Raymond: Beyond Basic HIPAA - GSHA Convention HIPAA HIPAA HIPAA. Financial. Carol Ann Raymond, MBA, Ed.S., CCC-SLP

Transcription

1 Carol Ann Raymond, MBA, Ed.S., CCC-SLP Associate Clinical Professor/Clinic Director Department of Communication Sciences and Disorders Financial o Employed by the University of Georgia o Non-Financial o Member, GSHA Convention and Finance Committees The University of Georgia February 28, GSHA Convention 2 Type of provider and organization Your responsibility related to HIPAA o Healthcare provider o HIPAA Privacy or Security Officer o Administrator o Other Knowledge level about HIPAA on a scale of PHI means Private Health Information. 2. A written authorization is required to use and disclose PHI unless it is for treatment, payment, or healthcare operations (TPO). 3. A covered entity and business associate must enter into a Business Associate Agreement ( BAA ). 4. The HIPAA Privacy Rule applies only to electronic PHI. 5. Patient rights are stated in the Notice of Privacy Practices. 6. A risk assessment is a required standard under the HIPAA Security Rule. 7. Providers must notify the media when there is a breach affecting more than 500 individuals 3 4 HIPAA HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996 Administration Simplification (Title II) Electronic Data Transactions and Code Sets 2002 Privacy Rule 2003 Electronic Data National Provider Identifier Security Rule 2005 HITECH ACT OMNIBUS American Recovery and Reinvestment Act of 2009 (ARRA) Health Information Technology for Economic and Clinical Health (HITECH) HIPAA Omnibus Final Rule - 9/23/13 Strengthens privacy, security and patient rights Regulated by the U.S. Department of Health and Human Services 5 6 Raymond: Beyond Basic HIPAA - GSHA Convention

2 138 percent increase in breaches Breaches since 2009: o 35 % - theft or loss of encrypted devices or computers o 22 % - unauthorized access o 6 % - hacking Since 6/2013, OCR has levied more than $10M in fines As for 1/31/2015 OCR enforcement: Privacy (since 4/2003) o OCR has received over 109,722 complaints o 1,191 initiated compliance reviews o 23, 366 cases resolved by requiring changes, and corrective actions, and technical assistance Security (since 2009) o 940 complaints o 689 investigated and closed after corrective action o 316 under review as of 8/31/14 percent 7 8 HIPAA Penalties Civil Penalties Up to $100/person/violation, up to $25,000/year Criminal Penalties Knowing misuse of PHI - up to $50,000 and/or up to one year imprisonment Under false pretenses - up to $100,000 and/or up to five years imprisonment Personal gain/malicious harm - up to $250,000 and/or up to 10 years imprisonment Tiers A HITECH /Omnibus Penalties Description Minimum / Violation Maximum*/ violation Did not know (would have known by reasonable diligence) $100 $50,000 B Reasonable cause - not willful neglect C Willful neglect - corrected w/in required time period $1,000 $50,000 $10,000 $50,000 D Willful neglect - not corrected w/in required period $50,000 $50,000 *$1.5 million annual max 9 Required to take corrective action to achieve voluntary compliance (in order of frequency): o Private Practices o General Hospitals o Outpatient Facilities o Pharmacies o Health Plans (group health plans and health insurance issuers) 10 In order of frequency o Impermissible uses and disclosures of protected health information; o Lack of safeguards of protected health information; o Lack of patient access to their protected health information; o Lack of administrative safeguards of electronic protected health information; and o Use or disclosure of more than the minimum necessary protected health information. 11 HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software Anchorage Community Mental Health Services - $150,000 $800,000 HIPAA Settlement in Medical Records Dumping Case Parkview, 6/23/14 Data Breach Results in $4.8 Million HIPAA Settlements New York & Presbyterian Hospital, 5/7/14 Concentra Settles HIPAA Case for $1,725,220, 4/22/14 QCA Settles HIPAA Case for $250,000, 4/22/14 County Government Settles Potential HIPAA Violations - $215,000, 3/7/14 Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts - $150,000, 12/20/13 HHS Settles with Health Plan in Photocopier Breach Case - $1,215,780, 8/14/13 12 Raymond: Beyond Basic HIPAA - GSHA Convention

3 WellPoint Settles HIPAA Security Case for $1,700,000, 7/11/13 Shasta Regional Medical Center Settles HIPAA Privacy Case for $275,000, 6/13/13 Idaho State University Settles HIPAA Security Case for $400,000, 5/21/13 HHS announces first HIPAA breach settlement involving less than 500 patients (Hospice)- $50,000, 12/31/12 Massachusetts Provider Settles HIPAA Case for $1.5 Million September 17, 2012 Alaska DHSS Settles HIPAA Security Case for $1,700,000 June 26, 2012 HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards - April 13, 2012 HHS settles HIPAA case with BCBST for $1.5 million - March 13, 2012 The $50,000 settlement with a non-profit Hospice of North Idaho, which involved the theft of an unencrypted laptop computer from the non-profit Hospice of North Idaho. A $1.7 million settlement with the Alaska Department of Health and Human Services related to a stolen USB storage drive containing data on possibly 500 or more Medicaid beneficiaries, which led to OCR finding a variety of other HIPAA non-compliance issues at the agency, including insufficient risk management A $1.5 million settlement with Massachusetts Eye and Ear Infirmary after the theft of an unencrypted laptop containing data on about 3,500 patients. HIPAA non-compliance issues included failure to conduct a thorough risk analysis for protecting information stored on mobile devices. A $1.5 settlement with Blue Cross Blue Shield of Tennessee related to the theft of 57 unencrypted disk drives containing data on about 1 million patients. The corrective action plan as part of the settlement instructed Blue Cross Blue Shield of Tennessee, among other things, to conduct thorough assessment or risks involved when data is created, received, maintained, used or transmitted on-site or off-site. A $100,000 settlement with Phoenix Cardiac Surgery. That case involved the posting of clinical and surgical appointments for an unspecified number of its patients on an Internet-based calendar that was publicly accessible. Other non-compliance issues discovered by OCR during its investigation include insufficient staff training. 15 Covered Entity (CE) Business Associate (BA) Workforce Protected Health Information (PHI) Treatment, Payment, Healthcare Operations (TPO) Minimum Necessary Written Authorization o Required to use and disclose PHI if not for TPO purposes Notice of Privacy Practices (NPP) Privacy Rule Security Rule 16 Are you a covered entity or do you work for a covered entity? 1. Health care provider who transmits any health information in electronic form in connection with a covered transaction Directly or through a business associate Covered transaction - Insurance claims, eligibility, etc. 2. Health plans 3. Health care clearinghouses Hybrid Entity CE that does both covered and non-covered functions Organization designates Health Care Component (HCC) - perform CE functions Disclosures from HCC to others in organization that are not part of HCC are treated as outside disclosure 45 CFR , Provide services on behalf of the covered entity, involving the use or disclosure of protected health information (PHI) o E.g., consultants, legal services, etc. Requires contract between CE and BA o BA must sign agreement to comply with HIPAA o Includes subcontractors of BA HITECH Act - Must now comply same as CE and also subcontractors 45 CFR (e), (e), (d) and (e) 18 Raymond: Beyond Basic HIPAA - GSHA Convention

4 Protected Health Information (PHI) Persons whose conduct, in the performance of work for the CE, is under the direct control of the CE o Regardless of whether they are paid by the CE Includes: o Employees o Volunteers o Students CE is required to train all members of its workforce, appropriate for the level of staff and their duties on all existing and new policies o Must keep records for six years Individually identifiable health information Identifies the individual (on a reasonable basis) Relates to any physical or mental health or condition in the past, present, or future Oral, electronic or paper records Received, created, or transmitted by provider Exception FERPA education and employment records Social Security number Health plan beneficiary numbers and other identifying information Account numbers Certificate of license numbers Vehicle identifiers and serial numbers to include license plate numbers Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) address numbers Full face photographic images and other comparable images Name Medical record numbers Geographic subdivision smaller than a state, including street address, city, county, precinct, zip code Any and all dates (except the year), including birth date, encounter date, and date of death Ages greater than 89 Telephone numbers Fax numbers Electronic mail addresses Any other unique identifying number, characteristic or codes Includes - relatives, employers, household members identifiers 21 Provider Requirements: o Inform patients of rights and provider s privacy practices for use and disclosure of PHI (in plain language) o Provide to clients at first date of service delivery (or as soon as reasonable for emergencies) o Make good faith effort to obtain written acknowledgement of receipt of notice Or document efforts and reason why not Except in emergencies o State effective date o Post in clear and prominent location and on web-site o Must have been updated as of September 23, 2013 See free, customizable templates at o 45 CFR To receive written notice of the covered entity's duties with respect to PHI, the uses and disclosures it may make or be required to make, and the individual's rights (i.e., NPP); To receive PHI by alternative means or at alternative locations to protect confidentiality; To review and obtain a copy of their protected health information; To request amendments of protected health information; To request that uses and disclosures of health information be restricted; and To request an accounting of certain disclosures of their PHI for purposes other than TPO. Privacy Rule Restricts the use & disclosure of All PHI Electronic, Paper, & Oral What will be kept confidential Includes patient s rights Security Rule Applies only to Electronic PHI (ephi) How PHI will be kept confidential 23 Enforced by the Office of Civil Rights 24 Raymond: Beyond Basic HIPAA - GSHA Convention

5 Privacy Rule Privacy Officer Policies and Procedures Safeguards Security Rule Security Officer Policies and Procedures Safeguards Enforced by the Office of Civil Rights 25 Requires administrative, physical, and technical safeguards to ensure confidentiality, integrity, and availability of ephi Must protect against any reasonably anticipated threats or hazards to the security or integrity of ephi Must protect against any reasonably anticipated uses or disclosures that are not permitted by privacy rules Must have designated security officer Must include all standards in policies and procedures Must ensure compliance with workforce 45 CFR 160, 162, and Required o Specification must be implemented as stated Addressable (Does not mean optional ) o Covered entity must assess whether each specification is reasonable and appropriate for its environment to protect ephi. Must: A. Implement specification as stated, if reasonable and appropriate; or B. If not reasonable and appropriate, Document rationale, and Implement an equivalent alternative measure, if reasonable and appropriate Raymond: Beyond Basic HIPAA - GSHA Convention

6 Identify, evaluate, and eliminate or reduce risk. Address administrative, physical, and technical safeguards o Asset inventory and prioritization o Threat and vulnerability identification o Examination of existing security controls associated with addressing identified threats and vulnerabilities o Determining the likelihood of exposure to identified threats and vulnerabilities o Determining the impact (fiscal, workflow, etc.) associated with the exercise of a threat or vulnerability exploitation o Determining, prioritizing, and mitigating identified risks p?ddocname=bok1_ CFR (a)(1)(ii)(A Security Risk Assessment Tool Downloadable SRA Tool at HealthIT.gov o Developed by he Office of the National Coordinator for Health Information Technology (ONC) with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), o Not required to use this tool; does not guarantee compliance o 156 Questions to guide you through process o Data stored locally (does not go to HHS) Some experts do not think it is adequate! NIST National Institute of Standards and Technology o Voluntary guidelines and best practices/hhs used for HIPAA o Guide for Conducting Risk Assessments rev1 HIPAA Security Rule Toolkit o Sample HIPAA Security Risk Assessment For a Small Physician Practice o - ask permission - see copyright HIPAA COW Risk Analysis & Risk Management Toolkit (uses NIST and SRA Toolkit) can use if provide reference o HIPAA Survival Guide o Clearwater Compliance o 35 Risk of misdirected , hacking, unauthorized disclosure o Use business account no free for healthcare use o Use encryption whenever possible o Avoid PHI in unless encrypted or with written permission from patient o Obtain written consent to use electronic communications state risks in consent o Use confidentiality statement after auto signature 36 Raymond: Beyond Basic HIPAA - GSHA Convention

7 Passwords o Use strong passwords o Unique user ID and login - No group logins o Change on regular basis o Don t use same password for all accounts o Don t post near PC Auto Log off of PC with PHI Encryption for any PHI at rest or in motion - laptops, PCs, tablets, etc. o 37 Breach notification Business associate requirements Accounting of disclosures (2016 deadline) Performance measures for electronic health record EHR (TBA) Incentives for EHR systems among providers Patient's right to restrict disclosures to health plans Limited data set as satisfying the minimum necessary standard Patient's right to electronic access to, and an electronic copy of, health record Prohibition on sale of PHI without authorization Marketing communications restrictions Opt-out for fund raising communications o Same as for HIPAA Periodic audits of business associates and covered entities 38 Unauthorized uses and disclosures of unsecured PHI o Unsecured PHI - PHI that is not secured through: 1) Encryption; and/or 2) Destruction as provided by HHS guidance Shredding o Secured - Methods must render PHI unusable, unreadable, or indecipherable to unauthorized individuals 13402(h) Affects data in motion, at rest, in use, disposed 39 Breach notification required except when CE or BA demonstrates a low probability that the PHI has been compromised. To determine if there is a low probability that PHI has been compromised, risk assessment: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. The unauthorized person who used the PHI or to whom the disclosure was made. Whether the PHI was actually acquired or viewed. The extent to which the risk to the PHI has been mitigated. 40 Breach of electronic unsecured PHI o Triggers HITECH Act Breach Requirements If more than 500 affected Must notify HHS immediately Posting will be on HHS Public Website Must notify prominent media outlets If less than 500 affected Annual notification to HHS U.S. Department of Health & Human Services o As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. o See list at o Raymond: Beyond Basic HIPAA - GSHA Convention

8 Develop policies and procedures to comply with regulations regarding a breach of unsecured PHI. Sample policies: o ms/general/breachnotificationpolicy.pdf o o ncident_response_plan_procedures_ pdf Patients may now opt to restrict disclosure of the PHI to health plans Must pay out-of-pocket for goods or services Providers must provide this option to patients Patients have a right to see and obtain a copy of their record o Includes electronic records held in EHR o Within 30 days of request o Certain parts may not be made available, like psychotherapy notes Providers must make available all patient information in the record, including materials from other providers o Providers may charge for printing or mailing records Georgia state law sets a threshold for printing fees o May not charge for search or retrieval o May not withhold access because of nonpayment Can require use of provider s mobile media (not patient s flashdrive) 45 OCR Audits o Pilot audit program for 115 audits of CEs completed 11% were issue free o Plans to audit 200 CEs10, then 400 audits of BAs Web portal for pre-audit survey first o Focus on device encryption, media controls, data transmission security protocols, privacy: safeguards, staff training, policy implementation, risk analysis See Sample Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews Compliance-Audit-checklist_document-by-DHHS.pdf 46 Requires modifications to, and redistribution of, a covered entity's notice of privacy practices. o Must inform patients will be notified if PHI is subject to breach o Must inform that CE may contact them to raise funds and the individual has right to opt out Business Associate agreements must also include these expanded rights Penalties for noncompliance based on levels of negligence o Maximum penalty $1.5 million / violation 47 Makes business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements. Strengthens the limitations on the use and disclosure of protected health information for marketing and fundraising purposes o Prohibits sale of protected health information without individual authorization. Expands individuals' rights to receive electronic copies of their health information Restricts disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full. 48 Raymond: Beyond Basic HIPAA - GSHA Convention

9 Electronic Health Records Cloud Vendors Mobile Devices BYOD Encryption Cloud file sharing Google Drive, Dropbox, Evernote, etc. Social Media Teleconferencing HHS Audits Increase in cyber attacks Increase in breaches Increase in fines and penalties Cyber insurance 1. PHI means Private Health Information. 2. A written authorization is required to use and disclose PHI unless it is for treatment, payment, or healthcare operations (TPO). 3. A covered entity and business associate must enter into a Business Associate Agreement ( BAA ). 4. The HIPAA Privacy Rule applies only to electronic PHI. 5. Patient rights are stated in the Notice of Privacy Practices. 6. A risk assessment is a required standard under the HIPAA Security Rule. 7. Providers must notify the media when there is a breach affecting more than 500 individuals HIPAA Privacy Rule o HIPAA Security Rule (45 CFR Part 160 & Subparts A and C of Part 164) o HITECH Act (Div. A, Title XIII and Div. B, Title IV of ARRA) o o Rodriguez, L., & Johnson, M. (n.d.). Patient Privacy: A Guide for Providers. Medscape. Retrieved from CMS HIPAA Information - Medicaid and Medicare HIPAA Complaints HIPAA Survival Guide National Institutes of Standards & Technology (NIST) Research Regulations Lions Publishing, Inc: 001pRmNkNNhb3_e7PkDwKFTAQ%3D%3D Bridgefront: a.php Clearwater Compliance: HCPro: (HIM-HIPAA Insider) 54 Raymond: Beyond Basic HIPAA - GSHA Convention

10 Healthcare Info Security: lthcareinfosecurity.com/myaccount&utm_source=silverpopmailing&utm_medium= &utm_campaig n=enews-his %20(1)&utm_content=&spMailingID= &spUserID=NTQ5M zm0mzy3mzys1&spjobid= &spreportid=ndgxmtkxnjqys0 HHS: o HHS.gov updates o HHS Health care Blog o Stop Medicare Fraud o HHS-OIG News McGuire Woods: News-Registration.aspx The information provided in this presentation is for educational purposes only. Please consult an attorney for specific legal advice related to HIPAA, HITECH, or Omnibus Rule regulations Carol Ann Raymond, MBA, Ed.S., CCC-SLP Associate Clinical Professor Speech and Hearing Clinic Director HIPAA Privacy Officer raymond1@uga.edu Department of Communication Sciences & Special Education 57 Raymond: Beyond Basic HIPAA - GSHA Convention