CAHU EXPO Grove City, OH 2014

1. HIPAA Privacy and Security 2.0 for Health Insurance Agents and Brokers

2. Jason Karn, Director of IT, Total HIPAA Compliance, LLC
jason@totalhipaa.com
www.twitter.com/TotalHIPAA
800-344-6381

3. Types of Protected Information: NPPI, PHI, PII
PHI: health information about a person in a health insurance plan
PII: medical, educational, financial, and employment information about a person in connection with the sale of a product in the Marketplaces only
NPPI: non-public information that an agent has about a potential or existing insured, regardless of line of coverage

4. When Did the New HIPAA Regulations Go Into Effect?
Requirements for the updated 2013 Omnibus Rules went into effect September 23, 2013.
Non-compliance is potentially very expensive.

5. HIPAA Compliance is Required for:
• Medical
– Medicare Supplement
– Drug Coverage
• Dental
• Vision
• Long Term Care Insurance
Neither selling only a little of these insurances nor the size of your agency exempts you.

6. HIPAA is Not Required for:
• Short-term and long-term disability
• AD&D (Accidental Death and Dismemberment)
• Life insurance
• Worker's Compensation
• Auto medical insurance
• Fitness-for-duty exams (DOT or OSHA exams)
• Drug testing
• Work-life benefits (on-site clinics; fitness center)
• Family Medical Leave Act (FMLA)
• Americans with Disabilities Act (ADA)

7. Best Business Practices
If you're coming in contact with Protected Health Information (PHI), no matter what type of insurance you are selling, you should be trained!
• In order to share information in a multiline agency
• Reduces potential liability

9. Changes in HIPAA 2.0?
• Business Associates' Subcontractors and BAs must meet the same requirements as Covered Entities
• Increases in fines and penalties for breaches of health information
• Encryption required for all Protected Health Information (PHI) files and emails
• Implement new Policies and Procedures for Security and Privacy
• Staff needs to be trained on both the HIPAA rules and your Policies and Procedures
11. HIPAA Privacy Regulations
General Rule: Covered Entities, their Business Associates and their Subcontractors may not use or disclose an individual's Protected Health Information (PHI) without the authorization of the individual unless specifically required or allowed by the privacy regulation.
Protects PHI in ANY form (oral, written, electronic).

12. Protected Health Information (PHI)
• Individually identifiable health information that can be linked to a particular person
• Common identifiers linking health information to a person include names, social security numbers, addresses, credit card numbers and birth dates

13. Protected Health Information (PHI)
Specifically, PHI can relate to:
• An individual's past, present or future physical or mental health condition
• The provision of health care to the individual
• The past, present, or future payment for the provision of health care to an individual

14. Permitted Uses for PHI
• Treatment
• Payment
• Health Care Operations
– Auditing, credentialing, obtaining reinsurance, etc.
• Certain Public Policy Exceptions
• All other uses require an individual's written or verbal authorization

15. Subcontractors
2013 Regulations expand rules to include Subcontractors. Why so important?
• Your agency could have direct liability for a subcontractor's mistakes
• Could jeopardize not only your business relationships but also expose you to penalties

16. Subcontractors
What must you do?
– Have them sign a Subcontractor Business Associate Agreement
– Ensure they train their employees, and implement policies and procedures concerning HIPAA Privacy and Security

17. Subcontractors
If your Subcontractors are NOT compliant, this could be a liability issue for your agency.
In accordance with the Federal Common Law of Agency, it is now YOUR responsibility to make sure that your Subcontractors are implementing and following HIPAA.
19. Why a Security Rule?
• Important with increased use of technology for data transmission
– Emails
– Electronic enrollments
– Storage of data
Electronic information has different guidelines for handling and protecting.

20. Description of the Security Rule
Requires protections for electronic Protected Health Information (ePHI) in three ways:
• Confidentiality
– ePHI concealed from people who do not have the right to see the information
• Integrity
– Information not improperly changed or deleted
• Availability
– Information can be accessed whenever it is needed

21. Protect the Business
Do a Risk Assessment:
• Analysis of computer systems
• How do you protect paper and electronic files?
• How do you encrypt documents for storage and transmission (such as email)?
• Password protection, and time-outs on ALL electronic devices
• Have you encrypted all hard drives and/or storage devices?
• How are you backing up your computers?

22. Specific Staff Expectations
• Manage passwords
– Have staff members choose and remember
– Change passwords regularly
– Notify the information security officer if concerned that a password is being improperly used by someone else
• Identify and keep out malicious software
• Use workstations properly
• Know sanction policies
• Learn and follow agency Privacy and Security Policies and Procedures

23. Specific Staff Expectations Cont'd
• Limit use of external devices that might introduce viruses into the system: CDs, iPods, USB drives, tablet computing devices, smart phones
• Establish policies on use of personal computing devices in the agency's network (BYOD)
• Restrict family members or friends using the computers in off-site locations that could introduce viruses and expose to inadvertent ePHI disclosure
• Implement strict controls on web surfing for personal enjoyment or downloading free programs or music from the Internet to office machines
25. What Is a Breach?
PHI that has been accessed, used, acquired or disclosed to an unauthorized person.

26. Breach
These rules apply to PHI in any format:
• ePHI (electronic PHI)
• Paper
• Oral

27. Breach Process (flowchart)
Breach occurs → Information encrypted?
– Yes: No breach
– No: Presumed breach → Breach process

28. Presumed Breach (flowchart)
Written notice
Calls (if imminent threat)
500 or more affected?
– Yes: Notify media and HHS immediately
– No: Notify HHS annually
Notice on website

29. When There Is a Breach
Any impermissible use or disclosure of PHI is presumed to be a breach, unless… one can demonstrate that there is a low probability that the PHI has been compromised.

30. Exceptions
• Unintentional access by employees
• Inadvertent disclosure of PHI from one covered entity or business associate employee authorized to access PHI to a co-employee who is also authorized to access PHI
• Unauthorized access to PHI by a third party who cannot reasonably use the information in its current format, or be able to retain the disclosed information

31. Breach Notification
Notice Requirements:
• Notify without unreasonable delay and at least within a 60-day timeframe
• This starts on the date one knew, or reasonably should have known, about the breach
35. Recent HIPAA Fines
• Stanford Hospital settled a state lawsuit for $4 Million (March 2014)
– The business associate is paying $3.3 Million of the settlement
• Triple S-Management recently was fined $6.8 Million
– Mishandled medical records for 70k individuals (February 2014)
• WellPoint Agreed to Pay HHS $1.7 Million to Settle HIPAA Case (July 2013)
– On-line database left the ePHI of 612,402 individuals unprotected
• Shasta Regional Medical Center Settles Privacy Breach for $275,000 (June 2013)
– The CEO sent an email to 800 Employees disclosing the confidential details of diabetes patients
• Blue Cross Blue Shield Tennessee Settled for $1.5 million (March 2012)
– 57 unencrypted computer hard drives were stolen with ePHI of over a million individuals

36. Penalties from Omnibus Ruling

Violation Category 1176(a)(1)            Each Violation       Maximum fine for an identical violation in a calendar year
(A) Did Not Know                         $100-$50,000         $1,500,000
(B) Reasonable Cause                     $1,000-$50,000       $1,500,000
(C)(i) Willful Neglect - Corrected       $10,000-$50,000      $1,500,000
(C)(ii) Willful Neglect - Not Corrected  $50,000              $1,500,000

37. Criminal Penalties

Violation                                   Penalties
Knowingly obtaining or disclosing PHI       $50,000 + one year prison
Offenses conducted under false pretenses    Up to $100,000 + 5 years
Intent to sell, $ gain, harm                Up to $250,000 + 10 years

38. GLB Penalties
• You will lose your license to practice
• You can be fined up to $100,000 per violation
• Officers and directors can be fined up to $10,000 per violation
• Fines will be doubled if GLB is violated along with another Federal Law, or as part of a pattern of any illegal activity involving more than $100,000 within a 12-month period; in that case he or she can be imprisoned for up to 10 years
• Criminal Penalties include imprisonment for up to 5 years, a fine, or both
40. Marketplace Privacy Rules
One of the big surprises in the agent/broker training for the Federally Facilitated Marketplace (FFM):
• New obligations to protect Personally Identifiable Information (PII) within the marketplaces

41. Personally Identifiable Information (PII)
Any information about an individual maintained, used, transmitted or stored by an agent/broker related to Marketplace transactions:
Any information that can be used to distinguish or trace an individual's identity
Examples: name, social security number, date and place of birth, mother's maiden name, or biometric records
Any other information that is linked or linkable to an individual
Examples: medical, educational, financial, and employment information

42. How Did I Get Here?
If you have completed training for the Federally-Facilitated Marketplaces, and "signed" the Agreements…
• You agreed to protect PII that you obtain in the course of selling or supporting individuals who purchase through the Marketplaces

43. What exactly did I agree to do?
Protect any PII that is:
• Created, collected, disclosed, accessed, maintained, stored, and used to perform any of the various Marketplace functions within the FFM such as:
– Assisting with applications for QHP eligibility
– Supporting QHP selection and enrollment
– Assisting with plan selection and plan comparisons
– Transmitting information about decisions regarding QHP enrollment
– Facilitating payment of the initial premium amount to the appropriate QHP

44. What Exactly Did I Agree to Do?
Provide a Privacy Notice to all prospects and buyers in the Marketplace
• Similar requirements to the Privacy Notices under HIPAA and GLB

45. What Am I Required to Do?
• Must do the following:
– If you have a website, prominently and conspicuously display a Notice of Privacy Practices
– Review and revise as necessary but at least annually
• Meet data quality and integrity standards for PII
– Identical to requirements within HIPAA Security
• Breach notification
– Broadly similar to HIPAA Breach rules but…
– Must notify CMS if there is a breach within one hour of becoming aware of it
• Telephone at (410) 786-2580 or 1-800-562-1963
• Email notification at cms_it_service_desk@cms.hhs.gov
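The breach flowchart (slides 27 and 28), the presumption and exceptions (slides 29 and 30), the 60-day clock (slide 31) and the one-hour CMS notification for Marketplace PII (slide 45) together form one decision procedure. The script below is an added example that encodes that procedure as a checklist generator; it is not part of the original slides or of Total HIPAA Compliance's materials. The `Incident` and `Assessment` records, the exception labels and the sample incidents are constructed for illustration, and the deadlines are computed from the "knew or should have known" date exactly as the slides state them.

```python
"""Breach-response decision helper built from the deck's flowchart and notice rules.
Added example; the data structures and exception labels are assumptions, not part of the slides."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds and deadlines as stated on the slides.
HIPAA_NOTICE_WINDOW = timedelta(days=60)   # slide 31: at the latest 60 days from discovery
MEDIA_HHS_THRESHOLD = 500                  # slide 28: 500 or more affected
CMS_NOTICE_WINDOW = timedelta(hours=1)     # slide 45: Marketplace PII, within one hour

# Slide 30 exceptions, keyed by short labels (labels are an assumption of this example).
EXCEPTIONS = {
    "unintentional_employee_access": "Unintentional access by employees",
    "inadvertent_authorized_to_authorized":
        "Inadvertent disclosure between workforce members who are both authorized to access PHI",
    "third_party_cannot_use_or_retain":
        "Third party cannot reasonably use or retain the disclosed information",
}


@dataclass
class Incident:
    discovered: datetime                 # date the agency knew or should have known (slide 31)
    encrypted: bool                      # was the PHI encrypted? (slide 27)
    affected: int                        # number of individuals whose PHI was involved
    exception: Optional[str] = None      # one of the EXCEPTIONS keys, if one applies
    low_probability_documented: bool = False  # slide 29: documented low probability of compromise
    imminent_threat: bool = False        # slide 28: calls in addition to written notice
    marketplace_pii: bool = False        # slide 45: FFM PII is also involved


@dataclass
class Assessment:
    is_breach: bool
    reason: str
    actions: List[str] = field(default_factory=list)
    hipaa_deadline: Optional[datetime] = None
    cms_deadline: Optional[datetime] = None


def assess(inc: Incident) -> Assessment:
    """Walk the slide 27/28 flowchart and return the obligations with their deadlines."""
    # Slide 27: encrypted information does not enter the breach process.
    if inc.encrypted:
        return Assessment(False, "Information was encrypted: no breach")
    # Slide 30: an applicable exception ends the analysis. Unknown labels are ignored
    # (treated as no exception) so a typo never silently suppresses notification.
    if inc.exception in EXCEPTIONS:
        return Assessment(False, "Exception applies: " + EXCEPTIONS[inc.exception])
    # Slide 29: presumed breach unless low probability of compromise is demonstrated.
    if inc.low_probability_documented:
        return Assessment(False, "Low probability of compromise demonstrated and documented")

    result = Assessment(True, "Unencrypted PHI reached an unauthorized person: presumed breach")
    # Slide 31: the 60-day clock starts at discovery.
    result.hipaa_deadline = inc.discovered + HIPAA_NOTICE_WINDOW
    # Slide 28 steps, in flowchart order.
    result.actions.append("Send written notice to affected individuals without unreasonable delay")
    if inc.imminent_threat:
        result.actions.append("Telephone affected individuals (imminent threat)")
    if inc.affected >= MEDIA_HHS_THRESHOLD:
        result.actions.append("Notify media and HHS immediately")
    else:
        result.actions.append("Record the breach for the annual HHS report")
    result.actions.append("Post notice on website")
    # Slide 45: Marketplace PII adds a one-hour CMS notification ahead of everything else.
    if inc.marketplace_pii:
        result.cms_deadline = inc.discovered + CMS_NOTICE_WINDOW
        result.actions.insert(0, "Notify CMS by phone or email within one hour of becoming aware")
    return result


if __name__ == "__main__":
    # Constructed sample incidents for illustration.
    samples = [
        Incident(datetime(2014, 3, 1, 9, 0), encrypted=True, affected=3000),
        Incident(datetime(2014, 3, 1, 9, 0), encrypted=False, affected=40,
                 exception="third_party_cannot_use_or_retain"),
        Incident(datetime(2014, 3, 1, 9, 0), encrypted=False, affected=1200,
                 imminent_threat=True, marketplace_pii=True),
    ]
    for inc in samples:
        a = assess(inc)
        print(a.reason)
        for step in a.actions:
            print("  -", step)
        if a.cms_deadline:
            print("  CMS deadline:  ", a.cms_deadline)
        if a.hipaa_deadline:
            print("  HIPAA deadline:", a.hipaa_deadline)
```

Run it as-is to see the three sample outcomes; in practice the agency would feed it the facts gathered during the incident review and keep the resulting checklist with the incident record.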
46. What Are the Penalties?
For any violation of PII protections:
– $25,000 per person per violation
• These are in addition to HIPAA and GLB Penalties
– Termination of your authority to do business through the Marketplace