California Orthopaedic Association Annual Meeting April 18, 2013 Don St. Jacques SVP, Business Development/Client Services

Transcription

1 Tips for Keeping Electronic Medical Records Secure s/Communications with Claims Adjusters/Electronic Claims and Update for Electronically Submitting Workers Compensation Claims California Orthopaedic Association Annual Meeting April 18, 2013 Don St. Jacques SVP, Business Development/Client Services

2 Jopari Solutions, Inc. A technology leader in establishing end to end connectivity for the Workers Compensation industry, including ebilling, epayment, and Portal solutions Actively involved in standards and regulatory development on a State and Federal level Supporting advocacy programs such as today, to assist the medical community with education and planning to engage in ebilling Well-established partnerships with many of the leading Practice and Revenue Cycle Management Systems and Clearinghouses, Portal Systems, as well as most of the major WC payers and Bill Review platforms

3 Agenda topics Summary Overview HIPAA Security and Privacy Top 2012 Security Breaches HITECH Penalties & Fines Key HIPAA PHI Access and Transmission Requirements HIPAA Compliance Tips for Secure s/ Medical Records Communications with Claims Adjusters/Electronic Claims Update for Electronically Submitting Workers Compensation Claims Questions

4 What are the Major HIPAA Compliance Areas? Privacy Requirements Notices, Authorizations and Consents Accounting of Disclosures Business Associates Breach Notification Security Requirements Physical, Technical and Administrative Safeguards Business Associates Risk Assessment and Compliance Programming Business Associate Changes Breach Notification Other Requirements

5

6 HIPAA in the News Feds Go to Court to Collect First-Ever Fine for HIPAA Violations Featured in Health Business Daily, Aug. 18, 2011, and in Government News of the Week, In February, the Office for Civil Rights imposed a $4.3 million fine on a Maryland medical group that had refused to honor 41 patients requests for their medical records Text Message Use Among Providers Raise HIPAA Concerns Written by Joyce McLaughlin, JD, Senior Counsel, Davis & Wilkerson,August 11, 2011, As the possibilities for electronic communication continue to expand with great speed, use of the technology by hospital employees and physicians without adequate security can expose your facility to HIPAA violations. The increasing use of cell phones and texting Medical Billing Firm Says Personal Information Leaked to Theft Ring December 3, 2012 Advanced Data Processing said that an employee improperly accessed individual account data in the company's ambulance billing system and leaked the information to a theft ring. The worker has admitted to the crime and has been fired 9 Patients' Identities Stolen in Emory Read Healthcare Data Breach Written by Sabrina more: Rodak October 25, les/2012/12/3/medical-billing-firm- Nine patients says-personal-information-leaked-to- theft-ring.aspx#ixzz2lmpz9bx2 of Emory Healthcare's orthopedic clinic in Tucker, Ga., have had fraudulent tax returns filed in their name, according to a Channel 2 report. The nine patients were among 32 Emory orthopedic clinic patients whose hospital bills were stolen in April

7 Source: urenow.com/index.p hp/blog/

8 Location of Breach September December % 16% 16% 1% 2% 25% Computer Electronic Medical Record Laptop Network Server Other Other Portable Devices Paper 7% 8 10%

9 Top 2012 Data Breaches Source: health-data-breach-report-breakdown/

10 HITECH s New Fines and Civil Penalties Significant increase to the penalties for noncompliance of HIPAA s Privacy and Security Rules as well as HITECH provisions. New penalties are effective for violations that occur after February 17, There is no overall cap on civil monetary penalties under HITECH. 10

11 HITECH New Civil Penalties Under HIPAA, criminal penalties are defined as wrongful disclosure of individually identifiable health information. The definition was enhanced to state that an individual may be subject to criminal penalties if a person knowingly obtains and discloses PHI in violation of HIPAA and/or the HITECH privacy and security provisions. Penalties are the following: Tier Fine Imprisonment Knowing Misuse Up to $50,000 Up to 1 year Knowing Misuse under false pretenses Knowing Misuse with intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious intent Up to $100,000 Up to $250,000 Up to 5 years Up to 10 years

12 ECH Fines for Breaches Tiers Tier A Did not know Per Violation Minimum Per Violation Maximum Max per Calendar Year per Violation $100 $50,000 $1,500,000 Tier B Reasonable Cause Tier C Willful Neglect Corrected Tier D Willful Neglect Not Corrected $1,000 $50,000 $1,500,000 $10,000 $50,000 $1,500,000 $50,000 $1,500,000 $1,500,000

13 Social Networking The Need to Control is Now

14

15 What s the Focus of the Security Rule There are 4 distinct parts to the Security Rule: 1. Administrative Safeguards are administrative actions, including the establishment of policies and procedures, to manage the activities needed to establish security measures that protect ephi. 2. Physical Safeguards are physical measures and policies and procedures, including policies and procedures, to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. 3. Technical Safeguards are the technology, including policies and procedures for its use, that protect ephi and control access to it. 4. Organizational Safeguards are arrangements made between organizations to protect ephi, including Business Associate Agreements.

16 Access Control 45 C.F.R (a)(1) Standard: Access Control. (i)access Control -Section (a)(1) -Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec (a)(4). : Implementation Specifications : (iv)encryption and Decryption. (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

17 Transmission Security 45 C.F.R (e)(1)Standard: Transmission Security. (i)transmission Security -Section (e)(1) -Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. Implementation Specifications: (ii)encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

18 HHS & OCR Compliance Guidelines Two methodologies to secure PHI by making it unusable, unreadable or indecipherable to unauthorized persons: - Encryption -Destruction May be used to secure data in four commonly recognized data states: - data in motion -data at rest - data in use - data disposed

19 Encryption Guidance Based on NIST and FIPS For data at rest NIST Special Publication , Guide to Storage Encryption Technologies for End User Devices. For data in motion Federal Information Processing Standards NIST Website Reference:

20 HIPAA Compliant Checklist Do you ever Patients? Y /N Do you ever patients PHI ( protected health information )? Y/N Do your patients sign a consent form before you send them ?

21 HIPAA Checklist You need a patient's written consent before sending them . A good consent form will (1) explain the risks of communicating via , (2) explain how and why the provider will use , (3) explain what a patient should do to safeguard his or her computer, and (4) get the patient's signature by way of approval The AMA, OCR and other resources provider " consent form" templates that you can customize for your practice. It also can't hurt to have your lawyer review the form before you start using it. Also, be sure that you have a documented procedure to follow to add/remove patients from your system when they give you (or revoke) consent.

22 HIPAA Checklist Do you other healthcare providers about treatments, diagnoses, test results, or other PHI? Y/N Do you have a written policy that tells employees what they are allowed to send via ? Y/N

23 HIPAA Checklist You need to have a policy about appropriate staff use of . Your policy should define which addresses and devices should be used to send PHI, what information should never be sent via (e.g., mental health and substance abuse info), and who they are allowed to (patients, other providers, etc.).

24 HIPAA Checklist Do you have a privacy message that is appended to the bottom of every outgoing ? Y/N You need to have a privacy statement that is automatically appended to the end of every outgoing . Your statement reminds recipients that is inherently insecure, states that the is privileged and confidential, and tells the recipient who to contact if they are not the right person. Speak with your / IT provider - they should be able to set this up for you

25 HIPAA Checklist How do you send and receive s that contain sensitive info like diagnoses, treatments, and tests? From within our Electronic Health Records (EHR) system Using Microsoft Outlook Using another program installed on my computer (e.g., Thunderbird, Windows Mail ) Using my iphone, ipad, Android device, etc. By logging on to an online service like Gmail, Yahoo Mail, Hotmail, etc. By using a dedicated secure service Other:

26 HIPAA Checklist Does your system automatically scan outgoing s for PHI and then send them securely? If you're using to send and receive PHI, you need to consider adding a Data Loss Prevention (DLP) system. Data Loss Prevention systems automatically scan your outbound for things like social security numbers, member ID numbers, and medical information. When it finds these, it either alerts the sender or sends the message via secure . We strongly recommend that you train your staff aggressively on the proper use of secure . Without the second-check of a DLP system in place, you're taking it on faith that everyone is sending PHI via secure .

27 HIPAA References HIPAA Academy HHS Health Information Privacy: Breach Notification Final Rule Update. update.html Federal Register August 24, CFR Parts 160 and 164 Breach Notification for Unsecured Protected Health Information; Interim Final Rule HHS Health Information Privacy: Breach Notification Rule ml HHS HIPAA Enforcement AHIMA E-Alert October 20 - OIG releases HIPAA compliance Target areas

28 Status Update Workers Compensation ebilling California DWC regulations required Employers to be able to accept medical bills and attachments electronically as of October 18, 2012 Payer participation has been relatively high, albeit smaller payers or employers handling their own WC claims may still not be ready Overall provider traffic has been steadily increasing

29 WC Industry Medical EDI Perception Electronic Data Interchange d i g i t a l Health Care Provider Insurance Carrier Used with permission from the Texas DWC s 2008 ebill Stakeholder Meeting 29

30 Medical EDI Connectivity - Reality Provider /PMS/Billing Services Payers ebill Agents Clearinghouses Used with permission from the Texas DWC s 2008 ebill Stakeholder Meeting 30

31 ebill / eremit / EFT compliance activities All lines Legislation EFT Pending Activity No Activity Confidential and Proprietary Mitchell International, Inc.

32 Regulatory/Jurisdictional Adoption Jurisdictions Adopted IAIABC Guidelines Workers compensation e- bill legislation Workers compensation e- bill activity/discussions- Jurisdiction EDI Health Care Discussion-* Illinois X X-Effective Date 6/30/2012 Louisiana X X-Effective Date 7/1/2013 North Carolina X X Oregon X X X X California X X-Effective Date 10/18/2012 Texas X- Revised 2011 X Effective Date 1/1/2008 Minnesota X Effective Date 7/1/2009 Georgia X X Effective Date 7/1/2011 New Mexico X X Effective Date 1/1/14 X South Carolina X New Mexico X X Effective Date 1/1/14 X Tennessee X Florida X New Jersey X- P&C-auto Connecticut X X New Hampshire X X Utah X X Colorado X X Delaware X X Kentucky X Maine X Nebraska X-HIE effort to include WC X Additional States that are engaged in HIE activity are looking at initiatives to include WC- will follow up with information. * The list is based on state survey information from the IAIABC, AMA as well as from State HealthCare Information Exchanges that have presented at WEDI.

33

34 Resources and Contacts American Medical Association (AMA) Workers Compensation ebill Toolkit Jopari Solutions: or Don St. Jacques, SVP-Business Development & Client Services Jennifer Nereu, Manager, Provider and Remittance Management Products

35 Questions

36 Thank you!