HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

Transcription

1 HIPAA 100 Training Manual Table of Contents I. Introduction 1 II. Definitions 2 III. Privacy Rule 5 IV. Security Rule 8 V. A Word About Business Associate Agreements 10

2 CHICAGO DEPARTMENT OF PUBIC HEALTH HIPAA 100 I. Introduction: Under the Health Insurance Portability and Accountability Act (HIPAA), the City of Chicago is a hybrid entity, and has designated as its health care components the following departments: Public Health, Fire, Aging (case management division), Finance (Benefits Management Office), Law, Revenue, and the Office of Emergency Management and Communications. The Chicago Department of Public Health (CDPH) is a hybrid-covered entity as well as the local public health authority as defined under HIPAA. The CDPH has implemented a compliance plan with the federal rules and regulations applicable to the HIPAA Standards for Privacy of Individually Identifiable Health Information, Standards for Electronic Transactions, and the Security Rule. To address compliance with HIPAA, the following three sets of rules have been issued by the United States Department of Health and Human Services (DHHS): The Standards for Electronic Transactions or Transactions and Code Set (TCS) Rule establishes technical specifications for conducting electronic health care transactions using standard formats approved by the Department of Health and Human Services (DHHS). The TCS Rule applies primarily to activities related to billing processes. (Compliance date: October 16, 2003) The Privacy Rule regulates the use and/or disclosure of any individually identifiable health information maintained by health plans, health care clearinghouses, and health Care providers. (Compliance Date: April 14, 2003) The Security and Electronic Signature Standards (Security Rule) is aimed at ensuring the security and integrity of computer systems that store and transmit Protected Health Information (PHI). (Compliance date: April 20, 2005.) The material contained in this training packet should provide CDPH workforce members with a basic understanding of HIPAA rules and how they apply to CDPH. Questions regarding these materials, or other HIPAA queries should be posed to the CDPH HIPAA Compliance Officer a

3 II. HIPAA Definitions: Business associate - A person who: (a) On behalf of a health care component, but other than in the capacity of a member of the workforce of the component, performs, or assists in the performance of: (i) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or (ii) Any other function or activity regulated by HIPAA; or (b) Provides, other than in the capacity of a member of the workforce of the health care component, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the component where the provision of the service involves the disclosure of PHI from such component, or from another business associate of such component, to the person. CMS-Centers for Medicare and Medicaid programs Designated record set - A group of records maintained by or for a health care component that is: (a) The medical records and billing records about individuals maintained by or for a health care component; (b) (c) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or Used, in whole or in part, by or for the covered entity to make decisions about individuals. Disclosure - The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. Health care component - A component or combination of components of a hybrid designated by the hybrid entity in accordance with 45 CFR (c)(3)(iii). The health care components, as designated by the City of Chicago are as follows: Department on Aging (case management division), Department of Public Health (all programs except Epidemiology and Birth/Death Records), Department of Fire, Department of Revenue, and the Department of Law (Municipal Prosecutions, Commercial & Policy Litigation, Torts, Regulatory & Aviation Litigation and Individual Defense divisions). Health care operations - Any of the following activities of the health care component to the extent that the activities are related to covered functions: (a) Conducting quality assessment and improvement activities, including outcome evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any such studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and, related functions that do not include treatment; (b) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of 3

4 health care learn under supervision to practice or improve their skills as health care providers, and training of non-health care professionals, accreditation, certification, licensing, or credentialing activities; (c) (d) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance); Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; (f) (e) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and, Business management and general administrative activities of the entity. HHS - United States Department of Health and Human Services. Hybrid entity - A single legal entity: (a) That is a covered entity; (b) (c) Whose business activities include both covered and non-covered functions; and That designates health care components in accordance with 45 CFR (c)(3)(iii). Institutional Review Board (IRB) - A committee group comprised of City of Chicago personnel and community representatives with varying backgrounds and professional experience that review and approve the research protocols involving human subjects. Individually Identifiable Health Information - Information that is a subset of health information, including demographic information collected about an individual, and: (a) Is created or received by a health care provider, health plan, employer or health care clearinghouse; and, (b) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and, (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. Limited data set - A subset of protected health information that excludes the direct identifiers listed below. All the direct identifiers must be removed for the individual and relatives employers, or household members of the individual. (1) Names; (2) Postal address information, other than town or city, State, and zip code; (3) Telephone numbers; (4) Fax numbers; (5) Electronic mail addresses; (6) Social security number; (7) Medical record numbers; (8) Health plan beneficiary numbers; (9) Account numbers; (10) Certificate/license numbers; (11) Vehicle identifiers and serial numbers, including license plate numbers; 4

5 (12) Device identifiers and serial numbers; (13) Web Universal Resource Locators (URLs); (14) Internet Protocol (IP) address numbers; (15) Biometric identifiers, including finger and voice prints; and (16) Full face photographic images and any comparable images. Payment - The activities undertaken by (1) the health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (2) a health care component or health plan to obtain or provide reimbursement for the provision of health care. Personal representative - Any adult who has decision-making capacity and who is willing to act on behalf of a patient. A personal representative includes an individual who has authority, by law or by agreement from the individual receiving treatment, to act in the place of the individual. This includes parents, legal guardians or properly appointed agents, like those identified in a Durable Power of Attorney, or individuals designated by state law. Protected health information (PHI) - Individually identifiable health information that is (a) transmitted by electronic media; (b) maintained in any electronic medium; or (c) transmitted or maintained in any other form or medium. Protected health information excludes individually identifiable health information in employment records held by a covered entity in its role as employer. Qualified protective order - An order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that: (a) Prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which such information was requested; and (b) Requires the return to the covered entity or destruction of the PHI (including all copies made) at the end of the litigation. Records - Means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a health care component. TPO - Means treatment, payment or health care operations. Use - With respect to individually identifiable information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. 5

6 III. THE PRIVACY RULE: The increasing sophistication of information technology continues to make it easier to move patient information from one source to another. This, however, has raised serious concerns about how that information is used and /or disclosed. The Privacy Rule establishes a national standard for protecting an individual s medical records and other PHI. Moreover, the Privacy Rule is intended to give patients greater control over the use of their health information. Importantly, the Privacy Rule not only creates new patient rights with respect to PHI, it also establishes significant civil and criminal sanctions for the misuse or unauthorized disclosure of PHI. A. Protected Health Information: Protected Health Information (PHI) is individually identifiable health information Individually-Identifiable Health Information is any information that is received or created by the health provider that relates to the past, present or future physical or mental health condition of an individual, or the payment of health care services rendered to an individual, or the payment of health care services rendered to an individual, and reasonably identifies the individual. Simply put, any record or form with information that CDPH employees receive or generate, whether electronic, oral or written, that contains health information or information that might reasonably identify the individual constitutes PHI and is covered under the Privacy Rule. PHI excludes any information about employees that are held by the City in its role as an employer. For example, this would exclude individually identifiable information that is collected from an employee by the City about leave requested under the Family and Medical leave Act (FMLA). PHI covers a wide array of oral, written and electronic material. Some examples of PHI in the Chicago Department of Public Health include the following: Medical records Lab reports / requests Logs Billing Forms Referrals Consults The following, alone or in combination with each other, are examples of Patient Identifiers: Name Address Telephone number Fax number address Social Security Number Medical record number Internet Protocol (IP) address numbers Biometric identifiers, including finger and voice prints Full face photographic images Health plan beneficiary numbers Account number Certificate / license number Vehicle identifiers and serial numbers, including license plates numbers Device identifiers and serial numbers Web universal resource locators (URL s) B. Disclosure of PHI: Generally, CDPH may disclose PHI, without patient authorization, for treatment, payment or health care operations. 6

7 Examples: Treatment - No authorization is needed to refer a patient to a specialist or to discuss a patient s treatment with another health care provider. Payment - No authorization is needed to discuss PHI when obtaining payment information from a patient s health plan. Health Care Operations - No authorization is needed to disclose PHI to a CDPH employee who is conducting an audit of patient files. Other examples of permitted disclosures include if a patient requests in writing for a copy of his/her records for him/herself; if a CDPH patient authorizes CDPH to release his/her patient records to a third party, such as a family member, attorney, or other provider; or, if a legally valid subpoena is issued as determined by the CDPH attorney and the Law Department. If, as a member of the CDPH workforce, you are ever in doubt or unclear as whether to release PHI, err on the side of caution, and ask your supervisor or the CDPH HIPAA Compliance Officer for assistance. C. City of Chicago Notice of Privacy Practices: The Privacy Rule mandates that all patients shall be offered a written copy of the City s Notice of Privacy Practices. (See Addendum # 3) This notice describes to the patient how his/her medical information may be used and disclosed. In addition, the patient should sign a form acknowledging that a written copy of the Notice was offered. This completed form is to be placed in the patient s record and maintained for six years. (See Addendum # 4) The following summarizes the contents of the City of Chicago Notice of Privacy Practices.. Patients Rights Regarding Protected Health Information To request restrictions on uses and disclosures To receive confidential communication To access PHI To receive an accounting of disclosures To inspect or copy records To request an amendment of protected health information To receive the City of Chicago Notice of Privacy Practices To file complaints with the City of Chicago Privacy Officer and / or the Office of Civil Rights Other Uses and Disclosures Allowed Without Authorization Public health risks 7

8 Health oversight activities Lawsuits and similar proceedings Law enforcement Deceased patients Research Serious threats to health or safety Military National security Inmates Worker s compensation The Privacy Rule applies to all forms of patients PHI, whether electronic, written, or oral. In adhering to Privacy Rule, CDPH workforce members must always strive to protect the individual patient s health information by promoting appropriate access and use of PHI. 8

9 IV. Security Rule A. The primary objective of the HIPAA Security Rule is to protect the confidentiality, integrity, and availability of ephi (electronic protected health information). Confidentiality ensures that data or information is not made available or disclosed to unauthorized persons or processes. Integrity guarantees that data or information has not been altered or destroyed in an unauthorized manner. Availability provides that data or information is accessible and usable upon demand by an authorized person. The three standards for compliance under the HIPAA Security Rule address administrative, physical, and technical safeguards. Administrative Safeguards: Those actions, policies, an procedures that manage the selection, development, implementation, and maintenance of security measures to protect ephi and to manage the conduct of CDPH s workforce in relations to the protection of that information. Physical Safeguards: Security measures to protect CDPH s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Technical Safeguards: The technology and policy and procedures for its use that protect ephi ad control access to it. B. ephi Safeguards: The Administrative, Physical, and Technical safeguards are broad categories with specific implementation requirements under each one. The City of Chicago HIPAA Policies address each Security Rule requirement related to these safeguard. CDPH has implemented its own HIPAA Security Rule policies. The following topics are primary areas of concern for CDPH systems. i. Password Usage and Management: Each user must have and use a unique User Login ID and password that identifies him/her as the user of the information system. The User Login ID is only created upon a written request to CDPH OMIS. The user is responsible for managing their account, using his/her ID and maintaining his/her password Users may not allow anyone for any reason to have access to any information system using another user s unique User Login ID and password. When technically feasible, each information system will automatically require users to change passwords at a pre-determined interval as determined by the program in consultation with OMIS, based on the criticality and sensitivity of the ephi (electronic Protected Health Information) contained within the network, system, application, and/or database. When not technically feasible to automate required password changes, the program supervisor is responsible for implementing manual procedures, with assistance from OMIS as necessary, to ensure that passwords are changed on a regular basis ii. Virus protection: The City of Chicago will install on all workstations anti-virus software to prevent transmission of malicious software. This software will be regularly updated. Portable workstations, e.g., PDAs, laptops, etc., are also 9

10 subject to the same safeguards and protections as stationary (desktop) workstations. iii. Protected Health Information is not to be transmitted via . iv. Incident Response: In the event of an emergency where user workstations at various facilities are unable to access ephi, workstations locally connected to the servers that store ephi shall be provided. As an alternative, to the extent possible, ephi may be copied onto other media and maintained securely at other facilities. If copies are made, they should be digitally encrypted and secured so only authorized users can access the data contained on them. Finally, the City of Chicago has identified an incident response team to respond to critical system issues including, but not limited to, security issues. v. Hand Held Devices: Portable workstations, e.g., PDAs, laptops, etc., are subject to the same safeguards and protections as stationary workstations. Portable workstations shall be maintained in a safe and secure manner when transported. Personally owned computers may not be connected to the business network. Access to and/or the portal is acceptable only with prior OMIS approval. vi. Laptop Security: Only if the portable electronic device has documented, working antivirus software, will it be permitted to connect to the network. Laptops must have log-on or power-on passwords. Laptops that contain PHI, even briefly, should not be shared among programs users. Lost or stolen laptops must be reported to OMIS immediately. vii. Access Control Issues: The level of security assigned to a user of the City s and CDPH s information systems is based on the minimum necessary amount of data access required to carry out legitimate job responsibilities. Blanket access will not be provided for any user. Access categories are rolebased and defined by the importance of the applications running on the information system, the value or sensitivity of the ephi on the information system, security controls on the information system, security controls on the workstation utilized to access the information system, and the extent to which the information system is connected to other information systems. viii. Individual Accountability: The HIPAA Sanction Policy is included as part of the 'Violations and Enforcement of this Policy Section" of the City of Chicago's Information Management Policy located at df. IN addition, HIPAA rules allow for fines at the individual level for violations of the rules. ix. Desktop Security: The City of Chicago maintains an intranet page ( that contains security update information. In addition, the City sends out security reminders on a monthly basis to all users reminding them to make sure their workstations are adequately protected 10

11 V. A Word About Business Associate Agreements: All contracts, including but not limited to intergovernmental agreements, memoranda of understanding, and delegate agency agreements, with business associates related to PHI and/or ephi (electronic Protected Health Information) must include language and requirements regarding adherence to HIPAA standards and rule by the contractor. The CDPH HIPAA Officer will provide current City of Chicago HIPAA Business Associates Agreement language upon request. CDPH programs are responsible for informing the CDPH HIPAA Compliance Officer of any violations of HIPAA by contractors, including delegate agencies and subcontractors. The HIPAA Compliance Officer will work with programs, as appropriate, to ensure that contractors in question have access to HIPAA information. If violations of HIPAA are continuous or frequent, or contractors are resistant to becoming HIPAA compliant, the matter will be brought to the attention of the City of Chicago HIPAA Officers, for inquiry and recommendation. 11