Module 1 state attorneys general enforcement of federal health privacy law

Published in: Technology, Education

  1. Module 1: State Attorneys General Enforcement of Federal Health Privacy Law
     HIPAA Enforcement Training for State Attorneys General
  2. Module 1: Introduction
     This module of the HIPAA Enforcement Training for State Attorneys General (SAG) provides an overview of:
     • ARRA/HITECH’s impact on SAG
     • HIPAA rules and terminology
     • Identifying potential HIPAA violations
     • Investigating potential HIPAA violations
  3. Module 1: Objectives
     After completing this module, you will be able to:
     • Discuss your authority under ARRA/HITECH
     • Define terminology and the premise of the Privacy Rule
     • Explain the purpose of the Security Rule
     • Identify potential HIPAA violations and your role in investigating alleged violations
  4. Lesson 1: ARRA/HITECH’s Impact on State Attorneys General – Objectives
     After completing this lesson, you will be able to:
     • Describe SAG authority for enforcement of HIPAA under ARRA/HITECH
     • Discuss the effect of ARRA/HITECH on how HIPAA applies to business associates and breach notifications
  5. Lesson 1, Topic 1: Overview of ARRA/HITECH Requirements
     ARRA addresses health information technology:
     • Title XIII and Title IV of Division B are known as the Health Information Technology for Economic and Clinical Health (HITECH) Act
     • Subtitle D of HITECH addresses health information privacy
     • Effective Date: February 17, 2009
  6. Lesson 1, Topic 2: Overview of SAG Role in HIPAA Enforcement Under ARRA/HITECH
     • Subtitle D § 13410 – Improved Enforcement
     • SAG may bring civil actions for alleged violations of HIPAA Privacy and Security on behalf of state residents
     • ARRA/HITECH instituted federal breach notification requirements
     • Extended liability under HIPAA Rules to Business Associates of Covered Entities
  7. Lesson 1, Topic 3: SAG HIPAA Enforcement Action
     Activity 1: State of Connecticut case
     • Take about 10 minutes to read paragraphs I–IV
     • Located on page 1 of your Appendix
     • Keep in mind the various elements
  8. Lesson 2: HIPAA Overview – Objectives
     After completing this lesson, you will be able to:
     • Describe the HIPAA statute and regulations
     • Explain the purpose and function of the HIPAA Privacy Rule
     • Discuss the purpose and function of the HIPAA Security Rule
  9. Lesson 2, Topic 1: Overview
     Topic 1 will address these questions:
     • Why HIPAA
     • What is HIPAA
     • Who is regulated and protected
     • What information
     • How – rule making
  10. Lesson 2, Topic 1: Why HIPAA?
     • The potential consequences of not protecting privacy or security can be severe
     • In 1996, Congress passed HIPAA, which includes provisions calling for privacy and security protections
  11. Lesson 2, Topic 2: What is HIPAA?
  12. Lesson 2, Topic 2: What is HIPAA? (continued)
     Title II, Subtitle F – Administrative Simplification:
     • Encourages efficiencies in exchange of health information
     • Requires HHS to adopt standards for electronic transmission of certain health information
     Title II, Subtitle F, Section 264, Recommendations with Respect to Privacy of Certain Health Information:
     • Requires the Secretary of HHS to establish standards with respect to privacy of individually identifiable health information if Congress does not do so in 3 years
  13. Lesson 2, Topic 2: What is HIPAA? (continued)
     Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification
  14. Lesson 2, Topic 2: What is HIPAA? (continued)
     Standard Transactions:
     • Health care claims or equivalent encounter information
     • Referral certification and authorization
     • Health care claim status
     • Health care payment and remittance advice
     • Eligibility for a health plan
     • Enrollment and disenrollment in a health plan
     • Health plan premium payments
     • Coordination of benefits
     Reference: 45 CFR § 162.1101
  15. Lesson 2, Topic 3: HIPAA Rules – Covered Entities
     A covered entity is:
     • A health plan
     • A health care clearinghouse
     • A health care provider who transmits any health information in electronic form in connection with a covered transaction, i.e. one for which the HHS Secretary has adopted standards
     Examples:
     • Requesting payment
     • Inquiring regarding the status of a health care claim
     Reference: 45 CFR § 160.103
  16. Lesson 2, Topic 3: HIPAA Rules (continued) – More Information on Health Plans
     A Health Plan includes:
     • Health insurance companies
     • Health Maintenance Organizations (HMOs)
     • Group health plans (e.g. employer-sponsored health plans)
     • Government programs that pay for health care:
       – Medicare & Medicaid
       – Military & veterans health care programs
  17. Lesson 2, Topic 3: HIPAA Rules (continued) – More Information on Health Care Clearinghouses
     Health care clearinghouses:
     • Receive health information from other entities
     • Process or facilitate the processing of health information to or from non-standard formats to or from standard formats
  18. Lesson 2, Topic 3: HIPAA Rules (continued) – Individually Identifiable Health Information (IIHI)
     As defined in HIPAA & the Privacy Rule, IIHI is: health information (including demographic information collected from an individual) if it is created or received by a health care provider, health plan, employer, or health care clearinghouse...
  19. Lesson 2, Topic 3: HIPAA Rules (continued) – Individually Identifiable Health Information (IIHI) (continued)
     ...and relates to the:
     • Past, present, or future physical or mental health or condition of an individual
     • Provision of health care to an individual
     • Past, present, or future payment for the provision of health care to an individual
  20. Lesson 2, Topic 3: HIPAA Rules (continued) – Individually Identifiable Health Information (IIHI) (continued)
     Information categorized as IIHI must also satisfy the criteria of identifying the individual or providing a reasonable basis to believe it can be used to identify the individual.
     A patient’s name, contact information, and account numbers are generally considered to be individual identifiers and, if created or received by a covered entity, would be IIHI.
     Reference: 45 CFR § 160.103
  21. Lesson 2, Topic 3: HIPAA Rules (continued) – Protected Health Information (PHI)
     Protected health information means individually identifiable health information:
     (1) Except as provided in paragraph (2) of this definition, that is:
       (i) Transmitted by electronic media;
       (ii) Maintained in any medium described in the definition of electronic media at 45 CFR § 160.103 of this subchapter; or
       (iii) Transmitted or maintained in any other form or medium.
  22. Lesson 2, Topic 3: HIPAA Rules (continued) – Protected Health Information (PHI) (continued)
     (2) Protected health information excludes individually identifiable health information in:
       (i) Education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g; and records described at 20 U.S.C. 1232g(a)(4)(B)(iv)
       (ii) Employment records held by covered entities in their role as employer
     Reference: 45 CFR § 160.103
  23. Lesson 2, Topic 3: HIPAA Rules (continued) – Examples of PHI
     • Medical records of patients that visit a covered provider’s office
     • Billing records
     • Other records that contain enough information to identify the individual
     Reference: 45 CFR § 160.103
  24. Lesson 2, Topic 3: HIPAA Rules (continued) – Electronic Protected Health Information (ePHI)
     ePHI is protected health information that is maintained in, or transmitted in, electronic media by a covered entity.
  25. Lesson 2, Topic 3: HIPAA Rules (continued) – Business Associates
     • A business associate is a person or entity that performs a function or activity on behalf of a covered entity, or provides certain services to a covered entity that involve the use or disclosure of PHI
     • Covered entities are generally required to execute a written contract or other written agreement/arrangement with each of their business associates
  26. Lesson 2, Topic 3: HIPAA Rules (continued) – Business Associates (continued)
     Business associates include individuals or organizations that conduct:
     – Legal services
     – Accounting services
     – Billing
     – Claims processing or administration
     – Practice management
     – Repricing
     – Quality assurance
     – Benefits management
     – Data analysis
     – Utilization review
  27. Lesson 2, Topic 3: HIPAA Rules (continued) – Business Associates (continued)
     • Not every entity that a covered entity does business with is a business associate:
       – A member of the covered entity’s workforce is not a business associate
       – A conduit of PHI (e.g., U.S. Postal Service or a messenger service) is not a business associate
     • A covered entity can be a business associate of another covered entity
     Reference: 45 CFR § 160.103
  28. Lesson 2, Topic 4: HIPAA Privacy Rule
     Full citation: “Standards for the Privacy of Individually Identifiable Health Information; Final Rule.” 65 Federal Register (FR) 82462 (December 28, 2000)
  29. Lesson 2, Topic 4: HIPAA Privacy Rule (continued)
     Modified by:
     • “Technical Corrections to the Standards for Privacy of Individually Identifiable Health Information,” 65 FR 82944 (December 29, 2000)
     • “Standards for Privacy of Individually Identifiable Health Information,” 67 FR 53182 (August 14, 2002)
     • “Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings,” 68 FR 18895 (April 17, 2003)
     • “HIPAA Administrative Simplification: Enforcement,” 71 FR 8390 (February 16, 2006)
     • “HIPAA Administrative Simplification: Enforcement,” 74 FR 56123 (October 30, 2009)
  30. Lesson 2, Topic 4: HIPAA Privacy Rule (continued)
     Incorporated at:
     • 45 Code of Federal Regulations (CFR), Part 160 – Includes definitions, preemption provisions, compliance and investigations, imposition of civil money penalties, and procedures for hearings for all Administrative Simplification provisions
     • 45 CFR, Part 164, titled “Security and Privacy”
       – Subpart A – Includes general provisions, such as definitions, that apply to both the Privacy and Security Rules
  31. Lesson 2, Topic 4: HIPAA Privacy Rule (continued)
     45 CFR, Part 164, titled “Security and Privacy”
     • Subpart E, among other things:
       – Establishes standards for use and disclosure of PHI by covered entities
       – Establishes individuals’ rights with regard to their PHI
       – Sets out the general rule that covered entities/business associates may only use and disclose PHI as permitted or required by the HIPAA Privacy Rule
       – Provides standards explaining permitted and required uses and disclosures
       – Outlines administrative requirements for covered entities
  32. Lesson 2, Topic 5: HIPAA Security Rule
     Full citation:
     • “Health Insurance Reform: Security Standards; Final Rule.” 68 FR 8334 (February 20, 2003).
     Incorporated at:
     • 45 CFR, Part 160, and Subpart C of Part 164
  33. Lesson 2, Topic 5: HIPAA Security Rule (continued)
     45 CFR, Part 164, Subparts A and C:
     • Address security standards and implementation specifications to protect electronic PHI (ePHI) from unauthorized disclosure or access
     • Define three types of safeguards that covered entities are required to have in place to protect ePHI:
       – Administrative
       – Physical
       – Technical
  34. Lesson 2: Recap
     Health Insurance Portability and Accountability Act:
     • Title I – Provides protection against loss of health insurance due to job loss (“portability”) and addresses fraud and abuse.
     • Title II – Establishes standards for transmission of electronic health information
       – Subtitle F – Recommendations for protection of the privacy of health information
  35. Lesson 2: Recap (continued)
     Privacy Rule
     • Establishes standards for covered entities to protect PHI
     • Establishes individuals’ rights with regard to their PHI
     Security Rule
     • Establishes security safeguards covered entities are required to have in place to protect ePHI from unauthorized access or disclosure
  36. Lesson 3: Identifying Potential HIPAA Violations
  37. Lesson 3: Objectives
     After completing this lesson, you will be able to:
     • Discuss how to identify potential HIPAA violations
     • Describe what constitutes a violation of the HIPAA Rules
     • Recognize whether or not other cases under SAG investigation may also raise issues under the HIPAA Rules
  38. Lesson 3, Topic 1: Identifying Potential HIPAA Violations
     How SAG may learn about violations of HIPAA:
     • Monitor local news outlets
     • Receive complaints directly
     • Whistleblowers
     • Referred cases from other agencies
  39. Lesson 3, Topic 2: Events and Conditions Constituting HIPAA Violations
     Inappropriate use or disclosure:
     • May be the first indicator of a HIPAA Privacy or Security Rule violation
     • Not required for proving the existence of a HIPAA Privacy or Security Rule violation
     • Upon investigation, further HIPAA Privacy or Security violations may be present
  40. Lesson 3, Topic 2: Events and Conditions Constituting HIPAA Violations (continued)
     Once a violation is suspected or detected, a SAG investigator will want to determine what provision or provisions of the Rules were violated.
     Investigators should keep in mind that the HIPAA Rule requires documentation of the covered entity’s policies and procedures for all standards. Investigators can look at both whether the policies and procedures met the requirements of the Rules and whether the policies and procedures themselves were followed. Also consider whether or not other related standards may be implicated.
  41. Lesson 3, Topic 3: Determining Whether Other Investigations by SAG May Have HIPAA Implications
     SAG may uncover violations of HIPAA by re-examining existing cases.
     Examples:
     • Health care fraud
     • Labor and employment
     • Adherence to state laws involving health care access and licensure
  42. Lesson 3: Recap
     Local news stories, residents’ complaints, or current civil or criminal caseloads may reveal a HIPAA violation.
     A public exposure of PHI may sometimes, but not always, indicate a failure to comply with the HIPAA Privacy and Security Rules.
  43. Lesson 4: Investigating Potential HIPAA Violations
  44. Lesson 4: Objectives
     After completing this lesson, you will be able to:
     • Recognize when multiple violations of HIPAA result from a single incident
     • Describe the interrelationship of violations of the Privacy and Security Rules
  45. Lesson 4, Topic 1: Multiple Violations Resulting from Single Incidents or Programs
     Multiple violations of the various aspects of the Privacy Rule could be uncovered during the investigation of one incident.
  46. Lesson 4, Topic 2: Relationship of Security Violations to Privacy Violations
     • A violation of the Security Rule can lead to a violation of the Privacy Rule
     • If confidentiality is not protected, privacy can be violated
  47. Module 1: Knowledge Check
     Question 1: Which Act extends enforcement of HIPAA to SAG?
     Question 2: What rule says that PHI may be used or disclosed for certain purposes?
     Question 3: What must covered entities have in place to protect PHI?
     Question 4: What are some ways that you might learn of HIPAA violations in your state?
  48. Module 1: Recap
     • ARRA/HITECH gave authority to SAG for HIPAA enforcement at the state level
     • ARRA/HITECH established new breach notification requirements
     • ARRA/HITECH extended the Privacy and Security Rules to business associates of covered entities
     • HIPAA Title II, Subtitle F, required the Secretary of HHS to establish security standards, and health privacy standards if Congress did not do so
     • The result was the Privacy and Security Rules, which apply to covered entities
  49. Module 1: Recap (continued)
     • News reports may reveal potential HIPAA violations due to a breach
     • An investigator may establish a fact pattern by determining what requirements were not met
     • An investigation may reveal multiple violations of both the Privacy Rule and Security Rule
  50. Module 1: Summary
     Having completed this module, you are able to:
     • Discuss your authority under ARRA/HITECH
     • Define terminology and the premise of the Privacy Rule
     • Explain the purpose of the Security Rule
     • Identify potential HIPAA violations and your role in investigating alleged violations
