HIPAA Compliance Review


1 HIPAA Compliance Review
For HR and IT
Presented by: Linda Railton, PHR, HR Consultant, Leavitt Group

Discussion Points
- HIPAA Final Rule (effective March 26, 2013)
- Overview of HIPAA obligations
- Overview of HIPAA Privacy and Security Rules
- Breach Notification Requirements
- Penalties for non-compliance

2 HIPAA Legislative History
- 1996: Health Insurance Portability and Accountability Act enacted
- 2003: Group health plans with premium receipts in excess of $5M subject to the Privacy Rules
- 2004: Group health plans with premium receipts under $5M subject to the Privacy Rules
- 2005: Large group health plans subject to the Security Rules
- 2006: Small group health plans subject to the Security Rules
- 2009: HITECH Act added individual privacy rights and breach notification requirements, and increased penalties for violations
- 2013: Final Rule published implementing the HITECH Act privacy and security changes (released January 25, 2013); effective March 26, 2013, with compliance required by September 23, 2013

3 HIPAA Final Rule
- Expanded the types of entities subject to the HIPAA Privacy Rules (business associates, subcontractors of business associates, patient safety organizations, and health information exchange organizations)
- Expanded the definition of business associate to include any entity or individual that creates, receives, maintains, or transmits PHI or ePHI on behalf of a group health plan
- ePHI includes:
  - Electronically created or transmitted PHI
  - PHI maintained on a server or storage device such as a computer hard drive, disk, CD, etc. ("at rest")
  - PHI in transit via the internet, dial-up lines, etc. (e.g., email, faxes, file transfer protocols [FTP], electronic data interchange [EDI], cell phones or iPads)

HIPAA Final Rule (cont.)
The expanded definition of business associate includes service providers that did not previously meet business associate status, such as:
- Benefits consultants
- Attorneys
- CPAs
- Document storage companies and document shredding companies that maintain PHI for a group health plan
- Couriers of PHI such as UPS
- Financial institutions that provide loans to the health care industry

4 HIPAA Final Rule
- Changed the definition of a breach: the analysis no longer focuses on harm to the individual
- Increased the penalty amounts and included civil penalties
- Incorporated the provisions of GINA: health plans cannot use or disclose genetic information for determining eligibility, coverage, or payments under the plan

HIPAA Final Rule: Actions Required
Employer required actions for Final Rule compliance:
- Review and revise HIPAA policies and procedures to comply with the Final Rule
- Review and revise policies and procedures relating to breaches of PHI and ePHI (including breach notification policies and procedures)
- Review and revise the Notice of Privacy Practices and distribute the revised notices
- Review and revise Business Associate (BA) agreement templates to comply with the Final Rule; use them for all new BA relationships
- Amend current BA agreements and implement the revised agreements no later than September 23, 2014
- Update HIPAA authorization forms, if applicable
- Train the workforce on the changes in the Final Rule

5 Health Insurance Portability and Accountability Act (HIPAA)
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

Title I, Health Care Portability
- Protects health insurance coverage for workers and their families when they change jobs
- Limits the restrictions group health plans can place on benefits for preexisting conditions
  - Group plans can refuse to cover preexisting conditions for 12 months after enrollment
  - Group plans must cover preexisting conditions if the employee had creditable coverage prior to enrolling in the plan
- Allows special enrollment periods
- Requires crediting prior coverage
- Allows a break in coverage of up to 63 days

6 What is HIPAA?
Title II, Privacy and Security Rules
- Protects the health information of group health plan participants (employees, COBRA participants and family members)
- Requires national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers
- Also addresses the security and privacy of health information and sets civil and criminal penalties for violations
- Sets limits on the use and release of health records

What is a Covered Entity?

7 HIPAA Covered Entities
- Health care providers who transmit any health information electronically
  - A health care provider is any person or organization that furnishes, bills, or is paid for health care in the normal course of business (i.e., medical providers)
- Insurance companies, HMOs and their business associates
- Health plans and their business associates
  - A health plan is any individual or group plan (or combination) that provides or pays for the cost of medical care (e.g., health insurance issuers, HMOs, employer group health plans, Medicare, Medicaid) and is a separate legal entity from the employer/plan sponsor
  - Employer self-insured health plans

HIPAA Business Associate
- A business associate is any person or business that performs a function or activity on behalf of, or provides services to, a covered entity that involves individually identifiable health information or disclosure of PHI (e.g., brokers, claims administrators, consultants, attorneys)
- Is not a workforce member of the employer/plan sponsor
- Should have a written contract or agreement that the business associate will appropriately safeguard PHI and will comply with Privacy Rule requirements
- Factors to consider in determining whether a business associate relationship exists:
  - The time, place and purpose of the entity's conduct
  - Whether the entity is engaged in a course of conduct subject to the control of the group health plan (includes a business in a subcontractor relationship)
  - Whether the entity's conduct is commonly done by a business associate to accomplish the service performed on behalf of the group health plan
  - Whether or not the group health plan (or business associate) reasonably expected that a business associate would engage in the conduct (or provide the service)

8 HIPAA Covered Entities (cont.)
- Health care clearinghouses: translate data content or format for another entity from non-standard to standard or vice versa
- Prescription drug card sponsors
- Affiliated covered entity: shares information in a way that would otherwise be impermissible (the sharing becomes a "use", not a "disclosure"); includes research organizations
  - Research organizations use PHI located in databases or repositories. This includes medical treatment of research participants, such as in clinical trials.

HIPAA Privacy Rules

9 HIPAA Privacy Rules
- Apply to employer-sponsored health plans, health care clearinghouses and medical service providers that transmit, maintain and store health care data
- Define Protected Health Information (PHI): any information which concerns an individual's health status, medical conditions, provision of health care or payment for health care, including:
  - Name
  - Age
  - Gender
  - Information related to the physical or mental health or condition of the individual
  - Information related to health care services provided to the individual
  - Payment for health care
  - Any information that identifies the individual (e.g., SSN)

HIPAA Privacy Rule: PHI includes
Records created or received by an employer in its capacity as the administrator of a HIPAA-covered plan, such as:
- Fully insured or self-insured group health plans
- Dental or vision plans that can be linked to an individual
- HMOs
- High deductible health plans
- Records stored electronically (ePHI)
- Also long-term care plans (not long-term disability), pharmacy benefits, health care reimbursement flexible spending accounts (health FSAs) and employee assistance programs (EAPs)

10 HIPAA Covered Transactions
- Health care claims information
- Health care payment and remittance advice
- Coordination of benefits documentation
- Health care claim status reports/documents with names, SSN, diagnosis, etc.
- Health plan enrollment or disenrollment information and documents, including maintenance of those documents
- Eligibility for a health plan determination information
- Health plan premium payments
- Referral certification and authorization information
- Any files containing records related to medical, dental, vision or mental health

HIPAA Covered Transactions (cont.)
Workplace examples of PHI:
- Payroll deduction records related to insurance premium payments
- Employee inquiries related to health care benefit eligibility for themselves or a family member
- Health care eligibility responses from the health care provider or employer
- Faxes, emails, notes or documents related to medical, dental, vision plan or EAP claims, or appeals of denied claims
- Large claim information if it identifies individuals
- Health plan census information
- HIPAA authorizations
- Full-face photos
- Biometric identifiers such as finger or voice prints

11 HIPAA Privacy Rules
Covered entities must:
- Maintain written privacy policies and procedures
- Implement security policies and procedures regarding PHI in compliance with the Privacy Rules
- Implement a contingency plan (e.g., emergency closures, backup of ePHI, etc.)
- Track and document disclosures of PHI
- Appoint a Privacy Officer responsible for privacy policies and procedures
- Appoint a contact person responsible for receiving complaints
- Train employees about procedures for protecting PHI: train the entire workforce, appropriate to their job functions
Note: Must include a complaint process for individuals to make complaints, and it should be in written format

HIPAA Privacy Rules: Privacy practices include
- Limiting the use or disclosure of PHI to only those with a need to know
- Limiting permissible disclosures or requests for disclosure to the minimum necessary: do not include too much information, only what is required for the purpose of the disclosure

12 HIPAA Privacy Rules: Notice of Privacy Practices
- Applies to health plans
- Must be sent at least once every 3 years
- May be sent via mail or included in open enrollment materials or in a group health plan newsletter provided to all members
- Must include a statement that the health plan prohibits using or disclosing PHI that is genetic information of an individual
- Must include the group health plan's privacy practices and the individual's rights with respect to their PHI, as well as uses and disclosures, including those requiring authorization from the individual, such as:
  - Disclosures of psychotherapy notes
  - Disclosures of PHI for marketing purposes
  - Disclosures that constitute a sale of PHI

HIPAA Privacy Rules: PHI does not include
- Medical records the employer creates or receives related to sick leave requests, reports related to Workers' Compensation claims, leave of absence medical certifications, disability plans (STD/LTD) and life insurance
- Health information that has been de-identified (does not identify the individual)
Unauthorized access, use, disclosure or acquisition in these situations would not trigger a mandatory notice obligation under HIPAA
Note: CA privacy laws protect this information from disclosure
Note: Summary Health Information (SHI) that summarizes type of claims, claim history and claim expenses, and that is disclosed for the purpose of obtaining premium bids from prospective carriers or to modify, amend or terminate a carrier contract, is not covered under the Privacy Rules but may be covered under the Security Rules

13 HIPAA Security Rules
The HIPAA Security Rules require three types of security safeguards for ePHI:
- Administrative
- Physical
- Technical

14 HIPAA Security Rules: Administrative Safeguards
- Covered entities must adopt written privacy procedures and designate a privacy officer to be responsible for implementing the policies and procedures
- The policies and procedures must clearly identify the employees (or classes of employees) who will have access to PHI
- Access must be restricted to only those who have a need to know

Administrative Safeguards (cont.)
- The procedures must outline steps to control access authorization, modification and termination of access (e.g., computer passwords for electronic records, locked files for paper records)
- Training programs on protecting PHI must be given to all employees performing health plan administrative functions
- All third-party administrators must comply with all HIPAA rules; contracts with these vendors should include HIPAA clauses

15 HIPAA Security Rules: Administrative Safeguards (cont.)
- A contingency plan should be in place for responding to emergencies: back up electronic data and have disaster recovery procedures in place
- Internal audits should be conducted periodically to identify potential security violations
- Procedures should include instructions for addressing and responding to security breaches

Administrative Safeguards (cont.)
- When using email to transmit PHI, the security standards for access control, integrity and transmission security must be met
- Policies and procedures must be in place:
  - To restrict access
  - To protect the information contained in the email (e.g., use of encryption)
  - To guard against unauthorized access
- Implementation of physical safeguards for electronic information systems housed on the premises or at another location

16 HIPAA Security Rules: Physical Safeguards
- The employer must control physical access to guard against inappropriate access to PHI
- The controls must include a policy and procedure for removal of hardware and software from the network; this is especially important when computer equipment is retired or disposed of

Physical Safeguards (cont.)
- Access to equipment containing health information should be carefully controlled and monitored
- Access to hardware and software must be limited to properly authorized individuals
- Access controls should include facility security plans, maintenance records, visitor sign-in and escorts
- Workstations (and monitors) with PHI should not be in high-traffic areas or in direct view of the public

17 HIPAA Security Rules: Technical Safeguards
- Requires protection of communications containing PHI transmitted electronically (e.g., via email) over open networks from being intercepted by anyone other than the intended recipient
- Encryption must be used if the systems/networks are not closed networks
- Requires protection of PHI stored on computers and workstations
- Procedures must be in place so that the employer can confirm that PHI data has been changed or erased only by an authorized individual

How to Encrypt Files (Microsoft Office)
1. Click the Microsoft Office button in the top-left corner of the page
2. Click Prepare
3. Click Encrypt Document
4. A dialog box opens
5. Type in the password in the dialog box
6. Type it again
7. Don't forget it!

18 How to Encrypt Files (Microsoft Office, cont.)
1. Click File in the top-left corner of the page
2. Next to Info, click Protect Workbook
3. Click Encrypt with Password
4. A dialog box opens
5. Type in the password in the dialog box
6. Type it again
7. Don't forget it!
Give the recipient the password through a separate channel (for example, by telephone), never in the same email as the attachment.

HIPAA Security Rules
- Do not transmit ePHI that is not encrypted over the internet
- Do not include ePHI in the body of an email unless:
  - You send the email securely (the receiving party has a secure website for receipt of messages), or
  - You have password-protected the PHI documents attached to the email
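The two email rules on this slide can be enforced mechanically at the mail gateway rather than left to each sender's memory. The following is an added example, not part of the original presentation: in Python, it scans an outbound message for the PHI identifiers the deck names (SSN, date of birth, claim or diagnosis markers) and checks whether an attached Office document was actually encrypted, judged by the file's own bytes rather than its name. The recipient domains, role of the "secure portal" domain, sample messages and attachment byte strings are constructed for this example, and the regular expressions are illustrative, not a complete DLP rule set.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Identifiers the deck lists as PHI (SSN, DOB) plus claim/diagnosis markers.
# Constructed, deliberately narrow patterns; a real rule set would also cover
# member IDs, ICD codes, names, and so on.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\b\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE)
DIAG_RE = re.compile(r"\b(?:diagnosis|ICD-?10|claim\s*(?:#|no\.?)?\s*\d+)", re.IGNORECASE)

# File signatures. An unencrypted .docx/.xlsx/.pptx is a ZIP archive and starts
# with the local-file-header magic "PK\x03\x04". After Office's "Encrypt with
# Password" the same document is rewritten as an OLE2 compound file (the
# encrypted ZIP sits in its EncryptedPackage stream), which starts with
# D0 CF 11 E0 A1 B1 1A E1. Legacy .doc/.xls are OLE2 whether encrypted or not,
# so only OOXML file names are judged here.
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx")


@dataclass
class Attachment:
    name: str
    data: bytes


@dataclass
class Message:
    recipient: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)


def body_findings(body: str) -> List[str]:
    """Return labels for the PHI identifiers found in free text."""
    found = []
    if SSN_RE.search(body):
        found.append("SSN")
    if DOB_RE.search(body):
        found.append("DOB")
    if DIAG_RE.search(body):
        found.append("diagnosis/claim")
    return found


def ooxml_state(att: Attachment) -> str:
    """Classify an attachment: 'encrypted', 'unencrypted', 'unknown', or 'n/a'."""
    if not att.name.lower().endswith(OOXML_EXT):
        return "n/a"
    if att.data.startswith(OLE2_MAGIC):
        return "encrypted"
    if att.data.startswith(ZIP_MAGIC):
        return "unencrypted"
    return "unknown"


def check_message(msg: Message, secure_domains=frozenset()) -> Tuple[bool, List[str]]:
    """Apply the slide's two rules; return (allowed, reasons).

    secure_domains: recipient domains reached through a secure channel (e.g. a
    TPA's secure message portal); ePHI in the body is tolerated only there.
    """
    reasons = []
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    hits = body_findings(msg.body)
    if hits and domain not in secure_domains:
        reasons.append("body contains PHI (%s) and %s is not a secure-delivery domain"
                       % (", ".join(hits), domain))
    for att in msg.attachments:
        state = ooxml_state(att)
        if state == "unencrypted":
            reasons.append("attachment %s is an unencrypted Office document" % att.name)
        elif state == "unknown":
            reasons.append("attachment %s has an unrecognised header; review manually" % att.name)
    return (not reasons, reasons)


# Constructed sample traffic (no real PHI, no real domains).
SECURE = frozenset({"portal.tpa.example"})
PLAIN_XLSX = ZIP_MAGIC + b"\x14\x00\x06\x00\x08\x00"   # opening bytes of an ordinary workbook
ENCRYPTED_XLSX = OLE2_MAGIC + b"\x00" * 8              # opening bytes after Encrypt with Password

SAMPLES = {
    "body_to_external": Message("broker@hr.example.com",
        "Appeal for claim #4471: member SSN 123-45-6789, see attached."),
    "body_to_portal": Message("claims@portal.tpa.example",
        "Appeal for claim #4471: member SSN 123-45-6789, see attached."),
    "plain_attachment": Message("broker@hr.example.com",
        "Census for renewal, no identifiers in this note.",
        [Attachment("census.xlsx", PLAIN_XLSX)]),
    "encrypted_attachment": Message("broker@hr.example.com",
        "Census for renewal; password sent by phone.",
        [Attachment("census.xlsx", ENCRYPTED_XLSX)]),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; maps sample name -> allowed."""
    return {name: check_message(m, SECURE)[0] for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        ok, why = check_message(msg, SECURE)
        print(name, "ALLOW" if ok else "BLOCK", "; ".join(why))
```

The attachment check looks at the bytes on purpose: a workbook that was never encrypted still starts with PK no matter what it is called. What the check cannot tell is how strong the password is, or whether the password travelled in the same message as the file, so it complements the out-of-band password practice rather than replacing it.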

19 HIPAA Security Rules: Technical Safeguards (cont.)
- When electronic communications occur between entities, the receiving entity must be authenticated (confirmed to be who it claims to be) using a password system, two- or three-way handshakes, telephone callback or token systems
- The IT department should keep written records of all configuration settings for all networks and workstations used to transmit or store PHI

HIPAA Security Breaches
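The integrity requirement on slide 17 (being able to confirm that ePHI was changed or erased only by an authorized individual) and the periodic internal audits on slide 15 both need a record that the administrators themselves cannot quietly rewrite. The following added example, not part of the presentation, shows one way to build that in Python: an append-only audit log in which every entry carries an HMAC over its contents and the previous entry's MAC, combined with a need-to-know authorization check so that denied change attempts are recorded as well. The roles, record identifiers, timestamps and key are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Set

# Who may do what to plan ePHI. Constructed roles for this example; in practice
# these come from the plan's written access-authorization procedure.
AUTHORIZED: Dict[str, Set[str]] = {
    "benefits.admin": {"read", "update", "delete"},
    "payroll.clerk": {"read"},            # need-to-know: premium deductions only
}
CHANGE_ACTIONS = {"update", "delete"}
GENESIS = "0" * 64


class EphiAuditLog:
    """Append-only, HMAC-chained record of access to ePHI records.

    Each entry includes the MAC of the previous entry, so deleting, reordering
    or editing any entry breaks verification. The key must be held by someone
    other than the administrators whose actions are logged (e.g. the security
    officer or a separate log host); otherwise the log only proves what its own
    writers chose to leave in it.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []
        self._last = GENESIS

    def _mac(self, entry: dict) -> str:
        payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, user: str, action: str, record_id: str, ts: Optional[str] = None) -> bool:
        """Log an attempted action and return whether it is authorized.

        Denied attempts are logged too: a periodic audit needs to see who tried
        to change ePHI without a need to know, not only who succeeded.
        """
        allowed = action in AUTHORIZED.get(user, set())
        entry = {
            "seq": len(self.entries),
            "ts": ts or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "user": user,
            "action": action,
            "record": record_id,
            "allowed": allowed,
            "prev": self._last,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        self._last = entry["mac"]
        return allowed

    def verify(self) -> Optional[int]:
        """Return the index of the first tampered, missing or reordered entry, or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if e.get("prev") != prev or not hmac.compare_digest(self._mac(body), e.get("mac", "")):
                return i
            prev = e["mac"]
        return None

    def unauthorized_changes(self) -> List[dict]:
        """Entries where someone without authorization tried to change or erase ePHI."""
        return [e for e in self.entries
                if e["action"] in CHANGE_ACTIONS and not e["allowed"]]

    def all_changes_authorized(self) -> bool:
        """The check slide 17 asks for: the log is intact and every change came from an authorized user."""
        return self.verify() is None and not self.unauthorized_changes()


def demo() -> dict:
    """Constructed scenario: one legitimate update, one denied delete, then tampering."""
    log = EphiAuditLog(b"constructed-demo-key-held-by-security-officer")
    ok1 = log.record("benefits.admin", "update", "member-1042", "2013-09-23T09:00:00Z")
    ok2 = log.record("payroll.clerk", "delete", "member-1042", "2013-09-23T09:05:00Z")
    clean = log.all_changes_authorized()          # False: the denied delete is on record
    intact_before = log.verify()                  # None: chain is consistent
    # An insider rewrites history to pin the denied delete on someone else.
    log.entries[1]["user"] = "benefits.admin"
    tampered_at = log.verify()                    # 1: MAC of entry 1 no longer matches
    return {"update_allowed": ok1, "delete_allowed": ok2, "all_changes_authorized": clean,
            "intact_before": intact_before, "tampered_at": tampered_at}


if __name__ == "__main__":
    print(demo())
```

The log answers two separate audit questions: verify() says whether the record itself can be trusted, and unauthorized_changes() says whether anyone outside the authorized roles attempted to alter ePHI. Keeping the key away from the people being audited is what turns the first answer from a formality into evidence.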

20 HIPAA Security Breach
Definition of breach (new Final Rule regulations):
- Breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised (or one of the exceptions applies)
- Three exceptions:
  - Unintentional acquisition, access or use of PHI by an employee or business associate, made in good faith, that did not result in further use or disclosure in an unpermitted manner
  - Inadvertent disclosure of PHI by a covered entity or business associate, if the covered entity or business associate has a good faith belief that the unauthorized individual who received the PHI would not have been able to retain the information
  - Inadvertent disclosure from a person who is authorized to access PHI to another person at the same entity

HIPAA Security Breach: Risk assessment
The risk assessment of a breach must consider:
- The nature of the PHI
- The unauthorized person who received the disclosure
- Whether the PHI was actually acquired or viewed, and
- The extent to which the risk has been mitigated (corrected)

21 Security Breach Notification
- Notice must occur without unreasonable delay, but no later than 60 calendar days after the breach is discovered; affected individuals are notified via first class mail to the last known address
- Applies to both the employer and any business associate such as a third party administrator
- Employers should have business associate agreements in place with all third party administrators requiring them to notify the employer as soon as possible of a breach, because the 60-day clock starts on the day the breach is discovered
Note: Email notification is acceptable if the affected individual has agreed to receive notices electronically.

Security Breach Notification: Notification to affected individuals must include
- A brief description of what happened
- The date the breach was discovered
- The date the breach occurred (if known)
- Identification of what type of PHI was compromised (SSN, diagnosis, DOB, etc.)
- Information on how individuals may protect themselves against possible harm resulting from the breach

22 Security Breach Notification (cont.)
Notification to affected individuals must also include:
- A brief description of the investigation
- All efforts taken to mitigate any harm
- Steps taken to prevent further breaches
- Contact information for the person affected individuals should contact to ask questions or obtain additional information

Security Breach Notification: Substitute notice
- If the employer cannot identify, or has insufficient information (e.g., unknown home address) to provide notice to, ten or more affected individuals, the employer must provide a substitute notice on its web page or post a notice in the media
  - Must include a toll-free number to call and the name of an individual to contact
- If fewer than 10 individuals are affected, the substitute notice may be written, by telephone or by other means

23 Security Breach Notification (cont.)
- Breaches involving fewer than 500 individuals must be recorded by the employer and submitted annually to HHS no later than 60 days after the end of the calendar year in which the breaches occurred. Maintain a log.
- Breaches involving more than 500 individuals will be investigated by HHS and require notification using prominent media outlets serving the State or jurisdiction, in addition to the individual notifications. The information will also be listed on the HHS web site.
Note: California Senate Bill 24 (SB 24), effective January 1, 2012, applies to notices sent to California residents. If the employer is required to notify more than 500 CA residents about a single security breach, the employer must also submit a sample copy of the notice to the California Office of the Attorney General (submission can be done electronically).

24 HIPAA Violations and Penalties
HIPAA Violations
- Any person or organization may file a complaint with the HHS Office for Civil Rights (OCR) by mail or through its website within 180 days after the complainant knew of the violation
- An HHS/OCR informal review of the circumstances may resolve the issue without a formal investigation
- If not, an HHS/OCR investigation will be initiated
Note: If the preliminary review indicates a possible violation due to willful neglect, HHS must initiate an investigation (new requirement in the Final Rule)

25 Penalties for Noncompliance (Final Rule)

Violation Category              Each Violation                 Annual Maximum
Did not know *                  $100 - $50,000/violation       $1.5 million
Reasonable Cause *              $1,000 - $50,000/violation     $1.5 million
Willful Neglect, Corrected      $10,000 - $50,000/violation    $1.5 million
Willful Neglect, Not Corrected  $50,000/violation              $1.5 million
Business Associates             Same as for covered entities   Same as for covered entities

HIPAA Documentation
Documentation (written or electronic) must be kept for six (6) years. Includes:
- Policies and procedures
- Training provided; Privacy Official; contact person
- Complaints to the covered entity and their disposition, if any
- Notice of Privacy Practices, acknowledgements, and good faith efforts to obtain acknowledgements
- Authorizations
- Business associate contracts
- Designated records that are subject to access by the individual, access contact persons, requests, and responses
- Certification of group health plan document amendments

26 HIPAA Documentation (cont.)
Includes (continued):
- Amendment contact persons, requests, denials, disagreements and rebuttals
- Information required to be in an accounting, the accounting contact person, requests and accountings provided to the individual
- Restriction request agreements
- IRB/Privacy Board waivers (applicable to research organizations)
- HCC designations
- Affiliated covered entity designations

HIPAA Questions?
- U.S. Department of Health and Human Services (HHS), toll free
- National Institute of Standards and Technology (NIST)

27 Genetic Information Nondiscrimination Act (GINA)
- GINA makes it illegal to discriminate against employees or applicants because of genetic information, including diseases of employees and their family members
- Genetic information is defined as any information about an individual's genetic tests and the genetic tests of an individual's family members, as well as any information about an individual's family medical history

28 GINA
- GINA prohibits the disclosure of genetic information about applicants or employees
- Disclosure of genetic information/PHI must be limited to only those who have a need to know
- Recommended: disclosure should be limited to:
  - The highest ranking official in the company
  - The highest ranking financial person in the company
  - Human Resources
  - Immediate supervisors/managers, only if a bona fide safety issue exists
- Genetic information must be kept in a separate medical file (may be the same file where LOA medical certifications are stored)

GINA: Workplace examples of genetic information include
- Drug and alcohol testing
- Employer-sponsored wellness programs where family medical history is obtained
- Leave of absence requests and medical certifications

29 GINA
Add safe harbor language to your medical certification requests:

"The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of an individual or family member of the individual, except as specifically allowed by this law. To comply with this law, we are asking that you not provide any genetic information when responding to this request for medical information. 'Genetic information,' as defined by GINA, includes an individual's family medical history, the results of an individual's or family member's genetic tests, the fact that an individual or an individual's family member sought or received genetic services, and genetic information of a fetus carried by an individual or an individual's family member or an embryo lawfully held by an individual or family member receiving assistive reproductive services."

GINA Questions?
- EEOC


More information

The MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations

The MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations The MC Academy The Employee Benefits and Executive Compensation Series HIPAA PRIVACY AND SECURITY The New Final Regulations June 18, 2013 Overview Background Recent Changes to HIPAA Identifying Business

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

HIPAA. HIPAA and Group Health Plans

HIPAA. HIPAA and Group Health Plans HIPAA HIPAA and Group Health Plans CareFirst BlueCross BlueShield is the business name of CareFirst of Maryland, Inc. and is an independent licensee of the Blue Cross and Blue Shield Association. Registered

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 City of Pittsburgh Operating Policies Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 PURPOSE: To establish internal policies and procedures to ensure compliance

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760 Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach

More information

Professional Employer Organizations Obligations Under HIPAA A Summary

Professional Employer Organizations Obligations Under HIPAA A Summary NAPEO Legal InsightsTM Volume 2, Number 6 November 2009 Professional Employer Organizations Obligations Under HIPAA A Summary Dale R. Vlasek, Esq. Attorney McDonald Hopkins LLC Cleveland, Ohio A PEO is

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared; Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

HIPAA PRIVACY AND SECURITY STANDARDS CITY COMPLIANCE

HIPAA PRIVACY AND SECURITY STANDARDS CITY COMPLIANCE Important: Conducting an assessment of your health plan(s) is the first step to determining HIPAA compliance. You will need to conduct a separate assessment for each of your health plans. (Please be aware

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

HIPAA Privacy Summary for Fully-insured Employer Groups

HIPAA Privacy Summary for Fully-insured Employer Groups HIPAA Privacy Summary for Fully-insured Employer Groups I. Overview The Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulate the uses and disclosures

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP

An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP Important Disclaimer: Practice limited to labor and employment law on behalf of management and related litigation.

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL What is HIPAA? Comprehensive federal legislation regarding health insurance which is comprised of four key areas:

More information

Entities Covered by the HIPAA Privacy Rule

Entities Covered by the HIPAA Privacy Rule Entities Covered by the HIPAA Privacy Rule Who Is A Covered Entity? HIPAA standards apply only to: Health care providers who transmit any health information electronically in connection with certain transactions

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH

More information

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI

More information

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) HUMAN RESOURCES Index No. VI-35 PROCEDURES MEMORANDUMS TO: FROM: SUBJECT: MCC Personnel Office of the President Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq. The HITECH Act: Implications to HIPAA Covered Entities and Business Associates Linn F. Freedman, Esq. Introduction and Overview On February 17, 2009, President Obama signed P.L. 111-05, the American Recovery

More information

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

Patient Privacy and HIPAA/HITECH

Patient Privacy and HIPAA/HITECH Patient Privacy and HIPAA/HITECH What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Implemented in 2003 Title II Administrative Simplification It s a federal law HIPAA is mandatory,

More information

TABLE OF CONTENTS. University of Northern Colorado

TABLE OF CONTENTS. University of Northern Colorado TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...

More information

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other

More information

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees HIPAA TRAINING A training course for Shiawassee County Community Mental Health Authority Employees WHAT IS HIPAA? HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act.

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

2005 MSEK White Papers are a publication of Meyer, Suozzi, English & Klein, P.C. and should not be construed as legal advice on any specific facts or

2005 MSEK White Papers are a publication of Meyer, Suozzi, English & Klein, P.C. and should not be construed as legal advice on any specific facts or 2005 MSEK White Papers are a publication of Meyer, Suozzi, English & Klein, P.C. and should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits State of Nevada for the Requirements for PEBP Health Benefits Plan Year 2016 July 1, 2015 June 30, 2016 www.pebp.state.nv.us (775) 684-7000 Or (800) 326-5496 Amendments Amendment Log Any amendments, changes

More information

HIPAA In The Workplace. What Every Employee Should Know and Remember

HIPAA In The Workplace. What Every Employee Should Know and Remember HIPAA In The Workplace What Every Employee Should Know and Remember What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 Portable Accountable Rules for Privacy Rules for Security

More information

HIPAA Privacy Summary for Self-insured Employer Groups

HIPAA Privacy Summary for Self-insured Employer Groups I. Overview HIPAA Privacy Summary for Self-insured Employer Groups The Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulate the uses and disclosures of

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Joseph Suchocki HIPAA Compliance 2015

Joseph Suchocki HIPAA Compliance 2015 Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW

More information

Guide to HIPAA for Covered Entities Free & Charitable Clinic HIPAA Toolbox May 2014

Guide to HIPAA for Covered Entities Free & Charitable Clinic HIPAA Toolbox May 2014 Guide to HIPAA for Covered Entities Free & Charitable Clinic HIPAA Toolbox May 2014 Following is a HIPPA Guide prepared by Ropes & Gray, a law firm focusing on healthcare, on behalf of AmeriCares and the

More information

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose Fallout from the Omnibus Rule Compliance strategies for medical practices 1. Know / manage your business associates and

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

Executive Memorandum No. 27

Executive Memorandum No. 27 OFFICE OF THE PRESIDENT HIPAA Compliance Policy (effective April 14, 2003) Purpose It is the purpose of this Executive Memorandum to set forth the Board of Regents and the University Administration s Policy

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association DISCLAIMER This general information fact sheet is made available

More information