HIPAA Compliance: What Medical Practices and Their Business Associates Need to Know

Most medical practices are aware of the HIPAA HITECH requirements that affect their organizations, and of the fines they face if they are not compliant in the way they handle protected health information (PHI).

What many professionals don’t know is that HIPAA HITECH regulations also hold business associates (i.e. professionals from other companies who could also have access to PHI) just as responsible for protecting the data as the medical practices that own that information.


  1. HIPAA Compliance: What Medical Practices & Their Business Associates Need to Know (August 29, 2013)
  2. PRESENTER: Brian Rosenfelt, CPA, Skoda Minotti Risk Advisory Services
     • Former controller, CFO and operations executive in a variety of industries
     • Served as business process engineer with Kaiser Permanente
     • Leads Skoda Minotti’s HIPAA consulting practice
     • Deep understanding of accounting, technology and compliance
  3. AGENDA
     • HIPAA History
     • Definitions
     • Major Provisions
     • 2013 Omnibus Rules
     • Compliance and Enforcement
     • Risk Assessment
     • Policies & Procedures
  4. WHAT IS HIPAA?
     • HIPAA: Health Insurance Portability & Accountability Act
     • Signed into law in 1996
     • Federal law protecting the privacy of Protected Health Information (PHI)
     • The overall purpose is to ensure the security and privacy of individual health information
  5. HIPAA HITECH ACT OF 2009
     Origins
     • Prior to 2009, HIPAA regulations were not being enforced consistently (if at all)
     • New act was meant to:
       – Strengthen controls and oversight of PHI
       – Improve breach notification requirements
       – Expand the definition of covered entities and business associates
     • Built on the heels of providing incentives for doctors and hospitals to implement Electronic Medical Record (EMR) systems
  6. DEFINITIONS
     • Protected Health Information (PHI)
     • Covered Entity
     • Business Associate
  7. PROTECTED HEALTH INFORMATION (PHI)
     What is PHI?
     • Oral or written information created by a healthcare provider or other entity that relates to someone’s health or condition, healthcare received, or healthcare payment
     • Unsecured PHI is data that is not encrypted
     Examples of PHI
     • Medical information and records
     • Billing information and records
     • Medical insurance forms
     • Lab results
  8. COVERED ENTITY VS. BUSINESS ASSOCIATE
     Covered Entities
     • Health Care Provider (dentist, doctor, nursing home, pharmacy)
     • Health Plan (HMO, company health plan, health insurance companies)
     • Health Care Clearinghouse
  9. COVERED ENTITY VS. BUSINESS ASSOCIATE
     Business Associates
     • Attorneys
     • Accountants
     • Consultants
     • Third Party Administrator (claims processing, etc.)
     • Anyone who does, or could, come into contact with PHI
     • Others
       – Document shredding company
       – Cleaning company
       – Software company
     Business associates can be anyone with access to or potential access to health information.
  10. MAJOR PROVISIONS
     • Privacy Rule
     • Security Rule
     • Breach Notification Rule
     • Enforcement Rule
     • Unique Identifiers Rule
  11. PRIVACY RULE
     • Applies to use and disclosure of PHI
     • Reason for the HIPAA language and forms you sign at your doctor’s office
     • Requires patient authorization for certain disclosures (release of medical information to employer, relative, etc.)
     • Disclosure permitted for treatment and/or payment purposes
  12. SECURITY RULE
     • Applies to the securing of ePHI (electronic protected health information)
     • Requires implementation of three types of safeguards:
       – Administrative (policies and procedures)
       – Physical (access to server room, access to patient paper records)
       – Technical (email encryption, password policies, technical auditing)
  13. BREACH NOTIFICATION RULE
     • Risk of Harm evaluation (old rule)
     • Risk Assessment and “Low Probability” (new rule)
     • What should the Risk Assessment look for?
       – Type of PHI compromised
       – Who compromised the PHI
       – Was the PHI actually viewed
       – How was the breach/violation mitigated
  14. A LONG TIME COMING …
     • Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted on February 17, 2009
     • Proposed Regulations: July 14, 2010
     • Final “Omnibus” HIPAA Regulations: January 25, 2013
       – Effective Date: March 26, 2013
       – Compliance Date: September 23, 2013
     • Copy of final regulations: http://1.usa.gov/Wl60lE
       – 138 pages
  15. MAJOR CHANGES WITH THE NEW RULES
     Business Associate Liability Increased
     • Business Associates are now covered DIRECTLY under HIPAA (same rules and regulations as Covered Entities)
     • Security and privacy rules now apply to Business Associates
     • Information can only be used per contract language
     • Penalties now apply to Business Associates
     • Business Associates are now responsible for sub-Business Associates
  17. KEY CHANGES DUE TO HIPAA HITECH
     Breach Notification Rules
     • Requires Covered Entities and Business Associates to provide notification following a breach of unsecured PHI
     • Similar breach notification rules for vendors of personal health records and their 3rd party service providers
     • Covered Entities must notify affected individuals within 60 calendar days of the discovery
     • If the breach affects more than 500 individuals, the media and the Department of Health and Human Services must be notified
     • Business Associates are obligated to report breaches to the Covered Entity
  18. KEY CHANGES DUE TO HIPAA HITECH
     Business Associate Responsibilities
     • Must implement applicable privacy provisions
     • Must implement all of the HITECH security provisions
     • Now subject to the same civil and criminal penalties as Covered Entities
     • Contracts between Covered Entities and Business Associates must be amended to include new HITECH provisions
  19. HIPAA COMPLIANCE & ENFORCEMENT
     Original Rule
     • U.S. Department of Health & Human Services regulates and enforces HIPAA through its Office of Civil Rights (OCR)
     • Civil penalties: Fines start at $100 and can increase up to $25,000
     • Criminal penalties: Could include up to 10 years in prison and $250,000
     HIPAA HITECH ACT of 2009
     • State Attorneys General can also bring civil action in federal court if the interest of residents has been threatened or affected by a HIPAA violation
  20. HIPAA COMPLIANCE & ENFORCEMENT
     Potential Civil Penalties

     | Violation Category, Section 1176(a)(1)  | Each Violation   | All such violations of an identical provision in a calendar year |
     |-----------------------------------------|------------------|------------------------------------------------------------------|
     | (A) Did not know                        | $100-$50,000     | Up to $1,500,000                                                 |
     | (B) Reasonable cause                    | $1,000-$50,000   | Up to $1,500,000                                                 |
     | (C)(i) Willful neglect – Corrected      | $10,000-$50,000  | Up to $1,500,000                                                 |
     | (C)(ii) Willful neglect – Not Corrected | $50,000 or more  | Up to $1,500,000                                                 |

     SUMMARY: Fines are mandatory when failure to have training and reasonable procedures on proper disposal is discovered. HHS goes on to say that had they found proper training in the same case, the same incident would not have been deemed a case of willful neglect.
  21. HIPAA COMPLIANCE & ENFORCEMENT
     Potential Criminal Penalties

     | Type of Violation                      | Potential Jail Sentence |
     |----------------------------------------|-------------------------|
     | Unknowingly, or with reasonable cause  | Up to one year          |
     | Under false pretenses                  | Up to five years        |
     | For personal gain or malicious reasons | Up to ten years         |

  22. HIPAA COMPLIANCE & ENFORCEMENT
     Consequences
     • October 26, 2009: (Little Rock, Arkansas) sentencing of three healthcare workers who pled guilty to misdemeanor HIPAA violations based on accessing patient records without any reason
     • April 27, 2010: (California) press release entitled “Ex-UCLA Healthcare Employee Sentenced to Federal Prison for Illegally Peeking at Patient Records”; first person to be convicted and imprisoned for HIPAA offenses based only on unauthorized access of PHI
  23. HIPAA COMPLIANCE & ENFORCEMENT
     Consequences
     • January 9, 2012: Minnesota Attorney General brought action against Accretive Health, Inc. (a business associate, NOT a covered entity), in the wake of the theft of a company laptop computer that contained over 23,500 patient records
     • April 17, 2012: Phoenix Cardiac Surgery, P.C. agreed to pay $100,000 and take corrective action after they were found to have posted a patient appointment calendar online
  24. HOW TO GET COMPLIANT
     Begin with a thorough RISK ASSESSMENT
     • Essential component of HIPAA compliance
     • Can help your organization identify its most critical areas of vulnerability
     • The Risk Assessment will form the basis of determining how risks should be managed and/or minimized
     • This is a necessary strategy to identify potential gaps in your security environment (physical and electronic)
     • Required by HIPAA
  25. HOW TO GET COMPLIANT
     • Risk exposure decreases significantly when an organization knows where its PHI is stored and what procedures are in place to access it
     • A complete risk assessment examines four critical areas:
       – Process
       – Governance
       – People
       – Technology
  26. UPDATING POLICIES & PROCEDURES
     • Assess the current policies and procedures (if they exist)
       – Breach notification requirements
       – Incident management procedures
       – Training requirements and procedures
     • Prior to HITECH, Business Associates did not need to produce documentation
  27. UPDATING POLICIES & PROCEDURES
     • Update documentation; address high risk areas first
     • A strong disciplinary policy is a necessity
       – Training without enforcement is of little value
       – Establish consequences for violation of HIPAA security policies
       – Take strong action against employees who violate policies and procedures (especially those that relate to security policies)
  28. UPDATING POLICIES & PROCEDURES
     • Training on policies and procedures is critical
       – Train based on the highest risk area according to your assessment
       – Regular, ongoing training for the entire workforce (no exceptions) is a must
       – Training focus on remote access and removable media is important (movement of ePHI)
  29. UPDATING POLICIES & PROCEDURES
     • Require all those with remote access, or who use portable media of any type, to sign an attestation stating they:
       – Received the education
       – Agree to abide by the policies of the organization
       – Understand the risk to ePHI inherent in electronic use
       – Know the degree of discipline they face for violating the policies
  30. UPDATING POLICIES & PROCEDURES
     • HIPAA requires documentation to be retained for six years
     • The organization must be able to show that the documentation was available to the persons responsible for implementing the procedure
     • A procedure is required for reviewing documentation and ensuring it remains up-to-date
     • Evidence of employee training and an acknowledgement of policies and procedures are also required
  31. INVOLVE EVERYONE
     • Interview department directors to understand their risk concerns and the controls in place
     • Including them in the HIPAA security processes helps to ensure they will be educated and “on-board” with the controls you recommend
     • People are the most important component of an effective security program
  32. QUESTIONS?
     For additional information about Skoda Minotti’s HIPAA consulting and compliance services, contact us at:
     Brian Rosenfelt, CPA
     Skoda Minotti Technology Partners
     brosenfelt@skodaminotti.com
     (440) 449-6800
     Website: www.skodaminotti.com
     Other Services:
     • Audit
     • Tax
     • IT Consulting
     • Phone Systems
     • Marketing
     • Investments
     • Security