CAHU EXPO Grove City, OH 2014

HIPAA Presentation for CAHU Expo in Columbus, OH.

Transcript of "CAHU EXPO Grove City, OH 2014"
  1. HIPAA Privacy and Security 2.0 for Health Insurance Agents and Brokers
     Jason Karn, Director of IT
     Total HIPAA Compliance, LLC
     jason@totalhipaa.com
     www.twitter.com/TotalHIPAA
     800-344-6381
  2. Topics for Today
     • HIPAA 2.0
       – Privacy
       – Security
       – Breach
       – Penalties
     • Marketplace Privacy Rules
  3. Types of Protected Information (NPPI, PHI, PII)
     PHI: health information about a person in a health insurance plan
     PII: medical, educational, financial, and employment information about a person in connection with sale of product in Marketplaces only
     NPPI: non-public information that an agent has about a potential or existing insured, regardless of line of coverage
  4. When Did the New HIPAA Regulations Go Into Effect?
     Requirements for the updated 2013 Omnibus Rules went into effect September 23, 2013
     Non-compliance is potentially very expensive
  5. HIPAA Compliance is Required for:
     • Medical
       – Medicare Supplement
       – Drug Coverage
     • Dental
     • Vision
     • Long Term Care Insurance
     Neither selling only a little of these insurances nor the size of your agency exempts you
  6. HIPAA is Not Required for:
     • Short-term and long-term disability
     • AD&D (Accidental Death and Dismemberment)
     • Life insurance
     • Worker's Compensation
     • Auto medical insurance
     • Fitness-for-duty exams (DOT or OSHA exams)
     • Drug testing
     • Work-life benefits (on-site clinics; fitness center)
     • Family Medical Leave Act (FMLA)
     • Americans with Disabilities Act (ADA)
  7. Best Business Practices
     If you're coming in contact with Protected Health Information (PHI), no matter what type of insurance you are selling, you should be trained!
     • In order to share information in a multiline agency
     • Reduces potential liability
  8. Key HIPAA Groups
  9. Changes in HIPAA 2.0?
     • Business Associates' Subcontractors and BAs must meet the same requirements as Covered Entities
     • Increases in fines and penalties for breaches of health information
     • Encryption required for all Protected Health Information (PHI) files and emails
     • Implement new Policies and Procedures for Security and Privacy
     • Staff needs to be trained on both the HIPAA rules and your Policies and Procedures
  10. HIPAA Privacy
  11. HIPAA Privacy Regulations
      General Rule: Covered Entities, their Business Associates and their Subcontractors may not use or disclose an individual's Protected Health Information (PHI) without the authorization of the individual unless specifically required or allowed by the privacy regulation
      Protects PHI in ANY form (oral, written, electronic)
  12. Protected Health Information (PHI)
      • Individually identifiable health information that can be linked to a particular person
      • Common identifiers linking health information to a person include names, social security numbers, addresses, credit card numbers and birth dates
  13. Protected Health Information (PHI)
      Specifically, PHI information can relate to:
      • An individual's past, present or future physical or mental health condition
      • The provision of health care to the individual
      • The past, present, or future payment for the provision of health care to an individual
  14. Permitted Uses for PHI
      • Treatment
      • Payment
      • Health Care Operations
        – Auditing, credentialing, obtaining reinsurance, etc.
      • Certain Public Policy Exceptions
      • All other uses require an individual's written or verbal authorization
  15. Subcontractors
      2013 Regulations expand rules to include Subcontractors
      Why so important?
      • Your agency could have direct liability for a subcontractor's mistakes
      • Could jeopardize not only your business relationships but also expose you to penalties
  16. Subcontractors
      What must you do?
      – Have them sign a Subcontractor Business Associate Agreement
      – Ensure they train their employees, and implement policies and procedures concerning HIPAA Privacy and Security
  17. Subcontractors
      If your Subcontractors are NOT compliant, this could be a liability issue for your agency. In accordance with the Federal Common Law of Agency, it is now YOUR responsibility to make sure that your Subcontractors are implementing and following HIPAA.
  18. HIPAA Security
  19. Why a Security Rule?
      • Important with increased use of technology for data transmission
        – Emails
        – Electronic enrollments
        – Storage of data
      Electronic information has different guidelines for handling and protecting
  20. Description of the Security Rule
      Requires protections for electronic Protected Health Information (ePHI) in three ways:
      • Confidentiality
        – ePHI concealed from people who do not have the right to see the information
      • Integrity
        – Information not improperly changed or deleted
      • Availability
        – Information can be accessed whenever it is needed
  21. Protect the Business
      Do a Risk Assessment:
      • Analysis of computer systems
      • How do you protect paper and electronic files?
      • How do you encrypt documents for storage and transmission (such as email)?
      • Password protection, and time-outs on ALL electronic devices
      • Have you encrypted all hard drives and/or storage devices?
      • How are you backing up your computers?
  22. Specific Staff Expectations
      • Manage passwords
        – Have staff members choose and remember
        – Change passwords regularly
        – Notify the information security officer if concerned that a password is being improperly used by someone else
      • Identify and keep out malicious software
      • Use workstations properly
      • Know sanction policies
      • Learn and follow agency Privacy and Security Policies and Procedures
  23. Specific Staff Expectations Cont'd
      • Limit use of external devices that might introduce viruses into the system: CDs, iPods, USB drives, tablet computing devices, smart phones
      • Establish policies on use of personal computing devices in the agency's network (BYOD)
      • Restrict family members or friends using the computers in off-site locations that could introduce viruses and expose to inadvertent ePHI disclosure
      • Implement strict controls on web surfing for personal enjoyment or downloading free programs or music from the Internet to office machines
  24. Breach
  25. What Is a Breach?
      PHI that has been accessed, used, acquired or disclosed to an unauthorized person
  26. Breach
      These rules apply to PHI in any format
      • ePHI (electronic PHI)
      • Paper
      • Oral
  27. Breach Process
      Breach occurs → Information encrypted?
      Yes: No Breach
      No: Presumed Breach
  28. Presumed Breach
      Written Notice; Calls (if imminent threat); Notice on Website
      500 or More Affected?
      Yes: Notify Media, HHS immediately
      No: Notify HHS annually
  29. When There Is a Breach
      Any impermissible use or disclosure of PHI is presumed to be a breach, unless one can demonstrate that there is a low probability that the PHI has been compromised
  30. Exceptions
      • Unintentional access by employees
      • Inadvertent disclosure of PHI from one covered entity or business associate employee authorized to access PHI to a co-employee who is also authorized to access PHI
      • Unauthorized access to PHI by a third party who cannot reasonably use the information in its current format, or be able to retain the disclosed information
  31. Breach Notification
      Notice Requirements:
      • Notify without unreasonable delay and at least within a 60-day timeframe
      • This starts on the date one knew, or reasonably should have known, about the breach
  32. Penalties
  33. Enforcement Results for 2012
  34. Enforcement Results for 2013
  35. Recent HIPAA Fines
      • Stanford Hospital settled a state lawsuit for $4 Million (March 2014)
        – The business associate is paying $3.3 Million of the settlement
      • Triple-S Management recently was fined $6.8 Million
        – Mishandled medical records for 70k individuals (February 2014)
      • WellPoint Agreed to Pay HHS $1.7 Million to Settle HIPAA Case (July 2013)
        – On-line database left the ePHI of 612,402 individuals unprotected
      • Shasta Regional Medical Center Settles Privacy Breach for $275,000 (June 2013)
        – The CEO sent an email to 800 employees disclosing the confidential details of diabetes patients
      • Blue Cross Blue Shield Tennessee Settled for $1.5 million (March 2012)
        – 57 unencrypted computer hard drives were stolen with ePHI of over a million individuals
  36. Penalties from Omnibus Ruling
      Violation Category 1176(a)(1)            | Each Violation    | Maximum fine for an identical violation in a calendar year
      (A) Did Not Know                         | $100-$50,000      | $1,500,000
      (B) Reasonable Cause                     | $1,000-$50,000    | $1,500,000
      (C)(i) Willful Neglect - Corrected       | $10,000-$50,000   | $1,500,000
      (C)(ii) Willful Neglect - Not Corrected  | $50,000           | $1,500,000
  37. Criminal Penalties
      Violation                                | Penalties
      Knowingly obtaining or disclosing PHI    | $50,000 + one year prison
      Offenses conducted under false pretenses | Up to $100,000 + 5 years
      Intent to sell, $ gain, harm             | Up to $250,000 + 10 years
  38. GLB Penalties
      • You will lose your license to practice
      • You can be fined up to $100,000 per violation
      • Officers and directors can be fined up to $10,000 per violation
      • Fines will be doubled if GLB is violated along with another Federal Law, or as part of a pattern of any illegal activity involving more than $100,000 within a 12-month period; he or she can be imprisoned for up to 10 years
      • Criminal Penalties include imprisonment for up to 5 years, a fine, or both
  39. Marketplace Privacy Rules
  40. Marketplace Privacy Rules
      One of the big surprises in the agent/broker training for the Federally Facilitated Marketplace (FFM)
      • New obligations to protect Personally Identifiable Information (PII) within the marketplaces
  41. Personally Identifiable Information (PII)
      Any information about an individual maintained, used, transmitted or stored by an agent/broker related to Marketplace transactions:
      • Any information that can be used to distinguish or trace an individual's identity
        Examples: name, social security number, date and place of birth, mother's maiden name, or biometric records
      • Any other information that is linked or linkable to an individual
        Examples: medical, educational, financial, and employment information
  42. How Did I Get Here?
      If you have completed training for the Federally-Facilitated Marketplaces, and "signed" the Agreements…
      • You agreed to protect PII that you obtain in the course of selling or supporting individuals who purchase through the Marketplaces
  43. What exactly did I agree to do?
      Protect any PII that is:
      • Created, collected, disclosed, accessed, maintained, stored, and used to perform any of the various Marketplace functions within the FFM such as:
        – Assisting with applications for QHP eligibility
        – Supporting QHP selection and enrollment
        – Assisting with plan selection and plan comparisons
        – Transmitting information about decisions regarding QHP enrollment
        – Facilitating payment of the initial premium amount to the appropriate QHP
  44. What Exactly Did I Agree to Do?
      Provide a Privacy Notice to all prospects and buyers in the Marketplace
      • Similar requirements to the Privacy Notices under HIPAA and GLB
  45. What Am I Required to Do?
      • Must do the following:
        – If you have a website, prominently and conspicuously display Notice of Privacy Practices
        – Review and revise as necessary but at least annually
      • Meet data quality and integrity standards for PII
        – Identical to requirements within HIPAA Security
      • Breach notification
        – Broadly similar to HIPAA Breach rules but…
        – Must notify CMS if there is a breach within one hour of becoming aware of it
          • Telephone at (410) 786-2580 or 1-800-562-1963
          • Email notification at cms_it_service_desk@cms.hhs.gov
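The breach decision flow on slides 27, 28, 29 and 31 (encrypted: no breach; unencrypted: presumed breach; 500 or more affected: HHS and media immediately, otherwise HHS annually; individual notice without unreasonable delay and within 60 days of when the breach was or should have been known) and the one-hour CMS notice for Marketplace PII on slide 45 can be captured as a small triage helper. The code below is an added example, not part of the presentation or of Total HIPAA Compliance's materials. The Incident and Obligation field names, the sample incident, and the choice to attach the 60-day outer limit as the due date of every individual-facing notice are this example's assumptions; the slides only say "without unreasonable delay".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Incident:
    discovered_at: datetime        # date the breach was known, or reasonably should have been known
    phi_encrypted: bool            # slide 27 decision point
    affected_count: int            # slide 28 threshold input
    imminent_threat: bool = False  # slide 28: calls in addition to written notice
    marketplace_pii: bool = False  # slide 45: Marketplace PII involved
    low_probability_of_compromise: bool = False  # slide 29: demonstrated by risk assessment


@dataclass
class Obligation:
    action: str
    due: Optional[datetime]  # None: no fixed date on the slides (annual HHS report)


@dataclass
class TriageResult:
    is_breach: bool
    reason: str
    obligations: List[Obligation]


HIPAA_OUTER_LIMIT = timedelta(days=60)  # slide 31
CMS_LIMIT = timedelta(hours=1)          # slide 45
LARGE_BREACH_THRESHOLD = 500            # slide 28


def triage(incident: Incident) -> TriageResult:
    """Return the notification obligations the slides attach to an incident."""
    # Slide 27: encrypted information is not a breach under this flow.
    if incident.phi_encrypted:
        return TriageResult(False, "PHI was encrypted: no breach", [])
    # Slide 29: unencrypted PHI is a presumed breach unless a low probability
    # of compromise can be demonstrated.
    if incident.low_probability_of_compromise:
        return TriageResult(False, "Low probability of compromise demonstrated", [])

    t0 = incident.discovered_at
    outer = t0 + HIPAA_OUTER_LIMIT  # assumption: use the 60-day outer limit as the due date
    obligations = [
        Obligation("Written notice to affected individuals", outer),
        Obligation("Post notice on website", outer),
    ]
    if incident.imminent_threat:
        obligations.append(Obligation("Telephone calls to affected individuals", outer))
    if incident.affected_count >= LARGE_BREACH_THRESHOLD:
        obligations.append(Obligation("Notify HHS immediately", t0))
        obligations.append(Obligation("Notify media immediately", t0))
    else:
        obligations.append(Obligation("Notify HHS in annual report", None))
    if incident.marketplace_pii:
        obligations.append(Obligation("Notify CMS (phone or email)", t0 + CMS_LIMIT))

    # Earliest deadline first; undated items last.
    obligations.sort(key=lambda o: (o.due is None, o.due or t0))
    return TriageResult(True, "Unencrypted PHI: presumed breach", obligations)


def due_map(result: TriageResult) -> dict:
    """Convenience view: action -> due datetime (or None)."""
    return {o.action: o.due for o in result.obligations}


def sample_incident() -> Incident:
    """Constructed sample incident for demonstration; not a real case."""
    return Incident(datetime(2014, 3, 1, 9, 0), phi_encrypted=False,
                    affected_count=1200, imminent_threat=True, marketplace_pii=True)


if __name__ == "__main__":
    result = triage(sample_incident())
    print(result.reason)
    for o in result.obligations:
        print(f"{o.due.isoformat() if o.due else 'annual report':20}  {o.action}")
```

Running it on the constructed incident lists the HHS and media notices first (due at discovery), the CMS notice one hour later, and the three individual-facing notices at the 60-day outer limit; flipping `phi_encrypted` to True yields no obligations at all, which is the point of the encryption requirement on slide 9.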
  46. What Are the Penalties?
      For any violation of PII protections
      – $25,000 per person per violation
        • These are in addition to HIPAA and GLB Penalties
      – Termination of your authority to do business through the Marketplace
  47. QUESTIONS
  48. Jason Karn, Director of IT
      Total HIPAA Compliance, LLC
      jason@totalhipaa.com
      www.twitter.com/TotalHIPAA
      800-344-6381