OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information




Part 1: How HIPAA affects electronic transfer of protected health information

It is difficult to overestimate the impact that the Health Insurance Portability and Accountability Act (HIPAA) has had on healthcare organizations. Patients have no doubt benefited from its security and privacy provisions, but the HIPAA regulations have also posed significant challenges and risks for hospitals, insurers, medical practices, individual clinicians and a variety of related businesses. For an organization to meet those challenges and reduce the risk of penalties, it has to fully understand how the HIPAA law affects the transfer of protected health information (PHI) during day-to-day operations.

Establishing clear definitions

A discussion of patient data transfer has to start with the HIPAA definition of PHI, which refers to any information held by a covered entity that concerns health status, provision of healthcare or payment for healthcare and that can be linked to an individual. This is interpreted rather broadly and includes any part of an individual's medical record or payment history. Originally, a covered entity included healthcare clearinghouses, employer-sponsored health plans, health insurers and medical service providers that engage in certain transactions.

HIPAA addresses two aspects of PHI management: data security and data privacy. The security component of the law applies specifically to electronic PHI and outlines a series of security safeguards to ensure that a patient's data is protected while in transit. The privacy component of HIPAA requires covered entities to disclose patients' data within 30 days of their request for that data, whether in paper or electronic form. The law specifies how covered healthcare companies can use a patient's medical records, to whom they can disclose those records, and when and how patients can have access to this data. The rules cover personally identifiable data in oral, electronic and written form.

Privacy rules require a physician to get your permission to share your PHI, even with other physicians. More specifically, the privacy rules allow patients to inspect and copy their PHI. The rules also require that employees be trained in the appropriate procedures needed to protect this information. Covered entities also need to establish procedures to ensure that only staffers with a legitimate reason for gaining access to PHI actually have access to it. In recent years, that requirement has sometimes been difficult to enforce, as curious hospital staff have on occasion snooped into the records of celebrity patients when they had no business or clinical justification for viewing the information. Of course, hospitals are not the only healthcare-related entities that are accountable for the way they manage PHI.

Healthcare clearinghouses are equally accountable. The term includes any organization that takes health information from an entity, converts it into a different format and sends it to another entity for some sort of processing, according to Rebecca Herold, an expert on information security and privacy at Rebecca Herold & Associates, LLC. Examples would include billing services and many financial institutions. The term "medical service provider," on the other hand, would include not only hospitals and physician practices but also pharmacies and contract research organizations, explained Herold.

While HIPAA regulations present profound challenges for any organization responsible for handling PHI, these regulations only tell half the story. In 2010, the federal government put into effect a variety of related rules through implementation of the Health Information Technology for Economic and Clinical Health Act (HITECH). Herold points out that the HITECH Act specifically addresses the security and privacy of electronically transmitted PHI. This second set of rules expands and clearly outlines the requirements that business associates (BAs) must meet to protect such data. The sanctions for non-compliance that used to only really apply to covered entities now also apply to BAs, said Herold. These sanctions, and BA responsibilities, were significantly expanded under the implementation of the Omnibus Rule on September 23, 2013. Now BAs must comply not only with all the HIPAA Security Rule and HITECH Act requirements, but also with the Privacy Rule requirements applicable to their services. They must also ensure that any subcontractors they use are in compliance with all these requirements.

Of course, that begs the question: what exactly is a BA? HIPAA defines it as a person or organization that performs some type of activity on behalf of a covered entity, or provides a service to the covered entity in the provisioning of healthcare transactions, payments or operations, that involves access to PHI, explained Herold. That would include transcription services, backup and archiving, even cloud services involving PHI.

A closer look at HITECH

One of the principal goals of the HITECH Act is to foster the implementation of electronic health records (EHRs) among U.S. hospitals and medical practices. To that end, it has established a long list of regulations to define what it refers to as Meaningful Use (MU) of EHRs in providing patient care. The program is being rolled out in three stages, with Stage 2 officially taking effect in 2014. The HITECH Act includes regulations on electronic exchange of PHI. In addition to specific criteria on how this data should be transmitted across covered entities, the law requires organizations to self-report data breaches that affect 500 or more individuals to the Department of Health and Human Services, the media and the individuals who have been affected by the breach. Ignoring this requirement can result not only in large financial penalties but also in criminal penalties, including jail time.

HIPAA and HITECH regulations also require covered entities to protect against any reasonably anticipated threats to the security or integrity of PHI, explained Herold. Similarly, the rules require covered entities to establish breach response plans. That includes an assessment of the probability that the PHI was compromised. The following four factors must be considered in assessing the probability of compromise:

- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk of harm to the affected individuals has been mitigated.

Covered entities would then need to notify the involved insureds and/or patients about the breach based upon that probability.

All these rules and regulations are enforced by the federal Office for Civil Rights, which is part of the Department of Health and Human Services, and also by state attorneys general. The Federal Trade Commission also gets into the act because it enforces HIPAA and HITECH for non-covered entities and non-business associates that possess repositories of patient information in personal health records. Examples include online personal health records and applications or devices that track health information, such as blood pressure or exercise, and upload it into a personal health record.
Lastly, MU and HIPAA regulations include security requirements that apply to the movement of PHI sent by fax transmission.

How rules apply to fax transmissions

Inherent risks involved in transmitting PHI over the Internet require providers to encrypt this data to reduce the threat of interception by unauthorized users. But unlike the Internet, where everything is basically interceptable, to intercept a fax phone call one would have to have a phone connection at the premises that the document is being sent from or sent to. Thus the difference between Internet and phone technology makes the latter mode of transmission inherently less risky, at least from a technological perspective.

HIPAA rules also govern the physical protection of PHI. In situations where any sort of paper document containing patient data exists, the Department of Health and Human Services expects covered entities to apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure, according to the agency's website. For example, the HIPAA regulations allow a laboratory to fax a patient's medical test results to a physician, and allow a physician to fax a copy of a patient's medical record to a specialist. But HHS makes it clear that when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information.

However, if a fax containing PHI is sent to a nurse's station in a hospital and the nurse is not physically present to immediately retrieve the document as it comes in, the HIPAA rules will likely have been violated. Some healthcare providers are coping with this data threat by putting all their fax machines in a locked room and only giving authorized staffers access to the room. Unfortunately, that approach defeats the convenience of fax technology, which traditionally has offered easy, immediate access to paper documents that in the past took days to arrive by post.

Clearly, the privacy and security rules spelled out by HIPAA, HITECH and Meaningful Use have created a series of challenges and risks for healthcare organizations. Exploring the consequences of not adequately protecting PHI and finding cost-effective ways to protect it will be the topics of Parts 2 and 3 in our Keeping Data in Motion series.

About OpenText

OpenText is the leader in Enterprise Information Management (EIM). EIM enables organizations to grow the business, lower costs of operations, and reduce information governance and security related risks. OpenText focuses on the key drivers of business success to improve business insight, strengthen business impact, accelerate process velocity, address information governance and provide security. OpenText Information Exchange solutions help organizations integrate and extend their information exchange systems and processes in order to improve their efficiency, decrease security risk, and lower their transaction cost for internal and external information exchange. For more information visit: faxsolutions.opentext.com.

Produced in partnership with HIMSS Media, www.himssmedia.com, 2013