Uploaded byrobint2125
PPTX, PDF696 views

Hipaa overview 073118

This document provides an overview of HIPAA compliance requirements. It discusses the Health Insurance Portability and Accountability Act (HIPAA), which established national standards for protecting sensitive patient health information. It also discusses the HITECH Act, which strengthened HIPAA and incentivized adoption of electronic health records. Key aspects of HIPAA covered include privacy rules, security rules, breach notification requirements, penalties for noncompliance, and definitions of protected health information and covered entities. The document also provides an overview of 42 CFR Part 2 regulations regarding confidentiality of substance abuse treatment records.

Embed presentation

Downloaded 15 times
HIPAA Compliance Overview
HIPAA • Health Insurance Portability and Accountability Act • Federal Law, enacted 1996 • National standards for security of health data • Administrative Guidelines for: o Privacy o Security o Standard Transactions
HITECH • Health Information Technology for Economic and Clinical Health Act (HITECH) • Included in the American Recovery and Reinvestment Act (ARRA) of 2009 – Contains incentives related to healthcare technology in general and specific incentives designed to accelerate the adoption of electronic health records – Meaningful Use – Added “teeth” to HIPAA • Wall of Shame: https://ocrportal.hhs.gov/ocr/breach/breach_re port.jsf
HIPAA Always Changing Omnibus Rule (2013) included: • Notice of Privacy Practices (NPP) – Must be given to all clients • Business Associate (BA) Agreements – BAs now just as responsible and accountable • Policies and Procedures • Training Requirements • Audits
Additional Mandates • Mandated Breach Notification • Expanded Privacy and Patient Rights • Expanded and Mandated Security • Enforcements and enhanced monetary penalties • Office of Civil Rights (OCR) enforcement authority • State Attorneys General enforcement
Important Definitions Covered Entity A Covered Entity is a healthcare delivery option that includes doctors, clinics, hospitals, dentists, nursing homes and pharmacies that transmit data, health plan and healthcare clearinghouses Business Associate A Business Associate is any person or organization that functions on behalf of a covered entity that involves use or disclosure of identifiable health information. Examples include billing and coding vendors
Security Roles • Security Roles are established to provide governance of the HIPAA program – Security Compliance Officer – Privacy Officer – Workforce Security Manager – IT Security Manager – Incident/Breach Manager – Physical Security Manager • CIBHS Compliance Officers are: – Robin Texeira - Security Compliance Officer, Privacy Officer, Incident/Breach and Physical/IT Security Manager – Hope Alvidrez –Workforce Security Manager
What is Protected Health Information (PHI)? • Name • Address • Dates directly related to patient • Telephone number • Fax Number • Email addresses • Social Security Number • Medical Record Number • Health Plan Beneficiary Number • Account Number • Certification/License Number • Any vehicle license number • Any device serial number • Web URL, IP address • Finger or voice prints • Photographic images • Any other unique number, characteristic or code • Age greater than 89
PHI Details What is Protected? All Medical Records and Other Individually Identifiable Health Information (PHI) Used or Disclosed by a Covered Entity in any Form; Electronic, on Paper or Orally What is Included? Individually Identifiable Information that was provided by the client, created by you, created by another and forwarded to you and forwarded to you for payment, treatment or healthcare operations
Covered Entities Permitted Uses and Disclosures • A CE is permitted, but not required, to use and disclose PHI without an authorization, for the following purposes: – To the individual – Treatment, Payment and Health Care Operations (TPO) – Opportunity to Agree (having someone in the room during the session) – Incident to an otherwise permitted use – Limited Data Set for purposes of research, public health or health care operations
Patient Rights under HIPAA • To see their medical record • Obtain a copy of their medical record • Request amendments to their medical record • Request disclosure restrictions – Private Pay – Certain other disclosures, including research and marketing
Patient Rights under HIPAA • To receive a Notice of Privacy Practices • To have an accounting of disclosures (not TPO) • To authorize disclosures • Timely notification of any breaches • Secure Communications • Confidential communications when requested
California Specific Regulations California Laws that protect Medical Information: • The Confidentiality of Medical Information Act (CMIA) • The Information Practices Act (IPA) • The Patient Access to Health Records Act (PAHRA) • The Insurance Information and Privacy Protection Act (IPPA)
Now, the Rules
Security and Privacy Rules • According to the Department of Health and Human Services, the HIPAA Security Rule outlines national standards designed to protect individual’s electronic PHI (ePHI) • The HIPAA Privacy Rule set a national standard for the protection of certain health information that addresses the use and disclosure of PHI and standards for privacy rights for patients to understand and control how their health information is used
Security Rules • In May 2005, the Security Rule was implemented. Some of what it covers: – Access Control-who can access PHI – Computer protections against viruses, malware – Strong Passwords – Remote Access – Technical Security – Back up and Recovery
Physical Security • Environment – Physical security: locks on doors and file cabinets – Is there a networked printer or fax machine that is out in the open? – Awareness of who is allowed into the area with PHI – How is your computer monitor positioned? • Can others see the data on the screen? – What paper charts/forms are left out on your desk? – Stay alert, stay safe
Computer Security • Your devices – Do you have a smart phone, tablet or laptop that accesses your email or your Electronic Health Record? – Is your desktop computer secure and safe from someone removing it from your office? • Passwords – Make sure your passwords are complex, using letters, numbers and special characters – Be sure to change it often (every 90 days or per your agency policy) and after an incident – Never write your password down or give to others
What Can I Do? • Follow your agency’s P&Ps • Computers – Make sure your monitor is not visible to others – Lock your workstation when you leave your desk • Mobile Devices – Password protect your devices – Don’t save PHI to your mobile device – Lock up your devices to reduce theft • Passwords – Change every 90 days or after an incident – Don’t write down or share with others • Be Careful with emails – Phishing attempts – Don’t click on links or Download now buttons – Be suspicious and think before you take any actions – Confirm that the email was sent from your friend/co-worker if there are links included • Stop, Think and Don’t click the Link! • Report anything suspicious to your security compliance officer
Communicating with Clients • Communications with clients must be secure • Includes emails and texting – Yahoo and Gmail are insecure – Texting is insecure unless you have a technology that securely sends your texts • 3 issues with texting • Have to manage the requests from clients that may put you at risk of a breach – Portals – Request a release of information to allow insecure communications if there is no other option • Discuss using secure emails and texting solutions with your IT group – TigerText – OhMD – DocHalo – Cortext by Imprivata
Security Incidents • A security incident is the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. – Includes access to the client’s record - minimum necessary – Includes loss of a device that has access to PHI – You must report anything you do yourself, you observe or that you are concerned about – IT will initiate monitoring tools to assist • You should report anything suspicious to your Security Compliance Officer
Privacy Rules The goal of the HIPAA Privacy Rule is to properly protect individual’s health information and to use PHI appropriately while protecting the privacy of people who seek care and healing
What’s covered in Privacy? • Privacy covers paper, oral communication and electronic data • When PHI is used and/or disclosed and when you need an authorization • Notice of Privacy Practices • Administrative requirements
The Office of Civil Rights enforces HIPAA. This is an example of a YouTube video that instructs patients on their rights. https://www.youtube.com/watch?v=3- wV23_E4eQ&sns=em
Breaches Breach Definition An impermissible use or disclosure under the Privacy Rule of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised Breaches of more than 500 patient records must be reported to the news media and are posted on the Wall of Shame
Breaches Recent Breaches Kern County Mental Health reported a breach of PHI that occurred during relocation of admin dept in April 2016. A limited amount of PHI of patients who received from KCMH from 9/1-30/2006 was exposed. A single document was left in offices and potentially viewed by construction workers. It contained patient names; internal record numbers; service codes and unit where service provided. They have notified the media, patients and updated P&P to avoid a similar breach in the future. This isn’t listed on the Wall of Shame as it is unclear how any patients were affected.
Breaches Recent Breaches In May, San Juan County, NM, announced a hacker had gained access to it’s computer system and potentially viewed PHI of patients enrolled in its drug and alcohol abuse programs. Patients name, health assessments, treatment methods and detail of medications was potentially revealed. San Juan County was alerted to intrusion within 30 minutes of accessed being gained. They hired a cybersecurity firm to conduct an investigation. Patients were offered a year of credit monitoring services free. The county is protected by a $50,000 data breach insurance policy that will likely cover costs associated with the breach.
Largest data breach settlements/fines  New York-Presbyterian Hospital and Columbia University (New York City) May 2014 Deactivation of a network server resulted in the protected health information of more than 6,800 individuals being accessible online. $4.8 million HIPAA fine  Alaska HHS (Anchorage) June 2012 A portable storage device containing electronic patient data was stolen from an HHS employee. $1.7 million HIPAA fine  Concentra Health Services (Addison, Texas) April 2014 An unencrypted laptop containing patient data was stolen. $1.7 million HIPAA fine  UCLA Health (Los Angeles) July 2011 Complaints were filed against UCLA Health that from 2005-2008, unauthorized employees repeatedly accessed the protected health information of patients. $865,000 HIPAA fine
Reporting Requirements • Following a breach of unsecured PHI, Covered Entities must provide notification of the breach to the affected individual, the Secretary, and in certain circumstances, to the media • Business Associates must notify the Covered Entity of a breach • Provided without unreasonable delay, no later than 60 days following the discovery of the breach. – CA requires a 15 day maximum • You will follow your agency policy and procedures for incident/breach reporting
Penalties • Criminal Penalties: Covered Entities and specified individuals that “knowingly” obtain or disclose PHI can face up to $50,000 fine, as well as up to one year in prison. • Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine and up to five years in prison • Offenses committed with the intent to sell, transfer or use info for personal gain has fines up to $250,000 and up to 10 years in prison
Penalty Descriptions HIPAA Violation Minimum Penalty Maximum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation due to reasonable cause and not due to willful neglect $1,000 per violation, with an annual maximum of $100,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation due to willful neglect but violation is corrected within the required time period $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation is due to willful neglect and is not corrected $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million
42 CFR Part 2
42 CFR Part 2  42 CFR Part 2 are the federal regulations governing the confidentiality of drug and alcohol abuse treatment and prevention records • Privacy protections afforded to alcohol and drug abuse patient records • Motivated by the understanding that stigma and fear of prosecution might dissuade persons from seeking treatment
Who is Covered? • 42 CFR Part 2 applies to any individual or entity that is federally assisted and provides alcohol or drug abuse treatment or referral for treatment (42 CFR § 2.11) • Consider funding, treatment provided and clinical licenses that are at the federal level (DEA license)
Regulations • Restrict the disclosure and use of alcohol and drug client records • Any information disclosed by a covered program that “would identify a patient as an alcohol or drug abuser” (42 CFR §2.12(a) (1) • With limited exceptions, 42 CFR Part 2 requires client consent for disclosures of PHI even for the purposes of TPO. Consent must be in writing
US Government Publishing Office • Includes the electronic codes of federal regulations • Introduction, General Provisions, Disclosures with Patient Consent, Disclosures without Patient Consent, Court Orders Authorizing Disclosure and Use • http://www.ecfr.gov/cgi-bin/text- idx?rgn=div5;node=42%3A1.0.1.1.2 • 42 CFR Changes coming • https://www.federalregister.gov/articles/2016/02/09 /2016-01841/confidentiality-of-substance-use- disorder-patient-records
Written Consent The primary way in which patient substance abuse information may be disclosed is with a patient’s written consent. Substance abuse programs and providers must give patients a written summary of the federal laws and regulations that protect the confidentiality of patient substance abuse records and a description of the circumstances when the patient’s information may be disclosed without his/her consent.
Consent Forms For all other disclosures, consent must be obtained using a written consent form. A single consent form may authorize disclosure to multiple parties or for multiple purposes. Consent forms must contain specific elements (see right column) • Patient Name • Agency making disclosure • agency name of the person or agency to which disclosure is made • nature and amount of information to be disclosed (minimum necessary), • purpose of the disclosure (as specific as possible), • effective and expiration dates and event or condition upon which the consent expires • language explaining the consent process and may include a statement about possible denial of services if not signed for purposes of treatment, payment or healthcare operations • and signatures of client, authorized representative and description of authority to sign on the client’s behalf
Exceptions-Always work with Privacy Officer • Program Communications • To communicate with Qualified Service Organizations (QSO) – Similar to other covered entities or business associates • Medical Emergencies • Response to a crime against program personnel or on program premises • Research activities (approved by IRB) • Audit and Evaluation • Report suspected child abuse or neglect • Circumstances involving certain minors or incompetent patients • Response to a valid court order • Cause of death
HIPAA and 42 CFR Part 2 • Substance use programs must comply with both HIPAA 45 CFR and 42 CFR Part 2 • If there is a conflict, the more stringent rule applies • You begin to see that addiction treatment providers fall under the more stringent laws of 42 CFR, Part 2, in most cases. • However, there are requirements of HIPAA that must be put into place on specific forms that previous laws didn’t address or mandate.
SAMHSA • The Substance Abuse and Mental Health Services Administration (SAMHSA) provides great information and support on 42 CFR Part 2 • Spearheading efforts to change 42 CFR Part 2 to accommodate sharing info in EHRs/HIEs • http://www.samhsa.gov/about-us/who-we- are/laws/confidentiality-regulations-faqs
Policies and Procedures • Must be current and reference 45 CFR for both privacy and security • Agency must have an interconnected set of polices, plans, procedures and security roles assigned to have the end result be a secure, compliant and auditable environment
Agency Policies • CIBHS has approved policies that include HIPAA regulations • You can find the policies and procedures on the Public Drive

More Related Content

PPTX
HIPPA-Health Insurance Portability and Accountability Act
byHarshit Trivedi
 
PPTX
HIPAA AND INFORMATION TECHNOLOGY
bymariaradziminski
 
PPTX
Presentation hippa
bymaggie_Platt
 
PDF
HIPAA and How it Applies to You
byWinston & Strawn LLP
 
PPTX
HIPAA
byAlanoud Alqoufi
 
PPTX
HIPAA - Understanding the Basics of Compliance
byJay Hodes
 
PPT
Hitech Act
byDeborah Obasogie
 
PPTX
Health Insurance and Portability and Accountability Act
byসারন দাস
 
HIPPA-Health Insurance Portability and Accountability Act
byHarshit Trivedi
 
HIPAA AND INFORMATION TECHNOLOGY
bymariaradziminski
 
Presentation hippa
bymaggie_Platt
 
HIPAA and How it Applies to You
byWinston & Strawn LLP
 
HIPAA
byAlanoud Alqoufi
 
HIPAA - Understanding the Basics of Compliance
byJay Hodes
 
Hitech Act
byDeborah Obasogie
 
Health Insurance and Portability and Accountability Act
byসারন দাস
 

What's hot

PPT
HIPAA Privacy & Security
byNational Pharmacy Technician Association
 
PPS
HIPAA Basics
byKarna *
 
PPTX
The Basics of HIPAA
byDamianKnowles1
 
PPTX
HIPAA & PHI Training
byHatch Compliance, Inc.
 
PPTX
Hipaa
byMehak AggarwAl
 
PPTX
HIPAA Complaince
byFarhatParveen10
 
PPT
Hipaa
byJason Wrench
 
PPTX
HIPPA Security Presentation
byRebecca Norman
 
PDF
Hipaa ppt june 6 2014
byLyndon Godsall
 
PDF
Keys To HIPAA Compliance
byCBIZ, Inc.
 
PPT
HIPAA Compliance
byManny Oliverez
 
PPT
HIPAA
bybelziebub
 
PPT
Hippa
bycameonicole
 
PDF
Welcome to HIPAA Training
byJonathan Montes
 
PPTX
Annual HIPAA Training
byCynthia Holland
 
PPTX
Privacy and confidentiality
byjohnzinn
 
PPTX
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
bySanjeev Bharwan
 
PPT
Data Protection (Download for slideshow)
byAndrew Sharpe
 
PDF
Personal Data Protection Act - Employee Data Privacy
bylegalPadmin
 
PDF
HIPAA for Dummies
byhipaacompliance
 
HIPAA Privacy & Security
byNational Pharmacy Technician Association
 
HIPAA Basics
byKarna *
 
The Basics of HIPAA
byDamianKnowles1
 
HIPAA & PHI Training
byHatch Compliance, Inc.
 
Hipaa
byMehak AggarwAl
 
HIPAA Complaince
byFarhatParveen10
 
Hipaa
byJason Wrench
 
HIPPA Security Presentation
byRebecca Norman
 
Hipaa ppt june 6 2014
byLyndon Godsall
 
Keys To HIPAA Compliance
byCBIZ, Inc.
 
HIPAA Compliance
byManny Oliverez
 
HIPAA
bybelziebub
 
Hippa
bycameonicole
 
Welcome to HIPAA Training
byJonathan Montes
 
Annual HIPAA Training
byCynthia Holland
 
Privacy and confidentiality
byjohnzinn
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
bySanjeev Bharwan
 
Data Protection (Download for slideshow)
byAndrew Sharpe
 
Personal Data Protection Act - Employee Data Privacy
bylegalPadmin
 
HIPAA for Dummies
byhipaacompliance
 

Similar to Hipaa overview 073118

PPTX
HIPAA presentation GAHU v7
byJason Karn
 
PPTX
2017 HIPAA Clinical Research Training
byCynthia Holland
 
PPT
Training on confidentiality MHA690 Hayden
byhaydens
 
PPT
Technologies and procedures for HIPAA compliance
byJack Shaffer
 
PDF
Hipaa basics
byMichaelRodriguesdosS1
 
PPTX
Hippa training 2017
byAshley Valenzuela
 
PPTX
how to really implement hipaa presentation
byProvider Resources Group
 
PPTX
HIPAA Training - 2011
bydarichardson
 
PPTX
HIPAA Compliance Email
byL Andersen
 
PPT
Securing health information
byDarla Moore
 
PPTX
Hippa final JU nursing informatics
bykmcanty
 
PPT
HIPAA Volunteer Training - for awareness
byRicha Goel
 
PPT
Annual HIPAA Education
byDirkRhodes
 
PPTX
What is HIPAA and How it is important to all
byNatashaDanielleHudso
 
PDF
Hipaa training new_staff_december 2018 - compatibility mode
byrobint2125
 
PDF
CAHU EXPO Grove City, OH 2014
byJason Karn
 
PPTX
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
byeringold
 
PPTX
The Health Insurance Portability and Accountability Act 
byKartheek Kein
 
PPT
Hippa
byRoderickLaino
 
PPTX
Hipaa-2015
bypssurgery
 
HIPAA presentation GAHU v7
byJason Karn
 
2017 HIPAA Clinical Research Training
byCynthia Holland
 
Training on confidentiality MHA690 Hayden
byhaydens
 
Technologies and procedures for HIPAA compliance
byJack Shaffer
 
Hipaa basics
byMichaelRodriguesdosS1
 
Hippa training 2017
byAshley Valenzuela
 
how to really implement hipaa presentation
byProvider Resources Group
 
HIPAA Training - 2011
bydarichardson
 
HIPAA Compliance Email
byL Andersen
 
Securing health information
byDarla Moore
 
Hippa final JU nursing informatics
bykmcanty
 
HIPAA Volunteer Training - for awareness
byRicha Goel
 
Annual HIPAA Education
byDirkRhodes
 
What is HIPAA and How it is important to all
byNatashaDanielleHudso
 
Hipaa training new_staff_december 2018 - compatibility mode
byrobint2125
 
CAHU EXPO Grove City, OH 2014
byJason Karn
 
PACT Cybersecurity Series Event, speaker Gregory M. Fliszar, Esq. of Cozen O'...
byeringold
 
The Health Insurance Portability and Accountability Act 
byKartheek Kein
 
Hippa
byRoderickLaino
 
Hipaa-2015
bypssurgery
 

Recently uploaded

PPTX
Emergency care in the streets chapter 43
byJustinYarnell
 
PPTX
School improvement Plan Crafting workshop
bykhristinirishrontas4
 
PDF
Item # 10 - Coral Studios Public Park proposed design development
byahcitycouncil
 
PPTX
Tracking Progress on Monitoring, Evaluation, and Learning for National Adapta...
byNAP Global Network
 
PPTX
Granite State Independent Living How a Bill Becomes Law.pptx
bymbaxley1
 
PDF
Item # 9 - Chpt. ED 380 Agreement with Ridgemont Properties, Inc.
byahcitycouncil
 
PDF
PPT Item # 9 - Chpt. ED 380 Agmnt with Ridgemont Properties, Inc.
byahcitycouncil
 
PDF
UNEP Global Environment Outlook_7 - Full Report
byEnergy for One World
 
PPTX
Enhanced_Future_Ready_Workforce_Viksit_Bharat_PPT.pptx
byp9745542
 
PDF
PPT Item # 13 - Financial & Inv. Report 4th Qtr
byahcitycouncil
 
PDF
Mind over matter: Attention’s capture, & retention as new battlespace
bySanjana Hattotuwa
 
PDF
UNEP Global Environment Outlook : GEO7-Key-Messages
byEnergy for One World
 
PPTX
Granite State Independent Living Effective Systems Advocacy.pptx
bymbaxley1
 
PDF
PPT Item # 11 - Notice of Intent (NOI) 6900 Broadway
byahcitycouncil
 
PPTX
Did America’s GDP Improve After Trump Returned?
byKritika Chauhan
 
PDF
CREA China Climate Transition Outlook2025
byEnergy for One World
 
PDF
Lista de ciudadanos bolivianos registrados como postulantes para vocales del ...
bygyapura1
 
PDF
PPT Item # 10 - Coral Studio Public Park proposed design development
byahcitycouncil
 
PDF
UNDP World Inequality Report 2026 Full Report
byEnergy for One World
 
PDF
Commentary by Dutch NewsPaper on the Trump administration National Security v...
byEnergy for One World
 
Emergency care in the streets chapter 43
byJustinYarnell
 
School improvement Plan Crafting workshop
bykhristinirishrontas4
 
Item # 10 - Coral Studios Public Park proposed design development
byahcitycouncil
 
Tracking Progress on Monitoring, Evaluation, and Learning for National Adapta...
byNAP Global Network
 
Granite State Independent Living How a Bill Becomes Law.pptx
bymbaxley1
 
Item # 9 - Chpt. ED 380 Agreement with Ridgemont Properties, Inc.
byahcitycouncil
 
PPT Item # 9 - Chpt. ED 380 Agmnt with Ridgemont Properties, Inc.
byahcitycouncil
 
UNEP Global Environment Outlook_7 - Full Report
byEnergy for One World
 
Enhanced_Future_Ready_Workforce_Viksit_Bharat_PPT.pptx
byp9745542
 
PPT Item # 13 - Financial & Inv. Report 4th Qtr
byahcitycouncil
 
Mind over matter: Attention’s capture, & retention as new battlespace
bySanjana Hattotuwa
 
UNEP Global Environment Outlook : GEO7-Key-Messages
byEnergy for One World
 
Granite State Independent Living Effective Systems Advocacy.pptx
bymbaxley1
 
PPT Item # 11 - Notice of Intent (NOI) 6900 Broadway
byahcitycouncil
 
Did America’s GDP Improve After Trump Returned?
byKritika Chauhan
 
CREA China Climate Transition Outlook2025
byEnergy for One World
 
Lista de ciudadanos bolivianos registrados como postulantes para vocales del ...
bygyapura1
 
PPT Item # 10 - Coral Studio Public Park proposed design development
byahcitycouncil
 
UNDP World Inequality Report 2026 Full Report
byEnergy for One World
 
Commentary by Dutch NewsPaper on the Trump administration National Security v...
byEnergy for One World
 

Hipaa overview 073118

  • 1.
  • 2.
    HIPAA • Health InsurancePortability and Accountability Act • Federal Law, enacted 1996 • National standards for security of health data • Administrative Guidelines for: o Privacy o Security o Standard Transactions
  • 3.
    HITECH • Health InformationTechnology for Economic and Clinical Health Act (HITECH) • Included in the American Recovery and Reinvestment Act (ARRA) of 2009 – Contains incentives related to healthcare technology in general and specific incentives designed to accelerate the adoption of electronic health records – Meaningful Use – Added “teeth” to HIPAA • Wall of Shame: https://ocrportal.hhs.gov/ocr/breach/breach_re port.jsf
  • 4.
    HIPAA Always Changing OmnibusRule (2013) included: • Notice of Privacy Practices (NPP) – Must be given to all clients • Business Associate (BA) Agreements – BAs now just as responsible and accountable • Policies and Procedures • Training Requirements • Audits
  • 5.
    Additional Mandates • MandatedBreach Notification • Expanded Privacy and Patient Rights • Expanded and Mandated Security • Enforcements and enhanced monetary penalties • Office of Civil Rights (OCR) enforcement authority • State Attorneys General enforcement
  • 6.
    Important Definitions Covered Entity ACovered Entity is a healthcare delivery option that includes doctors, clinics, hospitals, dentists, nursing homes and pharmacies that transmit data, health plan and healthcare clearinghouses Business Associate A Business Associate is any person or organization that functions on behalf of a covered entity that involves use or disclosure of identifiable health information. Examples include billing and coding vendors
  • 7.
    Security Roles • SecurityRoles are established to provide governance of the HIPAA program – Security Compliance Officer – Privacy Officer – Workforce Security Manager – IT Security Manager – Incident/Breach Manager – Physical Security Manager • CIBHS Compliance Officers are: – Robin Texeira - Security Compliance Officer, Privacy Officer, Incident/Breach and Physical/IT Security Manager – Hope Alvidrez –Workforce Security Manager
  • 8.
    What is ProtectedHealth Information (PHI)? • Name • Address • Dates directly related to patient • Telephone number • Fax Number • Email addresses • Social Security Number • Medical Record Number • Health Plan Beneficiary Number • Account Number • Certification/License Number • Any vehicle license number • Any device serial number • Web URL, IP address • Finger or voice prints • Photographic images • Any other unique number, characteristic or code • Age greater than 89
  • 9.
    PHI Details What isProtected? All Medical Records and Other Individually Identifiable Health Information (PHI) Used or Disclosed by a Covered Entity in any Form; Electronic, on Paper or Orally What is Included? Individually Identifiable Information that was provided by the client, created by you, created by another and forwarded to you and forwarded to you for payment, treatment or healthcare operations
  • 10.
    Covered Entities PermittedUses and Disclosures • A CE is permitted, but not required, to use and disclose PHI without an authorization, for the following purposes: – To the individual – Treatment, Payment and Health Care Operations (TPO) – Opportunity to Agree (having someone in the room during the session) – Incident to an otherwise permitted use – Limited Data Set for purposes of research, public health or health care operations
  • 11.
    Patient Rights underHIPAA • To see their medical record • Obtain a copy of their medical record • Request amendments to their medical record • Request disclosure restrictions – Private Pay – Certain other disclosures, including research and marketing
  • 12.
    Patient Rights underHIPAA • To receive a Notice of Privacy Practices • To have an accounting of disclosures (not TPO) • To authorize disclosures • Timely notification of any breaches • Secure Communications • Confidential communications when requested
  • 13.
    California Specific Regulations CaliforniaLaws that protect Medical Information: • The Confidentiality of Medical Information Act (CMIA) • The Information Practices Act (IPA) • The Patient Access to Health Records Act (PAHRA) • The Insurance Information and Privacy Protection Act (IPPA)
  • 14.
  • 15.
    Security and PrivacyRules • According to the Department of Health and Human Services, the HIPAA Security Rule outlines national standards designed to protect individual’s electronic PHI (ePHI) • The HIPAA Privacy Rule set a national standard for the protection of certain health information that addresses the use and disclosure of PHI and standards for privacy rights for patients to understand and control how their health information is used
  • 16.
    Security Rules • InMay 2005, the Security Rule was implemented. Some of what it covers: – Access Control-who can access PHI – Computer protections against viruses, malware – Strong Passwords – Remote Access – Technical Security – Back up and Recovery
  • 17.
    Physical Security • Environment –Physical security: locks on doors and file cabinets – Is there a networked printer or fax machine that is out in the open? – Awareness of who is allowed into the area with PHI – How is your computer monitor positioned? • Can others see the data on the screen? – What paper charts/forms are left out on your desk? – Stay alert, stay safe
  • 18.
    Computer Security • Yourdevices – Do you have a smart phone, tablet or laptop that accesses your email or your Electronic Health Record? – Is your desktop computer secure and safe from someone removing it from your office? • Passwords – Make sure your passwords are complex, using letters, numbers and special characters – Be sure to change it often (every 90 days or per your agency policy) and after an incident – Never write your password down or give to others
  • 19.
    What Can IDo? • Follow your agency’s P&Ps • Computers – Make sure your monitor is not visible to others – Lock your workstation when you leave your desk • Mobile Devices – Password protect your devices – Don’t save PHI to your mobile device – Lock up your devices to reduce theft • Passwords – Change every 90 days or after an incident – Don’t write down or share with others • Be Careful with emails – Phishing attempts – Don’t click on links or Download now buttons – Be suspicious and think before you take any actions – Confirm that the email was sent from your friend/co-worker if there are links included • Stop, Think and Don’t click the Link! • Report anything suspicious to your security compliance officer
  • 20.
    Communicating with Clients •Communications with clients must be secure • Includes emails and texting – Yahoo and Gmail are insecure – Texting is insecure unless you have a technology that securely sends your texts • 3 issues with texting • Have to manage the requests from clients that may put you at risk of a breach – Portals – Request a release of information to allow insecure communications if there is no other option • Discuss using secure emails and texting solutions with your IT group – TigerText – OhMD – DocHalo – Cortext by Imprivata
  • 21.
    Security Incidents • Asecurity incident is the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. – Includes access to the client’s record - minimum necessary – Includes loss of a device that has access to PHI – You must report anything you do yourself, you observe or that you are concerned about – IT will initiate monitoring tools to assist • You should report anything suspicious to your Security Compliance Officer
  • 22.
    Privacy Rules The goalof the HIPAA Privacy Rule is to properly protect individual’s health information and to use PHI appropriately while protecting the privacy of people who seek care and healing
  • 23.
    What’s covered inPrivacy? • Privacy covers paper, oral communication and electronic data • When PHI is used and/or disclosed and when you need an authorization • Notice of Privacy Practices • Administrative requirements
  • 24.
    The Office ofCivil Rights enforces HIPAA. This is an example of a YouTube video that instructs patients on their rights. https://www.youtube.com/watch?v=3- wV23_E4eQ&sns=em
  • 25.
    Breaches Breach Definition An impermissibleuse or disclosure under the Privacy Rule of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised Breaches of more than 500 patient records must be reported to the news media and are posted on the Wall of Shame
  • 26.
    Breaches Recent Breaches Kern CountyMental Health reported a breach of PHI that occurred during relocation of admin dept in April 2016. A limited amount of PHI of patients who received from KCMH from 9/1-30/2006 was exposed. A single document was left in offices and potentially viewed by construction workers. It contained patient names; internal record numbers; service codes and unit where service provided. They have notified the media, patients and updated P&P to avoid a similar breach in the future. This isn’t listed on the Wall of Shame as it is unclear how any patients were affected.
  • 27.
    Breaches Recent Breaches In May,San Juan County, NM, announced a hacker had gained access to it’s computer system and potentially viewed PHI of patients enrolled in its drug and alcohol abuse programs. Patients name, health assessments, treatment methods and detail of medications was potentially revealed. San Juan County was alerted to intrusion within 30 minutes of accessed being gained. They hired a cybersecurity firm to conduct an investigation. Patients were offered a year of credit monitoring services free. The county is protected by a $50,000 data breach insurance policy that will likely cover costs associated with the breach.
  • 28.
    Largest data breach settlements/fines New York-Presbyterian Hospital and Columbia University (New York City) May 2014 Deactivation of a network server resulted in the protected health information of more than 6,800 individuals being accessible online. $4.8 million HIPAA fine  Alaska HHS (Anchorage) June 2012 A portable storage device containing electronic patient data was stolen from an HHS employee. $1.7 million HIPAA fine  Concentra Health Services (Addison, Texas) April 2014 An unencrypted laptop containing patient data was stolen. $1.7 million HIPAA fine  UCLA Health (Los Angeles) July 2011 Complaints were filed against UCLA Health that from 2005-2008, unauthorized employees repeatedly accessed the protected health information of patients. $865,000 HIPAA fine
  • 29.
    Reporting Requirements • Followinga breach of unsecured PHI, Covered Entities must provide notification of the breach to the affected individual, the Secretary, and in certain circumstances, to the media • Business Associates must notify the Covered Entity of a breach • Provided without unreasonable delay, no later than 60 days following the discovery of the breach. – CA requires a 15 day maximum • You will follow your agency policy and procedures for incident/breach reporting
  • 30.
    Penalties • Criminal Penalties:Covered Entities and specified individuals that “knowingly” obtain or disclose PHI can face up to $50,000 fine, as well as up to one year in prison. • Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine and up to five years in prison • Offenses committed with the intent to sell, transfer or use info for personal gain has fines up to $250,000 and up to 10 years in prison
  • 31.
    Penalty Descriptions HIPAA ViolationMinimum Penalty Maximum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation due to reasonable cause and not due to willful neglect $1,000 per violation, with an annual maximum of $100,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation due to willful neglect but violation is corrected within the required time period $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation is due to willful neglect and is not corrected $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million
  • 32.
  • 33.
    42 CFR Part2  42 CFR Part 2 are the federal regulations governing the confidentiality of drug and alcohol abuse treatment and prevention records • Privacy protections afforded to alcohol and drug abuse patient records • Motivated by the understanding that stigma and fear of prosecution might dissuade persons from seeking treatment
  • 34.
    Who is Covered? •42 CFR Part 2 applies to any individual or entity that is federally assisted and provides alcohol or drug abuse treatment or referral for treatment (42 CFR § 2.11) • Consider funding, treatment provided and clinical licenses that are at the federal level (DEA license)
  • 35.
    Regulations • Restrict thedisclosure and use of alcohol and drug client records • Any information disclosed by a covered program that “would identify a patient as an alcohol or drug abuser” (42 CFR §2.12(a) (1) • With limited exceptions, 42 CFR Part 2 requires client consent for disclosures of PHI even for the purposes of TPO. Consent must be in writing
  • 36.
    US Government Publishing Office •Includes the electronic codes of federal regulations • Introduction, General Provisions, Disclosures with Patient Consent, Disclosures without Patient Consent, Court Orders Authorizing Disclosure and Use • http://www.ecfr.gov/cgi-bin/text- idx?rgn=div5;node=42%3A1.0.1.1.2 • 42 CFR Changes coming • https://www.federalregister.gov/articles/2016/02/09 /2016-01841/confidentiality-of-substance-use- disorder-patient-records
  • 37.
    Written Consent The primaryway in which patient substance abuse information may be disclosed is with a patient’s written consent. Substance abuse programs and providers must give patients a written summary of the federal laws and regulations that protect the confidentiality of patient substance abuse records and a description of the circumstances when the patient’s information may be disclosed without his/her consent.
  • 38.
    Consent Forms For allother disclosures, consent must be obtained using a written consent form. A single consent form may authorize disclosure to multiple parties or for multiple purposes. Consent forms must contain specific elements (see right column) • Patient Name • Agency making disclosure • agency name of the person or agency to which disclosure is made • nature and amount of information to be disclosed (minimum necessary), • purpose of the disclosure (as specific as possible), • effective and expiration dates and event or condition upon which the consent expires • language explaining the consent process and may include a statement about possible denial of services if not signed for purposes of treatment, payment or healthcare operations • and signatures of client, authorized representative and description of authority to sign on the client’s behalf
  • 39.
    Exceptions-Always work with PrivacyOfficer • Program Communications • To communicate with Qualified Service Organizations (QSO) – Similar to other covered entities or business associates • Medical Emergencies • Response to a crime against program personnel or on program premises • Research activities (approved by IRB) • Audit and Evaluation • Report suspected child abuse or neglect • Circumstances involving certain minors or incompetent patients • Response to a valid court order • Cause of death
  • 40.
    HIPAA and 42CFR Part 2 • Substance use programs must comply with both HIPAA 45 CFR and 42 CFR Part 2 • If there is a conflict, the more stringent rule applies • You begin to see that addiction treatment providers fall under the more stringent laws of 42 CFR, Part 2, in most cases. • However, there are requirements of HIPAA that must be put into place on specific forms that previous laws didn’t address or mandate.
  • 41.
    SAMHSA • The SubstanceAbuse and Mental Health Services Administration (SAMHSA) provides great information and support on 42 CFR Part 2 • Spearheading efforts to change 42 CFR Part 2 to accommodate sharing info in EHRs/HIEs • http://www.samhsa.gov/about-us/who-we- are/laws/confidentiality-regulations-faqs
  • 42.
    Policies and Procedures •Must be current and reference 45 CFR for both privacy and security • Agency must have an interconnected set of polices, plans, procedures and security roles assigned to have the end result be a secure, compliant and auditable environment
  • 43.
    Agency Policies • CIBHShas approved policies that include HIPAA regulations • You can find the policies and procedures on the Public Drive

Editor's Notes

  • #2 Welcome to the HIPAA Compliance Overview for CIBHS class. This class will cover, at a high level, the basics of the HIPAA 45 CFR regulations as of January 2016, what you will need to do to meet compliance and future planning needs.
  • #3 HIPAA was enacted in 1996 to address the different standards noted in the slide. This class will cover the security and privacy sections of the law. HIPAA set a national standard for accessing and handling medical information. It was started by President Clinton, AKA the Kennedy Kassenbaum Act. Click on the orange bubble for more info on HITECH. 8/21/96 Included a number of titles but we are concerned with Title II, Administrative Simplification.
  • #4 The Health Information Technology for Economic and Clinical Health Act, or HITECH, was included in the American Recovery and Reinvestment Act of 2009. The focus here was the move to the electronic health record implementations, so much of HITECH is around healthcare technology, Meaningful Use and penalties for organizations that do not comply. HITECH added the teeth to HIPAA so healthcare providers are required to comply with the regulations or be forced to pay penalties and even be put on the Wall of Shame for all to see any reported breaches that affected 500 or more individuals. The Wall of Shame website is https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf if you would like to take a look sometime.
  • #5 The federal government reviews and addresses HIPAA and updates the regulations as required. The last change occurred in 2013 (Omnibus Rule) and included: 1. new regulations about providing the Notice of Privacy practices, or NPPs, to the clients so they understand their rights. 2. mandated Business Associates to follow the same rules as healthcare providers – 3. made changes to the P&Ps and staff training requirements. 4. Audits are now given more priority and additional funding has been made available to confirm healthcare agency’s HIPAA compliance. - If County audited, CIBHS would likely be audited. 5. Applied HIPAA to subcontractors (businesses that perform activities on behalf of BAs).
  • #6 Additional changes made to the 45 CFRs expanded the mandated breach notification rules, the patient privacy and patient rights requirements, and increased the penalties for breaches. The enforcement authorities are now the Office of Civil Rights (OCR) and the State Attorneys General departments. Bottom line, the federal government is stressing to all that HIPAA is required and it is serious to meet the regulations. Click on the orange bubble to find out more about definitions for some important hipaa terms
  • #7 We mentioned a Business Associate earlier in the class. That is one of the important definitions you will need to remember as you work on your compliance efforts. A Business Associate is a person or organization that functions on behalf of the covered entity. CIBHS is considered a Business Associate to our customers who are covered entities. A covered entity is a healthcare delivery option that includes doctors, clinics, hospitals, nursing homes and pharmacies that transmit data. Also includes health plans and healthcare clearinghouses (billing services, medical reviewers). Show BAA example.
  • #8 Security Roles are part of the HIPAA regulations and were created to establish responsibility and accountability for security functions and activities. HIPAA requires overall responsibility reside in a single person. This way the organizational activities are monitored by the single person, but other responsibilities and roles can be given to others to share in the work. For example, the Security Compliance Officer is responsible for developing and implementing the security P&Ps. They are also responsible for establishing and maintaining an official repository of all security docs including P&Ps, plans, staff assignments, implementation data, test results and data required by regulation. The other roles assist across the functional areas. Privacy Officer is responsible for ensuring the organization’s compliance with the HIPAA privacy rule and other applicable privacy regulations. The Workforce Security Manager has overall responsibility for workforce security and training including Background checks, Security and access roles assignment, Security training and the Sanctions process. The IT Security Manager has overall responsibility for implementing and operating technical IT security. The Incident/Breach Manager is responsible for creating and implementing the security incident / privacy breach response plan. And, the physical security manager is responsible for ensuring that the facility is secured from unauthorized access to restricted areas, devices, files and sensitive information 24/7/365. It is permissible for one person to be assigned multiple roles if needed. Do you know who your security compliance and your privacy officers are? If not, ask and understand what they do at your agency and when you need to report concerns to them.
  • #9 There are 18 types of identifiers that if used alone or in combination are considered PHI. Review the list and see if you are surprised by any item. The last item, Age greater than 89, relates to a possible identification of someone just based on their age. For example, Mr. Jones is 99 and receiving services at the local MH agency. The agency has an article in the local paper talking about their services and mentions their 99 y/o client who loves coming in for services. Mr. Jones is the only 99 y/o in the town. He could be identified and his privacy breached by that remark. Mr. Jones should have signed a release of information to allow his information to be used.
  • #10 All medical records and other individually identifiable health information used or disclosed by a CE in any form (electronic, paper and oral) is protected. You have to consider all of the information you have on the client; information that was provided by the client, created by you, created by another, forwarded to you for any reason including TPO.
  • #11 There are some instances where a covered entity is permitted to disclose PHI without an authorization. You can use and disclose PHI to the individual, for Treatment, Payment and Healthcare Operations (TPO), and other areas noted here that may or may not come up at your agency. The government understands you have to treat your client, work together with others at your agency and receive payment for services delivered without undue hardship. Remember that any other use or disclosure falls under privacy rules.
  • #12 The latest 45 CFR* regulations expanded patient rights. Patient’s have the right to see their medical record, obtain a copy of their medical record and request amendments to their medical record. They also have the right to authorize disclosures, to request disclosure restrictions if they are private pay clients and other types of disclosures, including research and marketing and to have an accounting of non-TPO disclosures. Clients have a right to receive the notice of privacy practices (NPP), timely notification of breaches, and secure and confidential communications when requested. *Code of Federal Regulations. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164. 
  • #13 The latest 45 CFR* regulations expanded patient rights. Patient’s have the right to see their medical record, obtain a copy of their medical record and request amendments to their medical record. They also have the right to authorize disclosures, to request disclosure restrictions if they are private pay clients and other types of disclosures, including research and marketing and to have an accounting of non-TPO disclosures. Clients have a right to receive the notice of privacy practices (NPP), timely notification of breaches, and secure and confidential communications when requested. *Code of Federal Regulations. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164. 
  • #14 Each state has their own privacy laws that may be lower, match or exceed HIPAA requirements. The most stringent rule should apply. In California, there are other Acts that have regulations related to PHI privacy. Review this list and determine if you are referencing these laws at your organization. Confidentiality of Medical Information Act (CMIA) is in the California Civil Code and regulates the privacy of medical information.  (Cal. Civ. Code §§ 56-56.37)  See the California Office of Health Information Integrity (CalOHII) website for a list of both who and what the CMIA covers. 1798. This chapter shall be known and may be cited as the Information Practices Act of 1977. 1798.1. The Legislature declares that the right to privacy is a personal and fundamental right protected by Section 1 of Article I of the Constitution of California and by the United States Constitution and that all individuals have a right of privacy in information pertaining to them. The Legislature further makes the following findings: (a) The right to privacy is being threatened by the indiscriminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies. (b) The increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the maintenance of personal information. (c) In order to protect the privacy of individuals, it is necessary that the maintenance and dissemination of personal information be subject to strict limits. California Health & Safety Code Section 123100 et seq. establishes a patient's right to see and receive copies of his or her medical records, under specific conditions and/or requirements. The purpose of this article is to establish standards for the collection, use and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents or insurance-support organizations; to maintain a balance between the need for information by those conducting the business of insurance and the public’s need for fairness in insurance information practices, including the need to minimize intrusiveness; to establish a regulatory mechanism to enable natural persons to ascertain what information is being or has been collected about them in connection with insurance transactions and to have access to such information for the purpose of verifying or disputing its accuracy; to limit the disclosure of information collected in connection with insurance transactions; and to enable insurance applicants and policyholders to obtain the reasons for any adverse underwriting decision.
  • #15 Now is a good time to take a break, we will move onto the Rules!
  • #16 The HIPAA security rule outline national standards designed to protect the individuals ePHI. The Privacy rule set a national standard for the protection of certain health information that addresses the use and disclosure of PHI. There are also standards for patients to understand and control how their health information is used. The Privacy Rule is the longest and most complex HIPAA rule. The intent is to provide high level PHI protection without impacting delivery of care.
  • #17 The security rule was final in 2005 and covers the more technical, or IS department standards and rules. It covers Access Control (who can access PHI), anti-virus and anti-malware procedures to keep hardware safe, Password standards for all users to have strong passwords (meaning 8 characters, including alpha-numeric and special characters), standards for secure remote access, secure physical security on doors and locks. There are other technical security standards that address Contingency planning, back up and recovery from the back ups, and a risk analysis that includes testing for secure networks and servers.
  • #18 How does Physical Security apply to you? Think about your office environment; are you in a locked area or are the doors open? Is there a receptionist to greet visitors or can people just walk in? Is there a secure space for file cabinets that contain PHI and are there locks that are used? Now look at your desk space; is your computer monitor positioned to protect others from viewing your screen or can someone walk up or look around and view the data? Do you have paper charts/forms that contain PHI out when you are not in your office? Your agency may have a facilities manager that governs your physical set up, but that doesn’t prevent you from assisting and identifying issues that need to be resolved to reduce risk. Stay alert so both you and your client’s PHI are safe.
  • #19 We need to think about our electronic devices and how we access PHI. Do you have a smart phone, tablet or laptop that has access to PHI? Is it encrypted? Is your desktop computer protected from being stolen? Passwords are included in the security rule. Users must have strong passwords that are more difficult to figure out. Letters, numbers and special characters help make your password strong. Changing your password often helps to protect your data. A good standard is changing every 90 days or after an incident. Refer to your IT Password policy and procedures so you understand your agencies standards. Remember, never write your password down, put in under your keyboard or give to others. Your identity is part of your login/password and anyone that uses that combination looks like you in the system. If you allow someone to use your login/password and something happens, you will be held responsible.
  • #20 We are always being challenged at work and at home with identify theft and the risk is high that you will experience some sort of hardware or data vulnerabilities. Your security compliance officer is doing what they can to help protect your agency’s data, and you need to help by understanding the risks and what you can do to help. First, make sure you understand and follow your agency’s P&Ps regarding security. Ask if you don’t understand something or need assistance. Then, think about your computer and your office/cubbie space. Try to turn your monitor so people walking by can’t easily see your screen. Ask for a privacy screen if turning the monitor isn’t possible. Be sure to lock your workstation when you leave. It’s easy for someone else to quickly sit down at your desk and do something that exposes your client’s PHI. If you use mobile devices that have work emails or access to other systems, make sure you password protect those and that you keep them safe. Always know where your mobile device is. Take the additional step to never save PHI to your device. Change your password at a regular interval and never write it down or share with others unless your IT support person requests per policy. Emails are full of attempts to get your identity, your passwords, to install malware or Trojans on your server-basically hackers know the tricks to get what they want. We can be alert and help reduce risks. Phishing means any attempt designed to get your information and it happens all the time. Be careful when you receive an email from someone you know that doesn’t look right or includes a link to a great website they found. Be a detective before you click anything; are things misspelled, do they look like it goes to a website that has a different name included? Be very suspicious if you see a website with a Download here button (usually green!). You have to make sure you are dealing with the actual website and not a clone. Say to yourself “Stop, Think and Don’t Click the Link!” Bottom line, report anything suspicious to your security compliance officer. It might not be anything, but better to know that sooner than when it’s too late.
  • #21 Communication is our job, and now with new technologies we are faced with new questions about emailing and texting with our customers. This slide has a clinical focus, but the content is the same. Communications with your customers or with CIBHS staff that includes PHI needs to be secure. Many prefer email to the telephone for scheduling appointments, requesting copies of their records, test results and it does provide a documented record of the communication. Unfortunately, emails are not secure by default and there are no assurances of privacy and security in the chain of communication. Texting is fast, can be more discreet and private than a phone call but is insecure. 3 issues with texting; possible risk to privacy, lack of med record documentation of the communication and safety issues if a client texts during off hours or to the wrong person.
  • #22 There are standards that cover how we are to respond to a security incident. The definition of a security incident is the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Areas addressed here include your access rights in the EHR, includes the loss of any device that accesses or includes PHI and anything you do or observe happening that isn’t appropriate. IT has monitoring tools to assist with access issues, but you are also responsible to report anything to Robin, your Security Compliance Officer, that you see that is suspicious.
  • #23 Privacy rules are more focused on the individual’s health information and how we protect it. The goal of the privacy rule is to properly protect the client’s health information and use PHI appropriately while protecting the privacy of people who seek care and healing. June 13, 2016 Obama Administration Temporarily Waives HIPAA:  But Did It Have To Be? In the aftermath of the shootings in Orlando late Saturday night, President Obama applied a unique waiver to HIPAA -- allowing family and friends of the victims to gain quicker access to information about their loved ones.  In most situations, information about an individual's condition would not be released to anyone but a spouse or next of kin absent a consent from the patient  In normal circumstances this is a valuable protection on an individual's privacy.  However, the situation this weekend was anything but normal. Family and friends were unable to obtain any information on the condition of their loved ones, and a consent was simply not possible in many circumstances. Section 1135 of the Social Security Act which was invoked allows healthcare providers flexibility in sharing protected health information ("PHI") with loved ones in emergency situations. The only other time this provision had been enacted was in the aftermath of Hurricane Katrina.  For this waiver to be applied the president must declare a national emergency and the secretary of the Department of Health and Human Services must declare a public health emergency.  Both of which were declared for Orlando on Sunday.  The waiver applying during an "emergency period" may be no more than 72 hours, which is how long this waiver is in effect.  This is also not a complete waiver of HIPAA, but only a temporary suspension on requiring patient consent before releasing PHI to loved ones who are not a spouse or next of kin.   There is a question whether Section 1135 had to be invoked.  The Office of Civil Rights has published opinions stating that health care providers can release PHI to loved ones if a person is incapacitated "if, in their professional judgment, doing so is in the patient's best interest."  Arguably that would be the end of the discussion.  However, invoking Section 1135 unequivocally insulated health care providers from even the potential of fines or sanctions for non-compliance.  Absolutely necessary or not, temporarily waiving limited portions of HIPAA  allowed providers to focus on the important tasks at hand rather than worrying about potential HIPAA violations.  
  • #24 The privacy rule covers paper, oral communication and electronic data. There are regulations about when you can use your client’s PHI without an authorization (treatment, payment and healthcare operations), when you need to track disclosures and when you need an authorization to use or release information. The Notice of Privacy Practices is the information about what privacy is, where the client can report a complaint (at your agency, at the state and at the federal level) and their right to view their records, to amend their records and to get a copy of their records. The regulation also includes that you need to document the client received the NPP and signed as such. There are other administrative requirements included that can be referenced in the 45 CFR, parts 160 and 164.
  • #26 An impermissible use or disclosure under the privacy rule of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates there is low probability that the PHI has been compromised. There is now a rule that breaches of more than 500 patient records must be reported to the news media and the breach is added to the Wall of Shame. Breaches at CIBHS – CPS packages arriving ripped. We have taken steps to correct the problem. In case of ripped CPS data: notified county, conducted risk assessment, changed procedures for receiving packages at front desk. Breach Examples: Rite Aid disposed of empty labeled pill bottles in dumpster - $1 million fine Well Point online database was not protected and accessible via Internet - $1.7 million fine Employees at UCLA Health System were looking at patient records of celebrities – Paid $865,000 settlement
  • #27 An impermissible use or disclosure under the privacy rule of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates there is low probability that the PHI has been compromised. There is now a rule that breaches of more than 500 patient records must be reported to the news media and the breach is added to the Wall of Shame. Breaches at CIBHS – CPS packages arriving ripped. We have taken steps to correct the problem. In case of ripped CPS data: notified county, conducted risk assessment, changed procedures for receiving packages at front desk. Breach Examples: Rite Aid disposed of empty labeled pill bottles in dumpster - $1 million fine Well Point online database was not protected and accessible via Internet - $1.7 million fine Employees at UCLA Health System were looking at patient records of celebrities – Paid $865,000 settlement
  • #28 An impermissible use or disclosure under the privacy rule of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates there is low probability that the PHI has been compromised. There is now a rule that breaches of more than 500 patient records must be reported to the news media and the breach is added to the Wall of Shame. Breaches at CIBHS – CPS packages arriving ripped. We have taken steps to correct the problem. In case of ripped CPS data: notified county, conducted risk assessment, changed procedures for receiving packages at front desk. Wall of Shame – for San Juan County: sort by state, go to page 10 – about halfway down page – first NM listing.
  • #29 An impermissible use or disclosure under the privacy rule of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates there is low probability that the PHI has been compromised. There is now a rule that breaches of more than 500 patient records must be reported to the news media and the breach is added to the Wall of Shame. Breaches at CIBHS – CPS packages arriving ripped. We have taken steps to correct the problem. In case of ripped CPS data: notified county, conducted risk assessment, changed procedures for receiving packages at front desk. Wall of Shame – for San Juan County: sort by state, go to page 10 – about halfway down page – first NM listing.
  • #31 Criminal penalties apply to Covered Entities, Business Associates and individuals.
  • #32 Most current penalties. What’s important to take away here is that there are monetary and possible jail time for violations. These are imposed on the agency as well as the person who was responsible for the violation. Fines are not mandatory, it’s up to HHS what to fine. Ex: surveys in parking lot. 100 surveys could be fined at $100 EACH survey.
  • #33 Now we’ll discuss 42 CFR. You are aware of these regulations if you work in a substance abuse program. These regulations were developed to reduce stigma while receiving substance abuse treatment and to help address the privacy concerns client’s may have.
  • #34 Read slide
  • #35 Read slide
  • #36 Read slide. Ask if they remember what TPO is.
  • #37 For your information, here is the link to the 42 CFR regulation.
  • #38 Must get a written consent-read slide
  • #39 Lots of content on this slide, but the consent form is very prescribed and MUST include these data elements.
  • #40 Read slide
  • #41 Both HIPAA (45 CFR) and 42 CFR Part 2 are about client privacy. The most stringent rule will apply. Here is a reference to a comparison between HIPAA and 42 CFR. In most cases, 42 CFR will be followed. There are some HIPAA requirements for form language that also must be met.
  • #42 Click on the Samhsa logo to take you to their site.
  • #43 Let’s talk about Policies and Procedures.
  • #44 CIBHS has developed polices that include our HIPAA requirements, found on the public drive. Those policies cover privacy and security items. There are two additional webinar classes to take that go over “How to report a breach” and Workforce Security items. Please take these classes and exams in the next two weeks so it is fresh in your mind.