
1 Copyright 2013. Medical Group Management Association® (MGMA®). All rights reserved.
Get Ready for the New HIPAA Privacy and Security Changes: An Action Plan for Medical Groups
MGMA Annual Conference, San Diego, Oct. 8, 2013
Susan Miller and Robert Tennant
Moderated by Amy Nordeng

2 HIPAA RISK ANALYSIS
MGMA, Session H6, October 8, 2013
Susan A. Miller, JD
info@bridgefront.com
www.bridgefront.com
866-447-2211

3 Amy Nordeng, JD, MGMA Senior Counsel, MGMA DC Office, anordeng@mgma.org, 202-293-3450
Robert Tennant, MA, MGMA Senior Policy Advisor, MGMA DC Office, rtennant@mgma.org, 202-293-3450

4 Current Privacy/Security Environment
Increasing # of practices are adopting EHRs, mobile tech
MU requires risk assessment (#1 reason for recoupment)
Data sharing for clinical purposes on the rise
Patients are increasingly worried that sensitive health information might leak because of weak security
Health care lags significantly behind other industries in security
Providers face unique challenges with limited resources

5 What are the Practice Risks?
Loss of patient financial data (identity theft)
Permanent loss of confidential information
Temporary loss of medical records
Unauthorized access to confidential information
Loss of physical assets (e.g., computers, smartphones)
Damage to practice reputation, patient confidence
Business continuity
Government enforcement

6 Typical Threats and Events
Threats
–Current employees (most common)
–Former employees
–Patients / visitors
–Vendors
–Commercial rivals
–Criminals
Events
–Unauthorized access by employees
–Misuse of authorized access
–Physical disasters
–Server crashes
–Ineffective disposal of PHI (e.g., computer disks)

7 The “Omnibus Rule”
Most HITECH Act privacy and security provisions
Breach Notification rule modified
Enforcement expansion
Genetic Information Nondiscrimination Act (limits health plan use of genetic info for underwriting)
General compliance date: September 23, 2013

8 What’s Still Missing?
Accounting of disclosures/access reports
–Potentially onerous!
Minimum necessary guidance
Distribution of penalties/settlements to harmed individuals
–Could raise interest among patients

9 BREACH NOTIFICATION RULE

10 New “Compromise Standard”
Previous approach:
–“Significant risk of financial, reputational, or other harm”
–Exception for limited data set without ZIP codes or dates of birth
New approach:
–Presumption of reportable breach, unless low probability the PHI has been compromised after risk assessment
–NO exception for limited data sets

11 Breach Risk Assessment Factors
Nature and extent of PHI involved
The unauthorized person who used the PHI or to whom the disclosure was made
Whether the PHI actually was acquired or viewed
The extent to which the risk to the PHI has been mitigated

12 Avoiding Breach Notification: Encryption Safe Harbors
Valid processes for encryption of stored PHI include those consistent with NIST Special Publication (“SP”) 800-111, Guide to Storage Encryption Technologies for End User Devices, including (but not limited to) full disk encryption, volume encryption, virtual disk encryption, and file/folder encryption
Valid processes for encrypting PHI during transmission would be those complying with the requirements in Federal Information Processing Standard (“FIPS”) 140-2, including NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementations; SP 800-77, Guide to IPsec VPNs; or SP 800-113, Guide to SSL VPNs

13 Breach Notification: To Do
Avoidance (always your best option!)
–Creation of internal “security team”
–Conduct a thorough security risk analysis
–Identify and address gaps with new or revised policies and procedures
–Pay particular attention to highly vulnerable areas (strongly consider encryption):
 Mobile technology (laptops, tablets, smart phones)
 Remote access to EHR / transmission of PHI

14 Breach Notification: To Do
Implement/revise breach response plan
–Identify potential breaches
–Internal reporting of potential breaches
–Assess potential breaches (risk assessment with four factors)
–Report breaches to individuals, annually to HHS
–If 500+ patients, HHS ASAP and local media
Integrate state law requirements
Train staff

15 NEW LIMITS ON USES AND DISCLOSURES OF PHI

16 Marketing: Key Questions to Ask
New restriction on disclosures that describe item or service when covered entity receives financial remuneration from third party whose item or service is described.
–Question 1: Communication about a product or service that encourages purchase or use? If yes, marketing (patient authorization required).
–Question 2: Describes health-related item or service offered by covered entity or treatment alternative? If yes, no longer marketing.
–Question 3: Remuneration received from third party whose item or service is described? If yes, marketing again (patient authorization required).
–Question 4: Payment for refill reminders about drug that is currently prescribed with remuneration reasonably related to cost of communication? If yes, no longer marketing. (Awaiting additional guidance.)

17 PHI Disclosures
Practice may not receive remuneration in exchange for PHI
Exceptions
–Business associate activities
–Any other permissible purpose if remuneration limited to reasonable, cost-based fee for preparation and transmittal (not in HITECH)
–Research
–Providing access and accounting to an individual
Student Immunization Records
–Written or oral agreement from parent/guardian required (must be documented)

18 Other Changes to Uses/Disclosures
Decedent Information
–No longer PHI 50 years after death (not a retention requirement)
Fundraising
–More categories of PHI may be used
–More stringent opt out requirements
Research
–Greater ability to combine research authorizations
–Authorization may cover future research

19 INCREASED PATIENT RIGHTS

20 Electronic Copy of PHI
Practice must now provide an individual with a copy of their PHI that is maintained by the practice electronically, in the electronic form and format requested by the individual if such format is readily producible
If the requested format is not readily producible, practice must offer at least one readable electronic format
If patient/practice can’t agree on format, a readable hard copy must be provided
Fees (paper or e-copy) are limited by state law and only include “reasonable” costs of production

21 Restriction for Out-of-Pocket Payments
Practice must agree to individual’s request to restrict PHI disclosure to payer if the individual (or 3rd party) pays out-of-pocket and in full
–For payment or health care operations
–Unless disclosure is required by law
No requirement to monitor downstream providers (e.g., pharmacies)
If payment dishonored, practices must make a reasonable effort to contact patient and obtain payment prior to disclosing PHI to health plan
Practices will need to flag restricted PHI or note in the record that the PHI has been restricted

22 NOTICE OF PRIVACY PRACTICES

23 Changes to Notice of Privacy Practices
Prohibition on sale of PHI
Duty to notify affected individuals of a breach of unsecured PHI
Right to opt out of fundraising (if applicable)
Right to restrict disclosure of PHI when paid out of pocket

24 Notice of Privacy Practices: To Do
Review current notice and identify required changes
NPP to all new patients/current patients who request one
Post new notice in prominent public area of the practice and on your website
Good opportunity to revise your notice to include any practice changes (e.g., EHR, PHR, HIE) and write in “plain language”
OCR templates for your office to use!
–http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
Review MGMA sample NPP

25 HIPAA Security/BAs/Enforcement
RISK ANALYSIS – what it is
Stories from the front!
–Mobile Tools
–Encryption
–Office Tools
–Email
–Other Social Media
–Cost of a Breach
–Physical Security
–Business Associates (BAs)
–Enforcement

26 HIPAA Security Rule Requirement: RISK ANALYSIS
What it asks of you?
–Review the potential risks and vulnerabilities to your systems that hold ePHI
 Risks and vulnerabilities include people, weather and technology problems
 Office systems include your office EHR, your office mobile tools, your office tools such as FAX, copier, printer + clinical tools
–Review, analyze, and report on issues found across the security spectrum

27 Mobile Tools
What is a mobile device?
–It is a computing device that is mobile
–It is a HIPAA Security workstation!
What do mobile devices provide?
–Anytime, anywhere access to PHI
–Anytime, anywhere ability to communicate
What are the categories of mobile devices?
–Laptop
–Tablet
–Smart phone
–Portable storage media
–Clinical tools

28 Mobile Tools
Currently loss and theft of mobile tools are the largest HIPAA breach problems:
–http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Massachusetts provider settles HIPAA case for $1.5 M – loss of laptop
–http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html
Hospice of North Idaho fined $50,000 – loss of laptop
–http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.html

29 Encryption
Breach = use or disclosure mistake with unsecured ePHI, paper PHI, oral PHI
Unsecured ePHI = not encrypted!
Encryption not mandated by HIPAA Security!
–With encryption = safe harbor + no breach!
–Typical cost ~$55/laptop, ~$36/tablet and smart phone
See your EHR vendor for encryption help!

30 Office Tools
What are office tools that the HIPAA Security rule covers?
–Fax machines
–Copy machines
–Printers
Why does the HIPAA Security Rule cover these tools?
–In 2013 they are all computers.
–They all have a hard drive like a computer that retains the ePHI that is faxed, copied or printed

31 Office Tools
How do you dispose of or clean hard drives?
–Dispose = shred!
–Clean = degauss!
 Degauss = write over the original many times
What happens if you dispose of a hard drive that has not been cleaned?
–Photocopier Breach Case: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html

32 EMail
EMail is not mentioned in the HIPAA Security rule!
–HIPAA Security rule = transmission security
–EMail = electronic transmission
–EMail with PHI needs transmission security and encryption…
OR…
–EMail should not include PHI
Meaningful Use Stage 2 Portals
–Load patient’s lab results, appointment notice, prescription refill to portal
–Send EMail to patient that there is something on the portal for them

33 EMail
What happens when your office EMail does not go to the intended person?
–Alaska: Hope Community Resources Statewide network
–EMail was to promote a survey
 It included confidential information about 3,700 disabled clients
 –Names
 –Dates of birth
 –Addresses
–www.alaskadispatch.com/article/email-accident-violates-privacy-thousands-hope-community-clients

34 Other Social Media
What other social media is being used in healthcare?
–Websites
–Facebook
–Twitter
–You name it!
If you use social media, your office needs
–A policy for when you will include ePHI in social media and when you will not permit ePHI in social media
–An inventory of current and proposed uses for social media

35 Physical Security
What is Physical Security?
–It is your locks on doors and windows
–It is the safety of your electronic tools
–It includes Workstation Use and Workstation Security
It is part of a risk analysis + easy to do!
–Make sure no one keeps the back door propped open
–Position computer screens to avoid being seen
–Turn paper records over so no one can read the PHI
–Have a sign-in sheet for patients
–Have a sign-in sheet for vendors

36 Business Associates (BAs)
What is a Business Associate?
–An individual or business that acts on behalf of your practice and uses PHI
–They create or receive and maintain or transmit PHI or ePHI
Examples of Business Associates
–Mailing company
–Shredding company
–Possibly, the Regional Extension Center (REC) in your state

37 Changes to BA Contracts
Must specify compliance with Breach Notification Rule
Should specify to whom BA provides electronic access
Subcontractor must be subject to BA contract
If practice delegates HIPAA responsibility, must specify that BA will comply with HIPAA
Optional:
–Control over BA use of subcontractors
–Clarity regarding minimum necessary and safeguards
–More stringent reporting timelines
–INDEMNIFICATION

38 Business Associates (BAs)
What/who is not a Business Associate?
–The people who clean your office
–The people who fix your printer
You want a confidentiality statement with this type of vendor, and a sign-in sheet at your front desk for this type of vendor
From the feds: sample business associate agreement provisions at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
From MGMA: http://www.mgma.com/search/default.aspx?q=business%20associate%20agreement

39 Overview of Settlements and Civil Money Penalties
15 settlements, 1 civil monetary penalty
Average settlement amount ~ $920,000
Average settlement’s corrective action plan (CAP) is about 2.4 years
Some settlements also involved the Federal Trade Commission
5 of the settlements include independent on-site monitoring

40 Cost of a Breach
If a mobile tool such as a laptop or tablet was lost or stolen and it contained PHI for 625 individuals, the cost would be:
–Breach response costs: $175 x 625 = $109,375
–If a healthcare entity is fined by OCR, the average lately is ~$1 M
–Costs to remediate, mitigate and fix the mistake: estimated at $50,000+
Total costs might be $1,159,375

41 General Steps to HIPAA Compliance

42 Steps to HIPAA Compliance
1. Begin with a thorough risk assessment
2. Review all current policies and procedures (gap analysis)
3. Identify all locations with PHI
4. Determine whether encryption is warranted and to what extent
5. Review your medical record retention and destruction policies to confirm that data is being destroyed properly

43 Steps to HIPAA Compliance
6. Create a cost-effective plan to mitigate top risks (e.g., physician laptops)
7. Ensure BA contracts are modified
8. Update policies and procedures
9. Train impacted staff
10. Take a cross-functional approach to compliance
11. This is a good opportunity to do a HIPAA house-cleaning!
12. “HIPAATIZE” your staff!!

44 Resources
MGMA: www.mgma.com/hipaa
–HIMSS-MGMA Toolkit
–Sample BAA, sample NPP, Security Risk Analysis toolkit
–NIST resources (risk assessment tool, guidance)
Office for Civil Rights: http://www.hhs.gov/ocr/office/index.html
–Rules, regulations, guidance
–Audit and enforcement actions

45 Questions?

46 Contact Information
–Sue Miller, TMSAM@aol.com, (O) 978-369-2092, (C) 978-505-5660
–Robert Tennant, rtennant@mgma.org
–Amy Nordeng, anordeng@mgma.org, (O) 202-293-3450
