HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients

Transcription

1 HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose

2 Fallout from the Omnibus Rule

3 Compliance strategies for medical practices

4 1. Know / manage your business associates and subcontractors

5 CE, BA, SC Definitions Covered Entity Healthcare providers who transmit any health information electronically in connection with certain transactions, health plans, and health clearinghouses. (45 CFR , ). Business Associates A person who creates, receives, maintains, or transmits (emphasis added) protected health information. 78 Fed. Reg (Jan. 25, 2013). Subcontractors A person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. This definition applies to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate agreement. 78 Fed. Reg (Jan. 25, 2013).

6 BA or No BA A Crucial Question Business Associate Document storage companies maintaining protected health information (PHI). (viewing not necessary) An entity that requires access to PHI in order to perform a service, such as a Health Information Organization. Downstream entities: i.e. a shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule and Privacy Rule. Non-Business Associate Personal health record (PHR) vendor (fact specific) If with authorization from patient, then no; however, if CE and PHR agree to data exchange or manage a PHR service the entity wants to offer patients or enrollees, then BA. Random access to PHI when reviewing whether the data arrived at the intended destination. Those that DO NOT create, receive, maintain or transmit PHI.

7 Risk Assessment Components Due diligence by assessing PHI through the continuum of care and billing. Define and confine the circumstances where PHI may be used or disclosed by covered entities, business associates, and subcontractors. National Institute of Technology Standards Have you identified the ephi within your organization? What are the external sources of PHI/ePHI? OCR s Guidance on HIPAA Risk Analysis Requirements

8 2. Have policies in place / ensure staff know them

9 Policies Privacy Security Technical Data Disposal Business Associate Agreements Disaster Recovery & Contingency Plan Medical Record Retention Breach Notification

10 3. PHI: Know when to keep it / when to let it go (properly)

11 PHI vs. not PHI PHI Individually identifiable health information. Demographic information. Information related to the physical or mental health or the provision of or payment for healthcare information identifying an individual. Photographs of the individual. Name or other identifying information. Not PHI Employment records of a covered entity. Family Education Rights and Privacy Act (FERPA) records. Information that does not identify a specific patient or make that patient identifiable (e.g. de-identified).

12 What is De-identified Information? Remove identifiers so the individual who is subject to PHI may no longer be identified. Application of statistical method. Remove listed identifiers such as names, geography, dates, social security numbers, etc. Examples: Results of a patient survey Medical notes which include no way to identify a patient (blacked out) Patient X

13 When You May Properly Disclose PHI To individuals when requested. To help HHS investigate or determine compliance with the privacy rule. To patients (their own PHI). Covered entities may always use / disclose PHI to carry out essential healthcare functions. Payment: Activities of healthcare providers who obtain payment or reimbursement for services, activities of health plans to obtain premiums, fulfill coverage responsibilities, or provide reimbursement for provision of healthcare.

14 When You May Properly Disclose PHI Healthcare operations Fraud and abuse detection Business planning and development Family, friends, and advocates Refusal to honor authorizations Public policy purposes, including: As required by law For public health About victims of abuse, neglect, or domestic violence About accidents For workers compensation

15 Can PHI be faxed? Transfer of PHI by fax is recommended only when original paper records or mail-delivered copies don t meet the needs of immediate patient care. Disclosure of information should be limited to the minimum necessary to meet the requester s needs. Disclosure should be documented in the medical record. Beware of misdirected transmissions. Use pre-programmed numbers whenever possible.

16 Can PHI be ed? must be properly encrypted for a covered entity to be able to use it for PHI. Patients can send PHI to a provider using their own if they choose. Follow appropriate guidelines if is sent from mobile devices that could be lost or stolen.

17 4. Managing your medical practice s IT

18 HIPAA requires protection from malicious software as of April 8, Many hospitals, practices still running Windows XP; still have legacy software systems, lab equipment that depends on it. Microsoft has issued security patches, but will stop on April 8. After April 8, it will be hard for legal counsel to argue a provider took reasonable and appropriate measures to protect PHI if system is attacked. Only option is to upgrade immediately. 1/3 of the world s PCs still running this program.

19 Mobile phones / tablets Have policies in place on user authentication, password protection, secure Wi-Fi, etc. Solutions for texting: Encryption covering all levels. Must work on iphone, Android, and desktop PCs. Data storage on a secured private server w/backup. Remote mobile app wipe option. Automatic logout after inactivity period. Functioning on every spectrum to avoid dead zone. Tracking of message delivery and maximum message data life of 30 days.

20 Bring Your Own Device (BYOD) Policies for BYOD Must state what the workforce member and the employer can do with a BYOD; including securing the device, its acceptable use. Define BYOD management processes, including normal use and if the device is lost, stolen, misplaced or replaced. Set forth what technology can be used for BYOD including secured operating systems, networks, and applications. Address consequences if violation of the policy. Train workforce on the BYOD policy. Communicate relevant information across departments. BYOD must be managed for the entire duration that the device and the workforce members are associated with the organization.

21 General questions regarding HIPAA compliance on all devices owned by covered entities: Who owns the devices? Are personal devices used at work registered? Are you using a virtual privacy network to exchange information? Do you back up PHI from mobile devices on servers? Can you remotely wipe-off devices? Do your policies and procedures address mobile devices? Is your workforce properly trained?

22 5. EHRs: How they can help and hurt HIPAA compliance

23 EHRs Meaningful Use Stage 2 HHS Office of the Inspector General Report Cutting and pasting Deletion of audit logs Over documentation

24 Unsecured PHI and Exceptions Unsecured PHI a new term created in the HITECH Act. PHI that is vulnerable while using technologies or methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. Examples: Good faith, unintentional acquisition, access or use of PHI: A billing employee receives and opens an containing PHI about a patient, which was mistakenly sent. The billing employee notices that he is not the intended recipient, alerts the nurse of the misdirected then deletes it. Inadvertent disclosure to another authorized person within the entity: Physician participating in an organized healthcare arrangement. Recipient could not have reasonably retained the data: Explanation of benefits sent to the wrong individuals. Some of the EOBs are returned by the post office, unopened. Conclusion is that the information could not have been reasonably retained.

25 FTC Actions Comply with the rules, rather than worrying about who has the authority to nail you when you don t. Authority to address private companies/ data security practices under Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. 45(a)(1) LabMD Administrative Proceeding Penalty = $16,000 per violation

26 WHY Header Conclusion PATIENT PORTALS? For more information: PhysiciansPractice.com/HIPAA