Presentation on theme: "WHAT IS HIPAA? HBR Training – New Rules May 15, 2013."— Presentation transcript:
1 WHAT IS HIPAA?HBR Training – New RulesMay 15, 2013
2 Overview of HIPAA: The HIPAA Act of 1996 Important information about the Health Insurance Portability and Accountability Act of 1996 (HIPAA)Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.Title II of HIPAA, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. These provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system.The “Privacy and Security Rules” fall under Title II.
3 Overview of HIPAA: The HIPAA Act of 1996 (cont’d) The American Recovery and Reinvestment Act of 2009 (ARRA) strengthened HIPAA.The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the ARRA to promote the adoption and meaningful use of health information technology.Subtitle D of the HITECH Act addresses privacy and security concerns associated with the electronic transmission of health information through several provisions that strengthen civil and criminal enforcement of the HIPAA rules. The Final Omnibus Rule became effective on March 26, 2013, and requires compliance for most provisions by September 23, Omnibus modifies HIPAA regulations concerning privacy, security, enforcement and breach notification.
4 Department of Health and Human Services The Department of Health and Human Services (HHS) issues regulations and through the Office for Civil Rights (OCR), handles HIPAA violations.OCR enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information (IIHI) and the HIPAA Security Rule, which sets national standards for the security of electronic protected health information (ePHI).Enforcement of the Privacy Rule began April 14, 2003, for most HIPAA covered entities.HIPAA covered entities were required to comply with the Security Rule beginning on April 20, OCR became responsible for enforcing the Security Rule on July 27, 2009.
5 Why might HIPAA apply to you as a DST employee? On January 1, 2012, the State Health Plan for Teachers and State Employees (State Health Plan) became a division of the Department of State Treasurer.With State Health Plan’s transfer, DST now performs business activities that include both functions that are and functions that are not covered by HIPAA and DST has been designated as a “hybrid entity” for HIPAA compliance purposes.As a result of this designation, the following divisions must be trained in HIPAA rules and regulations: The State Health Plan for Teachers and State Employees, Information Technology Services, Legal Services, Internal Audit Services, the Office of State Treasurer, and Financial Operations Division.These divisions are collectively referred to as “Covered Healthcare Components” or “CHCs.”
7 Protecting Your Health Care Information What is protected health care information or PHI?Any health information that can be used to identify an individual, whether living or deceased, or which relates to the individual’s past, present, or future physical or mental health or condition, including health care services provided and the payment for those services.Individually identifiable health information that’s transmitted or maintained in any form or medium including oral communications, electronically, or written (on paper).
8 How to Identify PHI: 18 Identifiers NameAddress (street address, city, county, ZIP code (more than 3 digits) or other geographic codes)Dates directly related to patientTelephone numberFax numberaddressesSocial Security numberMedical record numberHealth Plan beneficiary numberAccount numberCertificate/License numberAny vehicle or device serial numberWeb URLInternet Protocol (IP) addressFinger or voice printsPhotographic imagesAny other unique identifying number, characteristic, or code (whether generally available in the public realm or not)Age greater than 89 (due to the ‘90 year old and over’ population being relatively small)
9 Permitted Disclosures of PHI When the disclosure is to the individual to whom the PHI pertains.For treatment, payment, or health care operations (TPO) as permitted by and incompliance with HIPAA. [45 C.F.R. § ]An incidental use or disclosure that could not have been prevented, was limited in nature, and occurred as a by-product of an otherwise permitted use or disclosure.For example, when a provider talks with an administrative staff member about billing a patient for a particular procedure and is overheard by one or more persons in the waiting room.When the Covered Entity receives a valid authorization as permitted by HIPAA. [45 C.F.R. § ]When the Covered Entity has obtained the individual’s oral agreement or is otherwise permitted under HIPAA. [45 C.F.R. § ]When the Covered Entity is permitted to use or disclose PHI without the written consent or authorization of the individual, or when an opportunity for the individual to object or agree to the use or disclosure is not required. [45 C.F.R. § ]
10 When Authorization Is Not Required for Disclosure of PHI The following exceptions don’t require an individual’s authorization or opportunity to agree or object to a use or disclosure (such exceptions still must be reviewed by the HIPAA Privacy and Security Officer prior to disclosure):As required by lawFor judicial and administrative proceedingsTo correctional institutions and other law enforcement entities in custodial situationsFor uses and disclosures about victims of abuse, neglect, or domestic violenceFor specialized government functionsFor public health activitiesFor health oversight activitiesTo avert a serious threat to health or safetyFor disaster relief (such as to the American Red Cross)To other health plans or health care providers for treatment, payment, or health care operations (TPO)To Business AssociatesFor research purposesWhen PHI has been de-identified (to create a collection of information that can no longer be traced back to the individual)For uses and disclosures about decedentsFor cadaveric organ, eye, or tissue donationFor workers’ compensation
11 How the Plan Handles Data Requests… The SHP has a Data Use and Disclosure Committee (DUDC) whose primary function is to ensure that PHI is disclosed in accordance with HIPAA Privacy Rules, DST Policies and Procedures and NC State Law. DUDC meets every other week at the SHP Building. SHP data cannot be released without prior approval of the DUDC.DUDC is responsible for the following:Review all data requests for SHP data from third parties;Formally approve, reject or modify requests for SHP data;Provide quarterly reports on data requests and ongoing releases of data to the Plan’s Executive Committee;Maintain documentation related to data requests and the Plan’s response for six years.Procedures for DUDC review may be found in Section X.E. of the HIPAA Privacy Manual (pg. 40).SHP-POL-5001-SHP is the Plan’s policy regarding third party data requests.
12 What is a Breach?HIPAA defines a “breach” as the “unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where there is a low probability that the PHI has been compromised.” This is a new definition under the Omnibus Final Rule.Presumes a breach and that PHI has been compromised unless shown otherwise based on a 4 factor risk assessment approachFour (4) factors to consider by the CE or BA:The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;The unauthorized person who used the PHI or to whom the disclosure was made;Whether the PHI was actually viewed or acquired; andThe extent to which the risk to the PHI has been mitigated.A risk assessment must be thorough and completed in good faith and come to a reasonable conclusion.Safe Harbor: PHI that is encrypted.
13 What Do We Do If We Have a Suspected Breach? Under the terms of our Privacy Manual, when I am notified there is a suspected breach, I will conduct a thorough risk assessment using the 4 factors outlined above. My findings are documented on a Breach Response Form and retained for six (6) years.When I am notified by a Business Associate that there is a suspected breach, depending on the terms of our Business Associate Agreement, I will either request that the Business Associate investigate the incident further or will conduct the investigation on my own (with the assistance of either Internal Audit, Information Security Officer or Director of Healthcare Analytics and the HIPAA Team).If it is determined that a breach has occurred, affected individuals will be notified as well as the media (if the breach is over 500 individuals) and the Office of Civil Rights (OCR).We are required to report breaches on an annual basis to the OCR.
14 Applied Penalties For Breaches Violation CategoryCivil Monetary PenaltiesCap for Identical Violations per Calendar YearThe Covered Entity did not know of the violation.$100-$50,000$1,500,000The violation was due to reasonable cause* and not willful neglect.$1,000-$50,000The violation was due to willful neglect but was corrected within 30 days of discovery.$10,000-$50,000The violation was due to willful neglect but was not corrected within 30 days of discovery.$50,000Such breaches may result in civil and criminal penalties. DST, as an employer, may impose sanctions against its employees. Under the HITECH Act, DST is required to notify potentially affected individuals of breaches involving their PHI either directly or through its Business Associates. Additionally, the North Carolina Identity Theft Protection Act requires the DST to notify individuals of breaches involving their Social Security numbers. *“Reasonable Cause” has been clarified to mean “when the covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission is a violation, but did not act with the conscious intent associated with willful neglect.”
15 North Carolina Identity Theft Protection Act of 2005 This Act is a restriction on the collection, use, and safekeeping of a consumer's Social Security number and consumer financial information.The Act requires businesses, charities and government to notify individuals if a security breach has compromised any personal information and placed them at risk of identity theft.Consumers were given the right to obtain a freeze on their credit reports. Placing a security freeze on a credit report would prohibit credit reporting agencies from releasing any information about you to new creditors, making it difficult for an identity thief to open an account or obtain credit in your name.Further the Act gave the right to sue for civil damages in the event of identity fraud/theft. The Act applies to any entity (financial institutions, charities, government, businesses, etc.).Companies located in and out of state that conduct business in state or keep personal information of state residents are required to comply.
16 New Rule – “Omnibus Final Rule” made changes in the following areas: Business Associate definitionElectronic MediaCivil Monetary PenaltiesBusiness Associates must comply with Security RuleMarketingBusiness Associate changes under Privacy RulePermitted and Required Uses and DisclosuresMinimum NecessaryBusiness Associate AgreementsTransition ProvisionsAuthorizationsSale of PHICompound Authorizations for Research ActivitiesAuthorizing Future Research Use or DisclosureDecedentsStudent Immunizations RecordsFundraisingNPPRight to Request RestrictionsRight to AccessBreach NotificationGenetic Information Nondiscrimination Act of 2008 (GINA)
17 What is the “Omnibus Final Rule?” The Department of Health and Human Services (HHS) finally has released its “Omnibus” Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH) Act regulation, implementing changes to the HIPAA Privacy, Security and Enforcement Rules, as well as the interim final regulation on breach notification and certain changes to the Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA). The regulation was published in the Federal Register on January 25, See 78 Fed. Reg (Jan. 25, 2013).The Omnibus Final Rule was effective March 26, 2013, with 180 days for compliance (September 23, 2013).
18 Business Associate Re-defined Health and Human Services expanded the definition of “business associate” 45 CFR § to include patient safety organizations (PSOs), health information organizations (HIOs) and subcontractors of business associates as well as to change the definition.Business Associate: An individual or corporate “person” that creates, receives, maintains, or transmits PHI on behalf of the Hybrid Entity.A business associate must now obtain satisfactory assurances from its HIPAA-covered subcontractor, in the form of a written agreement, that the subcontractor will appropriately safeguard PHI.
19 Electronic Media Re-defined The definition for electronic media has also been modified in 45 C.F.R. § to reflect technological advances. Principally, the new definition:Replaces the term “electronic storage media” with “electronic storage material,”Expands the definition to include intranets; andIncorporates voice transmissions that were electronically stored prior to transmission.In addition, the preamble stated that devices that store PHI are subject to the Privacy and Security Rules regardless of whether such storage was intentional or not.
20 Compliance and Enforcement HHS will now (as opposed to “may”) investigate all complaints when evidence indicates possible violation due to willful neglect.In addition, HHS removed the requirement that it first attempt informal resolution of investigations and can now proceed directly to imposition of civil monetary penalties (CMP).Changed the definition of “reasonable cause” to mean “when the covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission is a violation, but did not act with the conscious intent associated with willful neglect.”Lastly, and perhaps the most concerning, covered entities and business associates are now liable for the activities of their agents, regardless of their own compliance.
21 Business Associates Must Comply with Security Rule HHS did this to ensure any subcontractors entered into a contract or other arrangment to protect the security of e-PHI and report covered entity breaches of unsecured PHI.Security Rule BAA requirements applicable to arrangements involving a business associate and a subcontractor of that BA in the same manner as the requirement apply to arrangements between covered entities and BAs.Covered entities are not required to obtain satisfactory assurances from (or enter into a BAA with) a business associate that is a subcontractor; rather this is the obligation of the business associate that has engaged the subcontractor.The Plan will be asking potential BAs regarding their subcontractor arrangements and will be placing language in our contracts regarding this rule but our BAA has always held the BA liable for the acts of any and all subcontractors.
22 Business Associates Must Comply with the Privacy Rule Business associates are permitted to use or disclose PHI only as permitted or required by their BAAs or other arrangements, or as required by law. They are prohibited from using or disclosing PHI in a manner that would violate the Privacy Rule if done by the covered entity (with exceptions for the proper management and administration of the business associate and to provide data aggregation services for the covered entity, if permitted by the BAA). Business associates are also directly required to:Provide breach notification to the covered entity;Provide access to a copy of ePHI to either the covered entity, the individual or the individual’s designee (whichever is specified in the BAA);Disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules;Provide an accounting of disclosures; andComply with the requirements of the Security Rule.Business Associates may only disclose the “minimum necessary” when using or disclosing PHI or when requesting PHI from another covered entity or another Business Associate.Omnibus now allows Business Associates to disclose PHI to a business associate that is a subcontractor, and to allow the subcontractor to create or receive PHI on its behalf, if the business associate obtains satisfactory written assurances that the subcontractor will appropriately safeguard the information. Importantly, a covered entity is not required to obtain satisfactory assurances from business associates that are subcontractors, but the burden is instead placed on the business associate to obtain such assurances.
23 Changes to When an Authorization is Required Currently, an authorization must be obtained from an individual for must uses and disclosures of psychotherapy notes and uses and disclosures for purposes of marketing. Now, you must obtain an authorization for the sale of PHI. This changes the general prohibition on sale of PHI. In addition, HHS has defined what constitutes “sale of PHI.”The Privacy Rule now permits an authorization for the use or disclosure of PHI for a research study to be combined with any other type of written permission for the same or another research study, including combining such an authorization with an authorization for the creation/maintenance of a research database or repository or with a consent to participate in research.Authorizations used to be “study specific.” Now, an authorization for participation in a study may include language that the PHI may be used or disclosed in future research.
24 DecedentsThe Privacy Rule is now limited to 50 years – meaning that a decedent’s information is no longer protected and can be disclosed 50 years after their death… we all can look at JFK’s medical records come November of this year!The Privacy Rule now expressly permits covered entities to disclose a decedent's PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so would be inconsistent with the individuals' prior expressed preference, which is known to the covered entity.
25 Changes to Notice of Privacy Practices Omnibus made five (5) changes to Notice of Privacy Practices (NPP):NPP must now contain a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require authorization.NPP must state that other uses and disclosures not described in the NPP will be made only with authorization from the individual.If a covered entity intends to contact the individual for fundraising purposes, the NPP must now contain a statement informing the individual of this intention and of his or her right to opt out of receiving such fundraising communications.The NPP must now contain a statement informing the individual of his or her right to restrict disclosures of PHI to a health plan if the disclosure is for payment or health care operations and pertains to a health care item or service for which the individual has paid out of pocket in full; however, HHS noted this new NPP requirement would only apply to health care providers’ NPPs.The NPP must now contain a statement explaining the right of affected individuals to be notified following a breach of unsecured PHI. HHS confirmed that a simple statement set forth in an NPP (e.g., an individual has a right to or will receive notifications of breaches of his or her unsecured PHI), will sufficiently comply with this new requirement.
26 Changes to Breach Notification Rule Changed the definition of “breach” and outlined 4 factors to consider in a risk assessment of a suspected breach as discussed above.Notification to Individuals – covered entities remain ultimately responsible but may delegate the notification duty to the BA that caused the breach.Notification to Media – clarified that a covered entity need not incur a cost to print or run a media notification, media outlets are not required by law to print or run information about the breach, and publication of a press release on the CE’s website is not media notification.Notification to the Secretary – “immediate reporting” of breaches of over 500 individuals to the HHS is determined to be “contemporaneous with notice to those affected individuals.”Notification by a BA – if a BA is deemed to be an “agent” of a CE, the BA’s discovery of the breach will be attributed to the CE.
27 Questions?Please feel free to contact me: Martha K. Wewer, JD, CHPSE HIPAA Privacy and Security Officer 4901 Glenwood Ave., Suite 300 Raleigh, NC (919)