HIPAA Audio Presentation

HIPAA in the Health Care Setting

Published in: Health & Medicine, Technology

Speaker notes
  • HIPAA is a federal law that sets national standards for how most health care providers must protect the privacy of a patient’s health information. Its initial thrust was to standardize electronic transactions and code sets.
  • There was a time when access to your medical records was largely up to your health care provider.
  • Prior to the HIPAA rules, your private health information really was not all that private: it could legally be sold or accessed, and it could be used to determine your life insurance premiums or even your mortgage rate!
  • Blood banking service versus a medical transcriptionist.
  • For example: medical record numbers in a silo would have no meaning, but this is information that, if used in the appropriate setting, “could reasonably be expected” to identify an individual. Though not actual health information, the point is that individually identifiable information is information that can be linked back to the individual and his or her health information.
  • Encryption and destruction are the only two methods that have been approved by the Department of Health and Human Services to secure PHI.
  • When PHI can be used or disclosed without authorization: treatment, payment and health care operations, along with other legally required purposes (e.g., criminal investigations).
  • Treatment: a discussion by the attending physician with a consulting physician about a proposed treatment plan for the patient. Health care operations: quality and process improvement purposes.
  • How PHI must be used or disclosed.
  • Uses and disclosures that require prior authorization from the patient or his/her personal representative.
  • Discuss state pre-emption as it relates to common-law spouses.
  • Durable power of attorney and health care power of attorney: this designation trumps the marital relationship, and why.
  • Best practice is to develop a standardized authorization-to-release form that includes the required language.
  • Earlier I mentioned that as a result of the HIPAA laws a patient has greater access to and control over their PHI; in this section I’d like to detail those rights.
  • Just as the patient has the right to access his or her PHI, he or she has a right to an accounting of who else their PHI has been disclosed to. The HIPAA Privacy Rule compliance date was April 14, 2003.
  • Alcoholism, drug abuse, etc.
  • Additional burden.
  • Disclosures for payment purposes: the patient can request that services paid out of pocket not be disclosed to an insurance company for payment evaluations.
  • The HIPAA Security Rule applies specifically to ePHI, or electronic PHI; the Privacy Rule’s safeguard requirement applies to PHI regardless of how it is stored: paper, electronic, photographs and radiographs, among other things. For example: access to the Medical Records Department is locked and restricted to those authorized to enter (a physical safeguard); or electronic PHI is encrypted so that if it were inadvertently intercepted it would be useless to the interceptor (a technical safeguard).
  • Federal privacy/security laws (HIPAA) were expanded to protect patient health information. The HITECH changes:
    ◦ HIPAA privacy and security laws now apply directly to business associates of covered entities.
    ◦ Define the actions that constitute a breach of patient health information (including inadvertent disclosures) and require notification to patients if their health information is breached.
    ◦ Allow patients to pay out of pocket for a health care item or service in full and to request that the claim not be submitted to the health plan.
    ◦ As I mentioned earlier, require providers to give patients, upon request, an accounting of disclosures of health information.
    ◦ Prohibit the sale of a patient’s health information without the patient’s written authorization, except in limited circumstances involving research or public health activities.
    ◦ Prohibit covered entities from being paid to use patients’ health information for marketing purposes without patient authorization, except for limited communications to a patient about a drug or biologic that the patient is currently being prescribed.
    ◦ Require personal health record (PHR) vendors to notify individuals of a breach of patient health information.
    ◦ Require non-covered HIPAA entities such as Health Information Exchanges, Regional Health Information Organizations, e-Prescribing Gateways, and PHR vendors to have business associate agreements with covered entities for the electronic exchange of patient health information.
    ◦ Authorize increased civil monetary penalties for HIPAA violations.
    ◦ Grant enforcement authority to state attorneys general to enforce HIPAA.
  • Best practice includes assembling a database of all business associate agreements, providing addenda to all existing BAAs, and developing a BAA template that includes the new HIPAA HITECH requirements. Blood bank issue: notice of intent to terminate the business associate agreement.
  • As a result of ARRA came the national breach notification rules. Most states have had privacy laws on the books for some time, and within these laws were specific procedures for notification subsequent to a breach of private information. For example: some states have specific time frames, whereas others follow the federal guideline of “without unreasonable delay and in no case later than 60 days”.
  • The radiology department accidentally faxes a patient’s head CT report to the Dietary Department. This is not a breach of PHI if Dietary notifies Radiology and then places the PHI in a locked shred box. In this instance, by placing the PHI in the shred box, the Dietary Department has ensured that there will be no further use or disclosure of that PHI.
  • Notably, not all breaches require patient notification. In the event of an alleged breach, a risk assessment must be done regarding the type of information that was improperly used or disclosed. The CE or BA must: determine whether there has been an impermissible use or disclosure of PHI (as defined by the HIPAA Privacy Rule); determine and document whether the impermissible use or disclosure compromises the security or privacy of the PHI; and, if necessary, determine whether the incident falls under one of the three exceptions (slide 39) where no notification is required. Those exceptions are: an unintentional, good-faith acquisition, access or use of PHI by a workforce member acting within the scope of his or her authority, with no further impermissible use or disclosure; an inadvertent disclosure between two persons authorized to access PHI at the same CE or BA, with no further impermissible use or disclosure; or a disclosure where the CE or BA has a good-faith belief that the recipient could not reasonably have retained the PHI.
  • Best practice is to develop a breach notification letter template and to pre-establish the steps those affected would need to follow in the event of a breach: redemption codes for identity theft protection plans, or more detailed breach reaction services (on-going services wherein specially trained customer service representatives
  • Don’t forget the state pre-emption analysis!
  • Here the requirement is that the BA notify the covered entity; as I indicated on the previous slide, it is the responsibility of the CE to notify the affected party. There is nothing to preclude the BA from participating in the notification process. For example: a contracted dialysis service has a computer stolen from the dialysis lab; this computer contains PHI that belongs to the host hospital but is being used by the dialysis service for treatment purposes. The dialysis service is required to notify the host hospital (CE) of the breach and, with the permission of the host hospital, the dialysis service may participate in notifying those affected because of the pre-existing relationship. The BA is not authorized to notify those affected without the permission of the CE or host hospital.
  • Along with breaches that fall under the risk assessment’s three exceptions, there is also a safe harbor from the breach notification requirement.
  • As we discussed previously, secured PHI has been encrypted or, in paper or film format, destroyed by a method consistent with the HHS guidance. Keeping paper PHI in a locked, secure area protected from unauthorized access, use or disclosure is a required safeguard, but it does not by itself make the PHI “secured” for safe harbor purposes. Unsecured PHI is the converse. Best practice is to secure PHI.
  • The breach log should also include a summary of the risk assessment performed to determine whether this is or was a reportable breach.
  • The HIPAA laws have also resulted in more stringent enforcement and accountability standards.
  • The April edition of the Guide to Medical Privacy and HIPAA reports that a major insurer has spent 7 million dollars and counting to mitigate the largest reported data breach in history: 57 company hard drives were stolen from a leased facility, the largest reported breach since the HITECH notification requirements took effect. The hard drives contained information that was encoded, but not encrypted, so it was unsecured PHI and the safe harbor did not apply. The breached files contained recordings of telephone calls between providers and the company’s customer service representatives relating to eligibility and coordination of care. The 7 million dollars has been spent on credit and identity monitoring services, security audits and the cost of employees to investigate and analyze hundreds of thousands of breached files.
  • I’d like to leave you with some strategies for HIPAA compliance.
  • At the most basic level, compliance strategies must be based upon…
  • Although the HIPAA rules are complicated in their construction, surprisingly most of the laws are based upon common sense and treating the information as if it belonged to you.
  • Find out or establish where your organization is right now on the compliance continuum.
Slides

1. LISA D. SHANNON, RN, JD: Understanding The HIPAA Privacy and Security Laws

2. OBJECTIVES
  • Provide an overview of the HIPAA Privacy and Security Rules in the health care setting
  • Summarize the HITECH security enhancements of HIPAA
  • Define how the HITECH security enhancements impact your business associates
  • Define security breaches and the reporting requirements under the HIPAA HITECH enhancements
  • Offer strategies for compliance with the HIPAA HITECH enhancements
  • Questions

3. WHAT IS HIPAA?
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that is designed to protect the privacy and security of patient health information.
  • This federal legislation enforces:
    ◦ The portability of health care coverage;
    ◦ The security and privacy of health information; and
    ◦ Accountings of how individual health care information is handled and protected.

5. THE HIPAA LAWS HAVE IMPACTED THE HEALTH CARE INDUSTRY BY…
  • Making broad, sweeping changes to the way patient information is handled and the way we do business with our patients.
  • As a result of the HIPAA laws:
    ◦ The patient’s control of and access to their health care information has increased; and
    ◦ Protections for individually identifiable health information from threats of loss or unauthorized disclosure have increased substantially.

6. THE PRIVACY AND SECURITY OF HEALTH INFORMATION
  • Prior to the enactment of the HIPAA Rules, your personal health information could legally be sold or even used to determine your life insurance premiums or mortgage rate!
    ◦ The HIPAA Privacy and Security Rules made these practices illegal.

8. DEFINITION… WHAT IS A COVERED ENTITY?
  • A covered entity (CE) is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by the HIPAA Privacy and Security Laws.

9. DEFINITION… WHAT IS A BUSINESS ASSOCIATE?
  • A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a covered entity.
    ◦ An example of a business associate would be an independent medical transcriptionist who provides transcription services to a physician.

10. DEFINITION… PROTECTED HEALTH INFORMATION
  • Protected Health Information, or PHI, means the individually identifiable health information that is:
    ◦ Transmitted by electronic media;
    ◦ Maintained in electronic medium; or
    ◦ Transmitted or maintained in any other form or medium.

11. EXAMPLES OF PROTECTED HEALTH INFORMATION
  Examples of PHI include but are not limited to the following:
  • Names
  • Address
  • Social Security number
  • Family history
  • Telephone number
  • Fax number
  • Account numbers
  • Medical record numbers
  • Email address
  • Dates (birthday, admission, discharge)
  • Certificate/license numbers
  • Vehicle ID
  • Personal assets
  • Device identifiers
  • Biometric (finger or voice print)
  • Photographs
  • Any unique identifying number, code or characteristic

12. WHAT DOES INDIVIDUALLY IDENTIFIABLE MEAN?
  • Protected Health Information (PHI) under HIPAA includes any individually identifiable health information.
  • Identifiable refers not only to data that is explicitly linked to a particular individual; it also includes health information that contains data items which could reasonably be expected to allow for individual identification.

13. WHAT ARE SOME FORMS OF PHI? PHI MUST BE PROTECTED REGARDLESS OF ITS FORM OR MEDIUM
  • PHI can be in many forms or types of media. Examples include:
    ◦ Paper copies/printed copies
    ◦ Telephone calls and voice mail
    ◦ Photos/videos
    ◦ Verbal communication
    ◦ Fax transmissions
    ◦ Information transmitted over the Internet
    ◦ Email
  • You must take the appropriate precautions to protect PHI in any form or medium and report violations to your HIPAA Officer/Liaison.

14. WHAT IS SECURED PHI?
  • Secured PHI is PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals by one or more of the following methods:
    ◦ Encryption: the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
    ◦ Destruction (for paper or film media PHI): shredding or destroying PHI in a manner in which it cannot be read or otherwise reconstructed.

15. WHAT IS UNSECURED PHI?
  • Unsecured PHI is PHI in paper or electronic form that has not been secured through the use of a technology or methodology specified by the Department of Health and Human Services (HHS) that makes the PHI unusable, unreadable, or indecipherable to unauthorized individuals.
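The difference between the "encoded, but not encrypted" hard drives in the speaker's notes and the encryption slide 14 calls for is easy to state and worth seeing in code. The Go program below is an added example written for this page, not code from the presentation; the sample record is constructed (not real patient data) and the function names are this example's own. It stores the same record three ways, plain, base64-encoded and AES-256-GCM-encrypted, and asks the thief's question: with the drive but without the key, can the identifier still be read? It goes one step past slide 14 by also showing the GCM tag rejecting a record that was modified after the fact.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the demonstration; not real patient data.
var sampleRecord = []byte("MRN 0048213 | DOE, JANE | DOB 1962-04-09 | Head CT: no acute findings")

// Encode is what "encoded, but not encrypted" means in practice: a reversible
// transformation that needs no secret, so anyone holding the drive can undo it.
func Encode(plain []byte) []byte {
	return []byte(base64.StdEncoding.EncodeToString(plain))
}

// NewKey returns a random 256-bit AES key. The key must live somewhere other
// than the drive that holds the ciphertext (a key manager or HSM); otherwise
// the thief gets both.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Encrypt seals a record with AES-256-GCM. Output layout: nonce || ciphertext || tag.
// The tag also detects tampering, which plain encoding cannot.
func Encrypt(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt reverses Encrypt; it fails on a wrong key or a modified ciphertext.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ExposesPHI models the thief's view of a stolen drive: can the identifier be
// read from the stored bytes with no key, either directly or after undoing a
// public encoding such as base64?
func ExposesPHI(stored, identifier []byte) bool {
	if bytes.Contains(stored, identifier) {
		return true
	}
	decoded, err := base64.StdEncoding.DecodeString(string(stored))
	return err == nil && bytes.Contains(decoded, identifier)
}

func main() {
	id := []byte("DOE, JANE")
	fmt.Println("plaintext exposes PHI:", ExposesPHI(sampleRecord, id))
	fmt.Println("base64-encoded exposes PHI:", ExposesPHI(Encode(sampleRecord), id))

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Encrypt(key, sampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Println("AES-GCM ciphertext exposes PHI:", ExposesPHI(sealed, id))

	sealed[len(sealed)-1] ^= 0x01 // simulate a modified or corrupted drive
	if _, err := Decrypt(key, sealed); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}
}
```

Encoding changes the shape of the bytes; encryption changes what can be learned from them. Only the second earns the safe harbor on slide 46, and only if the key is not stored alongside the data.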
17. TREATMENT, PAYMENT AND HEALTHCARE OPERATIONS
  • A Covered Entity may access, use, and/or disclose PHI without patient authorization for:
    ◦ Treatment: the provision, coordination, or management of health care and related services by health care provider(s); this includes third-party health care providers for treatment alternatives and health-related benefits.
    ◦ Payment: activities to determine eligibility and benefits and to ensure payment for the provision of health care services.
    ◦ Health Care Operations: activities that manage, monitor, and evaluate the performance of a health care provider or health plan.

18. EXAMPLES OF TPO: TREATMENT, PAYMENT, HEALTH CARE OPERATIONS
  Scenario and the TPO category it falls under:
  • State auditors are conducting an internal audit. (Health Care Operations)
  • A therapist at a health care facility discloses PHI to a practitioner when a referral for services is necessary. (Treatment)
  • PHI is disclosed to insurance companies for the purpose of payment for services. (Payment)

20. DEFINITION… MINIMUM NECESSARY PRINCIPLE
  • The Privacy Rules require health care providers to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.

21. MINIMUM NECESSARY
  • For example: the minimum necessary principle should always be applied when sharing a client’s PHI to protect the client’s privacy, even when sharing PHI with co-workers.
  • AND… only those individuals with a need to know should have access to an individual’s protected health information (PHI).

22. MINIMUM NECESSARY DISCLOSURES
  • Under current law, a CE must make reasonable efforts to limit disclosure of PHI to the “minimum necessary”; an exception exists for treatment purposes.
  • Under ARRA, HHS will develop further guidance defining what constitutes the minimum necessary.
  • Until further guidance is issued, a CE is required, to the extent practical, to limit disclosures of PHI to the “limited data set” or, if more information is needed, the “minimum necessary” to accomplish the intended purposes of such use, disclosure, or request.
  • HHS should issue its guidance no later than August 17, 2010.

24. WHO CAN REQUEST AND AUTHORIZE THE RELEASE OF PHI?
  (Figure not reproduced.) Hierarchy for the authorization and release of PHI.

25. DEFINITION… WHO IS THE PERSONAL REPRESENTATIVE?
  • A personal representative is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate.
  • The Privacy Rule requires a Covered Entity to treat a “personal representative” the same as the individual, with respect to uses and disclosures of the individual’s PHI, as well as the individual’s rights under the Rule.

26. AUTHORIZATION AND DISCLOSURE
  • A Covered Entity must obtain the patient’s or the personal representative’s written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations or as otherwise permitted or required by the Privacy Rule.
  • The authorization must be written in specific terms.
  • Authorization must:
    ◦ Be in plain language;
    ◦ Contain specific information regarding the information to be disclosed or used;
    ◦ Identify who is disclosing and who is receiving the information;
    ◦ State the date and/or event that will signal the expiration of the authorization; and
    ◦ State the right to revoke the authorization.

28. AN INDIVIDUAL HAS A RIGHT TO… AN ACCOUNTING OF DISCLOSURES
  • Individuals have a right to an accounting of the disclosures of their PHI by a Covered Entity or the Covered Entity’s Business Associates.
  • The maximum disclosure accounting period is the six years immediately preceding the accounting request.
    ◦ A Covered Entity is not obligated to account for any disclosures made before its Privacy Compliance Date.

29. AN INDIVIDUAL HAS A RIGHT TO… REQUEST AN AMENDMENT
  • The HIPAA Privacy Rule gives the patient the right to request that a Covered Entity amend the information in his or her record set when and if that information is found to be inaccurate or incomplete.

30. AN INDIVIDUAL HAS A RIGHT TO… REQUEST A RESTRICTION
  • Individuals have the right to request that a Covered Entity restrict the use or disclosure of their PHI for various purposes. The Covered Entity is under no obligation to agree to requests for restrictions.
  • A Covered Entity that agrees to the restriction must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.

31. RESTRICTIONS ON DISCLOSURES OF OUT-OF-POCKET SERVICE
  • Previously, a patient could request that a CE restrict certain disclosures of PHI; however, the CE was not obligated to comply.
  • Effective February 17, 2010, ARRA requires, at the request of the patient, that a provider not disclose PHI to a plan regarding an item or service paid completely out of pocket by the patient, except for treatment purposes.

32. DEFINITION… PHI SECURITY REQUIREMENTS
  • A facility must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure.

34. HIPAA LAW UPDATE: ARRA, “THE AMERICAN RECOVERY AND REINVESTMENT ACT”
  • “ARRA” or the “Act”, also informally known as the “stimulus bill”, was signed into law by President Obama on February 17, 2009.
    ◦ The Act made significant modifications to the HIPAA Privacy and Security Rule. Recent and upcoming changes:
      ▪ Feb. 17, 2009: Increased penalty provisions
      ▪ Sept. 17, 2009: National breach notification law
      ▪ Feb. 17, 2010: Business associates must comply with HIPAA Rules; mandatory federal auditing; new and increased enforcement
      ▪ Feb. 2011: Individuals affected by a HIPAA violation will be able to receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.

35. ARRA: 2009 HIPAA AMENDMENTS
  • Within ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH).
    ◦ The HITECH Act contains provisions that significantly expand the scope of the HIPAA Privacy and Security requirements.

36. ARRA AND BUSINESS ASSOCIATES
  • Effective February 17, 2010, HIPAA will treat Business Associates (BA) like Covered Entities (CE) in many respects.
  • Previously, the HIPAA Privacy and Security Rules only applied to CEs, and the BA’s liability extended only to breach of the business associate contract.
  • Now, under ARRA, a BA will be required to comply with the HIPAA Privacy and Security Rules, and be subject to the same HIPAA penalties and enforcement as the CE.
  • Existing business associate agreements (BAAs) will need to be amended to include the new HIPAA HITECH requirements.
  • Future BAAs will need to be drafted to include the new HIPAA HITECH requirements.

37. BREACHES OF PHI

38. WHAT IS A BREACH OF PHI?
  • A “Breach” is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security/privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

39. WHAT IS NOT A BREACH OF PHI
  • A “Breach” excludes:
    ◦ Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further impermissible use or disclosure;
    ◦ Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, where the information received is not further used or disclosed in an impermissible manner; or
    ◦ Disclosure of PHI where a CE or BA has a good-faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the PHI.

40. BREACH RISK ASSESSMENT?
  • CEs and BAs are required to perform and document risk assessments on breaches of unsecured PHI to determine if there is a significant risk of harm to the individual as a result of the impermissible use or disclosure.

41. Risk Assessment Decision Tree (figure not reproduced)

42. NEW SECURITY BREACH NOTIFICATION REQUIREMENT
  • Under ARRA, a CE is required to notify individuals whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach.
  • Before the HITECH Act, a CE was not required to notify patients of an improper disclosure or breach of their PHI.
  • But a CE always had a duty to…
    ◦ Mitigate harm; and
    ◦ Account for wrongful disclosures.

43. WHAT MUST THE NOTICE INCLUDE?
  • ARRA requires that a breach notice include:
    ◦ A brief description of what happened, including the breach date and breach discovery date, if known;
    ◦ A description of the types of unsecured PHI involved in the breach;
    ◦ The steps individuals should take to protect themselves from potential harm from the breach;
    ◦ A brief description of the steps the CE is taking to investigate the breach, mitigate losses and protect against any further breaches; and
    ◦ Contact procedures for individuals to follow to ask questions or obtain additional information, including a toll-free telephone number, an email address, Web site or postal address.
  • If a law enforcement official determines that a notification, notice or posting regarding a PHI breach would impede a criminal investigation or cause damage to national security, the health care provider or business associate must delay all notifications.

44. THE NOTICE OF A BREACH OF UNSECURED PHI SHALL…
  • Provide notice of breach without “unreasonable delay” from the date of discovery, not to exceed 60 days;
  • If more than 500 individuals are affected, the CE must also notify HHS at the time of the breach rather than in the annual log, and notify prominent media outlets serving the area;
  • The CE must maintain a log of all breaches of unsecured PHI, and the log of breaches affecting fewer than 500 individuals is submitted to HHS annually;
  • A BA is not required to send those affected a notice of breach; it is the CE’s responsibility!
    ◦ Oftentimes the BA will participate in the notification process because of an existing relationship with the affected party.

45. BUSINESS ASSOCIATE BREACH RESPONSIBILITIES?
  • In the instance of a breach, the Business Associate shall, without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach, notify the Covered Entity of the breach.
  • The notice shall include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed during the breach.
  • The Business Associate’s responsibility under the HITECH Act should be included in the Covered Entity’s business associate agreement (BAA) with the Business Associate.

46. EXCEPTIONS TO THE BREACH NOTIFICATION RULE
  • The breach notification requirements apply only to breaches of “unsecured” PHI.
  • Secured PHI is not subject to the breach notification rules. (Safe Harbor Rule)

47. SWIMMING IN THE BREACH NOTIFICATION SAFE HARBOR?
  • CEs and BAs are not required to follow the Department of Health and Human Services’ guidance on how PHI can be secured.
  • BUT… if the CE or BA does follow the HHS guidance, these steps create the functional equivalent of a safe harbor, and thus the CE or BA is not subject to the breach notification rules.

48. THE BREACH LOG
  • A CE or BA shall maintain a process to record or log all breaches of unsecured PHI regardless of the number of patients affected.
  • The following information should be collected and/or logged:
    ◦ A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known;
    ◦ A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.); and
    ◦ A description of the action taken with regard to notification of patients regarding the breach.
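The decision tree on slide 41 is a figure that did not survive extraction. The Go program below is an added example written for this page, not code from the presentation; it encodes the sequence the surrounding slides and notes describe: safe harbor first (slides 14 and 46), then whether an impermissible use or disclosure occurred, then the three exclusions on slide 39, then the documented risk assessment on slide 40, and finally who notifies whom and when (slides 44 and 45). The struct and field names are this example's own, the four scenarios are constructed from the speaker's notes, and SignificantRisk stands for the page's 2009-era "significant risk of harm" standard; substitute whatever standard your organization applies today.

```go
package main

import "fmt"

// Incident holds the facts a CE or BA establishes while working through the
// breach definition (slide 38), the three exclusions (slide 39), the risk
// assessment (slide 40) and the safe harbor (slides 46 and 47). Field names are
// this example's own, not terms of art from the rule.
type Incident struct {
	Description     string
	Secured         bool // PHI was encrypted or destroyed per the HHS guidance (slide 14)
	Impermissible   bool // an impermissible use or disclosure under the Privacy Rule
	Exception       bool // one of the three statutory exclusions on slide 39 applies
	SignificantRisk bool // the documented risk assessment found a significant risk of harm
	AffectedCount   int  // individuals whose unsecured PHI was involved
	DiscoveredByBA  bool // found by a business associate rather than the covered entity
}

// Decision lists the obligations that follow from the facts.
type Decision struct {
	ReportableBreach   bool
	DocumentAssessment bool // keep the risk assessment on file even when nothing is reportable (slide 48, note on slide 49)
	NotifyIndividuals  bool // always the CE's job, within 60 days of discovery (slide 44)
	BANotifiesCE       bool // the BA tells the CE within 60 days; it may not notify patients on its own (slide 45)
	NotifyHHSNow       bool // more than 500 affected: HHS and prominent media, not just the annual log
	NotifyMedia        bool
	LogForAnnualReport bool
	DeadlineDays       int
	Reason             string
}

// Triage walks the decision tree. Order matters: the safe harbor is checked
// first, so a lost encrypted laptop never reaches the risk assessment.
func Triage(in Incident) Decision {
	d := Decision{}
	if in.Secured {
		d.Reason = "safe harbor: PHI was secured (encrypted or destroyed); breach notification rules do not apply"
		return d
	}
	if !in.Impermissible {
		d.Reason = "no impermissible use or disclosure under the Privacy Rule: not a breach"
		return d
	}
	d.DocumentAssessment = true
	if in.Exception {
		d.Reason = "statutory exclusion applies (slide 39): not a breach; keep the documentation"
		return d
	}
	if !in.SignificantRisk {
		d.Reason = "risk assessment found no significant risk of harm: not reportable; keep the documentation"
		return d
	}
	d.ReportableBreach = true
	d.LogForAnnualReport = true
	d.NotifyIndividuals = true
	d.BANotifiesCE = in.DiscoveredByBA
	d.DeadlineDays = 60
	if in.AffectedCount > 500 {
		d.NotifyHHSNow = true
		d.NotifyMedia = true
		d.Reason = "breach of unsecured PHI affecting more than 500 individuals: notify individuals, HHS and prominent media"
	} else {
		d.Reason = "breach of unsecured PHI: notify individuals and log for the annual HHS submission"
	}
	return d
}

func main() {
	// Constructed scenarios drawn from the speaker's notes.
	cases := []Incident{
		{Description: "Head CT report faxed to Dietary, who reported it and shredded it", Impermissible: true, Exception: true, AffectedCount: 1},
		{Description: "Unencrypted dialysis workstation stolen, 1,200 patients, found by the BA", Impermissible: true, SignificantRisk: true, AffectedCount: 1200, DiscoveredByBA: true},
		{Description: "Same theft, but full-disk encryption with the key held elsewhere", Secured: true, Impermissible: true, SignificantRisk: true, AffectedCount: 1200, DiscoveredByBA: true},
		{Description: "Billing statements for 12 patients mailed to the wrong addresses", Impermissible: true, SignificantRisk: true, AffectedCount: 12},
	}
	for _, c := range cases {
		d := Triage(c)
		fmt.Printf("%s\n  reportable=%v notifyIndividuals=%v notifyHHSNow=%v baNotifiesCE=%v\n  %s\n",
			c.Description, d.ReportableBreach, d.NotifyIndividuals, d.NotifyHHSNow, d.BANotifiesCE, d.Reason)
	}
}
```

Two design points are worth keeping when adapting this: the assessment is documented as soon as an impermissible disclosure is established, whatever the outcome, because the log on slide 48 and the note on slide 49 expect the reasoning to be on file; and the BA path only ever sets BANotifiesCE, never NotifyIndividuals, because slide 45 makes the CE the party that notifies patients.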
50. ENFORCEMENT & ACCOUNTABILITY
  • The HIPAA regulations punish individuals or organizations that fail to keep PHI confidential.
  • Criminal penalties for knowingly violating the HIPAA rules may include monetary fines as well as imprisonment.
  • Annual caps on civil penalties now range from $25,000 to $1.5 million per type of violation, depending on the offender’s knowledge and degree of neglect (see the tiers on the next slide).

51. INCREASED FINES AND PENALTIES
  • Tier A (if the offender did not know, and by exercising reasonable diligence would not have known, that he/she violated the law):
    ◦ $100 for each violation, except that the total amount imposed for all violations of an identical requirement during a calendar year may not exceed $25,000.
  • Tier B (if the violation was due to a reasonable cause and not willful neglect):
    ◦ $1,000 for each violation; the calendar-year total for identical violations may not exceed $100,000.
  • Tier C (if the violation was due to willful neglect but was corrected):
    ◦ $10,000 for each violation; the calendar-year total for identical violations may not exceed $250,000.
  • Tier D (if the violation was due to willful neglect and was not corrected):
    ◦ $50,000 for each violation; the calendar-year total for identical violations may not exceed $1.5 million.

53. STRATEGIES FOR COMPLIANCE
  • Compliance strategies, at their core, must be based upon:
    ◦ Planning; and
    ◦ Documentation.

54. THE PRIVACY AND SECURITY OF PHI
  • It is all about common sense; and
  • Treating all PHI as if it were your own!

55. A BASIC HIPAA COMPLIANCE INITIATIVE
  (Figure not reproduced.) The project management and communications arrows surround the phases because these activities are continuous for as long as the implementation project is in progress.

56. STEP 1. UNDERSTAND HIPAA.
  • Read, understand and interpret the HIPAA regulations;
  • Familiarize yourself with the compliance timelines and penalties;
  • Determine what part of your organization is impacted by the regulations;
  • Determine if your organization is a covered entity or a hybrid entity under HIPAA;
  • Conduct awareness training for all employees;
  • Establish a steering committee to oversee and guide the HIPAA effort;
  • Organize a team of people to track and manage the HIPAA activities;

57. STEP 1. UNDERSTAND HIPAA (CONT.).
  • Develop a strategic plan so that everyone in the organization understands the mission, goals, and objectives of the effort;
  • Analyze the HIPAA regulations against existing organization-specific rules, directives, enterprise policies, etc.; and
  • Analyze the HIPAA regulations against potentially preemptive, superseding, or conflicting state and federal law.

58. STEP 2. BASELINE THE ORGANIZATION.
  • Identify privacy and security officers in each covered entity or, if using the hybrid entity model, in each covered health care component;
  • Develop an assessment method;
  • Conduct assessment activities;
  • Identify your business associates and PHI electronic trading partners;
  • Document potential impacts (gaps); and
  • Refine your budget estimates.

59. STEP 3. PLAN REMEDIATION STRATEGIES.
  • Determine what needs to be done to close the gaps;
  • Document your business compliance strategy;
  • Document your technical compliance strategy;
  • Refine your budget estimates as necessary;
  • Seek additional funding commitment if necessary; and
  • Organize and/or recruit the staff necessary to close the gaps.

60. STEP 4. REMEDIATE THE ORGANIZATION.
  • Conduct appropriate levels of training;
  • Establish/amend formal trading partner agreements and business associate contracts as necessary;
  • Modify (remediate) business processes, business application systems, and technical infrastructure as necessary to comply; and
  • Test and/or pilot modifications.

61. STEP 5. VALIDATE COMPLIANCE.
  • Develop and deploy self-verification tools and/or techniques that can be used by sub-sections of the organization to verify that they have met the requirements of HIPAA;
  • Determine whether independent validation and verification techniques will be used in any of the regulation areas; and
  • Solicit external validation and verification assistance as necessary.

62. STEP 6. MAINTAIN COMPLIANCE.
  • Develop and implement an ongoing compliance training program for privacy officers, security officers, new employees, etc.;
  • Determine whether an ongoing HIPAA compliance office is necessary and establish one if so;
  • Develop and implement an audit program to ensure ongoing compliance; and
  • Establish change management processes so that you are prepared to deal with future changes in the HIPAA law or to individual regulation areas.

63. QUESTIONS?

64. THANK YOU FOR YOUR TIME AND ATTENTION
  • Lisa D. Shannon, RN, JD
  • [email_address]