12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule




HIPAA: More Important Than You Realize
J. Ira Bedenbaugh, Consulting Shareholder
February 20, 2015

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

HIPAA: More Important Than You Realize
- Administrative Simplification
- Privacy Rule
- Security Rule

History of HIPAA
In August 1996 Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Its goals:
- Improve portability and continuity of health insurance.
- Combat waste, fraud and abuse in health insurance and health care delivery.
- Promote the use of medical savings accounts.
- Improve access to long-term care.
- Simplify the administration of health insurance.

History of HIPAA
- February 2009: HITECH Act was signed into law.
- September 2010: Interim Final Rule goes into effect.
- March 2013: Omnibus Final Rule takes effect.
- September 2013: Entities must be in compliance.

Administrative Simplification
HIPAA included administrative simplification rules that were intended to improve the efficiency and effectiveness of the health care delivery system:
- Standards for electronic health care transactions and code sets.
- Unique health identifiers.
- Security.

Privacy
- Set national standards for the protection of individually identifiable health information.
- Originally published in 2000, and most recently modified with the HITECH Act of 2009 and the Omnibus Rule of 2013.
- Enforced by the Office for Civil Rights (OCR).

Privacy Rule: Protected Health Information
Individually identifiable health information held or transmitted by a covered entity or a business associate in any form or media, including:
- Demographic data.
- The individual's past, present or future physical or mental health or condition.
- The provision of health care to the individual.
- Past, present or future payment for the provision of health care to the individual.

Privacy Rule: Covered Entities
- Health plans.
- Health care clearinghouses.
- Health care providers: any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of Health and Human Services has adopted standards under HIPAA.

Privacy Rule: Business Associate
- A Business Associate is a person or entity, other than the covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI.
- A Business Associate Agreement (BAA) is an agreement between the covered entity and the business associate that sets out specific written safeguards for the PHI used or disclosed by the business associate.

Privacy Rule: Business Associate
- Business associates are now directly accountable for violations and subject to the same fines and penalties as the covered entity.
- Business associates are required to notify covered entities of any breach of unsecured protected health information.
- Business associates must comply with the administrative, physical and technical safeguards.

Privacy Rule: Business Associate
- If a business associate becomes aware of a violation by a covered entity, it has the obligation to report the breach if the covered entity does not take steps to remedy it.
- Business associate contracts must be amended to reflect the nature of the relationship, how the business associate is protecting the PHI, and the notification policies.

Privacy Rule: BAA
- Business associate contracts must be updated to reflect the new requirements that the business associate is required to follow under the HITECH Act.
- Business associate contracts must be updated to reflect the new breach notification requirements, including who is responsible for notifying the covered entity's patients if a breach occurs.

Privacy Rule: Disclosure of PHI
Required disclosures:
- To individuals requesting access to their PHI.
- To HHS when it is undertaking an investigation or review.
Permitted uses and disclosures:
- To the individual.
- Treatment, payment and health care operations.
- Where the individual has an opportunity to agree or object.
- Incident to an otherwise permitted use and disclosure.
- Public interest and benefit activities.
- Limited data set.

Privacy Rule: Disclosure of PHI
Authorized uses and disclosures: a covered entity must obtain the individual's written permission for any use or disclosure of PHI that is not for treatment, payment or health care operations and is not otherwise permitted or required by the Privacy Rule. In particular:
- Psychotherapy notes.
- Marketing.

Privacy Rule: Notice and Other Rights
Privacy Practices Notice:
- The notice must state the covered entity's duties to protect privacy, provide a notice of privacy practices and abide by its terms.
- Notices must be distributed to patients.
- Covered health care providers must make a good faith effort to obtain written acknowledgement from patients of receipt of the privacy practices notice.

Privacy Rule: Notice and Other Rights
- Patients have the right to access their PHI.
- Patients have the right to amend their PHI.
- Patients have the right to an accounting of disclosures for a maximum of six years immediately preceding the request.
- Patients have the right to request that a covered entity restrict use or disclosure of PHI.
- Patients have the right to request that confidential information be communicated by a specific method.

Privacy Rule: Notice and Other Rights
No accounting is required for disclosures that are:
- For treatment, payment or health care operations.
- To the individual or the individual's representative.
- For notification of or to the individuals involved in an individual's health care or payment.
- Pursuant to an authorization.
- Of a limited data set.
- For national security.
- To law enforcement regarding inmates.
- Incident to otherwise permitted or required disclosures.

Privacy Rule: Breach Notification
A breach is an impermissible use or disclosure under the Privacy Rule. Exceptions:
- Unintentional access or use by a workforce member acting under a covered entity or business associate.
- Inadvertent disclosure between two authorized individuals, either at a covered entity or a business associate.
- The covered entity or business associate believes in good faith that the unauthorized individual to whom the disclosure was made would not have been able to retain the information.

Privacy Rule: Breach Notification
- Individual notice must be made only to affected individuals, without unreasonable delay following a breach, by first-class mail or by e-mail if the affected individual has agreed to such notification.
- If the covered entity has insufficient contact information on 10 or more people, the covered entity must post notice on its web site or to major print or broadcast media.
- If the covered entity has insufficient contact information on 10 or fewer people, the covered entity may use an alternate form of communication.

Privacy Rule: Breach Notification
- Covered entities must report breaches in excess of 500 residents to media in the state or jurisdiction of the 500 residents.
- Notice to the Secretary of Health and Human Services: the Secretary must be notified by electronic report of breaches in excess of 500 individuals within a reasonable time.
- The Secretary may be notified of breaches of fewer than 500 individuals on an annual basis, no later than 60 days after the end of the calendar year.

Privacy Rule: Administrative Requirements
- A designated Privacy Officer who is responsible for developing and implementing privacy policies and procedures.
- Privacy policies and procedures must be in writing.
- The covered entity must train all workforce members on its privacy policies and procedures.
- The covered entity must have and apply appropriate sanctions against workforce members.
- The covered entity must mitigate, to the extent practicable, any harmful effects of a disclosure of PHI.

Privacy Rule: Administrative Requirements
- The covered entity must maintain reasonable and appropriate administrative, technical and physical safeguards to prevent intentional or unintentional disclosure of PHI.
- A covered entity must have procedures for individuals to complain about its compliance with its policies and procedures.
- A covered entity may not retaliate.
- A covered entity must retain its privacy policies and related documentation for a period of no less than six years after the last effective date.

Privacy Rule: Enforcement (HITECH)
- Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision that was violated.
- Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

Privacy Rule: Enforcement (HITECH)

| Violation Category             | Each Violation      | All violations in a calendar year |
|--------------------------------|---------------------|-----------------------------------|
| Did Not Know                   | $100 to $50,000     | $1,500,000                        |
| Reasonable Cause               | $1,000 to $50,000   | $1,500,000                        |
| Willful Neglect, Corrected     | $10,000 to $50,000  | $1,500,000                        |
| Willful Neglect, Not Corrected | $50,000             | $1,500,000                        |

Security Rule
- Published in February 2003 by the Department of Health and Human Services and most recently modified with the HITECH Act of 2009 and the Omnibus Rule of 2013.
- Compliance was required as of April 2005.
- Sets national standards regarding electronic protected health information (ePHI).
- Enforced by the Office for Civil Rights (OCR).

Security Rule: Covered Entities
- Health plans.
- Health care clearinghouses.
- Health care providers: any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of Health and Human Services has adopted standards under HIPAA.

Security Rule: Protected Health Information
- A subset of the Privacy Rule's PHI that does not include information transmitted orally or in writing.
- Individually identifiable health information in electronic form that an entity creates, receives, maintains or transmits.

Security Rule: General Rules
Covered entities must maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI:
- Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.

Security Rule: General Rules
The Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate to their specific environments. A covered entity must consider the following when deciding which security measures to use:
- Its size, complexity and capabilities.
- Its technical, hardware and software infrastructure.
- The costs of security measures.
- The likelihood and possible impact of potential risks to ePHI.

Security Rule: Administrative Safeguards
- A covered entity must have a security management process that identifies and analyzes potential risks to ePHI and implements security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- A covered entity must designate a security official who is responsible for developing and implementing security policies and procedures.
- A covered entity must implement policies and procedures for authorizing access to ePHI.

Security Rule: Administrative Safeguards
- A covered entity must train all workforce members regarding its security policies and procedures.
- A covered entity must perform a periodic risk assessment of how well its security policies and procedures meet the Security Rule requirements.
- Annual risk assessments are part of the requirements of meaningful use.

Security Rule: Risk Assessment
Covered entities and business associates must perform a risk assessment as part of their security management process:
- Identify threats to the ePHI held.
- Identify vulnerabilities that can be exploited by those threats.
- Based upon the threats and vulnerabilities, rate the risk exposure.
- Develop plans to mitigate the risk.

Security Rule: Physical Safeguards
- A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media.
- A covered entity must have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media.
- Encryption is the safe harbor.

Security Rule: Technical Safeguards
- A covered entity must implement technical policies and procedures that allow only authorized persons to access ePHI.
- A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
- A covered entity must implement policies and procedures to ensure that ePHI is not improperly altered or destroyed.
- A covered entity must implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.

Security Rule: Compliance
- The Security Rule categorizes certain implementation specifications within the standards as required or addressable.
- Required implementation specifications must be implemented.
- Addressable does not mean optional; rather, the covered entity can determine whether the specification is reasonable and appropriate for its environment.

HIPAA Privacy & Security Audit Program
The HITECH Act requires that the Department of Health and Human Services perform periodic audits to ensure covered entities are complying with HIPAA.
Phase 1:
- Audited 115 covered entities.
- No findings for only 11% of the covered entities.
- Health care providers were responsible for 65% of the total findings.
- 60% of findings were related to the Security Rule.

HIPAA Privacy & Security Audit Program
Phase 2 (2015):
- Covered entities and business associates.
- Desk audits with ten days to respond.
- Areas of focus: general information risks, encryption, cloud storage, BAAs, security, mobile devices, privacy, employees.

HIPAA Case Studies: Private Practice Implements Safeguards for Waiting Rooms
Covered Entity: Private Practice
Issue: Safeguards; Impermissible Uses and Disclosures
A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Also, computer screens displaying patient information were easily visible to patients. Among other corrective actions to resolve the specific issues in the case, OCR required the provider to develop and implement policies and procedures regarding appropriate administrative and physical safeguards related to the communication of PHI. The practice trained all staff on the newly developed policies and procedures. In addition, OCR required the practice to reposition its computer monitors to prevent patients from viewing information on the screens, and the practice installed computer monitor privacy screens to prevent impermissible disclosures.

HIPAA Case Studies: Physician Revises Faxing Procedures to Safeguard PHI
Covered Entity: Health Care Provider
Issue: Safeguards
A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore that the communication is confidential and intended for the named recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.

Keys to HIPAA
- Update privacy notices as needed, distribute them and get signed acknowledgement.
- Update Business Associate Agreements and execute them when appropriate.
- Designate a Security Officer.
- Written security policies and procedures.
- Train staff on the practice's privacy and security policies and procedures.
- Perform a risk assessment.

Ira Bedenbaugh
Email: ibedenbaugh@elliottdavis.com
Phone: 864.552.4715
Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit our website.