CAHU EXPO Grove City, OH 2014


HIPAA Presentation for CAHU Expo in Columbus, OH.


1. HIPAA Privacy and Security 2.0 for Health Insurance Agents and Brokers
   Jason Karn, Director of IT
   Total HIPAA Compliance, LLC
   www.twi?
   800-344-6381

2. Topics for Today
   • HIPAA 2.0
     – Privacy
     – Security
     – Breach
     – Penalties
   • Marketplace Privacy Rules

3. Types of Protected Information: NPPI, PHI, PII
   • PHI: health information about a person in a health insurance plan
   • PII: medical, educational, financial, and employment information about a person in connection with the sale of a product in the Marketplaces only
   • NPPI: non-public information that an agent has about a potential or existing insured, regardless of line of coverage

4. When Did the New HIPAA Regulations Go Into Effect?
   Requirements for the updated 2013 Omnibus Rules went into effect September 23, 2013.
   Non-compliance is potentially very expensive.

5. HIPAA Compliance is Required for:
   • Medical
     – Medicare Supplement
     – Drug Coverage
   • Dental
   • Vision
   • Long Term Care Insurance
   Neither selling only a little of these lines of insurance nor the size of your agency exempts you.

6. HIPAA is Not Required for:
   • Short-term and long-term disability
   • AD&D (Accidental Death and Dismemberment)
   • Life insurance
   • Worker's Compensation
   • Auto medical insurance
   • Fitness-for-duty exams (DOT or OSHA exams)
   • Drug testing
   • Work-life benefits (on-site clinics; fitness center)
   • Family Medical Leave Act (FMLA)
   • Americans with Disabilities Act (ADA)

7. Best Business Practices
   If you're coming in contact with Protected Health Information (PHI), no matter what type of insurance you are selling, you should be trained!
   • Needed in order to share information in a multiline agency
   • Reduces potential liability

8. Key HIPAA Groups

9. Changes in HIPAA 2.0?
   • Business Associates' Subcontractors and BAs must meet the same requirements as Covered Entities
   • Increases in fines and penalties for breaches of health information
   • Encryption required for all Protected Health Information (PHI) files and emails
   • Implement new Policies and Procedures for Security and Privacy
   • Staff needs to be trained on both the HIPAA rules and your Policies and Procedures
10. HIPAA Privacy

11. HIPAA Privacy Regulations
   General Rule: Covered Entities, their Business Associates and their Subcontractors may not use or disclose an individual's Protected Health Information (PHI) without the authorization of the individual unless specifically required or allowed by the privacy regulation.
   Protects PHI in ANY form (oral, written, electronic).

12. Protected Health Information (PHI)
   • Individually identifiable health information that can be linked to a particular person
   • Common identifiers linking health information to a person include names, social security numbers, addresses, credit card numbers and birth dates

13. Protected Health Information (PHI)
   Specifically, PHI can relate to:
   • An individual's past, present or future physical or mental health condition
   • The provision of health care to the individual
   • The past, present, or future payment for the provision of health care to an individual

14. Permitted Uses for PHI
   • Treatment
   • Payment
   • Health Care Operations
     – Auditing, credentialing, obtaining reinsurance, etc.
   • Certain Public Policy Exceptions
   • All other uses require an individual's written or verbal authorization

15. Subcontractors
   The 2013 Regulations expand the rules to include Subcontractors.
   Why so important?
   • Your agency could have direct liability for a subcontractor's mistakes
   • Could jeopardize not only your business relationships but also expose you to penalties

16. Subcontractors
   What must you do?
   – Have them sign a Subcontractor Business Associate Agreement
   – Ensure they train their employees and implement policies and procedures concerning HIPAA Privacy and Security

17. Subcontractors
   If your Subcontractors are NOT compliant, this could be a liability issue for your agency. In accordance with the Federal Common Law of Agency, it is now YOUR responsibility to make sure that your Subcontractors are implementing and following HIPAA.
18. HIPAA Security

19. Why a Security Rule?
   • Important with increased use of technology for data transmission
     – Emails
     – Electronic enrollments
     – Storage of data
   Electronic information has different guidelines for handling and protecting.

20. Description of the Security Rule
   Requires protections for electronic Protected Health Information (ePHI) in three ways:
   • Confidentiality
     – ePHI concealed from people who do not have the right to see the information
   • Integrity
     – Information not improperly changed or deleted
   • Availability
     – Information can be accessed whenever it is needed

21. Protect the Business
   Do a Risk Assessment:
   • Analysis of computer systems
   • How do you protect paper and electronic files?
   • How do you encrypt documents for storage and transmission (such as email)?
   • Password protection and time-outs on ALL electronic devices
   • Have you encrypted all hard drives and/or storage devices?
   • How are you backing up your computers?

22. Specific Staff Expectations
   • Manage passwords
     – Have staff members choose and remember them
     – Change passwords regularly
     – Notify the information security officer if concerned that a password is being improperly used by someone else
   • Identify and keep out malicious software
   • Use workstations properly
   • Know sanction policies
   • Learn and follow agency Privacy and Security Policies and Procedures

23. Specific Staff Expectations Cont'd
   • Limit use of external devices that might introduce viruses into the system: CDs, iPods, USB drives, tablet computing devices, smart phones
   • Establish policies on use of personal computing devices in the agency's network (BYOD)
   • Restrict family members or friends from using the computers in off-site locations, which could introduce viruses and expose you to inadvertent ePHI disclosure
   • Implement strict controls on web surfing for personal enjoyment or downloading free programs or music from the Internet to office machines
24. Breach

25. What Is a Breach?
   PHI that has been accessed, used, acquired or disclosed to an unauthorized person.

26. Breach
   These rules apply to PHI in any format:
   • ePHI (electronic PHI)
   • Paper
   • Oral

27. Breach Process
   A breach occurs. Was the information encrypted?
   • Yes: No Breach
   • No: Presumed Breach

28. Presumed Breach
   • Written Notice
   • Calls (if imminent threat)
   • 500 or More Affected?
     – Yes: Notify Media and HHS immediately
     – No: Notify HHS annually
   • Notice on Website

29. When There Is a Breach
   Any impermissible use or disclosure of PHI is presumed to be a breach, unless one can demonstrate that there is a low probability that the PHI has been compromised.

30. Exceptions
   • Unintentional access by employees
   • Inadvertent disclosure of PHI from one covered entity or business associate employee authorized to access PHI to a co-employee who is also authorized to access PHI
   • Unauthorized access to PHI by a third party who cannot reasonably use the information in its current format, or be able to retain the disclosed information

31. Breach Notification
   Notice Requirements:
   • Notify without unreasonable delay and at least within a 60-day timeframe
   • The clock starts on the date one knew, or reasonably should have known, about the breach
32. Penalties

33. Enforcement Results for 2012

34. Enforcement Results for 2013

35. Recent HIPAA Fines
   • Stanford Hospital settled a state lawsuit for $4 Million (March 2014)
     – The business associate is paying $3.3 Million of the settlement
   • Triple-S Management recently was fined $6.8 Million
     – Mishandled medical records for 70k individuals (February 2014)
   • WellPoint agreed to pay HHS $1.7 Million to settle a HIPAA case (July 2013)
     – On-line database left the ePHI of 612,402 individuals unprotected
   • Shasta Regional Medical Center settled a privacy breach for $275,000 (June 2013)
     – The CEO sent an email to 800 employees disclosing the confidential details of diabetes patients
   • Blue Cross Blue Shield Tennessee settled for $1.5 million (March 2012)
     – 57 unencrypted computer hard drives were stolen with ePHI of over a million individuals

36. Penalties from Omnibus Ruling
   Violation Category 1176(a)(1)            Each Violation      Maximum fine for an identical violation in a calendar year
   (A) Did Not Know                         $100-$50,000        $1,500,000
   (B) Reasonable Cause                     $1,000-$50,000      $1,500,000
   (C)(i) Willful Neglect - Corrected       $10,000-$50,000     $1,500,000
   (C)(ii) Willful Neglect - Not Corrected  $50,000             $1,500,000

37. Criminal Penalties
   Violation                                   Penalty
   Knowingly obtaining or disclosing PHI       $50,000 + one year prison
   Offenses conducted under false pretenses    Up to $100,000 + 5 years
   Intent to sell, $ gain, harm                Up to $250,000 + 10 years

38. GLB Penalties
   • You will lose your license to practice
   • You can be fined up to $100,000 per violation
   • Officers and directors can be fined up to $10,000 per violation
   • Fines will be doubled if GLB is violated along with another Federal law, or as part of a pattern of illegal activity involving more than $100,000 within a 12-month period; in that case he or she can be imprisoned for up to 10 years
   • Criminal penalties include imprisonment for up to 5 years, a fine, or both
39. Marketplace Privacy Rules

40. Marketplace Privacy Rules
   One of the big surprises in the agent/broker training for the Federally Facilitated Marketplace (FFM):
   • New obligations to protect Personally Identifiable Information (PII) within the marketplaces

41. Personally Identifiable Information (PII)
   Any information about an individual maintained, used, transmitted or stored by an agent/broker related to Marketplace transactions:
   • Any information that can be used to distinguish or trace an individual's identity
     – Examples: name, social security number, date and place of birth, mother's maiden name, or biometric records
   • Any other information that is linked or linkable to an individual
     – Examples: medical, educational, financial, and employment information

42. How Did I Get Here?
   If you have completed training for the Federally-Facilitated Marketplaces, and "signed" the Agreements...
   • You agreed to protect PII that you obtain in the course of selling or supporting individuals who purchase through the Marketplaces

43. What Exactly Did I Agree to Do?
   Protect any PII that is:
   • Created, collected, disclosed, accessed, maintained, stored, and used to perform any of the various Marketplace functions within the FFM, such as:
     – Assisting with applications for QHP eligibility
     – Supporting QHP selection and enrollment
     – Assisting with plan selection and plan comparisons
     – Transmitting information about decisions regarding QHP enrollment
     – Facilitating payment of the initial premium amount to the appropriate QHP

44. What Exactly Did I Agree to Do?
   Provide a Privacy Notice to all prospects and buyers in the Marketplace
   • Similar requirements to the Privacy Notices under HIPAA and GLB

45. What Am I Required to Do?
   • Must do the following:
     – If you have a website, prominently and conspicuously display a Notice of Privacy Practices
     – Review and revise as necessary, but at least annually
   • Meet data quality and integrity standards for PII
     – Identical to requirements within HIPAA Security
   • Breach notification
     – Broadly similar to HIPAA Breach rules but...
     – Must notify CMS if there is a breach within one hour of becoming aware of it
       • Telephone at (410) 786-2580 or 1-800-562-1963
       • Email notification at

46. What Are the Penalties?
   For any violation of PII protections:
   – $25,000 per person per violation
     • These are in addition to HIPAA and GLB penalties
   – Termination of your authority to do business through the Marketplace

47. QUESTIONS

48. Jason Karn, Director of IT
   Total HIPAA Compliance, LLC
   www.twi?
   800-344-6381