), privacy, security, breach notification, coding, and more
10 HIPAA History Developed by the US Department of Health and Human Services (HHS) and enforced by the Office of Civil Rights (OCR) Health Insurance Portability and Accountability Act of 1996 HIPAA Administration Simplification in 2006 (HIPAA II) Mandated national standards for electronic health care transactions, required national identifiers for providers (NPI number), mandated security and privacy of health data
12 HIPAA History Updated in 2009 with HITECH Act Finalized in 2013 with Omnibus Final Rule Original HIPAA law consisted of less than 20 pages HIPAA Omnibus Final Rule law consisted of over 500 pages NOT including HITECH Act!!!
13 HITECH Health Information Technology for Economic and Clinical Health Act Part of American Recovery and Reinvestment Act (ARRA) stimulus package of 2009 Focused on leveraging INFORMATION (technology) to achieve better health care outcomes
14 HITECH Promoted adoption of EHR technology Expanded existing Privacy and Security standards BA subject to direct enforcement of Security and Privacy Rules New breach notification requirements Enhanced enforcement Increased penalties, proactive audits, etc. Gave HIPAA teeth
15 Omnibus Final Rule The U.S. Department of Health and Human Services (HHS) Office for Civil Rights announces a final rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
16 What Changed? The changes in the final rulemaking provide the public with increased protection and control of personal health information. HHS News Release, January 17, 2013
17 What Changed? Finalized/implemented many changes from HITECH Act Business Associate and subcontractor liability Breach Notification requirements Notice of Privacy Practices requirements Increased penalties for noncompliance Use and disclosure of Protected Health Information (PHI) Expanded individuals' rights
18 New HIPAA Deadlines Jan 25, 2013 Published in Federal Register Mar 26, 2013 Effective Date Sept 23, 2013 Compliance Date
19 HIPAA Compliance Privacy Rule since 2003 Security Rule since 2005 HITECH Interim Rule 2009 Meaningful Use in 2011 (Security Risk Analysis) HIPAA Omnibus Final Rule September 23, 2013
21 Penalty Factors Nature and extent of violation Number affected, time period Nature and extent of harm resulting from violation History of prior noncompliance Financial condition of covered entity Other factors
22 HIPAA Compliance HIPAA compliance is MANDATORY even if you do NOT utilize EHR HIPAA laws do NOT fall under Obamacare (can't blame that) Can blame HIPAA (in part) for ICD-10
23 HIPAA Compliance REQUIRED for all Covered Entities (YOU!) Been around but rarely enforced until NOW!
24 HIPAA Noncompliance agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).
25 HIPAA Noncompliance The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ephi as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.
26 HIPAA Noncompliance "As we say in health care, an ounce of prevention is worth a pound of cure," said OCR Director Leon Rodriguez. "That is what a good risk management process is all about: identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information." In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.
27 ACTIVE Compliance PROCESS 8 HIPAA Compliance Elements
28 HIPAA Compliance Elements 1. Develop and implement WRITTEN policies and procedures, including changes and updates as necessary; NPP, BAA, Use and Disclosure, Privacy and Security, etc. 2. Designate a Privacy and Security Officer; Compliance Officer
29 HIPAA Compliance Elements 3. Workforce training for ALL employees; Who, What, When (at least annually and ASAP when hired) 4. Maintain reasonable and appropriate administrative, technical and physical safeguards to prevent intentional or unintentional use or disclosure of PHI; Security Rule = ELECTRONIC PHI (ephi) Perform a Risk Analysis and Risk Management (SRA Tool)
30 HIPAA Compliance Elements 5. Mitigate harmful effects of use or disclosure of PHI by staff or Business Associates in violation of policies and procedures; Breach, Sanctions, etc. 6. Privacy complaint procedures contained in Notice of Privacy Practices; identify how and to whom to make complaints;
31 HIPAA Compliance Elements 7. NEVER retaliate against staff or patients for exercising their rights for assisting in an investigation or for opposing an act or practice that the person believes violates the Privacy Rule; and 8. Record retention of HIPAA related items for 6 YEARS after their effective date
32 Privacy Rule What is it? How to comply with it?
33 Privacy Rule The HIPAA Privacy Rule provides federal protection for individually identifiable health information held by covered entities. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.
34 Privacy Rule Portion of HIPAA law that pertains to interaction between patient and health care professionals and other entities Final ruling effective as of April, 2003
35 Protected Health Information (PHI) all individually identifiable health information that is held or transmitted by a covered entity or its business associates, in any form, whether electronic, paper, or oral.
36 Individually Identifiable Health Info information, including demographic data, that relates to: the individual's past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. e.g., name, address, birth date, social security number
37 PHI Contains health information that identifies individual including but not limited to demographic information Relates to individual's health or the provision of, or payment for health care
38 PHI Excludes Educational records covered by Family Educational Rights and Privacy Act (FERPA) Employment records held by covered entity in its role as an employer Persons deceased for more than 50 years
39 PHI De-Identification Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is not individually identifiable health information. The following identifiers of the individual, relatives, employers or household members are REMOVED
40 PHI De-Identification
Names
All geographic subdivisions smaller than state
All elements of dates (except year, unless 89 years old and over)
Phone numbers
Fax numbers
Email addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers
Device numbers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers (finger and voice prints)
Full face photos and comparable images
Any other unique identifying number, characteristic, or code
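As an added illustration of the removal list above (this is not CCS code), the following Python routine applies those removals to a constructed patient record: direct identifiers are dropped, geography is kept only at state level, dates are reduced to the year, and free text is scrubbed. The field names, the regular expressions, and the reading of the slide's age line as Safe Harbor's "ages over 89 become a single 90-or-older category" are assumptions.

```python
"""Safe Harbor style de-identification of a single patient record (added
example, not from the CCS slides). Field names, the regexes and the sample
record are assumptions."""
import re
from datetime import date

# Direct identifiers from the slide's list: dropped from the record outright.
DROP_FIELDS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Identifiers that tend to leak inside free text (clinical notes, messages).
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings with labelled placeholders."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def age_on(as_of: date, dob: date) -> int:
    """Whole years between a date of birth and a reference date."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify(record: dict, as_of: date) -> dict:
    """Drop direct identifiers, keep only the state, reduce dates to the year,
    and collapse ages over 89 into a '90+' bucket with no year at all
    (assumption: Safe Harbor's aggregation of the oldest ages)."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                      # identifier: removed entirely
        if key == "dob":
            dob = date.fromisoformat(value)
            if age_on(as_of, dob) > 89:
                out["age"] = "90+"        # a birth year would reveal the age
            else:
                out["birth_year"] = dob.year
        elif key.endswith("_date"):       # visit, discharge, ... dates
            out[key[:-5] + "_year"] = date.fromisoformat(value).year
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # free text may still carry identifiers
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed record; every value here is made up.
    record = {
        "name": "Jane Doe", "state": "MN", "city": "Duluth", "zip": "55802",
        "dob": "1950-06-15", "visit_date": "2013-09-23",
        "notes": "Call 218-555-0134 or jane@example.org re: adjustment 09/23/2013",
        "diagnosis": "M54.5",
    }
    print(deidentify(record, date(2014, 1, 1)))
```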
41 Use The sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. i.e. information used INSIDE your practice
42 Disclosure The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. i.e. information you share OUTSIDE to others
43 Authorization A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.
44 Authorization Requirements
Description of the information to be used or disclosed
Name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure
Name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure
A description of each purpose of the requested use or disclosure
An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
Signature of the individual and date
If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided
45 Authorization Requirements REQUIRED STATEMENTS
The individual's right to revoke the authorization in writing, and either: The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or A reference to the covered entity's notice
The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either: The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations applies; or The consequences to the individual of a refusal to sign the authorization when the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization
46 Authorization Requirements
The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart.
Plain language requirement. The authorization must be written in plain language.
Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.
47 Minimum Necessary A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
48 Min Nec Does NOT Apply To or by health care provider for treatment To the individual With a valid authorization To the Secretary and required by law
49 Monday Morning Action Steps Address understanding and implementation of Use and Disclosure PHI and de-identified PHI Minimum necessary Determine if valid authorization is in use
50 Security Rule What is it? How to comply with it?
51 Security Rule The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.
52 Security Rule Specific to ELECTRONIC protected health information AKA ephi Requires specific Risk Analysis to determine security Administrative safeguards Training/Management Physical Safeguards Facility Access/Security Technical Safeguards Access/Transmission Security
53 Security Measures Takes into consideration Size, complexity, capabilities Technical, hardware and software infrastructure Cost of security measures Likelihood/possible impact of potential risks to ephi
54 Required vs. Addressable Required = must be implemented Addressable = does NOT mean optional Determine if reasonable and appropriate OR Adopt alternative measure to achieve purpose of standard if reasonable and appropriate OR DOCUMENT why it was NOT implemented
55 Risk Analysis Forms the FOUNDATION upon which an entity's necessary security activities are built.
56 Risk Analysis Part of Administrative Safeguards Security Rule requires you to implement policies and procedures to prevent, detect, contain, and correct security violations.
57 Threat The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. Natural threats floods, earthquakes, tornadoes, etc. Human threats intentional (unauthorized access, theft) or unintentional (incidental) Environmental threats power failure, water, fire, etc.
58 Vulnerability A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. Can be technical (technology) OR non-technical (administrative, physical, policies and procedures, staff, etc.)
59 Threats and Vulnerabilities ephi = Chickens Threat = Fox, Wolf, Coyote, Hawk, etc. Vulnerability = Hole in fence, tunnel under fence, gate left open, improper shelter, etc.
60 Risk Function of the likelihood of a given threat triggering or exploiting a particular vulnerability and the resulting impact on the organization. Threat + Vulnerability + Likelihood + Impact
61 Risk Analysis Overview Evaluate likelihood and impact of potential risks to ephi Implement appropriate security measures to address risks identified Document chosen security measures and rationale Maintain continuous, reasonable and appropriate security protections ONGOING PROCESS update annually and with major changes
62 Administrative Safeguards Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ephi and to manage the conduct of the CE's workforce in relation to the protection of that information.
63 Administrative Safeguards Security management process including Security Officer designation and implementing various Policies and Procedures Information access management policies and procedures Workforce training and management including sanctions Periodic evaluation
64 In Other Words What are the threats, vulnerabilities and risks to ephi and how are they managed? Who is in charge (CO) and involved (TEAM)? Who has access to ephi? Is there authorization, supervision and training? Are there periodic evaluations and assessments?
65 Physical Safeguards Physical measures, policies and procedures, to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
66 Physical Safeguards Facility access and control Workstation and device security Policies and procedures for use and access to workstations and electronic media Policies and procedures regarding transfer, removal, disposal, reuse and protection of electronic media
67 In Other Words Where are the facilities? Who has access to the facilities? How is access to the facilities granted/controlled? What is the security of workstations and technology? How is transfer, removal, disposal and re-use handled?
68 Technical Safeguards The technology and the policies and procedures for its use that protect ephi and control access to it.
69 Technical Safeguards Policies and procedures allow access to authorized users only Hardware, software, procedures to record and examine access Policies and procedures to ensure ephi is not improperly altered or destroyed Technical security to guard against unauthorized access to ephi transmitted
70 In Other Words Do ONLY authorized personnel have access to ephi? Are audit controls in place to track and evaluate ephi access/use? What's in place to assure proper destruction and prevent improper destruction or alteration of ephi? What's in place to secure transmission of ephi?
71 Unsecured PHI PHI that is NOT rendered unusable, unreadable or indecipherable to unauthorized individuals according to NIST guidelines (National Institute of Standards and Technology) or by physical destruction
72 Encryption Method of converting original message of regular text into encoded text Encrypted by means of algorithm (formula) Done according to National Institute of Standards and Technology (NIST) guidelines
73 Encryption and Destruction PHI at Rest NIST PHI in Motion NIST PHI Disposed Physical Shredded or destroyed so cannot be read or reconstructed Electronic NIST PHI in Use No specific guidelines other than standard access control technologies (and common sense)
76 PHI at Rest NIST STORED PHI in some capacity (e.g. desktop, laptop, phone, flash drive, memory card, external hard drive, CDs, DVDs, etc.)
77 PHI in Motion NIST PHI MOVING across the wire (i.e. internet or intranet) Transport Layer Security (TLS) recommended Provides authentication, confidentiality, data integrity
78 PHI Disposed NIST Sanitized PHI Use approved techniques/methods Not easily retrieved and reconstructed Track and document sanitation and destruction actions
79 Sanitation/Destruction Methods Clearing Cannot simply delete Overwrite technology Purging Degaussing Destroying ULTIMATE form Disintegration, incineration, pulverizing, shredding, melting, etc.
80 Disaster Plan LONG-term recovery plan to get you back to where you were before the disaster HIPAA REQUIRES access and security of data in the event of a disaster
81 Contingency Plan AKA Business Continuity Plan SHORT-term temporary resumption of critical business operations, helps business survive during Disaster Recovery HIPAA REQUIRES access and security of data
82 Contingency Plan Disaster Risk Analysis Access to critical contact info Info about facility (water, gas, electrical shut-offs) Planned steps for various applicable disasters (natural disasters, equipment failure, power failure, communications failure, burst water pipe, loss of key employee, loss of facility access, etc.)
83 Risk Management REQUIRED under Administrative Safeguards Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule.
84 Where is YOUR ephi? At the office? At home? In your pocket? Another office?
85 Monday Morning Action Steps Perform a Risk Analysis to determine vulnerabilities, threats, and risks Address Administrative, Physical, and Technical Safeguards Perform Risk Management to implement, revise and monitor
86 Business Associates Who is involved? What changed? What are the requirements?
87 Covered Entity A health care provider who transmits any health information in electronic form YOU!!! (also includes healthcare clearing houses and health plans)
88 Business Associate A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information.
89 Workforce Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.
90 Business Associate An entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity (YOU)
91 Subcontractor An entity that creates, receives, maintains, or transmits protected health information on behalf of another business associate i.e. Your BA's business associate
92 Business Associate Examples Billing Services EHR Vendor Accounting Consulting Practice Management Transcriptionist Collection Agency Administrative Financial* Accreditation Attorneys Data Aggregation Computer Repair/Technician Cloud Storage*
93 Cloud Storage
95 Business Associate Exceptions Other Healthcare Providers Health Insurance Carriers Financial Institutions for care payment Conduits (USPS, FedEx, UPS, ISP, etc.) Janitor, Electrician, Office Repair, Cleaning Service, etc. (NEVER a Business Associate)
97 BA Exceptions
99 Business Associate or Not? Role or activity based Do they create, receive, maintain or transmit PHI on your behalf? Do they have access to PHI as part of their role or activity? Even if not routinely; need only be POTENTIALLY
100 What Changed? Revised definition of a Business Associate Added entities that fall under BA definition Increased liability and compliance requirements for BA and subcontractors NEW/UPDATED BA Agreements REQUIRED
101 BA Liability DIRECTLY liable for violations of HIPAA Contractually liable However, liable whether or not they have agreement in place with CE Liable for actions of subcontractors
102 Business Associate Agreement Contract between you and each of your BA outlining the following: NOTE: Do NOT need BAA w/ subcontractors Permitted uses of PHI Restricted uses of PHI Appropriate safeguards Breach procedures Terms and termination
103 BAA Requirements Establish permitted/required uses/disclosures of PHI BA will not use/disclose PHI other than permitted/required BA will implement appropriate safeguards consistent with HIPAA security rule
104 BAA Requirements BA will report to CE any uses or disclosures not covered in contract, including breaches BA will make PHI available for individuals requests, amendments and accountings BA will comply with applicable HIPAA Privacy Rule requirements
105 BAA Requirements BA will make available internal practices/books/records to HHS Termination requires BA to destroy/return PHI received/created BA ensures subcontractors agree to same requirements; may be more but NOT less strict Authorize termination by CE if BA violates terms
106 Monday Morning Action Steps Make a list of all Business Associates Get an updated and signed Business Associate Agreement from all BAs
107 Notice of Privacy Practices What is it? Who gets it? Where does it go?
108 What is in the NPP? Describes how medical information about patient may be used and disclosed and how patients can get access to this information Patient Rights Patient Choices Uses and disclosures
109 State vs. Federal Usually Federal Laws are more strict HIPAA takes precedence HOWEVER if State Laws are more strict State Law takes precedence
110 OK Records Request
111 Patient Rights Receive electronic OR paper copy of medical records Ask to correct medical records Request confidential or alternative communications Ask to limit what we use or share Ex. Insurance carriers for care paid for out of pocket
112 Patient Rights Get list of those with whom we've shared info Get copy of this privacy notice Choose someone to act for you File a complaint if you feel your rights are violated WITHOUT fear of retaliation
113 Patient Choices In these cases, you have both the right and choice to tell us to: Share info with your family, close friends, or others involved in your care
114 Patient Choices In these cases we NEVER share your info UNLESS you give us WRITTEN permission: Marketing purposes* Sale of your information
115 Marketing REQUIRES written signed authorization To make a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service.
116 Marketing An arrangement between a covered entity and any other entity whereby the covered entity discloses PHI to the other entity in exchange for REMUNERATION, for the other entity or its affiliate to make communication about its own product or service that encourages recipients of the communication to purchase or use that product or service. Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.
117 Marketing EXCEPTIONS Face-to-face communications Promotional gift of nominal value* UNLESS financial REMUNERATION takes place Treatment of patient (i.e. case management, care coordination, alternative treatments, therapies, providers or settings) Health-related products or services as part of a plan of benefits (health care provider/plan network) Case management or care coordination, treatment alternatives that do NOT fall under treatment definition
118 Uses and Disclosures Allowed or required to share patient info Treatment Bill for patient services and receive payments Run your organization (practice) Public health and safety issues Conduct research Comply with law
119 Treatment Provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
120 Payment Encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
121 Health Care Operations Certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support core functions of treatment and payment.
122 Uses and Disclosures Allowed or required to share patient info Respond to organ and tissue donation requests Work with medical examiner or funeral director Address workers compensation, law enforcement and other government requests Respond to lawsuits and legal actions (against you)
123 Decedents NOT PHI 50 years following death of person CAN disclose to decedent's family members and others involved in care or payment for care prior to death
124 Provider Responsibilities Required by law to maintain privacy and security of PHI Inform patient promptly if a breach occurs that may compromise the privacy or security of the patient PHI Follow the duties and privacy practices in the NPP and give a copy to the patient Not to use or share info other than described in NPP unless told in writing; can be revoked in writing as well
125 Who Gets the NPP? ALL NEW patients during initial paperwork Obtain written acknowledgment Placed in patient file Anyone else who asks for it (NOT likely)
126 Where to Post the NPP? Post in a clear and prominent location and have copies of the NPP at the delivery site for individuals to request to take with them. May post a summary, as long as the full notice is IMMEDIATELY available (i.e. should NOT have to ask for full notice). Full notice posted on the office website
127 Monday Morning Action Steps Update NPP Give to all new patients Post in prominent location Post on website
128 Breach Notifications What is a Breach? What Changed? What is a Breach Notification?
129 What is a Breach? Acquisition, access, use or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information. Basically someone has PHI who should NOT have it (NOT authorized or allowed)
130 Guilty Until Proven Innocent Harm standard REMOVED PRESUMED to be a breach UNLESS covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors
131 4 Risk Assessment Factors 1. Nature and extent of PHI involved, types of identifiers, likelihood of re-identification 2. Unauthorized person who used PHI or who the disclosure was made to 3. Whether PHI was actually acquired or viewed 4. Extent to which risk to PHI was mitigated
132 Breach Notifications Treated as discovered on FIRST day it was known or should have been known Notify EACH individual affected Specific requirements of info included Have 60 days from discovery to do so Business Associates have obligation to notify the Covered Entity (YOU!) about a breach
133 Individual Breach Notifications
Brief description of what happened Including date of breach and date of discovery
Description of types of unsecured PHI involved
Steps individual should take to protect themselves
Brief description of what you are doing to investigate and mitigate harm and protect in the future
Contact procedures Including toll-free number, email address, website or postal address
134 Breach Notifications Notification to media More than 500 individuals affected Notification to Secretary More than 500 individuals affected within 60 days Less than 500 individuals affected by end of year
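As an added example (not CCS material) tying the four risk assessment factors, the discovery-date rule, the individual notice contents and the media/Secretary thresholds of the preceding slides together, the Python below turns a breach scenario into a dated notification checklist. The conservative scoring rule (a breach is presumed unless every factor points to low probability), the treatment of exactly 500 affected individuals as the large case, the literal reading of "by end of year", the function names and the constructed laptop scenario are all assumptions.

```python
"""Breach-notification planner following the CCS slides' summary of the
Breach Notification Rule. Added example, not CCS code: the scoring of the
four factors, the names and the sample breach are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Content elements the slide requires in each individual notification letter.
REQUIRED_NOTICE_ELEMENTS = (
    "what_happened",        # brief description incl. breach date and discovery date
    "phi_types",            # types of unsecured PHI involved
    "individual_steps",     # what the individual should do to protect themselves
    "entity_response",      # investigation, mitigation, future protection
    "contact_procedures",   # toll-free number, email, website or postal address
)


@dataclass
class RiskAssessment:
    """The four factors the slide lists, answered by the covered entity."""
    reidentification_likely: bool   # 1. nature/extent of PHI and identifiers
    recipient_unauthorized: bool    # 2. who used or received the PHI
    phi_actually_viewed: bool       # 3. was it actually acquired or viewed
    risk_mitigated: bool            # 4. extent to which the risk was mitigated

    def low_probability_of_compromise(self) -> bool:
        # Presumed a breach unless every factor points the other way
        # (assumption: a conservative reading of "guilty until proven innocent").
        return (not self.reidentification_likely
                and not self.recipient_unauthorized
                and not self.phi_actually_viewed
                and self.risk_mitigated)


@dataclass
class NotificationPlan:
    discovered: date
    individual_deadline: date
    notify_media: bool
    secretary_deadline: date


def discovery_date(first_known: date, should_have_known: date) -> date:
    """Slide: treated as discovered on the FIRST day it was known or should
    have been known, so the earlier of the two dates starts the clock."""
    return min(first_known, should_have_known)


def plan_notifications(discovered: date, affected: int,
                       assessment: RiskAssessment) -> Optional[NotificationPlan]:
    """Return the deadlines the slides describe, or None when the documented
    risk assessment shows a low probability of compromise."""
    if assessment.low_probability_of_compromise():
        return None                      # keep the written assessment on file
    individual_deadline = discovered + timedelta(days=60)
    # Slide says "more than 500"; exactly 500 is treated as large here (safer).
    large = affected >= 500
    if large:
        secretary_deadline = individual_deadline       # within 60 days
    else:
        # Slide: "by end of year" for the smaller breaches; applied literally.
        secretary_deadline = date(discovered.year, 12, 31)
    return NotificationPlan(discovered, individual_deadline, large, secretary_deadline)


def missing_notice_elements(notice: dict) -> List[str]:
    """Required elements of an individual notice letter that are absent or blank."""
    return [e for e in REQUIRED_NOTICE_ELEMENTS if not notice.get(e)]


if __name__ == "__main__":
    # Constructed scenario: a laptop holding 620 unencrypted records is reported
    # missing on 2013-10-07, but the clinic's own log shows it was gone since 10-01.
    found = discovery_date(date(2013, 10, 7), date(2013, 10, 1))
    print(plan_notifications(found, 620, RiskAssessment(True, True, False, False)))
    print(missing_notice_elements({"what_happened": "Laptop lost", "phi_types": "names, DOB"}))
```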