3. Housekeeping
This program is educational and does not constitute, and may not be construed as, legal advice to, or creating an attorney-client relationship with, any person or entity.
The materials referenced here are subject to change, so frequent review of the source material is suggested.
4. Topics for Today
HIPAA 2.0
o Privacy
o Security
o Breach
o Penalties
Gramm-Leach-Bliley
Marketplace Privacy Rules
6. When Did the New HIPAA Regulations Go Into Effect?
Requirements for the updated 2013 Omnibus Rules went into effect September 23, 2013
Non-compliance is potentially very expensive
7. HIPAA Compliance is Required for:
o Medical
o Medicare Supplement
o Drug Coverage
o Dental
o Vision
o Long-Term Care Insurance
Selling only a small amount of these coverages, or the small size of your agency, does not exempt you
8. HIPAA is Not Required for:
o Short-term and long-term disability
o Accidental Death and Dismemberment (AD&D)
o Life insurance
o Worker's Compensation
o Auto medical insurance
o Fitness-for-duty exams (DOT or OSHA exams)
o Drug testing
o Work-life benefits (on-site clinics; fitness center)
o Family Medical Leave Act (FMLA)
o Americans with Disabilities Act (ADA)
9. Best Business Practices
If you're coming in contact with Protected Health Information (PHI), no matter what type of insurance you are selling, you should be trained!
o Share information in a multi-line agency
o Reduce potential liability
11. Changes in HIPAA 2.0?
o BAs and BA Subcontractors must meet the same requirements as Covered Entities
o Increases in fines and penalties for Breaches of health information
o Encryption required for all Protected Health Information (PHI) files and emails
o Implement Policies and Procedures for Security and Privacy
o Staff needs to be trained on both the HIPAA Rules and your Policies and Procedures
13. HIPAA Privacy Regulations
General Rule:
Covered Entities, their Business Associates and their Subcontractors may not use or disclose an individual's Protected Health Information (PHI) without the authorization of the individual unless specifically required or allowed by the privacy regulation
Protects PHI in ANY form (oral, written, electronic)
15. Protected Health Information (PHI)
Specifically, PHI can relate to:
o An individual's past, present or future physical or mental health condition
o The provision of health care to the individual
o The past, present, or future payment for the provision of health care to an individual
16. Permitted Uses for PHI
o Treatment
o Payment
o Health Care Operations
o Auditing, credentialing, obtaining reinsurance, etc.
o Certain public policy exceptions
o All other uses require an individual's written or verbal authorization
17. Subcontractors
2013 Regulations expand Rules to include Subcontractors
Why so important?
o Your agency could have direct liability for Subcontractors' mistakes
o Could jeopardize not only your business relationships but also expose you to penalties
18. Subcontractors
If your Subcontractors are NOT compliant, this could be a liability issue for your agency. In accordance with the federal common law of agency, it is now YOUR responsibility to make sure that your Subcontractors are implementing and following HIPAA.
19. Business Associate Agreements
o Identify Your Business Associates/BA Subcontractors
o These are vendors who have access to your PHI
o Review their compliance plans
o The 2013 HIPAA Omnibus penalizes BAs for Breaches
o Their Breaches could become your Breaches
o Review the Subcontractors they use
o Collect signed Business Associate Agreements
o Be sure the Agreement conforms to HIPAA's requirements
o Be wary of extra provisions that could compromise your agency or business
21. Why a Security Rule?
o Increased use of technology for data transmission
o Emails
o Electronic enrollments
o Storage of data
Electronic information has different guidelines for handling and protecting
22. Description of the Security Rule
Requires protections for electronic Protected Health Information (ePHI) in three ways:
o Confidentiality
o ePHI concealed from people who do not have the right to see the information
o Integrity
o Information not improperly changed or deleted
o Availability
o Information can be accessed whenever it is needed
23. Protect the Business
Do a Risk Assessment:
o How are your computer systems protected?
o How do you protect paper and electronic files?
o How do you encrypt documents for storage and transmission (such as email)?
o Do you have password protection and time-outs on ALL electronic devices?
o Have you encrypted all hard drives and/or storage devices?
o How are you backing up your computers?
24. Specific Staff Expectations
o Manage passwords
o Have staff members choose and remember
o Change passwords regularly
o Notify Information Security Officer if concerned that password is being improperly used by someone else
o Identify and keep out malicious software
o Use workstations properly
o Know sanction policies
o Learn and follow agency Privacy and Security Policies and Procedures
25. Specific Staff Expectations, cont'd
o Limit use of external devices that might introduce viruses into the system: CDs, iPods, USB drives, tablets, smart phones
o Establish policies on use of personal computing devices in the agency's network (BYOD)
o Restrict family members or friends from using the computers in off-site locations that could introduce viruses and expose to inadvertent ePHI disclosure
o Implement strict controls on web surfing for personal enjoyment or downloading free programs or music from the Internet to office machines
27. What Is a Breach?
PHI that has been accessed, used or acquired by, or disclosed to, an unauthorized person
HIPAA Rules apply to PHI in any format
o ePHI (electronic PHI)
o Paper
o Oral
29. Presumed Breach (flowchart)
Presumed Breach -> Written Notice (and Calls, if imminent threat) -> 500 or More Affected?
o Yes: Notify Media & HHS immediately
o No: Notify HHS annually
o Notice on Website
30. When There Is a Breach
Any impermissible use or disclosure of PHI is presumed to be a Breach, unless one can demonstrate that there is a low probability that the PHI has been compromised
31. Exceptions
o Unintentional access by employees
o Inadvertent disclosure of PHI from one covered entity or Business Associate employee authorized to access PHI to a co-employee who is also authorized to access PHI
o Unauthorized access to PHI by a third party who cannot reasonably use the information in its current format, or be able to retain the disclosed information
32. Breach Notification
Notice Requirements:
o Notify without unreasonable delay and at least within 60-day timeframe (the 60 days start the date one knew, or reasonably should have known, about the Breach)
34. Enforcement Results for 2012
"Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance." 1 Jan. 2013. Web. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancereport2011-2012.pdf
35. Enforcement Results for 2013
"Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance." 1 Jan. 2013. Web. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancereport201
36. Recent HIPAA Fines
o $4.8 million – New York Presbyterian Hospital and Columbia University (May 2014)
o Patient information was available on Google
o $4.3 million – Cignet Health Center (Oct 2010)
o Denied access to records for 41 patients
o $275K – Shasta Regional Medical Center (June 2013)
o Settled Privacy Breach for $275,000. The CEO had sent an email to 800 employees disclosing the confidential details of diabetes patients
o $150K – Anchorage Community Mental Health Services
o Unpatched software
o Failed to conduct a meaningful Risk Assessment
o $800K – Parkview Health Systems (June 2014)
o Left 71 cardboard boxes with PHI on a physician's front porch
37. Penalties from Omnibus Ruling
Violation Category 1176(a)(1) / Each Violation / Maximum fine for an identical violation in a calendar year
(A) Did Not Know: $100-$50,000 per violation; $1,500,000 maximum per calendar year
(B) Reasonable Cause: $1,000-$50,000 per violation; $1,500,000 maximum per calendar year
(C)(i) Willful Neglect - Corrected: $10,000-$50,000 per violation; $1,500,000 maximum per calendar year
(C)(ii) Willful Neglect - Not Corrected: $50,000 per violation; $1,500,000 maximum per calendar year
38. Criminal Penalties
Violation / Penalties
Knowingly obtaining or disclosing PHI: $50,000 + 1 year in prison
Offenses conducted under false pretenses: Up to $100,000 + 5 years in prison
Intent to sell, financial gain, harm: Up to $250,000 + 10 years in prison
39. G-L-B Penalties
o You will lose your license to practice
o You can be fined up to $100,000 per violation
o Officers and directors can be fined up to $10,000 per violation
o Fines will be doubled if G-L-B is violated along with another Federal Law, or pattern of any illegal activity involving more than $100,000 within a 12-month period. Those responsible can be imprisoned for up to 10 years
o Criminal Penalties include imprisonment for up to 5 years, a fine, or both
41. Marketplace Privacy Rules
New obligations to protect Personally Identifiable Information (PII) within the Marketplace
42. Personally Identifiable Information (PII)
Any information about an individual maintained, used, transmitted or stored by an agent/broker related to Marketplace transactions:
o Any information that can be used to distinguish or trace an individual's identity
o Examples: name, social security number, date and place of birth, mother's maiden name, or biometric records
o Any other information that is linked or linkable to an individual
o Examples: medical, educational, financial, and employment information
43. How Did I Get Here?
If you have completed training for the Federally-Facilitated Marketplaces, and 'signed' the Agreements…
o You agreed to protect PII that you obtain in the course of selling or supporting individuals who purchase through the Marketplaces
44. What Exactly Did I Agree to Do?
Protect any PII that is:
o Created, collected, disclosed, accessed, maintained, stored, and used to perform any of the various Marketplace functions within the FFM such as:
o Assisting with applications for QHP eligibility
o Supporting QHP selection and enrollment
o Assisting with plan selection and plan comparisons
o Transmitting information about decisions regarding QHP enrollment
o Facilitating payment of the initial premium amount to appropriate QHP
45. What Exactly Did I Agree to Do?
Provide a Privacy Notice to all prospects and buyers in the Marketplace (similar requirements to the Privacy Notices under HIPAA and G-L-B)
46. What Am I Required to Do?
o If you have a website, prominently and conspicuously display Notice of Privacy Practices
o Review and revise as necessary but at least annually
o Meet data quality and integrity standards for PII
o Identical to requirements within HIPAA Security
o Breach notification
o Broadly similar to HIPAA Breach Rules, but you must notify CMS within one hour of becoming aware of a Breach
o Telephone at (410) 786-2580 or 1-800-562-1963
o Email notification at cms_it_service_desk@cms.hhs.gov
48. What Are the Penalties?
For any violation of PII protections
o $25,000 per person per violation
o These are in addition to HIPAA and G-L-B Penalties
o Termination of your ability to do business through the Marketplace