HIPAA Privacy and Security 2.0 for
Health Insurance Agents and Brokers
PRESENTED BY
Daniel Trzos
Healthcare Consultant
US Marketplace
Jason Karn
Director Training and IT
Total HIPAA Compliance
Presenting Today
This program is educational and does not
constitute, and may not be construed as,
legal advice to, or creating an attorney-client
relationship with any person or entity.
The materials referenced here are subject to change, so
frequent review of the source material is suggested.
Housekeeping
Topics for Today
HIPAA 2.0
o Privacy
o Security
o Breach
o Penalties
Gramm-Leach-Bliley
Marketplace Privacy Rules
Types of Protected Information
o PII (Personally Identifiable Information, Marketplace rules)
o NPPI (Non-Public Personal Information, Gramm-Leach-Bliley)
o PHI (Protected Health Information, HIPAA)
When Did the New HIPAA Regulations
Go Into Effect?
Requirements for the updated 2013 Omnibus
Rules went into effect September 23, 2013
Non-compliance is potentially very expensive
HIPAA Compliance is Required for:
o Medical
o Medicare Supplement
o Drug Coverage
o Dental
o Vision
o Long-Term Care Insurance
Selling only a small amount of these lines, or being a
small agency, does not exempt you
HIPAA is Not Required for:
o Short-term and long-term disability
o Accidental Death and Dismemberment (AD&D)
o Life insurance
o Worker's Compensation
o Auto medical insurance
o Fitness-for-duty exams (DOT or OSHA exams)
o Drug testing
o Work-life benefits (on-site clinics; fitness center)
o Family Medical Leave Act (FMLA)
o Americans with Disabilities Act (ADA)
Best Business Practices
If you’re coming in contact with Protected
Health Information (PHI), no matter what type
of insurance you are selling, you should be
trained!
o PHI is shared across product lines in a multiline agency,
so everyone who handles it needs the training
o Training reduces potential liability
Key HIPAA Groups
Changes in HIPAA 2.0?
o BAs and BA Subcontractors must meet the
same requirements as Covered Entities
o Increases in fines and penalties for Breaches
of health information
o Encryption expected for all Protected Health
Information (PHI) files and emails (formally an
addressable Security Rule specification, but properly
encrypted PHI that is lost or stolen is not a
reportable Breach)
o Implement Policies and Procedures for
Security and Privacy
o Staff needs to be trained on both the HIPAA
Rules and your Policies and Procedures
HIPAA Privacy
HIPAA Privacy Regulations
General Rule:
Covered Entities, their Business Associates and
their Subcontractors may not use or disclose an
individual's Protected Health Information (PHI)
without the authorization of the individual
unless specifically required or allowed by the
privacy regulation
Protects PHI in ANY form (oral, written,
electronic)
Protected Health Information (PHI)
Identifier + Health Information = Protected Health Information
Protected Health Information (PHI)
Specifically, PHI can relate to:
o An individual's past, present or future physical
or mental health condition
o The provision of health care to the individual
o The past, present, or future payment for the
provision of health care to an individual
Permitted Uses for PHI
o Treatment
o Payment
o Health Care Operations
o Auditing, credentialing, obtaining reinsurance, etc.
o Certain public policy exceptions
o All other uses and disclosures require the individual's
written authorization (a few disclosures, such as to a
family member involved in the individual's care, need
only the individual's verbal agreement)
Subcontractors
2013 Regulations expand Rules to include
Subcontractors
Why so important?
o Your agency could have direct liability for
Subcontractors’ mistakes
o Could jeopardize not only your business
relationships but also expose you to penalties
Subcontractors
If your Subcontractors are NOT compliant, this
is a liability issue for your agency. Under the
federal common law of agency, it is now YOUR
responsibility to make sure that your Subcontractors
are implementing and following HIPAA.
Business Associate Agreements
Identify Your Business Associates/BA
Subcontractors
These are vendors who have access to your PHI
Review their compliance plans
The 2013 HIPAA Omnibus penalizes BAs for Breaches
Their Breaches could become your Breaches
Review the Subcontractors they use
Collect signed Business Associate Agreements
Be sure the Agreement conforms to HIPAA’s requirements
Be wary of extra provisions that could compromise your
agency or business
HIPAA Security
Why a Security Rule?
o Increased use of technology for data
transmission
o Emails
o Electronic enrollments
o Storage of data
Electronic information has its own rules for handling
and protection (the Security Rule)
Description of the Security Rule
Requires protections for electronic Protected Health
Information (ePHI) in three ways:
o Confidentiality
o ePHI concealed from people who do not have the
right to see the information
o Integrity
o Information not improperly changed or deleted
o Availability
o Information can be accessed whenever it is needed
Protect the Business
Do a Risk Assessment:
o How are your computer systems protected?
o How do you protect paper and electronic files?
o How do you encrypt documents for storage and
transmission (such as email)?
o Do you have password protection and time-outs
on ALL electronic devices?
o Have you encrypted all hard drives and/or
storage devices?
o How are you backing up your computers?
Specific Staff Expectations
o Manage passwords
o Have staff members choose and remember
o Change passwords regularly
o Notify Information Security Officer if concerned that
password is being improperly used by someone else
o Identify and keep out malicious software
o Use workstations properly
o Know sanction policies
o Learn and follow agency Privacy and Security
Policies and Procedures
Specific Staff Expectations, cont’d
o Limit use of external devices that might introduce
viruses into the system: CDs, iPods, USB drives, tablets,
smart phones
o Establish policies on use of personal computing devices
in the agency’s network (BYOD)
o Restrict family members or friends from using the
computers in off-site locations that could introduce
viruses and expose to inadvertent ePHI disclosure
o Implement strict controls on web surfing for personal
enjoyment or downloading free programs or music
from the Internet to office machines
Breach
What Is a Breach?
PHI that has been accessed, used or acquired by,
or disclosed to, an unauthorized person
HIPAA Rules apply to PHI in any format
o ePHI (electronic PHI)
o Paper
o Oral
Breach decision:
o A Breach occurs: was the information encrypted?
o Yes: no reportable Breach (provided the decryption
key was not also compromised)
o No: presume a Breach
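The two practical points above, the Risk Assessment question "How do you encrypt documents for storage and transmission?" and the rule that properly encrypted PHI does not trigger Breach notification, both come down to the same thing: use an authenticated cipher and keep the key away from the data. The following Go program is an added example, not code from the presentation or from Total HIPAA Compliance. The choice of AES-256-GCM is the editor's (the presentation names no algorithm), the sample record is constructed, and key storage is assumed to be handled elsewhere (a key store or HSM, never the same laptop or mailbox as the ciphertext).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example, not from the presentation. Seals a PHI record with
// AES-256-GCM before it is stored or e-mailed: the ciphertext alone reveals
// nothing (Confidentiality) and any modification is detected on decrypt
// (Integrity). Key management is assumed to live elsewhere.

const keySize = 32 // AES-256

// NewKey returns a fresh random 256-bit key. Assumption: in production the
// key is kept in a key store or HSM, separate from the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key and returns nonce||ciphertext||tag.
// aad (for example the record's file name) is authenticated but not
// encrypted, so a sealed record cannot be silently swapped for another.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record; nonce reuse under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails closed: a wrong key, a wrong aad, or a single
// flipped bit in the sealed record yields an error and no plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample record; not real member data.
	record := []byte("member=Jane Q. Public;dob=1970-01-01;plan=Medicare Supplement G")
	aad := []byte("enrollment-2014-0001.txt")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("bytes that would sit on the laptop or in the e-mail: %x...\n", sealed[:16])

	// A lost laptop holds only the sealed bytes; without the key they are
	// unreadable. A tampered record fails authentication instead of
	// decrypting to garbage.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := Open(key, sealed, aad); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

Two things the program makes concrete: GCM covers the Integrity requirement in the same call that covers Confidentiality, so there is no separate checksum to forget; and the "encrypted means no Breach" outcome depends entirely on the key not travelling with the data, which is a storage decision, not a cipher decision.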
Breach Process
Presumed Breach:
o Written notice to each affected individual (phone
calls as well if there is an imminent threat of misuse)
o 500 or more affected?
o Yes: notify HHS and prominent media immediately;
post notice on website
o No: notify HHS annually
When There Is a Breach
Any impermissible use or disclosure of PHI is
presumed to be a Breach, unless one can demonstrate
that there is a low probability that the PHI has
been compromised
Exceptions
o Unintentional, good-faith access by an employee
acting within the scope of their job
o Inadvertent disclosure of PHI from one Covered
Entity or Business Associate employee authorized to
access PHI to a co-employee who is also authorized
to access PHI
o Unauthorized access to PHI by a third party who
could not reasonably use the information in its
current format, or retain the disclosed information
Breach Notification
Notice Requirements:
o Notify without unreasonable delay, and no later
than 60 calendar days after discovery
(The 60 days run from the date the Breach was
known, or reasonably should have been known)
Penalties
Enforcement Results for 2012 (chart)
Source: "Annual Report to Congress on HIPAA Privacy, Security, and Breach
Notification Rule Compliance." 1 Jan. 2013. Web.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancereport2011-2012.pdf
Enforcement Results for 2013 (chart)
Source: same Annual Report to Congress, cited above.
Recent HIPAA Fines
o $4.8 million – New York Presbyterian Hospital and Columbia
University (May 2014)
o Patient information was available on Google
o $4.3 million – Cignet Health Center (Oct 2010)
o Denied access to records for 41 patients
o $275K – Shasta Regional Medical Center (June 2013)
o Settled Privacy Breach for $275,000. The CEO had sent an email to 800
employees disclosing the confidential details of diabetes patients
o $150K – Anchorage Community Mental Health Services
o Unpatched software
o Failed to conduct a meaningful Risk Assessment
o $800K Parkview Health Systems (June 2014)
o Left 71 cardboard boxes with PHI on a physician’s front porch
Penalties from Omnibus Ruling
Violation Category, 1176(a)(1) | Each Violation | Maximum fine for identical violations in a calendar year
(A) Did Not Know | $100 - $50,000 | $1,500,000
(B) Reasonable Cause | $1,000 - $50,000 | $1,500,000
(C)(i) Willful Neglect - Corrected | $10,000 - $50,000 | $1,500,000
(C)(ii) Willful Neglect - Not Corrected | $50,000 | $1,500,000
Criminal Penalties
Violation | Penalties
Knowingly obtaining or disclosing PHI | Up to $50,000 and up to 1 year in prison
Offenses committed under false pretenses | Up to $100,000 and up to 5 years in prison
Intent to sell, or for financial gain or harm | Up to $250,000 and up to 10 years in prison
G-L-B Penalties
o You will lose your license to practice
o You can be fined up to $100,000 per violation
o Officers and directors can be fined up to $10,000
per violation
o Fines are doubled, and imprisonment can reach 10
years, if G-L-B is violated in connection with
another federal law or as part of a pattern of
illegal activity involving more than $100,000 within
a 12-month period
o Criminal penalties otherwise include imprisonment
for up to 5 years, a fine, or both
Marketplace Privacy Rules
Marketplace Privacy Rules
New obligations to protect Personally
Identifiable Information (PII) within the
Marketplace
Personally Identifiable Information (PII)
Any information about an individual maintained, used,
transmitted or stored by an agent/broker related to
Marketplace transactions, including:
o Any information that can be used to distinguish or
trace an individual's identity
Examples: name, Social Security number, date and
place of birth, mother's maiden name, or biometric
records
o Any other information that is linked or linkable to
an individual
Examples: medical, educational, financial, and
employment information
How Did I Get Here?
If you have completed training for the Federally-
Facilitated Marketplaces, and ‘signed’ the
Agreements…
o You agreed to protect PII that you obtain in
the course of selling or supporting individuals
who purchase through the Marketplaces
What exactly did I agree to do?
Protect any PII that is:
o Created, collected, disclosed, accessed, maintained,
stored, and used to perform any of the various
Marketplace functions within the FFM such as:
o Assisting with applications for QHP eligibility
o Supporting QHP selection and enrollment
o Assisting with plan selection and plan comparisons
o Transmitting information about decisions regarding QHP
enrollment
o Facilitating payment of the initial premium amount to
appropriate QHP
What Exactly Did I Agree to Do?
Provide a Privacy Notice to all prospects and
buyers in the Marketplace
(Similar requirements to the Privacy Notices
under HIPAA and G-L-B)
What Am I Required to Do?
o If you have a website, prominently and
conspicuously display a Notice of Privacy Practices
o Review and revise as necessary, but at least annually
o Meet data quality and integrity standards for PII
o Identical to the requirements of the HIPAA Security Rule
o Breach notification
o Broadly similar to the HIPAA Breach Rules, but you must
notify CMS within one hour of becoming aware of a Breach
o Telephone: (410) 786-2580 or 1-800-562-1963
o Email: cms_it_service_desk@cms.hhs.gov
Marketing Restrictions In FFM
Marketplace Rules
DO NOT ALLOW ANY CROSS MARKETING
What Are the Penalties?
For any violation of PII protections:
o $25,000 per person per violation
o These are in addition to HIPAA and G-L-B penalties
o Termination of your ability to do business through
the Marketplace
Questions
More Related Content

What's hot

HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowCompliancy Group
 
Updated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleUpdated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleJames Pekarek
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnKloudLearn
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)Sanjeev Bharwan
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA ComplianceCBIZ, Inc.
 
HIPAA Compliance for Developers
HIPAA Compliance for DevelopersHIPAA Compliance for Developers
HIPAA Compliance for DevelopersTrueVault
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideFelipe Prado
 
Hipaa education
Hipaa educationHipaa education
Hipaa educationeklundc
 
Mandatory hippa and information security
Mandatory hippa and information securityMandatory hippa and information security
Mandatory hippa and information securityHiggi123
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHarshit Trivedi
 

What's hot (20)

HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to know
 
Updated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleUpdated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy Rule
 
HIPAA Basics by Brian Fleetham
HIPAA Basics by Brian FleethamHIPAA Basics by Brian Fleetham
HIPAA Basics by Brian Fleetham
 
HIPAA HITECH training 7-9-12
HIPAA HITECH training 7-9-12HIPAA HITECH training 7-9-12
HIPAA HITECH training 7-9-12
 
HIPAA Audio Presentation
HIPAA  Audio PresentationHIPAA  Audio Presentation
HIPAA Audio Presentation
 
Hipaa.uo a
Hipaa.uo aHipaa.uo a
Hipaa.uo a
 
The Basics of HIPAA
The Basics of HIPAA The Basics of HIPAA
The Basics of HIPAA
 
HIPAA
HIPAAHIPAA
HIPAA
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - KloudlearnHealth Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
 
HIPAA
HIPAAHIPAA
HIPAA
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA Compliance
 
HIPAA Compliance for Developers
HIPAA Compliance for DevelopersHIPAA Compliance for Developers
HIPAA Compliance for Developers
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guide
 
Hipaa education
Hipaa educationHipaa education
Hipaa education
 
Mandatory hippa and information security
Mandatory hippa and information securityMandatory hippa and information security
Mandatory hippa and information security
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability Act
 

Similar to HIPAA presentation GAHU v7

Hipaa presentation
Hipaa presentationHipaa presentation
Hipaa presentationcjkonsella
 
Confidentiality Issues Arising Under the ADA, FMLA, HIPAA
Confidentiality Issues Arising Under the ADA, FMLA, HIPAAConfidentiality Issues Arising Under the ADA, FMLA, HIPAA
Confidentiality Issues Arising Under the ADA, FMLA, HIPAAParsons Behle & Latimer
 
Training on confidentiality MHA690 Hayden
Training on confidentiality MHA690 HaydenTraining on confidentiality MHA690 Hayden
Training on confidentiality MHA690 Haydenhaydens
 
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to KnowHIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to KnowNetwork 1 Consulting
 
Hipaa basics pp2
Hipaa basics pp2Hipaa basics pp2
Hipaa basics pp2martykoepke
 
HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 Meg Oser
 
Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)bholmes
 
CAHU EXPO Grove City, OH 2014
CAHU EXPO Grove City, OH 2014 CAHU EXPO Grove City, OH 2014
CAHU EXPO Grove City, OH 2014 Jason Karn
 
Sylvia hipaa powerpoint presentation 2010(1)
Sylvia hipaa powerpoint presentation 2010(1)Sylvia hipaa powerpoint presentation 2010(1)
Sylvia hipaa powerpoint presentation 2010(1)bholmes
 
Data Security and Privacy Practices
Data Security and Privacy PracticesData Security and Privacy Practices
Data Security and Privacy PracticesSpringfield Clinic
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA BasicsKarna *
 
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardHIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardAtlantic Training, LLC.
 
HIPAA Part I the Law Test
HIPAA Part I  the Law TestHIPAA Part I  the Law Test
HIPAA Part I the Law TestSachiko Hurst
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarcEtienne6
 
HIPAA Training - 2011
HIPAA Training - 2011HIPAA Training - 2011
HIPAA Training - 2011darichardson
 

Similar to HIPAA presentation GAHU v7 (20)

Hipaa presentation
Hipaa presentationHipaa presentation
Hipaa presentation
 
Confidentiality Issues Arising Under the ADA, FMLA, HIPAA
Confidentiality Issues Arising Under the ADA, FMLA, HIPAAConfidentiality Issues Arising Under the ADA, FMLA, HIPAA
Confidentiality Issues Arising Under the ADA, FMLA, HIPAA
 
Training on confidentiality MHA690 Hayden
Training on confidentiality MHA690 HaydenTraining on confidentiality MHA690 Hayden
Training on confidentiality MHA690 Hayden
 
Hipaa
HipaaHipaa
Hipaa
 
Dustin HIPAA
Dustin HIPAADustin HIPAA
Dustin HIPAA
 
2022 Privacy Training
2022 Privacy Training2022 Privacy Training
2022 Privacy Training
 
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to KnowHIPAA HiTech Regulations: What Non-Medical Companies Need to Know
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
 
Hipaa basics pp2
Hipaa basics pp2Hipaa basics pp2
Hipaa basics pp2
 
Hipaa inservice
Hipaa inserviceHipaa inservice
Hipaa inservice
 
HIPAA INSERVICE 2017
HIPAA INSERVICE 2017 HIPAA INSERVICE 2017
HIPAA INSERVICE 2017
 
Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)
 
CAHU EXPO Grove City, OH 2014
CAHU EXPO Grove City, OH 2014 CAHU EXPO Grove City, OH 2014
CAHU EXPO Grove City, OH 2014
 
CONFIDENTIALITYANDHIPAA.ppt
CONFIDENTIALITYANDHIPAA.pptCONFIDENTIALITYANDHIPAA.ppt
CONFIDENTIALITYANDHIPAA.ppt
 
Sylvia hipaa powerpoint presentation 2010(1)
Sylvia hipaa powerpoint presentation 2010(1)Sylvia hipaa powerpoint presentation 2010(1)
Sylvia hipaa powerpoint presentation 2010(1)
 
Data Security and Privacy Practices
Data Security and Privacy PracticesData Security and Privacy Practices
Data Security and Privacy Practices
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA Basics
 
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery BoardHIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
HIPAA Workforce Training by Wayne-Holmes Mental Health Recovery Board
 
HIPAA Part I the Law Test
HIPAA Part I  the Law TestHIPAA Part I  the Law Test
HIPAA Part I the Law Test
 
Marc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentationMarc etienne week1 discussion2 presentation
Marc etienne week1 discussion2 presentation
 
HIPAA Training - 2011
HIPAA Training - 2011HIPAA Training - 2011
HIPAA Training - 2011
 

Recently uploaded

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 

Recently uploaded (20)

CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 

HIPAA presentation GAHU v7

  • 1. HIPAA Privacy and Security 2.0 for Health Insurance Agents and Brokers PRESENTED BY
  • 2. Daniel Trzos Healthcare Consultant US Marketplace Jason Karn Director Training and IT Total HIPAA Compliance Presenting Today
  • 3. This program is educational and does not constitute, and may not be construed as, legal advice to, or creating an attorney-client relationship with any person or entity. The materials referenced here are subject to change, so frequent review of the source material is suggested. Housekeeping
  • 4. Topics for Today HIPAA 2.0 o Privacy o Security o Breach o Penalties Gramm-Leach-Bliley Marketplace Privacy Rules
  • 5. Types of Protected Information PII NPPIPHI
  • 6. When Did the New HIPAA Regulations Go Into Effect? Requirements for the updated 2013 Omnibus Rules went into effect September 23, 2013 Non-compliance is potentially very expensive
  • 7. HIPAA Compliance is Required for: o Medical o Medicare Supplement o Drug Coverage o Dental o Vision o Long-Term Care Insurance Only selling a little bit of these insurances or the size of your agency does not exempt you
  • 8. HIPAA is Not Required for: o Short-term and long- term disability o Accidental Death and Dismemberment (AD&D) o Life insurance o Worker's Compensation o Auto medical insurance o Fitness-for-duty exams (DOT or OSHA exams) o Drug testing o Work-life benefits (on- site clinics; fitness center) o Family Medical Leave Act (FMLA) o Americans with Disabilities Act (ADA)
  • 9. Best Business Practices If you’re coming in contact with Protected Health Information (PHI), no matter what type of insurance you are selling, you should be trained! o Share information in a multiline agency o Reduce potential liability
  • 11. Changes in HIPAA 2.0? o BAs and BA Subcontractors must meet the same requirements as Covered Entities o Increases in fines and penalties for Breaches of health information o Encryption required for all Protected Health Information (PHI) files and emails o Implement Policies and Procedures for Security and Privacy o Staff needs to be trained on both the HIPAA Rules and your Policies and Procedures
  • 13. HIPAA Privacy Regulations General Rule: Covered Entities, their Business Associates and their Subcontractors may not use or disclose an individual's Protected Health Information (PHI) without the authorization of the individual unless specifically required or allowed by the privacy regulation Protects PHI in ANY form (oral, written, electronic)
  • 14. Protected Health Information (PHI): Identifier + Health Information = Protected Health Information
  • 15. Protected Health Information (PHI) Specifically, PHI can relate to: o An individual's past, present or future physical or mental health condition o The provision of health care to the individual o The past, present, or future payment for the provision of health care to an individual
  • 16. Permitted Uses for PHI o Treatment o Payment o Health Care Operations o Auditing, credentialing, obtaining reinsurance, etc. o Certain public policy exceptions o All other uses require an individual’s written or verbal authorization
  • 17. Subcontractors 2013 Regulations expand Rules to include Subcontractors Why so important? o Your agency could have direct liability for Subcontractors’ mistakes o Could jeopardize not only your business relationships but also expose you to penalties
  • 18. Subcontractors If your Subcontractors are NOT compliant, this could be a liability issue for your agency. In accordance with the Federal Common law of Agency, it is now YOUR responsibility to make sure that your Subcontractors are implementing and following HIPAA.
  • 19. Business Associate Agreements o Identify Your Business Associates/BA Subcontractors (these are vendors who have access to your PHI) o Review their compliance plans (the 2013 HIPAA Omnibus penalizes BAs for Breaches; their Breaches could become your Breaches) o Review the Subcontractors they use o Collect signed Business Associate Agreements (be sure the Agreement conforms to HIPAA’s requirements; be wary of extra provisions that could compromise your agency or business)
  • 21. Why a Security Rule? o Increased use of technology for data transmission o Emails o Electronic enrollments o Storage of data Electronic information has different guidelines for handling and protecting
  • 22. Description of the Security Rule Requires protections for electronic Protected Health Information (ePHI) in three ways: o Confidentiality o ePHI concealed from people who do not have the right to see the information o Integrity o Information not improperly changed or deleted o Availability o Information can be accessed whenever it is needed
  • 23. Protect the Business Do a Risk Assessment: o How are your computer systems protected? o How do you protect paper and electronic files? o How do you encrypt documents for storage and transmission (such as email)? o Do you have password protection and time-outs on ALL electronic devices? o Have you encrypted all hard drives and/or storage devices? o How are you backing up your computers?
  • 24. Specific Staff Expectations o Manage passwords o Have staff members choose and remember o Change passwords regularly o Notify Information Security Officer if concerned that password is being improperly used by someone else o Identify and keep out malicious software o Use workstations properly o Know sanction policies o Learn and follow agency Privacy and Security Policies and Procedures
  • 25. Specific Staff Expectations, cont’d o Limit use of external devices that might introduce viruses into the system: CDs, iPods, USB drives, tablets, smart phones o Establish policies on use of personal computing devices in the agency’s network (BYOD) o Restrict family members or friends from using the computers in off-site locations that could introduce viruses and expose to inadvertent ePHI disclosure o Implement strict controls on web surfing for personal enjoyment or downloading free programs or music from the Internet to office machines
  • 27. What Is a Breach? PHI that has been accessed, used or acquired by, or disclosed to, an unauthorized person HIPAA Rules apply to PHI in any format o ePHI (electronic PHI) o Paper o Oral
  • 28. Breach Process: Breach occurs. Information Encrypted? Yes: No Breach. No: Presume Breach
  • 29. Presumed Breach: Written Notice; Calls (if imminent threat). 500 or More Affected? Yes: Notify Media & HHS immediately; Notice on Website. No: Notify HHS annually
  • 30. When There Is a Breach Any impermissible use or disclosure of PHI is presumed to be a Breach, unless… one can demonstrate that there is a low probability that the PHI has been compromised
  • 31. Exceptions o Unintentional access by employees o Inadvertent disclosure of PHI from one covered entity or Business Associate employee authorized to access PHI to a co-employee who is also authorized to access PHI o Unauthorized access to PHI by a third party who cannot reasonably use the information in its current format, or be able to retain the disclosed information
  • 32. Breach Notification Notice Requirements: o Notify without unreasonable delay and at least within 60-day timeframe (The 60 days start the date one knew, or reasonably should have known about the Breach)
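The breach slides above describe one decision procedure: encrypted PHI is not a breach, a documented exception or a risk assessment showing low probability of compromise rebuts the presumption, otherwise written notice is due within 60 days of the date the breach was known or should have been known, with the 500-person threshold deciding whether HHS and the media are notified immediately or HHS annually. The following Python helper is an added illustration of that flow and is not part of the presenters' materials; the `Incident` and `Triage` types, their field names and the action wording are assumptions made for this example.

```python
"""Breach triage helper illustrating the deck's breach-process flow.

Added example; the data model below is an assumption, not a regulatory form.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Figures stated in the deck: notice within 60 days of discovery, and the
# 500-individual threshold for immediate HHS and media notification.
NOTIFICATION_WINDOW_DAYS = 60
IMMEDIATE_NOTIFICATION_THRESHOLD = 500


@dataclass
class Incident:
    """Facts about a suspected breach (hypothetical field names)."""
    discovered_on: date            # date the breach was, or should have been, known
    encrypted: bool                # PHI was encrypted (deck: encrypted -> no breach)
    affected_individuals: int
    imminent_threat: bool = False  # deck: make calls if there is an imminent threat
    documented_exception: Optional[str] = None   # one of the deck's listed exceptions
    low_probability_of_compromise: bool = False  # documented risk assessment result


@dataclass
class Triage:
    """Outcome of the decision flow (hypothetical structure)."""
    breach: bool
    reason: str
    written_notice_deadline: Optional[date] = None
    notify_hhs: Optional[str] = None  # "immediately" or "annually"
    notify_media: bool = False
    actions: List[str] = field(default_factory=list)


def triage(incident: Incident) -> Triage:
    """Walk the deck's flow: safe harbor, exceptions, then notification duties."""
    # Slide 28: encrypted information is not a breach.
    if incident.encrypted:
        return Triage(False, "PHI was encrypted: no breach")
    # Slide 31: the listed exceptions, if documented, mean no breach.
    if incident.documented_exception:
        return Triage(False, f"documented exception applies: {incident.documented_exception}")
    # Slide 30: the presumption is rebutted only by a documented low-probability finding.
    if incident.low_probability_of_compromise:
        return Triage(False, "risk assessment documents low probability of compromise")

    # Slide 32: the 60-day clock starts on the discovery date.
    deadline = incident.discovered_on + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    result = Triage(True, "impermissible use or disclosure of unencrypted PHI: presumed breach",
                    written_notice_deadline=deadline)
    result.actions.append(f"send written notice to affected individuals by {deadline.isoformat()}")
    if incident.imminent_threat:
        result.actions.append("telephone affected individuals (imminent threat)")

    # Slide 29: the 500-individual threshold decides the HHS and media branch.
    if incident.affected_individuals >= IMMEDIATE_NOTIFICATION_THRESHOLD:
        result.notify_hhs = "immediately"
        result.notify_media = True
        result.actions.append("notify HHS and the media immediately")
        result.actions.append("post notice on website")
    else:
        result.notify_hhs = "annually"
        result.actions.append("log the breach for the annual HHS report")
    return result


if __name__ == "__main__":
    # Constructed sample incident: a lost unencrypted laptop with 800 records.
    sample = Incident(date(2014, 6, 1), encrypted=False, affected_individuals=800)
    for step in triage(sample).actions:
        print(step)
```

The order of the checks is the point: the encryption question comes first because it ends the analysis, and the 60-day deadline is computed from the discovery date rather than from the date the agency decides to act, which is the mistake the deck's parenthetical warns about.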
  • 34. Enforcement Results for 2012 "Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance." 1 Jan. 2013. Web. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancereport2011-2012.pdf
  • 35. Enforcement Results for 2013 "Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance." 1 Jan. 2013. Web. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancereport201
  • 36. Recent HIPAA Fines o $4.8 million – New York Presbyterian Hospital and Columbia University (May 2014) o Patient information was available on Google o $4.3 million – Cignet Health Center (Oct 2010) o Denied access to records for 41 patients o $275K – Shasta Regional Medical Center (June 2013) o Settled Privacy Breach for $275,000. The CEO had sent an email to 800 employees disclosing the confidential details of diabetes patients o $150K – Anchorage Community Mental Health Services o Unpatched software o Failed to conduct a meaningful Risk Assessment o $800K Parkview Health Systems (June 2014) o Left 71 cardboard boxes with PHI on a physician’s front porch
  • 37. Penalties from Omnibus Ruling (Violation Category 1176(a)(1): fine for each violation; maximum fine for an identical violation in a calendar year) o (A) Did Not Know: $100-$50,000 each; $1,500,000 maximum o (B) Reasonable Cause: $1,000-$50,000 each; $1,500,000 maximum o (C)(i) Willful Neglect-Corrected: $10,000-$50,000 each; $1,500,000 maximum o (C)(ii) Willful Neglect-Not Corrected: $50,000 each; $1,500,000 maximum
  • 38. Criminal Penalties o Knowingly obtaining or disclosing PHI: $50,000 + 1 year in prison o Offenses conducted under false pretenses: Up to $100,000 + 5 years in prison o Intent to sell, financial gain, harm: Up to $250,000 + 10 years in prison
  • 39. G-L-B Penalties o You will lose your license to practice o You can be fined up to $100,000 per violation o Officers and directors can be fined up to $10,000 per violation o Fines will be doubled if G-L-B is violated along with another Federal Law, or pattern of any illegal activity involving more than $100,000 within a 12-month period. Those responsible can be imprisoned for up to 10 years o Criminal Penalties include imprisonment for up to 5 years, a fine, or both
  • 41. Marketplace Privacy Rules New obligations to protect Personally Identifiable Information (PII) within the Marketplace
  • 42. Personally Identifiable Information (PII) Any information about an individual maintained, used, transmitted or stored by an agent/broker related to Marketplace transactions: Any information that can be used to distinguish or trace an individual's identity Examples: name, social security number, date and place of birth, mother's maiden name, or biometric records Any other information that is linked or linkable to an individual Examples: medical, educational, financial, and employment information
  • 43. How Did I Get Here? If you have completed training for the Federally-Facilitated Marketplaces, and ‘signed’ the Agreements… o You agreed to protect PII that you obtain in the course of selling or supporting individuals who purchase through the Marketplaces
  • 44. What exactly did I agree to do? Protect any PII that is: o Created, collected, disclosed, accessed, maintained, stored, and used to perform any of the various Marketplace functions within the FFM such as: o Assisting with applications for QHP eligibility o Supporting QHP selection and enrollment o Assisting with plan selection and plan comparisons o Transmitting information about decisions regarding QHP enrollment o Facilitating payment of the initial premium amount to appropriate QHP
  • 45. What Exactly Did I Agree to Do? Provide a Privacy Notice to all prospects and buyers in the Marketplace (Similar requirements to the Privacy Notices under HIPAA and G-L-B)
  • 46. What Am I Required to Do? o If you have a website, prominently and conspicuously display Notice of Privacy Practices o Review and revise as necessary but at least annually o Meet data quality and integrity standards for PII o Identical to requirements within HIPAA Security o Breach notification o Broadly similar to HIPAA Breach Rules but... must notify CMS within one hour of becoming aware of a Breach o Telephone at (410) 786-2580 or 1-800-562-1963 o Email notification at cms_it_service_desk@cms.hhs.gov
  • 47. Marketing Restrictions In FFM Marketplace Rules DO NOT ALLOW ANY CROSS MARKETING
  • 48. What Are the Penalties? For any violation of PII protections o $25,000 per person per violation o These are in addition to HIPAA and G-L-B Penalties o Termination of your ability to do business through the Marketplace
  • 50. HIPAA Privacy and Security 2.0 for Health Insurance Agents and Brokers PRESENTED BY