FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS
James J. Eischen, Jr., Esq.
October 2013, Chicago, Illinois
JAMES J. EISCHEN, JR., ESQ.
Partner at Higgs, Fletcher & Mack, LLP
26+ years of experience as an attorney in California
Experience in the healthcare field: medical groups, EHR firms, health coaching enterprises and healthcare products
Graduated from the University of California at Davis School of Law
Professional memberships: San Diego County Bar Association Law & Medicine Section, Attorney-Client Relations Committee; State Bar of California Section Member; AAPP Corporate Secretary
STEP ONE: Understand The Purpose Of HIPAA
WHAT IS HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for the protection of certain health information.
The Security Rule (Security Standards for the Protection of Electronic Protected Health Information) establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called covered entities must put in place to secure individuals' electronic protected health information (ePHI).
Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.
KEY TERMS
Unsecured PHI: PHI that is not rendered unusable, unreadable or indecipherable to unauthorized persons by a method specified by HHS (encryption or destruction).
ePHI: Electronic PHI.
Breach: Acquisition, access, use or disclosure of PHI in a manner that compromises the security or privacy of the PHI.
STEP TWO: Look At Basic HIPAA Compliance (Privacy And Security Rules)
SECURITY RULE
Prior to HIPAA, there were no generally accepted federal security standards or general requirements for protecting health information.
New technologies are evolving: the health care industry is moving away from paper processes to electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions. Providers use clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems.
Security Rule: protects the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.
The Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity's particular size, organizational structure, and risks to consumers' ePHI.
SECURITY RULE APPLIED
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Specifically, covered entities must:
Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of the information;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by their workforce.
PRIVACY RULE: CONFIDENTIALITY
The Privacy Rule defines confidentiality to mean that ePHI is not available or disclosed to unauthorized persons. The Privacy Rule prohibits improper uses and disclosures of ePHI.
SO, WHAT SECURITY MEASURES MUST BE IMPLEMENTED?
The Security Rule does not dictate measures, but requires the covered entity to consider:
Its size, complexity, and capabilities;
Its technical, hardware, and software infrastructure;
The costs of security measures; and
The likelihood and possible impact of potential risks to ePHI.
Covered entities must review and modify their security measures to continue protecting ePHI in a changing environment.
http://www.ama-assn.org/resources/doc/washington/hipaa-phi-encryption.pdf
STEP THREE: Evaluate What Changed With The Omnibus/Final Rule
BEFORE AND AFTER OMNIBUS RULE
Before: BAs regulated through BAAs.
After: BAs and subcontractors regulated directly under HIPAA; BAs are CEs, and must comply with the Security Rule.
EXPANDED DEFINITION OF CE
CE: on behalf of a covered entity (CE), creates, receives, maintains or transmits PHI
Subcontractor of a BA
Role + responsibilities of BA = CE
BA requirements/exposure not defined simply because it is a party to a BAA
NOT A BA
Those who simply provide transmission services
Digital couriers or mere conduits
But if you store personalized ePHI, even if you do not view it, you are a BA/CE
SUBCONTRACTORS
The contract between the CE's BA and the BA's subcontractor must satisfy the BAA requirements.
Subcontractor of a subcontractor of a subcontractor of a subcontractor: ALL are BAs.
HIPAA/HITECH obligations apply to subcontractors.
OMNIBUS/FINAL RULE
All covered entities must review documentation, including business associate agreements, notice of privacy practices, and their policies and procedures, to ensure compliance with the Final Rule.
BAA AND NPP MUST BE UPDATED
PRESUMPTION OF BREACH
Interim Final Rule: risk assessment to determine if unauthorized ePHI access, use or disclosure caused harm; no presumption of a breach.
Final Rule: unauthorized access, use or disclosure presumed to be a breach unless the CE determines a low probability that ePHI was compromised.
POTENTIAL BREACH EVALUATION
The CE must evaluate:
The nature and extent of the ePHI
The unauthorized person who used the ePHI
To whom the disclosure was made
Whether the ePHI was actually viewed or acquired
How the risk was mitigated
DOCUMENT, DOCUMENT, DOCUMENT, AND THEN DOCUMENT SOME MORE
BREACH NOTIFICATION
The BA must provide notice of a breach to the CE.
A breach is treated as discovered as of the 1st day when it is known or would have been known.
When, by exercising reasonable diligence, would the breach have been known?
A subcontractor BA gives notice to the BA.
ELECTRONIC ACCESS
Reasonable safeguards: if the PHI owner wants PHI sent unencrypted, the CE needs to let the individual know of the risks.
DOCUMENT THE ePHI OWNER'S CONSENT
Secure mechanism
Electronic machine-readable copy: can be used on a computer (PDFs)
If a PHI owner asks for a specific format, the CE needs to accommodate when possible.
FEES CHARGED FOR ELECTRONIC RECORDS?
Labor costs only
Retrieval costs or capital costs not allowed to be charged
Supplies upon request can be charged
Best practice is to list fees on the authorization/consent form itself
ACCESS TO THIRD PARTIES
An individual can request the CE to send ePHI to another individual
In writing (electronic OK, but verification needed)
Identify who the receiver is
PHI must still be protected when sent to a third party
RESTRICTIONS/ACCOUNTING RULE
An individual can restrict ePHI from a health plan when paying out of pocket in full for a service (Accounting Rule)
CEs need to develop how to track restrictions
CEs submit restricted ePHI for required audits when required by law
STEP FOUR: Identify Necessary HIPAA Compliance Steps
Update Your Documentation!
HIPAA COMPLIANCE: BASIC DOCUMENTATION
Notice of Privacy Practices (NPP)
Business Associate Agreement (BAA)
Internal risk analysis memo
The practice's written office procedures and processes must be examined thoroughly: evaluate risks and decide how to address those risks.
SO, WHAT DO I DO?
Update BAA
Update NPP
Update internal risk assessment memo
Ensure electronic records access is not subject to unlawful charges
STEP FIVE: Electronic Communications, Scheduling & Records Management
HIPAA/PRIVACY COMPLIANCE WITH ELECTRONIC COMMUNICATIONS
Electronic data storage of any kind = HIPAA
SHOULD MY PHYSICIAN-PATIENT AGREEMENT DEAL WITH ELECTRONIC COMMUNICATIONS?
Not recommended! A separate ePHI agreement is needed for risk management/HIPAA compliance.
HIPAA Final Rule: non-compound ePHI consent
CHECK MARKETING/PRACTICE COMMUNICATION PLATFORMS FOR COMPLIANCE
Website
Calendar/Scheduling
FAQs
Patient letters
Staff training!!!
Is this all really necessary? (Hint: the correct answer is not "no".)
So What Can Go Wrong Anyway?
Case study: an Arizona cardiologist was fined $100,000 and ordered to take corrective action to implement policies and procedures to safeguard the protected health information of its patients.
WHAT WENT WRONG?
Inadequate internal risk analysis
Lack of staff training
No BAA with outside IT vendor for web calendar
Bottom line: an internal risk analysis memo and awareness of patient privacy rights can avoid fines/penalties.
http://www.healthcareitnews.com/news/phoenix-practice-pay-100000-settle-hipaa-case
QUESTIONS?
James J. Eischen, Jr., Esq.
Office: (619) 819-9655
Email: eischenj@higgslaw.com
Skype: jeischenjr
http://www.assessmentandplan.com
http://www.higgslaw.com