F&A Policy

It is the policy of Fields & Associates, Inc. to comply with all applicable laws, rules and regulations governing the privacy and security of patient information.

Anyone connected with Fields & Associates who has access to protected health information (PHI) is required to read and agree to the F&A HIPAA Privacy & Security Policy posted at
Terms & Definitions

ARRA – American Recovery and Reinvestment Act of 2009
BA – Business Associate
CE – Covered Entity
CMP – Civil Monetary Penalty
CMS – Centers for Medicare and Medicaid Services
EPHI – Electronic Protected Health Information
HHS – Department of Health and Human Services
HIPAA – Health Insurance Portability and Accountability Act
HITECH – Health Information Technology for Economic and Clinical Health
ONC – Office of the National Coordinator
OCR – Office for Civil Rights
PHI – Protected Health Information
Terms & Definitions

Covered Entity is defined as:
- A health plan
- A health care clearinghouse
- A health care provider who transmits any health information in electronic form in connection with a covered transaction

Business Associate is defined as: a person who creates, receives, maintains, or transmits PHI for a function or activity on behalf of a covered entity, or who provides, other than in the capacity of a member of the CE’s workforce, such services as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for a covered entity, where providing the service involves the disclosure of PHI.
Terms & Definitions

The definition of a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” Subcontractor means: “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”

Therefore, all subcontractors of F&A who have access to PHI are required to abide by the same HIPAA requirements as F&A and are directly responsible for meeting them.
HIPAA Timeline

- August 21: The Health Insurance Portability and Accountability Act (HIPAA) was signed into law.
- April 14: Deadline for Covered Entities to comply with the Privacy Rule.
- October 16: Deadline for Covered Entities to comply with the Transactions and Code Sets Rule.
- April 20: Deadline for Covered Entities to comply with the Security Rule.
- March 13: The Enforcement Rule goes into effect.
- February 17: The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law. ARRA includes the Health Information Technology for Economic and Clinical Health (HITECH) Act, which mandates the US Department of Health and Human Services to develop new regulations related to the HIPAA provisions.
HIPAA Timeline cont’d

- September 23: The Interim Final Rule goes into effect, requiring Covered Entities to notify patients when a breach of their unsecured protected health information occurs.
- January 17, 2013: The U.S. Department of Health and Human Services (HHS) releases the Omnibus Final Rule, implementing the changes required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
- March 26, 2013: The Omnibus Final Rule takes effect.
- September 23, 2013: Covered Entities, Business Associates, and subcontractors must be in compliance with most provisions of the Final Rule.
The Basics

We will touch on the following topics:
- Privacy
- Security
- Breach
- Enforcement
Privacy

The Privacy Rule covers protected health information (PHI) that:
- Relates to the individual’s past, present or future physical or mental health condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and
- Either identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
Privacy

There is an expectation that disclosures and releases of information of any kind are kept to the “minimum necessary”.

Minimum necessary refers to the practice of limiting disclosure of information to that information reasonably necessary to accomplish the purpose for which disclosure is sought.

For example, if a patient’s diagnosis is requested, release only the diagnosis; do NOT release a copy of a document, such as a discharge summary, that contains the diagnosis AND other information. This may require extra steps such as abstracting the information or redacting the document, but it is necessary in order to comply with the “minimum necessary” provision. When redacting an electronic document, remove the underlying text rather than drawing over it: a visual overlay on a PDF or image leaves the original text recoverable.
Privacy

Associates, contractors and sub-contractors of F&A:
- Will only use PHI/EPHI as permitted and/or outlined in the business associate contract and/or F&A Project Agreement
- Will not share PHI/EPHI with unauthorized individuals
- Will not leave PHI/EPHI where it can be easily seen or accessed
- Will secure all PHI/EPHI when not in use
- Will return to F&A or destroy PHI/EPHI upon the completion of the project or engagement
- Will take appropriate safeguards (such as encryption) when transmitting PHI/EPHI electronically
Security

The HIPAA Security Rule establishes national standards to protect individuals’ electronic protected health information that is created, received, used, or maintained by a covered entity or business associate. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Security

Administrative Safeguards are: administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.

Physical Safeguards are: physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Security

Technical Safeguards are: the technology, and the policy and procedures for its use, that protect electronic protected health information and control access to it.
Security

So what does this mean? There must be:
- Written policies and procedures
- Physical safeguards such as locked doors, locked file cabinets and access control to physical locations
- Restricted access to electronically stored data through controls such as unique user IDs and passwords
- Use of encryption or other secured means for transmitting PHI
Breach

Breach means the acquisition, access, use or disclosure of protected health information in a manner not permitted by the Privacy/Security Rules that compromises the security or privacy of the PHI.

Exceptions:
- Unintentional acquisition, access or use by CE or BA staff, made in good faith and within the scope of their authority, as long as it does not result in further use or disclosure
- Inadvertent disclosure between persons authorized to access PHI within a CE or BA organization that is not further used or disclosed
- A disclosure where a CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information
Breach Notification

A business associate is required to notify the covered entity of a breach of protected health information without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered.

Therefore, any contractor working for F&A who has knowledge of a breach of PHI must report the details of the breach to the CEO, Richard Fields, MD, as soon as the breach is discovered.
Breach Notification

A BA is required to conduct a risk assessment whenever an impermissible acquisition, access, use or disclosure of PHI occurs. The incident is presumed to be a breach unless the assessment shows a low probability that the PHI has been compromised.

Documentation of the breach report and the risk assessment must be created and maintained.
Enforcement

Civil Monetary Penalties (CMP) will be imposed for violations of HIPAA based on a tiered structure with four levels that distinguish the degree of culpability, as follows:

Unknowing. The covered entity or business associate did not know and, by exercising reasonable diligence, would not have known of the violation.

Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but did not act with willful neglect.
Enforcement

Willful Neglect – Corrected. The violation was the result of conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA; however, the covered entity or business associate corrected the violation within 30 days of discovery.

Willful Neglect – Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
Enforcement

Below are the monetary penalties for each tier. The annual cap applies to all violations of an identical provision in a calendar year and is the same for every tier.

Violation Category              Each Violation        Total CMP for Violations of an Identical Provision in a Calendar Year
Unknowing                       $100 – $50,000        $1,500,000
Reasonable Cause                $1,000 – $50,000      $1,500,000
Willful Neglect – Corrected     $10,000 – $50,000     $1,500,000
Willful Neglect – Not Corrected At least $50,000      $1,500,000

These are the base amounts set by the Omnibus Final Rule; HHS adjusts them annually for inflation, so the current figures are higher.
Closing

The purpose of this training is to provide you with a basic understanding of the key concepts and requirements that apply to business associates under the HIPAA regulations. It is in no way intended to provide a comprehensive or complete review of the federal regulations regarding healthcare privacy, security, breach and enforcement.

As a contractor of Fields & Associates, you agree to comply with all applicable laws, rules and regulations governing the privacy and security of patient information.
References

- HIPAA Privacy Rules are contained in 45 CFR Part 160 and Part 164, Subparts A and E
- HIPAA Security Rules are contained in 45 CFR Part 160 and Part 164, Subparts A and C
- HIPAA Enforcement Rules are contained in 45 CFR Part 160, Subparts C–E

You may search for these regulations at the link below:
title45-vol1-sec