Understanding HIPAA Regulations and How They Impact Your Organization
Presented by: HealthInfoNet & Systems Engineering
April 25th, 2013

Introductions
- Todd Rogow, Director of IT, HealthInfoNet
- Adam Victor, Director of Operations, Systems Engineering
What is HealthInfoNet?
HealthInfoNet operates Maine's statewide health information exchange (HIE), a secure, standardized electronic system where providers can share important patient health information.
The use of this system:
- Saves time and reduces paperwork
- Facilitates more informed treatment decision-making
- Leads to improved care coordination, higher quality of care, and better health outcomes
Clinical Exchange Highlights
- Hospitals connected: 34
- Hospitals under contract: all 38 within Maine
- Practices connected: ~400
- Others connected: 2 long-term care, 3 home health agencies and 15 behavioral health organizations
- Individual lives with records in the HIE: 1,175,749
- Patients who have opted out: 1%
- HIE user accounts: 7,284
- User logins: 1,781 patient lookups and 463 unique users per week
- Patient crossover: 64%
HIPAA Trivia
- What does HIPAA stand for?
  Health Insurance Portability and Accountability Act
- When did HIPAA start?
  1996
- What is the maximum penalty for a single HIPAA violation?
  $1.5 million per violation category per calendar year
Agenda
- HIPAA Review
- Compliance Requirements
- Omnibus Rule
- Recommendations/Best Practices
- Q/A
HIPAA Review
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its regulations (the "Privacy Rule", Dec. 2000, and the "Security Rule", Feb. 2003) protect the privacy of an individual's health information and govern the way certain health care providers and benefits plans collect, maintain, use and disclose protected health information ("PHI").
What is the Privacy Rule?
- Establishes national standards to protect individuals' medical records and other personal health information.
- Requires safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
- Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
What is the Security Rule?
- Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
- Establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.
Personal Health Information (PHI)
PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) relating to the:
- Past, present, or future physical or mental condition of an individual
- Provision of health care to an individual
- Past, present or future payment for the provision of health care to an individual
PHI: Eighteen Identifiers
- Name
- Address: street address, city, county, zip code (more than 3 digits) or other geographic codes
- Dates directly related to the patient
- Telephone number
- Fax number
- E-mail addresses
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle identifier
- Any device identifier
- Web URL
- Internet Protocol (IP) address
- Finger or voice prints
- Photographic images
- Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)
PHI Continued
ePHI: data in an electronic format that contains any of the 18 identifiers. This may include but is not limited to the following:
- Data stored on the network, internet, or intranet
- Data stored on a personal computer or personal digital assistant (e.g. a smartphone)
- Data stored on a USB drive, DVD, or other external media
- Data stored on your HOME computer
- Data utilized for research
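Added example (not part of the original presentation): a small Python de-identification routine built around the eighteen identifier categories listed above and the ePHI definition on this slide. It drops the direct-identifier fields, cuts the zip code to its first three digits and the date of birth to the year (both assumptions about a local de-identification policy, as are the field names), and scrubs identifier patterns that leak into free-text notes; the sample record is constructed, not real patient data.

```python
import re

# Constructed sample record (not real patient data) with several of the slide's identifier categories.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "12 Elm St, Portland, Cumberland County",
    "zip": "04101",
    "dob": "1950-06-14",
    "ssn": "123-45-6789",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt seen 2013-04-02, call 207-555-0142 re: labs; ssn 123-45-6789",
}

# Structured fields that are direct identifiers: dropped outright.
DIRECT_IDENTIFIER_FIELDS = {"name", "street", "phone", "email", "ssn", "mrn", "ip"}

# Identifiers that leak into free text; SSN runs before the looser phone pattern.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP", re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
    ("MRN", re.compile(r"\bMRN-\d+\b")),
]

def scrub_text(text):
    """Replace identifier-like substrings with [CATEGORY] tags.
    Returns (scrubbed_text, categories_found)."""
    found = []
    for label, pattern in FREE_TEXT_PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            found.append(label)
    return text, found

def deidentify(record):
    """Copy of record without identifier fields; zip cut to 3 digits and DOB to
    the year (assumptions about local policy), free-text fields scrubbed."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = value[:3]
        elif field == "dob":
            out["birth_year"] = int(value[:4])
        else:
            out[field], _ = scrub_text(str(value))
    return out
```

Pattern matching of this kind catches common leaks into notes but cannot prove a record is free of the eighteenth category (any other unique code), so treat it as a check, not a certification.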
Recommendations for Compliance
- Keep all files containing PHI protected
- Place computer screens so they are not readily visible to people passing by
- Use of home computers is not a good idea
- Ensure your vendors are in compliance with HIPAA regulations
- Eliminate all names and other identifiers when doing presentations that include PHI
- Don't share subject names and other identifiers in conversations with colleagues outside of your department or lab
- Don't send PHI by e-mail if at all possible. When necessary, be sure it is encrypted!
Who Is Systems Engineering?
- Maine's largest IT services provider, with over 100 employees serving hundreds of businesses throughout northern New England, including numerous Maine health organizations.
- A provider of technical security that provides HIPAA-compliance services and documentation
General HIPAA Security Rules
- Ensure confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit
- Identify and protect against reasonably anticipated threats or hazards to the security or integrity of ePHI
- Protect against reasonably anticipated uses or disclosures of ePHI
- Ensure compliance by your workforce
Risk Analysis/Management
CEs must conduct a risk analysis as part of their security management processes. It includes, but is not limited to:
- Evaluation of likelihood and impact of potential risks to ePHI
- Implementation of appropriate security measures to address identified risks
- Documentation of security measures
- Maintenance of continuous, reasonable, and appropriate security protections
Administrative Safeguards
- Security Management Process
  - Based on the risk analysis
  - Assigned official responsibility for developing/implementing security policies and procedures
- Information Access Management
  - Appropriate process for role-based access to ePHI
- Workforce Training and Management
  - Training isn't optional
  - Sanctions must exist for policy violations
- Evaluation
  - Periodic assessment of how procedures comply with HIPAA
Physical Safeguards
- Facility Access and Control
  - Limit physical access to necessary individuals
- Workstation and Device Security
  - Policies and procedures to specify proper use of and access to workstations and electronic media
  - Policies and procedures regarding the transfer, removal, disposal, and reuse of electronic media
Technical Safeguards
- Access Control: reiterating, only authorized personnel have access to ePHI
- Audit Controls: CEs must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in systems that contain or use ePHI
- Integrity Controls: policies and procedures, along with electronic measures, to ensure that ePHI is not improperly altered or destroyed
- Transmission Security: CEs must implement technical security measures that guard against unauthorized access to electronically transmitted ePHI
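Added example (not code from the presenters): a Python sketch of the audit-control and integrity-control points above combined with a role-based access check. Every attempt to view an ePHI record, allowed or denied, is written to an HMAC-chained log, so an edited, reordered or deleted entry is detected on verification; the role table, key and record numbers are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed role policy (assumption): which roles may view ePHI at all.
ROLE_MAY_VIEW_EPHI = {"physician": True, "nurse": True, "billing": False}

class EphiAuditLog:
    """Append-only access log whose entries are chained with an HMAC, so an
    edited, reordered or deleted entry is detected by verify()."""
    def __init__(self, key):
        self._key = key        # kept away from the people whose access is logged
        self.entries = []

    def record(self, user, role, mrn, action, allowed):
        prev = bytes.fromhex(self.entries[-1]["tag"]) if self.entries else b"\0" * 32
        entry = {"seq": len(self.entries), "user": user, "role": role,
                 "mrn": mrn, "action": action, "allowed": allowed}
        body = json.dumps(entry, sort_keys=True).encode()
        # Tag covers the previous tag and this entry, which links the chain.
        entry["tag"] = hmac.new(self._key, prev + body, hashlib.sha256).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Index of the first entry whose chain tag fails, or -1 if intact."""
        prev = b"\0" * 32
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "tag"}
            body = json.dumps(fields, sort_keys=True).encode()
            expected = hmac.new(self._key, prev + body, hashlib.sha256).hexdigest()
            if entry["seq"] != i or not hmac.compare_digest(entry["tag"], expected):
                return i
            prev = bytes.fromhex(entry["tag"])
        return -1

def access_ephi(log, user, role, mrn):
    """Role-based access decision; every attempt, allowed or denied, is logged."""
    allowed = ROLE_MAY_VIEW_EPHI.get(role, False)
    log.record(user, role, mrn, "view", allowed)
    return allowed
```

Denied attempts are logged as well as allowed ones, because repeated denials are the activity an audit review is meant to surface.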
[Figure: 9/22/2009 to 07/04/2012, source: Compliance and Safety LLC]
The Omnibus Rule
A volume containing several novels or other items previously published separately.
HIPAA Omnibus Final Rule
Final modifications to the HIPAA Privacy, Security, and Enforcement Rules:
- Make Business Associates of Covered Entities directly liable for compliance with certain aspects of the HIPAA Privacy and Security Rules' requirements.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
HIPAA Omnibus Final Rule
- Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Increased and tiered civil money penalty structure provided by the HITECH Act
- Course reversal: guilty until proven innocent for data breaches
- Prohibits most health plans from using or disclosing genetic information for underwriting purposes
The Omnibus Rule
Office for Civil Rights (OCR) Director Leon Rodriguez: "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections."
When Does It Take Effect?
- The Omnibus Rules are effective as of March 26, 2013
  Effective date: date on which a rule or regulation becomes law
- All CEs and BAs need to be in full compliance by September 23, 2013
  Compliance date: date by which all affected entities must comply
Business Associates
Old rule:
- The HIPAA Rules define "business associate" to mean a person who performs functions or activities on behalf of, or certain services for, a CE that involve the use or disclosure of PHI.
New rule:
- The definition of business associate was modified to include a person who creates, receives, maintains, or transmits PHI on behalf of a CE.
- Extends to subcontractors
Patient Empowerment
Old rule: Individuals could request that a CE restrict uses or disclosures of their PHI, but CEs were not required to agree to such restrictions. If the CE did agree, however, then it was required to abide by the restriction.
New rule: Individuals can request a restriction on disclosure of PHI to a health plan, and the CE must agree if the restriction applies to PHI that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full (unless such disclosure is otherwise required by law).
Breach Notification
- Previously, CEs and BAs were required to perform a risk assessment to determine if there was a significant risk of harm to the individual as a result of the impermissible use or disclosure.
- Now, an impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.
- Unless the PHI was unreadable or undecipherable
Enforcement
- Largest HIPAA fine: $4.3M against Cignet Health in MD in February 2011 ($3M was for willful neglect)
- HIPAA jail time: in April 2010 Dr. Huping Zhou of UCLA Health System was sentenced to 4 months in prison
- Smallest provider enforcement: in April 2012, a practice owned by 2 physicians paid $100,000 to settle HIPAA violations
Enforcement

Violation                        Penalty per violation   Max per calendar year
Did Not Know                     $100 - $50,000          $1,500,000
Reasonable Cause                 $1,000 - $50,000        $1,500,000
Willful Neglect (Corrected)      $10,000 - $50,000       $1,500,000
Willful Neglect (Not Corrected)  $50,000                 $1,500,000

- A CE or BA may be liable for multiple violations of multiple requirements, and a violation of each requirement may be counted separately.
- A CE or BA may be subject to multiple violations, each with its own cap of up to $1.5 million, which would result in a total penalty above $1.5 million.
Suggested Next Steps
- Update Notice of Privacy Practices
- Review and identify all Business Associates and update Business Associate Agreements
- Update breach notification policies and procedures
- Develop new policies (patient-requested PHI restrictions, breach notification, etc.) and train employees on them
- Review and update authorization and other forms as necessary
Recommendations
- All EHRs will need to be encrypted at rest to be certified in 2014
- Encrypt your office computers using free software such as TrueCrypt: www.truecrypt.org
- Evaluate your technology posture, and seek assistance where necessary
Helpful Resources
- For more information on privacy/security, go to the provider section at www.healthit.gov
- HealthInfoNet's website:
  - Sample Risk Assessment
  - Sample Policy and Procedures Templates
  - Privacy and Security Guide
- Omnibus press release: http://www.hhs.gov/news/press/2013pres/01/20130117b.html
- Omnibus Final Rule: http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf
- BAA sample language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Helpful Webinar
HIT "Ask the Experts" Roundtable Webinar Series
HIPAA Rules Have Changed: Are You Ready?
HIPAA covered entities and business associates have until September 23, 2013, to become compliant with changes to the Privacy and Security Rules.
Join us on Thursday, May 9 at 12 noon to learn about the modifications to the HIPAA law, including:
- What are the key changes under the Omnibus Rule?
- Who do the changes affect?
- What action is required?
- What's at stake?
- What are the mechanisms for minimizing the risk of HIPAA liability?
About our speaker: Kathleen Healy, a Partner with the law firm Verrill Dana
Questions?

Contact Information
Todd Rogow, Director of IT, HealthInfoNet
trogow@hinfonet.org
HealthInfoNet website: www.hinfonet.org

Adam Victor, Director of Operations, Systems Engineering, Inc.
avictor@syseng.com
Systems Engineering website: www.syseng.com