WHAT IS UNSECURED PHI? Unsecured PHI is PHI, in paper or electronic form, that has not been secured through the use of a technology or methodology specified by the Department of Health and Human Services (HHS) that renders the PHI unusable, unreadable, or indecipherable to unauthorized individuals.
WHAT IS A BREACH OF PHI? A “Breach” is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
BREACH RISK ASSESSMENT? CEs and BAs are required to perform and document risk assessments on breaches of unsecured PHI to determine whether there is a significant risk of harm to the individual as a result of the impermissible use or disclosure.
BUSINESS ASSOCIATE BREACH RESPONSIBILITIES? In the instance of a breach, the Business Associate shall, without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach, notify the Covered Entity of the breach. The notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during the breach. The Business Associate’s responsibilities under the HITECH Act should be included in the Covered Entity’s business associate agreement (BAA) with the Business Associate.
A BASIC HIPAA COMPLIANCE INITIATIVE: The project management and communications arrows surround the phases because these activities are continuous for as long as the implementation project is in progress.
HIPAA is a Federal law that sets national standards for how most health care providers must protect the privacy of a patient’s health information. Its initial thrust was to standardize electronic transactions and Code Sets.
There was a time when access to your medical records was largely up to your health care provider.
Prior to the HIPAA rules, your private health information really was not all that private: it could legally be sold or accessed, and it could be used to determine your life insurance premiums or even your mortgage rate!
Blood Banking Service versus a Medical transcriptionist
For Example: Medical Record numbers – in a silo they would have no meaning, but this is information that, if used in the appropriate setting, “could reasonably be expected” to identify an individual. Though not actual health information, the point is that individually identifiable information is information that can be linked back to the individual and their health information.
These are the only two methods that have been approved by the Department of Health and Human Services to secure PHI.
When PHI can be used or disclosed along with other legally required purposes (e.g., criminal investigations)
Treatment – a discussion by the Attending physician with a consulting physician about a proposed treatment plan for the patient
Health Care Operations – Quality and Process Improvement purposes
How PHI must be used or disclosed
That require prior authorization from the patient or his/her personal representative
Discuss the state pre-emption as it relates to common-law spouses.
Durable Power of Attorney and Health Care Powers of Attorney: this designation trumps the marital relationship, and why.
Best Practice is to develop a standardized authorization to release form that includes the required language.
Earlier I mentioned that as a result of the HIPAA laws a patient had greater access to and control over their PHI; in this section I’d like to detail those rights.
Just as the patient has the right to access his or her PHI, he or she has a right to know who else has accessed their PHI. The HIPAA Privacy Compliance date was April 14, 2003.
Alcoholism, drug abuse etc.
Additional Burden
Disclosures for payment purposes – can request that out of pocket services not be disclosed to an insurance company for payment evaluations.
The HIPAA Security laws apply specifically to ePHI, or electronic PHI. PHI itself is protected regardless of how it is stored: paper, electronic, photographs and radiographs, among other things. For Example: Access to the Medical Records Department is locked and restricted to those authorized to enter; or electronic PHI is encrypted so that if it were inadvertently intercepted it would be useless to the interceptor.
Federal privacy/security laws (HIPAA) were expanded to protect patient health information. HIPAA privacy and security laws now apply directly to business associates of covered entities. HITECH:
Defines actions that constitute a breach of patient health information (including inadvertent disclosures) and requires notification to patients if their health information is breached.
Allows patients to pay out of pocket for a health care item or service in full and to request that the claim not be submitted to the health plan.
As I mentioned earlier, provides patients, upon request, an accounting of disclosures of health information.
Prohibits the sale of a patient’s health information without the patient’s written authorization, except in limited circumstances involving research or public health activities.
Prohibits covered entities from being paid to use patients’ health information for marketing purposes without patient authorization, except for limited communication to a patient about a drug or biologic that the patient is currently being prescribed.
Requires personal health record (PHR) vendors to notify individuals of a breach of patient health information.
Requires non-covered HIPAA entities such as Health Information Exchanges, Regional Health Information Organizations, e-Prescribing Gateways, and PHR vendors to have business associate agreements with covered entities for the electronic exchange of patient health information.
Authorizes increased civil monetary penalties for HIPAA violations.
Grants enforcement authority to state attorneys general to enforce HIPAA.
Best Practice includes assembling a database of all business associate agreements, providing addenda to all existing BAAs, and developing a BAA template that includes the new HIPAA HITECH requirements. Blood Bank issue – notice of intent to terminate the business associate agreement.
As a result of the ARRA came the National Breach Notification Rules. Most states have had privacy laws on the books for some time, and within these laws were specific procedures for notification subsequent to a breach of private information. For Example: Some states have specific time frames, while others follow the federal guideline of “without unreasonable delay and in no case longer than 60 days”.
The radiology department accidentally faxes a patient’s Head CT report to the Dietary Department. This is not a Breach of PHI if the Dietary Department notifies Radiology and then places the PHI in a locked shred box. In this instance, by placing the PHI in the shred box, the Dietary Department has ensured that there will be no further use or disclosure of that PHI.
Notably, not all breaches require patient notification. In the event of an alleged breach, a risk assessment must be done regarding the type of information that was improperly used or disclosed. The CE or BA must:
Determine whether there has been an impermissible use or disclosure of PHI (as defined by the HIPAA Privacy Rule);
Determine and document whether the impermissible use or disclosure compromises the security or privacy of the PHI; and
If necessary, determine whether the incident falls under one of the three exceptions, where no notification is required.
Exceptions: If the PHI is improperly disclosed to another HIPAA CE; if the CE or BA immediately takes steps to mitigate the impermissible use or disclosure; or if the PHI is returned before it can be improperly accessed.
Best Practice is to develop a Breach notification letter template.
Pre-establish the steps those affected would need to follow in the event of a breach.
Redemption Codes for Identity theft protection plans or more detailed breach reaction services – on-going services wherein specially trained customer service representatives
Don’t forget the state pre-emption analysis!
Here the requirement is that the BA notify the Covered Entity; as I indicated on the previous slide, it is the responsibility of the CE to notify the affected party. There is nothing to preclude the BA from participating in the notification process. For Example: A contracted dialysis service has a computer stolen from the dialysis lab. This computer contains PHI that belongs to the host hospital but is being used by the dialysis service for treatment purposes. The dialysis service is required to notify the host hospital (CE) of the breach, and with the permission of the host hospital, the dialysis service may participate in notifying those affected because of the pre-existing relationship. The BA is not authorized to notify those affected without the permission of the CE or host hospital.
Along with breaches that fall under the risk assessment’s three exceptions, there is also a Safe Harbor from the breach notification requirement.
As we discussed previously, secured ePHI has been encrypted; PHI in paper format is secured by a method consistent with the HIPAA Privacy and Security rules, such as a locked secure area protected from unauthorized access, use or disclosure, and other recommended methods. Unsecured PHI is the converse.
Best Practice is to secure PHI.
The breach log should also include a summary of the risk assessment performed to determine this is or was a reportable breach.
The HIPAA laws have also resulted in more stringent enforcement and accountability standards.
The April edition of the Guide to Medical Privacy and HIPAA reports that a major insurer has spent 7 million dollars, and counting, to mitigate the largest reported data breach in history. Fifty-seven company hard drives were stolen from a leased facility, resulting in the largest reported breach since the HITECH notification requirements took effect. The hard drives contained information that was encoded, but not encrypted. The breached files contained recordings of telephone calls between providers and the company’s customer service representatives relating to eligibility and coordination of care. The 7 million dollars has been spent on credit and identity monitoring services, security audits and the cost of employees to investigate and analyze hundreds of thousands of breached files.
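The distinction the Safe Harbor turns on, and the one the stolen-hard-drive case above illustrates, is that encoded data is not secured data: an encoding can be reversed by anyone who recognizes it, while properly encrypted data is unusable without the key. The program below is an added example, not part of the original presentation; it uses a constructed sample record (the MRN and report text are made up) and Go's standard-library AES-256-GCM to show both behaviours side by side.

```go
package main

// Added example (not from the original presentation): contrasts
// "encoded" data, which anyone can reverse, with "encrypted" data,
// which is unusable without the key. The sample record is constructed.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// sampleRecord is a constructed stand-in for a PHI record.
const sampleRecord = "MRN 000123; Head CT: no acute findings"

// EncodeRecord base64-encodes the record. This is a transport format,
// not a security control: no secret is involved.
func EncodeRecord(plaintext []byte) string {
	return base64.StdEncoding.EncodeToString(plaintext)
}

// DecodeRecord reverses the encoding with no key at all, which is why
// encoded-but-not-encrypted data is still "unsecured PHI".
func DecodeRecord(encoded string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(encoded)
}

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals the record with AES-256-GCM.
// Output layout is nonce || ciphertext || authentication tag.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord opens a sealed record. A wrong key or any modified byte
// yields an error rather than garbled output, because GCM authenticates.
func DecryptRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	plaintext := []byte(sampleRecord)

	// Encoding: recovered by anyone, no key needed.
	recovered, _ := DecodeRecord(EncodeRecord(plaintext))
	fmt.Printf("encoded, recovered with no key: %q\n", recovered)

	// Encryption: useless without the key, readable with it.
	key, _ := NewKey()
	sealed, _ := EncryptRecord(key, plaintext)
	wrongKey, _ := NewKey()
	if _, err := DecryptRecord(wrongKey, sealed); err != nil {
		fmt.Println("encrypted, wrong key:", err)
	}
	opened, _ := DecryptRecord(key, sealed)
	fmt.Printf("encrypted, right key: %q\n", opened)
}
```

The key management that makes this a real safeguard (where the key lives, who can use it, and that it is never stored beside the drive it protects) is what an assessor will ask about; a ciphertext whose key sits on the same stolen disk is no more secured than the encoded recordings in the case above.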
I’d like to leave you with some strategies for HIPAA compliance.
At the most basic level, compliance strategies must be based upon…
Although the HIPAA rules are complicated in their construction, surprisingly most of the laws are based upon common sense and treating the information as if it belonged to you.
Find out or establish where your organization is right now on the Compliance continuum.