Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 TECO ENERGY, INC. HIPAA PRIVACY AND SECURITY REQUIREMENTS April 29, 2014 Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)

Similar presentations


Presentation on theme: "1 TECO ENERGY, INC. HIPAA PRIVACY AND SECURITY REQUIREMENTS April 29, 2014 Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)"— Presentation transcript:

1 1 TECO ENERGY, INC. HIPAA PRIVACY AND SECURITY REQUIREMENTS April 29, 2014 Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)

2 2 History/Background

3 3 “HIPAA” “Health Insurance Portability and Accountability Act” “Health Insurance Portability and Accountability Act” Privacy and security requirements were initially effective in Privacy and security requirements were initially effective in

4 4 Privacy and Security Privacy Rule sets standards for who can have access to protected health information (“PHI”). It requires “covered entities” to have appropriate administrative, physical and technical safeguards and to reasonably implement those safeguards. Privacy Rule sets standards for who can have access to protected health information (“PHI”). It requires “covered entities” to have appropriate administrative, physical and technical safeguards and to reasonably implement those safeguards.

5 5 Privacy and Security Security Rule sets standards for ensuring that only those who should have access to electronic protected health information actually have access. It closely follows the Privacy Rule. Security Rule sets standards for ensuring that only those who should have access to electronic protected health information actually have access. It closely follows the Privacy Rule. Distinction – Privacy Rule applies to all forms of PHI (electronic, written or oral); Security Rule applies only to electronic PHI (“EPHI”). Distinction – Privacy Rule applies to all forms of PHI (electronic, written or oral); Security Rule applies only to electronic PHI (“EPHI”).

6 6 Privacy and Security Privacy Rule contains requirements to safeguard PHI. Privacy Rule contains requirements to safeguard PHI. Security Rule has far more comprehensive security requirements for EPHI. Security Rule has far more comprehensive security requirements for EPHI. HHS oversees the Privacy Rule; CMS enforces the Security Rule. HHS oversees the Privacy Rule; CMS enforces the Security Rule.

7 7 Effective Dates The HIPAA Privacy Rule was originally effective April 14, 2003 with a one-year extension for certain small plans. The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) held by “covered entities.” The HIPAA Privacy Rule was originally effective April 14, 2003 with a one-year extension for certain small plans. The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) held by “covered entities.” Security Rule was effective April 20, 2005 – with a delay to April 20, 2006 for small health plans. Security Rule was effective April 20, 2005 – with a delay to April 20, 2006 for small health plans.

8 8 Effective Dates Special rules regarding electronic transactions involving PHI and use of specific formats and code sets were effective October 16, Special rules regarding electronic transactions involving PHI and use of specific formats and code sets were effective October 16, 2003.

9 9 Significant Changes in 2009 In February of 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was contained in the American Recovery and Reinvestment Act (“ARRA”), modified the Privacy and Security Rules originally enacted in HIPAA. In February of 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was contained in the American Recovery and Reinvestment Act (“ARRA”), modified the Privacy and Security Rules originally enacted in HIPAA.

10 10 Significant Changes in 2013 On January 25, 2013, HHS published the final rule that implements mandated changes to the HIPAA Privacy Rule set forth by HITECH. On January 25, 2013, HHS published the final rule that implements mandated changes to the HIPAA Privacy Rule set forth by HITECH. It was effective March 26, It was effective March 26, 2013.

11 11 Privacy and Security Because the security requirements track the privacy requirements, we will address the privacy rules as a general background. Because the security requirements track the privacy requirements, we will address the privacy rules as a general background. Additional specific information will be provided later regarding the specific security requirements. Additional specific information will be provided later regarding the specific security requirements.

12 12 HIPAA Protection

13 13 What Information Is HIPAA Designed to Protect? Protected Health Information (“PHI”) Protected Health Information (“PHI”) encompasses all individually identifiable health information transmitted or maintained by a covered entity, regardless of form.

14 14 What Information Is HIPAA Designed to Protect?  “Transmitted” - not defined, generally includes sharing of information electronically, by telephone, fax, mail or even orally.  “Covered Entity”- a health plan, a health plan provider, or a health care clearinghouse. Note: Employers are NOT “covered entities,” and employment files are not subject to the HIPAA privacy requirements.

15 15 Covered Entities Must carefully identify any group health plans subject to HIPAA. Must carefully identify any group health plans subject to HIPAA. Health care providers are subject to HIPAA – be aware that employer-provided medical services (e.g., on-site clinics) likely are subject to HIPAA. Health care providers are subject to HIPAA – be aware that employer-provided medical services (e.g., on-site clinics) likely are subject to HIPAA.

16 16 Purposes of HIPAA Protections

17 17 Reasons for HIPAA Privacy Rules Perceived need for protection of individual health information. Perceived need for protection of individual health information. Potential for abuse and concern that an individual’s health information would be misused. Potential for abuse and concern that an individual’s health information would be misused.

18 18 What are the Purposes of the Privacy Rule? To give the consumer more control over health information To give the consumer more control over health information  Participant/patient education on privacy protections.  Ensuring participant/patient access to medical records.  Receiving participant/patient authorization before information is released.  Providing recourse if privacy protections are violated.

19 19 What are the Purposes of the Privacy Rule? To establish boundaries on the use and release of medical records To establish boundaries on the use and release of medical records  Ensuring that health information is not used for improper purposes.  Providing the minimum amount of information necessary.

20 20 What are the Purposes of the Privacy Rule? To establish accountability for the use and release of medical records, including: To establish accountability for the use and release of medical records, including:  Civil penalties  Federal criminal penalties

21 21 What Does This Mean To Me? If you improperly request or disclose an individual’s protected health information, you could face civil and/or criminal penalties (e.g., significant monetary penalties and possible prison time). If you improperly request or disclose an individual’s protected health information, you could face civil and/or criminal penalties (e.g., significant monetary penalties and possible prison time).

22 22 Why Are You Here? Plan Sponsors are required by law to train anyone who has access to protected health information. Plan Sponsors are required by law to train anyone who has access to protected health information. You need training to avoid potential personal liability. You need training to avoid potential personal liability. You need training to avoid subjecting others to potential personal liability. You need training to avoid subjecting others to potential personal liability.

23 23 Penalties

24 24 Civil Penalties Tiered Penalties: Tiered Penalties:  Tier 1: If a person is not aware of the violation (and would not have known with reasonable diligence), the penalty is $100 - $50,000 per violation, not to exceed $1,500,000 for all violations of the same requirement in the same calendar year.  These are violations in which the offender did not realize he or she violated HIPAA and would have handled the matter differently if he or she had.

25 25 Civil Penalties  Tier 2: If a violation is due to “reasonable cause” (but not willful neglect), the penalty is $1,000 - $50,000 per violation, not to exceed $1,500,000 for all violations of the same requirement in the same calendar year.  The final rule defined reasonable cause as an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated HIPAA but in which the covered entity or business associate did not act with willful neglect.

26 26 Civil Penalties  Tier 3: If violation is due to willful neglect and is corrected in 30 days, the penalty is $10,000 - $50,000 per violation, not to exceed $1,500,000 for all violations of the same requirement in the same calendar year.  Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

27 27 Civil Penalties  Tier 4: If a violation is due to willful neglect and is not corrected in 30 days, the penalty is at least $50,000/violation, not to exceed $1,500,000 for all violations of the same requirement in the same calendar year.

28 28 Civil Penalties State AGs. State AGs are authorized to bring a civil action for HIPAA violations to enjoin violations and seek damages on behalf of residents.  Damages are calculated by multiplying the number of violations by $100. The penalty is not to exceed $25,000 for all violations of an identical requirement during a calendar year.

29 29 Civil Penalties  Court may award costs and reasonable attorneys’ fees to State.  State action may NOT be brought during pendency of Federal action. Individual Compensation. Mechanism for individuals to recover a portion of HHS civil penalty or monetary settlements. Individual Compensation. Mechanism for individuals to recover a portion of HHS civil penalty or monetary settlements.

30 30 Criminal Penalties Up to $50,000 fine and 1 year in prison for obtaining or disclosing PHI. Up to $50,000 fine and 1 year in prison for obtaining or disclosing PHI. Up to $100,000 fine and up to 5 years in prison for obtaining PHI under “false pretenses”. Up to $100,000 fine and up to 5 years in prison for obtaining PHI under “false pretenses”.

31 31 Criminal Penalties Up to $250,000 fine and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use for commercial advantage, personal gain, or malicious harm. Up to $250,000 fine and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use for commercial advantage, personal gain, or malicious harm.

32 32 Enforcement Mechanisms Audits. HHS will conduct periodic audits of covered entities and business associates, even if no complaint is filed. Audits. HHS will conduct periodic audits of covered entities and business associates, even if no complaint is filed. Willful Neglect: Willful Neglect:  An audit is required if preliminary investigation of a complaint indicates willful neglect.  HHS is required to impose a penalty for violations due to willful neglect.

33 33 What is Covered? What is Not Covered?

34 34 How Does HIPAA Impact Employment Medical Files? HIPAA does not cover the employer’s medical files containing ADA, FMLA, Workers Compensation, Sick Leave, Doctor’s Excuses for Absences, etc. HIPAA does not cover the employer’s medical files containing ADA, FMLA, Workers Compensation, Sick Leave, Doctor’s Excuses for Absences, etc. In applying normal procedures for those leave/accommodation requests, medical providers will require an authorization from the individual to release information to the employer (because providers are subject to HIPAA). In applying normal procedures for those leave/accommodation requests, medical providers will require an authorization from the individual to release information to the employer (because providers are subject to HIPAA).

35 35 How Does HIPAA Impact Employment Medical Files? Even though employment medical files are not subject to HIPAA, the files should be kept confidential subject to general privacy policies of the employer. Even though employment medical files are not subject to HIPAA, the files should be kept confidential subject to general privacy policies of the employer.

36 36 Plans Subject to HIPAA: Subject to HIPAA:  Group Health Plan  Group Dental Plan  Health Care Flexible Spending Account Plan  Employee Assistance Plan  Any other plan that now or in the future is a “group health plan” Plans or programs that do not provide coverage for medical expenses are not subject to HIPAA. Plans or programs that do not provide coverage for medical expenses are not subject to HIPAA.

37 37 Protecting PHI

38 38 How Will a Plan Receive PHI? Enrollment information for a covered plan Enrollment information for a covered plan Health information obtained or created by the plan Health information obtained or created by the plan Information provided by a health care provider regarding services provided (e.g., submitting information for payment) Information provided by a health care provider regarding services provided (e.g., submitting information for payment) Etc. Etc.

39 39 What are the Authorization Requirements? PHI may be used by covered entities for purposes of treatment, payment, and health care operations (“TPO”) without authorization. PHI may be used by covered entities for purposes of treatment, payment, and health care operations (“TPO”) without authorization. PHI must be disclosed to the government in the case of a HIPAA investigation. PHI must be disclosed to the government in the case of a HIPAA investigation. Otherwise, participant authorization is required. Otherwise, participant authorization is required.

40 40 What Must a Plan Do to Ensure Privacy? Plan documents must be amended to include required provisions. Plan documents must be amended to include required provisions. PHI can only be disclosed to the plan sponsor if the plan sponsor certifies that it will only use the information in accordance with the HIPAA rules. The plan sponsor: PHI can only be disclosed to the plan sponsor if the plan sponsor certifies that it will only use the information in accordance with the HIPAA rules. The plan sponsor:  cannot use or disclose PHI except as permitted by the plan or required by law;

41 41 What Must a Plan Do to Ensure Privacy?  must ensure that agents and vendors who receive PHI agree to the same restrictions;  cannot use or disclose PHI for employment- related actions or for other benefit plans;  must report to the Plan any violation of the privacy requirements;  must make PHI available to individuals as required by HIPAA;

42 42 What Must a Plan Do to Ensure Privacy?  must allow individuals to amend their PHI;  must provide individuals with an accounting of disclosures of PHI;  must make its practices available to the government to determine compliance;

43 43 What Must a Plan Do to Ensure Privacy?  must return or destroy PHI received from the plan that the plan sponsor maintains in any form;  must not retain copies of PHI longer than needed for the purpose for which the disclosure was made;

44 44 What Must a Plan Do to Ensure Privacy?  ensure that security procedures have been established that:  identify employees or classes of employees who will have access to employees who will have access to PHI; PHI;  restrict access solely to those individuals for the functions performed for the plan; and  provide a mechanism for resolving issues of noncompliance with participants.

45 45 What Must a Plan Do to Ensure Privacy? Privacy policies must be developed to ensure that only the minimum necessary amount of information to achieve the purpose of the disclosure is provided to a third person and that the other HIPAA requirements are satisfied. Privacy policies must be developed to ensure that only the minimum necessary amount of information to achieve the purpose of the disclosure is provided to a third person and that the other HIPAA requirements are satisfied.  Minimum Necessary Standard  Generally, uses, disclosures and requests by a covered entity are limited to the information that is the minimum necessary to accomplish the intended purpose.

46 46 What Must a Plan Do to Ensure Privacy? A Notice of Privacy Practices must be distributed to inform Plan participants of their rights under HIPAA. A Notice of Privacy Practices must be distributed to inform Plan participants of their rights under HIPAA. Physical security measures must be put in place to protect PHI (secured file cabinets, software encryption, password protected databases). Physical security measures must be put in place to protect PHI (secured file cabinets, software encryption, password protected databases).

47 47 What Must a Plan Do to Ensure Privacy? Designate a Privacy Officer to be in charge of monitoring compliance with HIPAA requirements. Designate a Privacy Officer to be in charge of monitoring compliance with HIPAA requirements. HIPAA covered plans must train individuals who may come into contact with PHI as to the HIPAA requirements and employer and plan procedures for maintaining the privacy of PHI. HIPAA covered plans must train individuals who may come into contact with PHI as to the HIPAA requirements and employer and plan procedures for maintaining the privacy of PHI.  For example, all PHI information, questions or problems should be faxed, ed or directed to the Privacy Officer at private fax numbers.

48 48 What Must a Plan Do to Ensure Privacy? Identify Business Associates Identify Business Associates  HITECH expanded the definition of business associate Business associates must report to the covered entity any breach of unsecured PHI, as required by the HITECH security breach notification regulations. Business associates must report to the covered entity any breach of unsecured PHI, as required by the HITECH security breach notification regulations.

49 49 What Must a Plan Do to Ensure Privacy? Policies and procedures for participant complaints must be developed and communicated, and records must be maintained. Policies and procedures for participant complaints must be developed and communicated, and records must be maintained.  Retaliation for participant complaints is prohibited.

50 50 Can Protected Information Be Shared Among Plans? AUTHORIZATION IS REQUIRED! AUTHORIZATION IS REQUIRED!

51 51 Procedures for Handling Employee Inquiries Employees will be advised to contact the appropriate Privacy Officer or designated individuals for help with plan issues. Employees will be advised to contact the appropriate Privacy Officer or designated individuals for help with plan issues. Other Human Resources staff, supervisors, etc., should not have access to PHI and should not provide assistance unless specifically designated to have access per the policies and procedures. Other Human Resources staff, supervisors, etc., should not have access to PHI and should not provide assistance unless specifically designated to have access per the policies and procedures. Any inquiry that may involve PHI should be referred to the Privacy Officer. Any inquiry that may involve PHI should be referred to the Privacy Officer.

52 52 Disclosure of Breach Covered entities or business associates must notify each affected individual when an unauthorized disclosure of PHI occurs. Covered entities or business associates must notify each affected individual when an unauthorized disclosure of PHI occurs.  If there is no known contact for an individual, disclosure may be posted on employer’s website or through a media outlet.

53 53 Notification of Breach Requirements If security of “Unsecured PHI” is “breached,” the Plan must provide notice without unreasonable delay and within 60 days after “discovery” of breach: If security of “Unsecured PHI” is “breached,” the Plan must provide notice without unreasonable delay and within 60 days after “discovery” of breach:  To the impacted individual: written notice must be sent to the last known address (with special rules if imminent misuse is possible or individual’s address is unknown).  To the media: If a breach involves more than 500 individuals in state or jurisdiction, notice must be sent through major media outlets.  The final rule clarifies that notification to the media does not require a covered entity to incur any costs to print or run the notice about the breach.  The final rule also provides that media outlets are not required to print or run the information.

54 54 Notification of Breach Requirements  To HHS:  If a breach involves more than 500 individuals, the Plan must notify HHS immediately, and HHS will identify the covered entity on its website.  If a breach involves less than 500 individuals, the Plan must log the breach and provide the log to HHS on an annual basis. The final rule requires such notification to be made to the Secretary no later than 60 days after the end of the year in which the breaches were discovered (not when the breaches occurred).The final rule requires such notification to be made to the Secretary no later than 60 days after the end of the year in which the breaches were discovered (not when the breaches occurred). If a business associate discovers a breach, the business associate must notify the plan. If a business associate discovers a breach, the business associate must notify the plan.

55 55 Notification of Breach Requirements When is a breach “discovered?” When is a breach “discovered?”  A breach is discovered as of the first day that it is known (or reasonably should have been known) to the covered entity or business associate.  The covered entity or business associate has knowledge of the breach on the day that any employee, officer or other agent has such knowledge (except for the individual who committed the breach).

56 56 Notification of Breach Requirements HHS issued the HITECH breach notification rules: HHS issued the HITECH breach notification rules:  An online form was created which covered entities must use to report breaches of PHI.  Only covered entities can report breaches.  Contacting affected individuals may be delegated to a business associate.

57 57 Notification of Breach Requirements Notice must contain: Notice must contain:  a brief description of the breach, including dates;  a description of the types of unsecured PHI involved;  the steps an impacted individual should take to protect against potential harm;

58 58 Notification of Breach Requirements  a brief description of the steps the Plan has taken to investigate the incident, mitigate harm, and protect against further breaches; and  contact information.

59 59 Prohibition on the Sale of PHI Covered entity or business associate cannot receive compensation, directly or indirectly, for any PHI unless per a valid authorization specifically addressing sale. Covered entity or business associate cannot receive compensation, directly or indirectly, for any PHI unless per a valid authorization specifically addressing sale. The final rule defines a sale of PHI as a disclosure of PHI by a covered entity or business associate where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. The final rule defines a sale of PHI as a disclosure of PHI by a covered entity or business associate where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.

60 60 Prohibition on the Sale of PHI Under HITECH, there are certain transactions that do not constitute a sale of PHI. Under HITECH, there are certain transactions that do not constitute a sale of PHI.  Payments to a covered entity in the form of a grant, contract or other arrangement to perform activities such as a research study.  Receipt of a grant or funding from a governmental agency to conduct a program.  The exchange of PHI through a health information exchange that is paid for by fees assessed to its participants.

61 61 HIPAA Security

62 62 HIPAA Security Rule The Security Standards for the Protection of Electronic Protected Health Information establish security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule invokes protections in the Privacy Rule by addressing technical and non- technical safeguards that covered entities must put in place to secure electronic protected health information (EPHI). The Security Standards for the Protection of Electronic Protected Health Information establish security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule invokes protections in the Privacy Rule by addressing technical and non- technical safeguards that covered entities must put in place to secure electronic protected health information (EPHI).

63 63 HIPAA Security Rule The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting EPHI. The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting EPHI.

64 64 HIPAA Security Rule Each set of safeguards is comprised of a number of “standards” which in turn are comprised of “implementation specifications” (detailed instructions for implementation) that are either “required” or “addressable.” Each set of safeguards is comprised of a number of “standards” which in turn are comprised of “implementation specifications” (detailed instructions for implementation) that are either “required” or “addressable.”

65 65 HIPAA Security Rule “Addressable” means that a covered entity must assess whether it is reasonable or appropriate in the entity’s environment (analyze the likelihood that implementation will protect the entity’s EPHI from anticipated threats and hazards). “Addressable” means that a covered entity must assess whether it is reasonable or appropriate in the entity’s environment (analyze the likelihood that implementation will protect the entity’s EPHI from anticipated threats and hazards). If addressable standards are not adopted, document the reasoning and explain any alternative measures implemented. If addressable standards are not adopted, document the reasoning and explain any alternative measures implemented.

66 66 HIPAA Security Rule Conduct a risk analysis, security analysis, financial analysis, etc. Conduct a risk analysis, security analysis, financial analysis, etc. Assess current security risks and gaps; develop an implementation plan, read the Security Rule, understand required vs. addressable standards, analyze addressable standards, document decisions, implement decisions, reassess/update. Assess current security risks and gaps; develop an implementation plan, read the Security Rule, understand required vs. addressable standards, analyze addressable standards, document decisions, implement decisions, reassess/update.

67 67 HIPAA Security Rule Administrative safeguards – e.g., hiring, assigning and delegating security duties and providing training; conducting risk analysis and risk management; understanding flow of EPHI; maintaining audit logs, access reports, incident tracking; etc. Administrative safeguards – e.g., hiring, assigning and delegating security duties and providing training; conducting risk analysis and risk management; understanding flow of EPHI; maintaining audit logs, access reports, incident tracking; etc.

68 68 HIPAA Security Rule The rule requires that a covered entity must implement a security awareness and training program for all members of its workforce. The rule requires that a covered entity must implement a security awareness and training program for all members of its workforce.

69 69 HIPAA Security Rule Physical safeguards – physical measures to protect electronic systems, buildings and equipment, such as safeguarding and protecting systems, restricting access, providing back-up, controlling workstation use and security, etc. Physical safeguards – physical measures to protect electronic systems, buildings and equipment, such as safeguarding and protecting systems, restricting access, providing back-up, controlling workstation use and security, etc.

70 70 HIPAA Security Rule Technical safeguards – technical and related policies and procedures that protect EPHI and control access to it (e.g., access control, automatic log-off, encryption and decryption, audit controls, protecting integrity so that there is no improper alteration or destruction, transmission security, etc. Technical safeguards – technical and related policies and procedures that protect EPHI and control access to it (e.g., access control, automatic log-off, encryption and decryption, audit controls, protecting integrity so that there is no improper alteration or destruction, transmission security, etc.

71 71 Privacy and Security Officers Privacy and Security Officers (and other staff, as identified by those individuals) have additional, detailed involvement in developing and implementing the policies and procedures and the security standards. Privacy and Security Officers (and other staff, as identified by those individuals) have additional, detailed involvement in developing and implementing the policies and procedures and the security standards. Policies, procedures and training must be updated periodically. Policies, procedures and training must be updated periodically.

72 72 Conclusion Compliance with the HIPAA privacy and security requirements is critical to avoid personal liability and significant penalties. Compliance with the HIPAA privacy and security requirements is critical to avoid personal liability and significant penalties. Compliance often requires significant cultural and procedural changes. Compliance often requires significant cultural and procedural changes. Some employees will require additional training. Some employees will require additional training.

73 73 QUESTIONS


Download ppt "1 TECO ENERGY, INC. HIPAA PRIVACY AND SECURITY REQUIREMENTS April 29, 2014 Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)"

Similar presentations


Ads by Google