HIPAA 101
March 18, 2015 Webinar
Agenda
- Acronyms to Know
- HIPAA Basics
  - What is HIPAA and to whom does it apply?
  - What is protected by HIPAA?
  - Privacy Rule
  - Security Rule
- HITECH Basics
- Breaches and Responses
  - What is a breach?
  - How should I respond to a breach?
- Enforcement
- Anthem Data Breach
Acronyms
- HIPAA: Health Insurance Portability and Accountability Act
- HITECH: Health Information Technology for Economic and Clinical Health Act
- BA: Business Associate
- CE: Covered Entity
- PHI: Protected Health Information
- ePHI: Electronic PHI
- HHS: U.S. Department of Health and Human Services
- OCR: Office for Civil Rights
HIPAA: Who is covered?
- Enacted in 1996 and administered by the Department of Health and Human Services (HHS)
- Applies to covered entities:
  - Healthcare Providers
  - Healthcare Clearinghouses
  - Health Plans
    - Health Plan: an employee welfare benefit plan that provides medical care to employees or dependents
    - Includes governmental health plans
    - Does not include: disability plans, life insurance, or workers' compensation plans
    - Self-Funded Employers = Health Plans
- And to business associates of covered entities:
  - Performs services for or assists covered entities with functions that involve the use or disclosure of PHI
    - Billing, claims processing, data analysis, benefit management, etc.
  - Provides legal, actuarial, accounting, consulting, management, financial or other advice for a covered entity where PHI is involved
HIPAA: Business Associates
- Covered entities may disclose PHI to business associates if they obtain satisfactory assurances that the PHI will be appropriately safeguarded
- BA Agreement must be in writing and contain "magic language":
  - Describe permitted and required uses of PHI by the BA
  - Forbid the BA from further disclosing PHI absent permission or legal requirement
  - Require the BA to use appropriate safeguards to protect PHI
- BA Agreement may also shift the burden of providing breach notices
- Sample provided on HHS website
HIPAA: What does it do?
- 2 main components of HIPAA: Privacy and Security
- Regulates the disclosure, sharing and storage of PHI, which is information relating to:
  - An individual's past, present or future physical or mental health or condition;
  - The provision of health care to the individual; or
  - The past, present or future payment for the provision of health care.
- PHI either identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.
PHI: What is it?
- Names
- Addresses
- Zip codes
- Dates (except year): DOB, admission date, discharge date, treatment date
- Telephone #s
- Fax #s
- Email addresses
- SSNs
- IP addresses
- Fingerprints
- Full face photos
- Medical record #s
- Health plan beneficiary #s
- Account #s
- Certificate / license #s
- Vehicle IDs (plates, VINs)
- Device identifiers / serial #s
PHI: What isn't?
- Employment records
  - In what capacity did you receive the record?
  - When a doctor's note or return-to-work certification is submitted to the employer, the information becomes part of the employment record and, as such, is no longer protected health information.
  - Distinguish between the role as employer and the role as plan administrator (if self-funded)
- Certain education records covered by the Family Educational Rights and Privacy Act
  - College student's medical records
HIPAA: Privacy Rule
- Purpose: define and limit the circumstances in which PHI may be used or disclosed
- All uses or disclosures must either: 1) comport with the privacy rule or 2) be authorized by the individual in writing
- Privacy rule required disclosures:
  - To the individual upon request
  - To HHS as part of an investigation or enforcement action
HIPAA: Privacy Rule
- Permitted uses and disclosures (no authorization needed):
  - To the individual
  - For purposes of Treatment, Payment or health care Operations
    - T: provision of care, including consultation between providers
    - P: obtaining premiums, determining coverage, providing benefits, reimbursement
    - O: quality assessment, peer reviews, legal / accounting services, insurance underwriting, business planning, business management
  - Individual given the opportunity to agree or object (informal permission)
    - Facility directories, notification to families, picking up a spouse's prescriptions, etc.
  - Incidental use (sign-in sheets, doctor/patient convos in waiting rooms)
  - Public Interest (reporting abuse, controlling diseases, court proceedings, criminal investigations, research, decedents)
  - Limited Data Set (direct identifiers removed for research or health care operation purposes)
HIPAA: Privacy Rule
- Minimum Necessary Rule: a component of the privacy rule
  - Must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed
  - Must develop and implement policies to reasonably limit uses and disclosures to the minimum necessary
  - "Do I need this information to do my job?"
- Exceptions:
  - Disclosure to a health care provider for treatment
  - Disclosure to an individual of his or her own PHI
  - Use or disclosure pursuant to an authorization
  - Disclosure to HHS for investigation, review or enforcement
  - Disclosure required by law
HIPAA: Security Rule
- Purpose: create a standard protocol for transmitting and storing ePHI
- Ensure Confidentiality, Integrity and Security of ePHI
- ePHI: data stored in electronic form: computers, laptops, phones, Blackberries, CD/DVD, thumb drives, networks, clouds, etc.
- 5 categories of safeguards in the regs: Administrative, Physical, Technical, Organizational, Documentation
  - CE: must comply with all safeguards.
  - BA: must comply with Administrative, Technical and Physical
- Key to compliance with the Security Rule: document processes and procedures
HIPAA: Security Rule
- Some key administrative, organizational and documentation requirements to consider:
  - Risk Analysis: conduct an assessment of potential risks.
  - Risk Management: implement security measures to reduce risks.
  - Sanctions Policy: set penalties for employees who fail to comply.
  - Security Officer: identify a person responsible for implementing policies and ensuring the security of ePHI.
  - System Review: regularly review records of system activity and access.
  - Response and Reporting: develop procedures for responding to suspected or known security incidents.
  - Data Backup: establish and implement backup copies of ePHI.
  - Disaster Recovery: establish procedures to restore lost data.
  - Emergency Mode: establish procedures for ensuring security during an emergency.
  - Business Associate Agreements: create and use a compliant BAA.
HIPAA Amendment: HITECH
- Enacted in 2009.
- Expanded HIPAA to cover business associates
- Heightened Enforcement
  - HHS investigates complaints
  - Increased penalties: up to $1.5 million per year
- Expanded definition of breach
- Revised breach notification procedures
Data Breaches: What are they?
- Before HITECH: a significant risk of financial or reputational harm was required.
- Now, a breach is the acquisition, access, use or disclosure of PHI in an impermissible manner which compromises the security or privacy of the PHI.
- Presume a breach unless there is a low probability that PHI has been compromised, based on:
  - Nature of the PHI and likelihood of re-identification
  - Unauthorized person who accessed the PHI
  - Whether the PHI was actually acquired or viewed
  - Extent to which the risk to the PHI has been mitigated
Data Breaches: Exceptions
- 3 exceptions to the definition of "breach":
  - Unintentional, good-faith access of PHI by an employee of the same entity
  - Inadvertent disclosure of PHI to an authorized person at the same entity or BA
  - Good-faith belief that the unauthorized person would not be able to retain the information
- The burden of proving an exception falls on the person claiming it, so construe it narrowly.
Data Breaches: Encryption
- If ePHI is unusable, unreadable and indecipherable to unauthorized individuals, then no notification is required.
  - Encryption must be consistent with National Institute of Standards and Technology (NIST) guidance
  - Encryption keys must be kept on a separate device from the data
- Destroying data: redaction is not enough!
  - Clear, purge or destroy consistent with NIST guidelines for sanitizing media.
Data Breaches: Notification
- If the risk analysis reveals a breach occurred, the covered entity must notify affected persons within 60 days after discovering it.
  - If the BA discovered it = the CE is deemed to have discovered it the same day
- Notification must include:
  - A brief description of what occurred, including the date of the breach and the date of discovery
  - A description of the type of PHI involved
  - Steps affected individuals should take to protect themselves
  - What the covered entity is doing to mitigate the harm
  - Contact information for the covered entity
- If the BA has a breach = the BA must notify the CE; the CE is ultimately responsible
  - BUT: CEs may delegate the responsibility of providing notices to BAs
Data Breaches: Notification
- If fewer than 500 individuals affected:
  - Notify individuals
  - Record the breach on the annual breach log (report to HHS by March of the following year)
- If more than 500 individuals affected:
  - Notify individuals
  - Notify HHS immediately
  - Notify media
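As an added example (not material from the webinar), the breach-decision and notification rules from the last five slides encoded as a triage function: the encryption safe harbor, the three exceptions, the four-factor low-probability assessment, the 60-day clock from discovery with a BA's discovery date imputed to the CE, and the 500-individual threshold. The field names, the SAMPLES incidents and the choice to put exactly 500 individuals in the large-breach branch are assumptions.

```python
# Breach-notification triage: safe harbor, exceptions, four-factor assessment,
# 60-day individual-notice clock (BA discovery imputed to CE), 500-person threshold.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Four-factor assessment; True means the factor supports a low probability of compromise.
FOUR_FACTORS = ("phi_nature_low_reid_risk", "recipient_unlikely_to_misuse",
                "phi_not_viewed_or_acquired", "risk_mitigated")

@dataclass
class Incident:
    discovered_by_ba: Optional[date]
    discovered_by_ce: Optional[date]
    individuals: int
    encrypted_per_nist: bool        # encryption consistent with NIST guidance
    keys_on_separate_device: bool
    exception_proven: bool          # one of the three exceptions, with documented proof
    factors: Dict[str, bool]        # four-factor assessment results

def discovery_date(inc: Incident) -> date:
    """The CE is deemed to discover on the same day its BA discovers."""
    return min(d for d in (inc.discovered_by_ba, inc.discovered_by_ce) if d)

def is_reportable_breach(inc: Incident) -> bool:
    if inc.encrypted_per_nist and inc.keys_on_separate_device:
        return False                # safe harbor: ePHI unusable to unauthorized persons
    if inc.exception_proven:
        return False
    # Presume a breach unless every factor supports a low probability of compromise.
    return not all(inc.factors.get(f, False) for f in FOUR_FACTORS)

def notification_plan(inc: Incident) -> dict:
    if not is_reportable_breach(inc):
        return {"breach": False, "actions": ["document the risk assessment or exception"]}
    found = discovery_date(inc)
    plan = {"breach": True, "individual_notice_by": found + timedelta(days=60),
            "actions": ["notify affected individuals"]}
    if inc.individuals >= 500:      # assumption: exactly 500 takes the large-breach branch
        plan["actions"] += ["notify HHS immediately", "notify media"]
    else:
        plan["actions"].append(f"log breach; report to HHS by March {found.year + 1}")
    return plan

SAMPLES = {  # constructed sample incidents, not real cases
    "lost_unencrypted_laptop": Incident(date(2015, 1, 29), date(2015, 2, 3), 1200, False, False, False, {}),
    "lost_encrypted_laptop": Incident(None, date(2015, 2, 3), 1200, True, True, False, {}),
    "fax_retrieved_low_risk": Incident(None, date(2015, 6, 1), 40, False, False, False, {f: True for f in FOUR_FACTORS}),
}
```

Run `notification_plan(SAMPLES["lost_unencrypted_laptop"])` to see the large-breach plan; the BA's January 29 discovery date, not the CE's February 3 date, starts the 60-day clock.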
HIPAA Enforcement
- HHS Office for Civil Rights (OCR)
- OCR investigates complaints.
  - 69,369 investigations since 2003.
  - 23,366 resulted in corrective action.
  - Since October 2009, 689 investigations into Security Rule complaints.
- Penalties can be enforced by OCR or State Attorneys General:
  - $100 per violation ($25,000 cap per year) if the violation was unknown and the offender would not have known by exercising reasonable diligence.
  - $100 per violation ($100,000 cap per year) for a reasonable violation not caused by deliberate neglect. Fine waived if corrected within 30 days.
  - $10,000 per violation ($250,000 cap per year) for a corrected violation caused by deliberate neglect.
  - $50,000 per violation ($1.5 M cap per year) for uncorrected violations caused by deliberate neglect.
Best Practices
- Documented policies and procedures (that are followed!)
- Annual risk assessment
- Annual workforce training
- Evaluate possible encryption solutions
- Pay particular attention to portable ePHI (laptops, phones, jump drives, etc.)
- Investigate all suspicious activity (and document your efforts)
- Access control
  - Who needs access to PHI to do their job?
  - What PHI do they need to access?
  - How can you restrict access? (by employee, by data point, etc.)
  - User authentication?
  - How do you monitor use and access?
Anthem Data Breach
- Anthem discovered the breach on January 29, 2015
  - Suspicious activity began December 2014
- Unauthorized disclosure of ePHI
  - Names, DOBs, SSNs, health IDs, home and email addresses
  - No medical information
- Info back to 2004, possibly affecting 80 million individuals
- Affected fully insured and TPA or ASO clients
- What does it mean for employers? Depends on their relationship to Anthem
Anthem Data Breach
- Fully Insured Plans: limited responsibility
  - Anthem has primary responsibility for breach response
  - Communicate with Anthem regarding their response and ensure employees are receiving communications from Anthem
  - Supplement Anthem communications where necessary
    - Identity theft protection, updates on status
    - https://www.anthemfacts.com/
- Self-Insured Plans: primary responsibility as CE
  - BUT: check the BA / ASO / TPA agreement. It is likely that Anthem assumed responsibility for breach notification
  - Review the Plan's HIPAA policies and procedures
  - Communicate with employees and Anthem early and often
    - Which plan participants were affected; distribute notices regarding Anthem's efforts and breach notification responsibility (if appropriate)
Reform: Stay Connected
Stay on top of the changing landscape of health care reform and other employment laws through J.W. Terrill's Seminar Series and TerrillConnect. Subscribe to TerrillConnect for weekly email updates.
Health Care Reform Update: Q&A
Marcus Wilbers
Senior Compliance Attorney
Manager, Compliance Consulting
mwilbers@jwterrill.com
(314) 594-2526