Keys To HIPAA Compliance

KEYS TO HIPAA
COMPLIANCE
for CAAP Practice Managers
Amy Wasdin, RN, MBA, CPHRM
Patient Safety Risk Manager II, Dept. of Patient Safety and Risk Management
The Doctors Company
March 17, 2016

DISCLOSURE STATEMENT
The Doctors Company would like to disclose that no one in a
position to control or influence the content of this activity has
reported relevant financial relationships with commercial
interests.
The information and guidelines contained in this activity are
generalized and may not apply to all practice situations. The
faculty recommends that legal advice be obtained from a
qualified attorney for specific application to your practice. The
information is intended for educational purposes and should be
used as a reference guide only.
2 KEYS TO HIPAA COMPLIANCE for Practice Managers

OBJECTIVES
After completing this activity, learners will be able to:
 Review the purpose of the HIPAA Privacy and Security Rules
 Discuss the 2013 Omnibus Rule and its impact on:
− Disclosures of Protected Health Information,
− Patient Rights, and
− Business Associates
 Describe the notifications necessary for a breach of PHI.
 Outline the steps necessary for HIPAA compliance in a medical practice.
KEYS TO HIPAA COMPLIANCE for Practice Managers3

I never had a policy;
I have just tried to do my very best each
and every day.
--Abraham Lincoln
1809-1865

How HIPAA compliant are you?
Select one:
A. I am 100% confident that our practice is HIPAA
compliant.
B. I am fairly certain that our practice is HIPAA
compliant but I’m not sure.
C. Our practice is not HIPAA compliant.
D. What’s HIPAA?

KEY CONCEPTS UNDER HIPAA
 Protected Health Information (PHI)
− All individually identifiable health information
− Held or transmitted by a covered entity or its business associate
− In any form or media, whether electronic, paper, or oral
 Covered Entity (CE)
− Health plan or health care clearinghouse
− Health care provider
 Business Associates (BA)
− Persons or organizations that perform certain functions on behalf of a
CE (billing, claims processing, data analysis)

OVERVIEW OF HIPAA
Healthcare Insurance Portability and Accountability Act:
the Privacy Rule and the Security Rule
 Protects privacy and confidentiality of PHI
 Assures security of electronic information
 The overall idea:
− Assure information is properly protected, but still promote flow and use
of technology to facilitate care
 Some state laws are more stringent than HIPAA
− If so, state law takes precedent over federal HIPAA

HIPAA VIOLATIONS
ON THE RISE…
 Total complaints received thru Dec 31, 2015:
125,4451
 2014 saw a 25% increase in HIPAAA breaches2
− 2013: Loss and theft of laptops and portable devices.
− 2014: “The year of the hacker” - CHS: 4.5 million patients
 Paper records are as vulnerable, or more, than
electronic records3
[1] HHS Compliance and Enforcement Numbers at a Glance. Mar 11 2016. www.hhs.gov
[2] 2014 Saw 25% Increase in HIPAA Breaches. Mar 11 2016. www.hipaajournal.com
[3] HIPAA in a HITECH World: HIPAA Violations on the Rise. Smart Data Collective, March 25, 2013

HIPAA FINES…
 Alaska DHHS fined $1.7 million
− USB device stolen from employee vehicle
 Cignet Health fined $4.3 million
− Failure to provide medical records to 41 patients
 UCLA fined $865,500
− Snooping employees
 CVS fined $2.25 million
− Disposal of PHI in trashcans
 Blue Cross of Tennessee fined $1.5 million
− Unencrypted laptops stolen

DATA BREACH:
GEORGIA HOSPICE GROUP
Unencrypted company laptop containing personal health
information was stolen from an employee's car in 2013.
Nearly 2,000 patients affected by the breach. Officials say
the laptop contained patient names, addresses, phone
numbers, dates of birth, Social Security numbers, insurance
numbers, clinical diagnoses and provider names.
Healthcare IT News - February 2013

CARDIAC SURGERY PRACTICE
April 2012–Phoenix Cardiac Surgery
 $100,000 with Corrective Action Plan
 Failed to implement policies to safeguard PHI
 Failed to document training of employees on Privacy
and Security Rules
 Failed to identify a security official and conduct
risk analysis
 Failed to have BA agreements with Internet based
e-mail and calendar services where provision of the
service included storage of and access to its PHI

PHI 18 IDENTIFIERS
 Name
 Medical record number
 Health plan beneficiary number
 Device identifiers and serial
numbers
 Vehicle identifiers and serial
numbers
 Biometric identifiers
(i.e., finger and voice prints)
 Full face photos and other
comparable images
 Any other unique identifying
number, code, or characteristic
 Postal address
 All elements of dates except year
 Telephone number
 Fax number
 E-mail address
 URL address (Uniform Resource
Locator or web address)
 IP security (Internet Protocol
address numbers)
 Social Security number
 Account numbers
 License numbers

Patient consent not required for…
 Use in treatment, payment, or operations (TPO)
 When records are subpoenaed
− Check with MPL carrier for subpoena validity
 Public interest or public health activities–required
by law:
− Mandated report of abuse to proper agencies
− Preventing and controlling disease–CDC reports
− FDA
AUTHORIZED
USE AND DISCLOSURE

AUTHORIZED
USE AND DISCLOSURE
Most of the time…
 Valid Authorization is required to release records to
another party
Specific consent required for…
 Psychotherapy notes
 Alcohol and drug abuse treatment program notes
 Participation in research studies
−Even for re-disclosure of any of the above
(continued)

SECURITY SAFEGUARDS
 Administrative
– Security Risk Assessment
– Designated Privacy Officer
– Policies and Procedures
– Staff training
 Physical
 Technical

THE FINAL
OMNIBUS HIPAA RULE
 Effective March 26, 2013
 Enforcement began September 23, 2013
− HITECH Modification
− HIPAA Enforcement Rule
− Breach Notification Rule

WHO DID
THE CHANGES AFFECT?
 HIPAA Covered Entities:
− Healthcare providers, health systems, health plans, clearinghouses
 HIPAA Business Associates and subcontractors:
− Vendors who contract with Covered Entities and access protected
health information (PHI)
−Examples: Technology vendors, service organizations,
accountable care organizations, third party administrators

OMNIBUS RULE - HITECH
 Holds BA’s directly liable for compliance;
 Strengthens limitation on use and disclosure
of PHI;
 Expands individual’s rights
How does this impact practice? …
Notice of Privacy Practices (NPP)

NPP MODIFICATIONS
 Prohibition on the sale of PHI without authorization
 Duty of CE to notify affected individuals of a breach
of unsecured PHI
 Right to restrict disclosures of PHI to health plan for
care that was paid out of pocket in full
 For CE that stated intent to fundraise in NPP, must
also advise individual of the right to opt out of
receiving fundraising communications from CE

NPP NOTIFICATION
TO PATIENTS
 Must make the NPP available upon request on or
after the effective date of the revision
 Must make the NPP available at the service
delivery site and post the NPP in a clear and
prominent location
 A health care provider is required to give a copy of
its NPP only to new patients—and not all
individuals seeking treatment

OMNIBUS – HIPAA
ENFORCEMENT RULE
Modifies privacy, security, and enforcement rule
of HIPAA
How does this impact the practice? ...
Penalties

OMNIBUS – BREACH
NOTIFICATION RULE
Establishes a process for notifying patients and HHS
when there is a breach of unsecured PHI.
How does this impact the practice? ...
CE’s are required to notify patients.

BREACH OF PHI
Any acquisition, access, use or disclosure
not permitted is a Breach…
UNLESS
the CE or BA demonstrates
a low probability of PHI compromise.

BREACH NOTIFICATION
OF UNSECURED PHI
 Applies to breach of unsecured PHI
 Applies to covered entities and business associates
 Business Associates notify Covered Entity
 Covered entity has burden to notify
patient (unencrypted)
 Must notify each individual affected by the breach
(written notification within 60 days of discovery)
 Discovery date = first date known

BREACH EXCEPTIONS
 Unintentional acquisition, access, or use by
workforce member with no further impermissible use
 Inadvertent disclosure from one authorized person to
another or CE or BA and no further impermissible use
 Recipient could not reasonably have retained the PHI
 Encrypted data per OCR guidance

BREACH
NOTIFICATION REQUIREMENTS
 Individual
− Contact by phone if urgent
− Written breach notification – first class mail unless e-mail preferred
 HHS
− <500 = Annual log report
− >500 = Media notice and immediate notice HHS Secretary
Annual report to HHS of all breaches
 Media
− <500 residents of a state or jurisdiction
− Insufficient contact information for 10 or more individuals

BREACH
NOTIFICATION REQUIREMENTS
 What happened?
 What information was breached?
 What steps the patient should take for protection?
 What the CE is doing to investigate, mitigate and prevent
future incidents?
 CE contact information
 Adhere to HIPAA Compliance plan for breach
(continued)

BREACH RESPONSE
–WHAT IS YOUR PLAN?
 Determine root cause of breach
 Identify gaps in compliance that led to breach
 Provide evidence that root cause has been addressed and
gaps corrected

TOP FIVE ISSUES
IN INVESTIGATED CASES
OCR took corrective action most often on…
 Impermissible use and disclosure
 Safeguards
− Not in place–fax, email, computer accessibility, etc.
 Access
− Access to records was granted or not granted improperly
 Minimum necessary
− More information than needed was disclosed (e.g., phone message)
 Notice of privacy practices
– Not given

BUSINESS ASSOCIATES
AGREEMENTS
 Business Associate Agreements must be updated to include
specific new provisions
 Existing agreements, entered before January 25, 2013, may
operate until agreement is amended / renewed, or until
September 22, 2014, whichever is earlier
 Covered Entities and Business Associates will need to
modify agreements and allocate risk through use of
insurance requirements and indemnity provisions

WHAT ACTIONS ARE REQUIRED?
 Perform risk assessment.
 Establish risk management plan to address and manage
areas of vulnerability.
 Designate a HIPAA Security officer.
 Encrypt all devices that contact PHI
 Have written policies on Sanctions and Breach Notification
 Train staff on how to protect PHI and ensure your policies
are compliance with HIPAA
 Audit/Test physical and electronic security policies and
procedures regularly
 Documentation

IF NOT ALREADY ADDRESSED…
 Update Notice of Privacy Practices
 Revise all Business Associates Agreements

Testing Your Compliance
Select One:
A. I am 100% confident that our practice is HIPAA
compliant.
B. I am fairly certain that our practice is HIPAA
compliant but I’m not sure.
C. Our practice is not HIPAA compliant.
D. What’s HIPAA?

TIPS FOR
PRIVACY AND SECURITY
 Limit access to a “need to know” basis
 Do not conduct discussion in elevators, waiting area, or
other public areas
 If you see a patient in a public place, be careful in greeting
him/her
 Obtain patient’s permission before discussing
care/treatment if there is someone with him/her
 Keep voices down when discussing PHI
 Log off computer when done

TIPS FOR
PRIVACY AND SECURITY
 Use password protected or encrypted systems
 Never share your password
 Protect zip drives, laptop, PDA from loss
 Never leave documents unattended
 Do not put PHI in the trash
 Avoid taking records out of the office if possible
 Obtain written permission before leaving voicemail
messages or emailing
 Confirm fax numbers before sending and use a
confidentiality statement on your cover sheet
(continued)

RESOURCES
 Security Risk Assessment – HealthIT.gov
www.healthit.gov/providers-professionals/security-risk-assessment
 Sample Notice of Privacy Practices-English
www.hhs.gov/ocr/privacy/hipaa/npp_fullpage_hc_provider.pdf
 Sample Business Associates Agreement
www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractpro
v.html
 Take Steps to Protect and Secure Information When Using a Mobile Device
www.healthit.gov/sites/default/files/fact-sheet-take-steps-to-protect-
information.pdf
 Security Rule Educational Paper Series
http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

The key to wisdom is
knowing all the right questions.
--John Simone, Sr. --

Contact Information
For additional Patient Safety information,
please visit our Web site at:
www.thedoctors.com
Amy Wasdin, RN, MBA, CPHRM
Patient Safety Risk Manager II, Southeast
Department of Patient Safety and Risk Management
800-421-2368, ext 6728
Email: awasdin@thedoctors.com
----------------------------------------------------------------------------------------------------------------
Nelson Guzman, CIC, CRM
President, CBIZ Trinity
Southeast Regional Healthcare Director, CBIZ Insurance Services
Mobile: 404-791-8822
Email: nguzman@cbiztrinity.com
Evan Orvis, Sales Executive
Mobile: 770-712-3903
Direct: 470-282-2536
Email: eorvis@cbiz.com
Kathy Alba, CISR, CLCS
Senior Account Manager
Direct: 678-389-7858
Email: kalba@cbiz.com

THANK YOU
We relentlessly defend, protect, and reward
the practice of good medicine.

Keys To HIPAA Compliance

More Related Content

What's hot

Viewers also liked

Similar to Keys To HIPAA Compliance

More from CBIZ, Inc.

Recently uploaded

Keys To HIPAA Compliance