Compliance HIPAA Training Steve M. McCarty, Esq. General Counsel Sound Physicians 1
Overview of HIPAA HIPAA contains provisions that address: The privacy of protected health information or PHI The security of electronic protected health information or ephi. The security of unsecured PHI and the steps that must be taken in the event of a breach of unsecured PHI. The federal agency responsible for overseeing compliance with HIPAA is the Office for Civil Rights (OCR) of the US Department of Health and Human Services. 2
Overview of HIPAA Sound Physicians is required to comply with HIPAA. To comply with HIPAA, Sound must: Comply with the HIPAA privacy rule Comply with the HIPAA security rule Comply with the unsecured PHI breach notification rule Adopt and implement policies and procedures that address the manner in which Sound will comply with the above rules Provide training to its workforce regarding HIPAA and its policies and procedures 3
Civil Penalties for HIPAA Violations Violations are categorized into 4 tiers, with each tier being assigned a penalty range: Violation Category Penalty 1 st Tier (Unknowing violation) 2 nd Tier (reasonable cause, not willful neglect) 3 rd Tier (willful neglect that s later corrected) 4 th Tier (willful neglect, not corrected) $100 per violation, not to exceed 25k $1,000 per violation, not to exceed 100k $10,000 per violation, not to exceed 250k $50,000 per violation, not to exceed $1.5m Individuals may share in penalties State Attorneys General may also bring a civil action for penalties on behalf of an individual affected by a HIPAA violation 4
Other Penalties for HIPAA Violations Criminal penalties Fines range from $50k - $250k Up to 10 years imprisonment Audits OCR is required to perform periodic audits to ensure persons required to comply with HIPAA are meeting its privacy and security requirements. 5
HIPAA Privacy Enforcement Since April 2003, OCR has received over 51,762 HIPAA Privacy Complaints. Most frequent complaints: Impermissible uses/disclosures Lack of safeguards for PHI Lack of patient access to PHI Uses or disclosures of more than the minimum necessary Lack of or invalid authorizations or notice Of the complaints received, over 16,000 have resulted in OCR investigations. Of those investigated, over 10,700 have resulted in corrective action. Examples of these corrective actions, and other information regarding HIPAA, can be found on OCR s website at www.hhs.gov/ocr Because of recent changes to the penalty provisions of HIPAA, the number of complaints will likely increase, as will the penalties associated with these complaints. 6
Sound s HIPAA Policies and Procedures To comply with HIPAA, Sound has adopted policies and procedures that comply with HIPAA s privacy, security and breach of unsecured PHI notification requirements. These policies designate Mr. Jim Kodjababian as Sound s Privacy Officer. In this role, Mr. Kodjababian is the primary person responsible within Sound for compliance with HIPAA s privacy rule and breach of unsecured PHI notification requirements. These policies designate Mr. Zima Hartz as Sound s Security Officer. In this role, Mr. Hartz is the primary person responsible within Sound for compliance with the HIPAA security rule. 7
Sound s HIPAA Policies and Procedures Sound s policies and procedures apply to Sound s workforce. Sound s workforce includes physicians, non-physician practitioners, nurses and other clinical employees, volunteers and other persons whose conduct is controlled by Sound. The policies and procedures address, in further detail, the concepts that will be discussed in today s presentation. Violation of the policies and procedures could result in disciplinary action, including, but not limited to, the following: Retraining Verbal warnings or written warnings Paid and unpaid suspensions Exclusion from the premises Loss of employee privileges and/or benefits Demotion or termination 8
Sound s HIPAA Policies and Procedures Violations or suspected violations or any other type of complaint relating to HIPAA privacy or relating to a breach of unsecured PHI must be reported to Sound s Privacy Officer, Mr. Jim Kodjababian. Violations or suspected violations or any other type of complaint relating to HIPAA security must be reported to Sound s Security Officer, Mr. Zima Hartz. Sound s management or other staff is prohibited from intimidating, threatening, coercing, discriminating against or taking other retaliatory action against individuals/others who assert their rights under HIPAA. 9
HIPAA Privacy Rule Protects confidentiality when using and disclosing an individual s protected health information ( PHI ) in any form paper, oral, or electronic. The definition of PHI is very broad. Generally, PHI is information that is held by or on behalf of Sound that may identify or be used to identify a patient. 10
General HIPAA Privacy Rule Sound may not use or disclose PHI unless the use or disclosure is: For Treatment, Payment, or Health Care Operations ( TPO ) To the patient As authorized by patient As otherwise allowed by HIPAA 11
Examples In routine conversation, a nurse employed by Sound who works in a client hospital tells her friend that she saw a particular individual in the hospital last week. HIPAA violation? Three people are on an elevator in a client hospital. Two are Sound physicians and the other is a maintenance personnel employed by a third party not affiliated with the hospital. The physicians begin to talk the appropriate plan of care for a patient to whom they each have provided care in a manner that the third party can easily hear their conversation. HIPAA violation? 12
Using/Disclosing PHI for TPO Treatment: Provision, coordination, or management of health care by one or more health care providers, including consultations and referrals. Payment: Activities to obtain payment or be reimbursed for health care services. Health Care Operations: Administrative, financial, legal and quality improvement activities; business planning activities; training and teaching activities; and accreditation, credentialing, licensing, competence, and performance activities; and fraud, abuse, and compliance activities. No consent or authorization required when a use or disclosure is for treatment, payment or health care operations. 13
Treatment Examples A Sound hospitalist sends a copy of individual s medical record to a specialist who needs the information to perform a consultation on the individual. Permissible? Hospitalist sends a copy of a patient s health care instructions to a nursing home to which patient is transferred. Permissible? 14
Payment and Health Care Operations Examples A specialty medical practice wants a copy of the health information that Sound maintains on an individual for quality assurance activities the practice is conducting. Permissible? Sound s compliance officer uses the health information of a patient in reviewing a potential compliance issue. Permissible? 15
Disclosures That Require An Opportunity to Object The HIPAA Privacy Rule allows Sound to make the following disclosures, among others, without patient authorization so long as the patient has an opportunity to object: Sound may disclose PHI to persons involved in care or payment for care The disclosure must be directly relevant to involvement This can be used to allow a spouse or child to pick up a prescription, x-ray, etc. Sound may also disclose patient s location, general condition, or death to responsible persons. 16
Disclosures Without Opportunity to Object The HIPAA Privacy Rule allows Sound to make the following disclosures, among others, without either patient authorization or giving the patient an opportunity to object: Uses or disclosures required by law Uses or disclosures for public health activities Disclosures about victims of neglect, abuse or domestic violence Disclosures for health oversight activities Certain, limited disclosures to Law enforcement Disclosures in court proceedings In each of these instances, certain requirements must be met. 17
Example of disclosures made without an opportunity to object A Sound hospitalist determines that Joe has H1N1. Joe s best friend is Mary. Can the hospitalist tell Mary that she has been exposed to H1N1 through Joe (i.e., can the hospitalist disclose PHI to Mary to inform her of her potential exposure to an infectious disease)? 18
Disclosures to Business Associates HIPAA permits Sound to disclose PHI to a Business Associate ( BA ) of Sound and permits the BA to create or receive PHI on Sound s behalf if Sound has satisfactory assurances that the BA will safeguard the PHI. Satisfactory assurances must be documented through a written contract. Sound has adopted a BA Agreement and a set of BA provisions that must be used in Sound s contracts with its BAs. 19
Disclosures to Business Associates There are some situations where Sound can disclose PHI to a BA without entering into a BA agreement. These include: Disclosures to or requests by provider for treatment Disclosures to patient at his/her request Disclosures to HHS for oversight 20
Authorizations Uses and disclosures that aren t otherwise permitted under HIPAA can only be made in accordance with an individual s authorization. The authorization must satisfy certain specific requirements and contain certain specific statements. Unenforceable if unsigned, expired or combined with other documents. 21
Required Disclosures There are certain instances where Sound is required to make disclosures. These include: To patients To a patient s personal representatives Executor or administrator of estate Parent or guardian of minor child Generally, a parent or guardian may access an unemancipated minor s PHI, unless this is inconsistent with state law. There are three exceptions to this general rule where the parent/guardian is not permitted to access the unemancipated minor s PHI. To OCR in connection with certain investigations or compliance reviews 22
HIPAA Example: Minors Sara, who is 16 years old and sexually active, lives in a state where parents are not considered personal representatives for purposes of certain procedures, including the testing, treatment or care for a STD. While being admitted at the hospital, Sara has a battery of tests, which reveal that she has a STD. Sara s mother inquires about the results of the tests. The Sound hospitalist who is assigned to Sara tells Sara s mother the results of the tests, including that Sara tested positive for a STD. HIPAA violation? 23
Limited Data Set/Minimum Necessary Standard Sound and its BAs must limit its use or disclosure of PHI to a limited data set, to the extent practicable. If more PHI is needed, Sound must limit use or disclosure of PHI to the minimum amount necessary to accomplish the purpose of the use or disclosure. There are few exceptions to this limited data set/minimum necessary standard. These include: Treatment Disclosures to patient at his/her request OCR will issue future guidance on compliance with this minimum necessary standard. 24
Individual s Rights under the HIPAA Privacy Rule Right to Access HIPAA generally provides an individual the right to inspect and obtain a copy of his or her PHI maintained in a designated record set. Right to request restrictions HIPAA allows individuals the right to request Sound to restrict the purposes for which the individual s PHI is disclosed. Sound generally is not required to agree to the restriction. Right to Amend HIPAA generally provides an individual the right to amend PHI maintained in a designated record set. Right to Accounting HIPAA generally provides an individual with a right to obtain an accounting of the disclosures made by Sound. This is discussed in greater detail on the following slides. 25
Accounting / Disclosure Log Except as noted below, Sound must keep a record of all disclosures of PHI. This record must include: Who received the information What information was disclosed When and why The following are instances where Sound does not have to keep a record of its PHI disclosures: Disclosures for TPO Disclosures to the patient Disclosures to persons involved in the patient s care 26
Accounting / Disclosure Log (Cont.) Disclosures for TPO Sound will, in the future, have to account for TPO disclosures made through an electronic health record (EHR) if Sound uses or maintains an EHR This accounting must include TPO disclosures made through an EHR for a period of 3 years prior to the date of the request of the accounting If a BA of Sound is disclosing for TPO, Sound must include those disclosures in the accounting or provide a list of all BAs and their contact information to the individual 27
Unsecured PHI Breach Notification Sound is required to make certain notifications upon discovery of a breach of unsecured PHI if, as a result of the breach, the unsecured PHI of an individual has been, or is reasonably believed to have been, accessed, acquired or disclosed. Breach Unauthorized acquisition, access, use or disclosure of unsecured PHI that compromises the security or privacy of the PHI. Breach does not include unintentional acquisition, access or use that was in good faith and within course and scope of employment/professional relationship. Unsecured PHI PHI that is not encrypted. Notice, which must contain certain items, must be provided within 60 days. In certain circumstances, the media and OCR must be notified about the breach. 28
Unsecured PHI Breach Notification Sound must also maintain a log of unsecured PHI breaches. This log must be submitted to OCR annually. In order to meet Sound s requirements under HIPAA s Unsecured PHI Breach Notification rule, Sound s employees must report any breaches of Unsecured PHI to Sound s privacy officer immediately upon becoming aware of the breach. 29
HIPAA Security Rule The HIPAA Security Rule is designed to ensure that Sound protects the integrity, confidentiality and integrity of the ephi that Sound collects, maintains and uses. It does this through imposing administrative, physical and technical safeguards. 30
Administrative Safeguards Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ephi. Examples of administrative safeguards implemented through Sound s HIPAA security policies: Having a security management process. For example, Sound applies sanctions against its employees who fail to follow Sound s HIPAA securities policies and procedures Designation of a security official Managing information access. For example: Security officer provides employees access to ephi only if access is required for their job. See slide 35. Sound screens applicants backgrounds prior to hire to ensure that access is not given to an individual that poses a threat to the ephi s security. 31
Administrative Safeguards (Cont.) Periodic training of employees on HIPAA security Process for raising security awareness: Periodic security reminders Processes for protecting against malicious software Log-in monitoring Sound s system locks employees out after three unsuccessful log-in attempts Password management Passwords are changed every 60 days Passwords are not to be shared and should not be written down, printed or stored in an unencrypted format Employees should not log-on the system using another s password Process for reporting security incidents A security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Security Incidents must be reported to your supervisor or the Security Officer. 32
Physical Safeguards Physical safeguards are those that protect IT systems and related equipment and buildings from natural and environmental hazards, and unauthorized intrusion Examples of physical safeguards implemented through Sound s HIPAA security policies: Facility access controls e.g., requiring ID badges and magnetic card readers to access Sound s facilities Workstation security e.g., user IDs and passwords are designed to prevent unauthorized access to workstations and employees are supposed to be aware of their workstation surroundings and report anything suspicious to their supervisor or Sound s security official Device and media controls e.g., Sound will remove any ephi from computers before they are reused 33
Technical Safeguards Technical safeguards is technology and the policy and procedures for its use that protect ephi and controls access to it. Examples of technical safeguards implemented through Sound s HIPAA security policies: Access Controls - Sound limits PHI access based on job function (see chart on following slide) Sound s employees are issued unique User IDs and passwords. Users are expected to lock or log off of workstations when left unattended and should close applications when not in use. SoundConnect - automatically converts to a blank screen after five minutes of inactivity; shuts down after an additional ten minutes of inactivity Users of the general Sound network - automatically logged off or locked after 15 minutes of inactivity. Audit Controls User activity is audited by Sound. Users are accountable for all activity and access that occurs under their logon. 34
Technical Safeguards (Cont.) Mechanisms to maintain integrity of ephi Sound uses anti-virus software to prevent malicious viruses Sound has processes that ensures hardware is appropriately secured Ensuring security during information transmission Transmissions from Sound network to an outside party or network utilize an encryption mechanism between the sending and receiving entities. Sound employees may transmit ephi within Sound s network only where absolutely necessary and only if the minimum necessary amount of ephi is used in the transmission. 35
PHI Access Staff Category PHI Access Justification Individuals who provide any clinical service, including but not limited to, any physician, nonphysician practitioner, nurse or other clinical personnel All records of patients being treated by an individual provider Involvement in patient care Management (including Sound s Compliance Officer) All records, to the extent relevant to an issue being addressed by an individual manager Enabling effective management, including monitoring and improving patient care, addressing complaints, and avoiding or addressing legal issues. Quality Assurance Personnel All records relevant to any billing-related issue being handled by the individual staff member Enabling accurate processing of claims for reimbursement and all inquiries and disputes related thereto. Clerical Personnel interacting with patients or their personal representatives. Records of patients as necessary to assist with services such as scheduling, etc. Enabling efficient performance of services for patients or personal representatives. 36
Specific Sound policies : Email Use Email must be restricted to proper business purposes and must be treated in a confidential manner (including the use of a confidential notation in the email and the attachment of a Sound-approved confidentiality statement). When using email, the information transmitted must be limited to minimum necessary to meet the requester s needs E-mail senders of PHI should routinely check and re-check e-mail addresses of recipients before transmission Before using email to correspond with Sound patients, the patient must provide consent to receiving correspondence via email. Examples of prohibited usage of email: Transmission of information to individuals inside or outside Sound who do not have a legitimate business need for the information. Transmission of highly confidential or sensitive information, such as HIV status, mental illness or chemical dependency Auto forwarding of e-mail 37
Specific Sound policies: Facsimiles Faxes are only to be used when another method of transmission is not feasible. Sensitive PHI (e.g., HIV status, mental health status, drug or alcohol dependency) should only be faxed in emergencies. Procedures relating to location and monitoring of faxes: Fax machines are to be located in low traffic areas Fax machines should be checked frequently (e.g., once an hour) Fax messages should be sorted so that employees do not have to rummage through the messages to find the fax pertaining to them. Fax procedures: Cover sheets should be used and confirmation pages should be attached to the faxed material. Confirm recipient s fax number if used infrequently; program frequently used numbers into fax machine If a fax containing PHI has been misrouted, contact unintended recipient and request return or destruction of the faxed document. Request that the recipient destroy the faxed material after use, unless the material is incorporated into a medical record or other record that is required to be maintained by law. 38
Specific Sound policies: Telephone Use Employees may disclose PHI through telephones in the same manner as they do in person Telephone calls that involve the discussion of PHI should be done in a manner that maintains privacy to the greatest extent possible (e.g., use as low of voice as possible) Telephone callers should verify identity of patient prior to disclosing PHI. Information included in a voicemail message for a patient should be limited to: Name of person for whom the message is left A request that the person return the call Name and number of person making the call 39
QUESTIONS AND CONTACT INFORMATION Questions? Contact Information for Privacy Officer: Mr. Jim Kodjababian Phone: (253) 682-6020 Email: jkodjababian@soundphysicians.com Contact Information for Security Officer: Mr. Zima Hartz Phone: (253) 284-1874 Email: zhartz@soundphysicians.com 40