How To Understand The Health Insurance Portability And Accountability Act (Hipaa)

Transcription

1 Common HIPAA Risks & The New HITECH Final Rule Eric W. Humes 1

2 What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to protect the privacy of patient information. 2

3 PHI vs. ephi } Two considerations to keep in mind: } HIPAA Privacy Rule General guidelines relative to Protected Health Information (PHI) } HIPAA Security Rule Specifically regarding electronic PHI (ephi) 3

4 Li6le Known Fact #1 } PHI must be protected in ANY form! } Many people think that HIPAA only applies to PHI in electronic form. While it is true that the Security Rule applies only to electronic PHI, this is covered within the Privacy Rule, which covers PHI in *ALL* forms. } Examples of other forms } Hard copy information } Charts, insurance forms, lab results, etc } Electronic Forms } s, Blogs, Tweets, EPM/EMR Software, Check-in Kiosks, unprotected monitors, etc } Spoken Word 4

5 CE s & BA s Must Comply } Covered Entities: (CE s) } Health Plans } Healthcare Clearinghouses } Any healthcare provider } Business Associates: (BA s) } Anyone who provides legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; or financial services to a Covered Entity. à Must sign a HIPAA Business Associates Agreement ( BA Agreement) 5

6 Li6le Known Fact #2 } Business Associates (BAs) of Covered Entities (CEs) must comply with the terms of HIPAA as outlined within their BA agreement. } Many IT consulting firms do not realize their actions are governed by HIPAA just the same as the practices. } We ALL share in the responsibility of protecting our patient s health information! 6

7 HIPAA ViolaOons } 2 Types of HIPAA Violations } Unintentional } Intentional à Read LHE article on Technology and Common HIPAA Risks hipaa_risk_0112.html 7

8 Examples of UnintenOonal ViolaOons } Improper disposal of old computers and backup tapes } Inadequate physical protecoon of computers or network containing ephi } Leaving detailed PHI in a voic message } Sending unencrypted ephi in an } Blogging/Facebooking/TweeOng about a paoent situaoon even if anonymously doing so } Careless handling of user names and passwords } Inadequate network firewall } Exposing EMR systems to malicious code (malware) when connecong to the Internet } Failure to maintain Business Associate Agreements with vendors } Allowing paoents or visitors to be near una6ended and unlocked computers 8

9 Examples of IntenOonal ViolaOons } Accessing or using ephi without having a legiomate need to do so } Allowing another employee to uolize any systems via your password } Disclosure of PHI to an unauthorized individual } Sale of PHI to any source } Accessing ephi on a website or cloud- based EMR that is not secured* } ConnecOng unapproved devices to the network } Failure to encrypt ephi before transporong (physically or electronically) } Misuse of confidenoal paoent informaoon for personal use } Deliberately compromising EMR security measures * See slide on Cloud CompuOng 9

10 Other ConsideraOons } How does today s technology change the way WE should think about HIPAA? } Social Networking } Cloud Computing } Mobility } What about our patients? } Patient communication } Patient portals } Clinical workflows } HIPAA risks associated with this } Walk the path of the patient 10

11 Social Networking } Social Networking } Facebook } LinkedIn } Twitter } Blogs } Excellent ways to share information, but remember: } Never post anonymously about a patient } Remember the elevator code of conduct when online 11

12 PaOent IdenOfiers } The 18 Health Information Identifiers: 1. Names 2. Geographic locaoon 3. Dates 4. Telephone numbers 5. Fax numbers 6. Electronic mail addresses 7. Social security numbers 8. Medical record numbers 9. Health plan beneficiary numbers 10. Account numbers 11. CerOficate/license numbers 12. Vehicle idenofiers 13. Device idenofiers 14. Web Universal Resource Locator (URL) 15. Internet protocol (IP) address number 16. Biometric idenofiers (including finger or voice prints) 17. Full face photographic images and any comparable images 18. Any other unique idenofying number, characterisoc, or code 12

13 Cloud CompuOng } Current Forecast: cloudy with a good chance of encryption! } New regulations provide answers to common questions about 3 rd party cloud (storage & hosting), and communications providers. } Question: Are cloud-based service providers considered BA s? YES! } Online backup services } Web-based EPM/EMR Hosting Companies } Internet Service Providers Any subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

14 Mobility } Mobile Technology } Smart Phones } ipads } Tablets } Laptops } Mobile devices are easily lost, stolen, or compromised } Password protect all devices } Enable Remote Wipe services } Encrypt any ephi on mobile devices } Or better yet, DO NOT store ephi on mobile devices. 14

15 PaOent CommunicaOon } Patient Portals } Real-time access to patient records on-line } Growing in popularity since Meaningful Use } The specific Meaningful Use measures that a paoent portal can help to meet are: } } } } Timely electronic access to changes in health informa2on Electronic copies of their health record Clinical summaries a8er each office visit Pa2ent- specific educa2on resources } Bottom line: Must Be Secure! } } Never ephi unless data is encrypted and password protected. } Discuss this with your IT Provider! 15

16 Clinical Workflow } HIPAA Risks associated with clinical workflow: } Patient left alone in a room with an unlocked computer } } Ctl+Alt+Del then Enter to lock a windows computer Some EMR s have a hot key or button that will automatically lock computer } ephi left exposed on a monitor screen } } Common in Check-in/Check-out areas and nurse stations Cover all public area monitors with Privacy Filters which only allow a limited viewing angle à Walk the path of the patient. What can they see, hear, read, access...? 16

17 HIPAA/HITECH Final Rule

18 HIPAA/HITECH Final Rule - Timeline Announced January 25 th, 2013 EffecOve March 26 th, 2013 Compliance by September 23 rd, 2013

19 HIPAA/HITECH Final Rule Highlights } Business associates of covered enooes now directly liable for compliance. } Business associates may now be liable for up to $1.5 million for noncompliance of privacy regulaoon based on the level of negligence. } Strengthens limitaoons on the use of PHI for markeong purposes. } Prohibits the sale of PHI without individual authorizaoon.

20 HIPAA/HITECH Final Rule Highlights Covered EnOOes must } Assign a designated InformaOon Security Officer } Establish a change control commi6ee and change control process } Conduct an annual informaoon security assessment

21 HIPAA/HITECH Final Rule Highlights } PaOents will now have the ability to request electronic medical records in electronic form. } Companies that transmit and/or store PHI regardless of whether they actually view it are now considered business associates. } Cloud- based backup companies } Cloud- based EMR vendors } Internet Service Providers (AT&T, Charter, Windstream, etc.)

22 HIPAA/HITECH Final Rule Highlights } The new rules require the business associate to ensure that any subcontractors it may engage on a Covered EnOty s behalf that will have access to protected health informaoon agree to the same restricoons and condioons that apply to the business associate with respect to such informaoon. Your IT consul2ng firm / contractor will need BAAs with its subcontractors and vendors.

23 QuesOons soll remain } Should paoents receive a % of penaloes collected for violaoons? } Why should paoents have to wait up to 60 days to receive their ephi if requested?

24 Final Thoughts } Simply put, HIPAA restricts the sharing of PHI. Need to know basis } PHI should be shared with as few individuals as needed to ensure paoent care. } The release of the final rule was a major step forward in creaong the comprehensive framework of privacy and security protecoons in the digital health data ecosystem, but there is more work to be done. 24

25 QuesOons?