Introduction Dennis M. Walsh, President Patriot Networks, Inc. firstname.lastname@example.org www.patriotnetworks.com Sources: 4MedApproved web site HHS.gov web site
Course Overview HIPAA Overview What is the HIPAA Privacy Rule What is the HIPAA Security Rule HIPAA Regulations for Business Associates The Hitech Act and The HIPAA Omnibus Final Rule 2013 HIPAA Office for Civil Rights Audits and Enforcements HIPAA Penalties and Data Breaches
Course Overview (cont’d) HIPAA Training, Policies and Procedures, and Awareness Compliance with other Laws and Regulations Technology Topics Email Encryption Windows XP End of Life Offsite Backup File sharing solutions i.e. DropBox Miscellaneous topics End of Course Summary
HIPAA Overview HIPAA a.k.a. Health Insurance Portability and Accountability Act Passed by Congress in 1996 HIPAA required insurance companies to accept most new customers with pre-existing conditions—creating “portability” of health insurance. Three Major goals of HIPAA are: Lowering healthcare administration costs Providing individuals with some control over their health information Set standards for providers sharing health information
HIPAA Overview (cont’d) HIPAA is supposed to be written so that it covers the single provider practice all the way through billion dollar corporations It is fairly specific on requirements, but vague on implementation of technologies due to constant changes in technology The U.S. Department of Health and Human Services (HHS) administers HIPAA. The Office for Civil Rights (OCR), an agency of HHS is responsible for enforcement, policy development, and technical assistance.
HIPAA Overview (cont’d) From the Office for Civil Rights web site, part of their mission statement reads: “Annually resolving more than 10,000 citizen complaints alleging discrimination or a violation of HIPAA”
HIPAA Overview (cont’d) Covered Entities include Health Plans Health care Clearinghouses Health care Providers Business Associates are businesses that provide services to a Covered Entity that may encountered PHI.
HIPAA Overview (cont’d) Protected Health Information (PHI) All "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." 12 Privacy Rule Governs the use and disclosure of PHI Information should be shared on a “minimum necessary” basis
HIPAA Overview (cont’d) Security rule Governs the Confidentiality, Integrity, and Availability of electronic health information Requirements covered include: Administrative Technical Physical HITECH Act Included significant changes to HIPAA in 2009 Increased civil penalties Provided funding for incentives for the adoption of Electronic Health Record systems for doctors
HIPAA Overview (cont’d) Enforcement of HIPAA and Penalties The loss of PHI or improper release of PHI by Business Associates and Covered Entities needs to be reported by law Civil penalties of up to $1.5 million Failure to cooperate with the investigation can result in additional fines Criminal penalties include fines and imprisonment up to 10 years The intentional use of health information for commercial gain or personal gain, or to cause harm is a cause for criminal penalty
What is the HIPAA Privacy Rule Protects health information in all forms: Electronic Verbal Written Applies to all Covered Entities and Business Associates Information Disclosure: PHI may be shared between providers without requiring a patient’s written authorization Information is being used as part of healthcare operations, payment, or treatment of that patient
What is the HIPAA Privacy Rule Information shared on a “Minimum Necessary” basis: This is the Baseline and Guideline for the sharing of all PHI Policies and Procedures can vary greatly based on the size of the organization: In a small office, the front desk person may need access to everything because they wear many hats and have responsibility for most activities In a large office, you may limit the access of the front desk person based on their responsibilities Notice of Privacy Practices Covered Entities are required to provide patients with a Notice of Privacy Practices (NPP) The NPP describes the use of patients records in the practice. Describes the responsibility to protect the information, including confientiality Continued-
What is the HIPAA Privacy Rule Notice of Privacy Practices (cont’d) The patient’s rights to withhold or release information Disclose who is the HIPAA Security officer for the practice How to file a complaint The deadline for revisions to NPP’s was September 23, 2013 and was enacted as part of the HIPAA Omnibus Final Rule
What is the HIPAA Privacy Rule Information shared on a “Minimum Necessary” basis “Minimum Necessary” examples: HHS compliance or enforcement due to audit or investigation Patient explicitly authorizes the disclosure Giving the information directly to the patient Access by a healthcare provider for treatment Release required by legal means, including disclosure to law enforcement
What is the HIPAA Security Rule From the HHS web site: “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
What is the HIPAA Security Rule Three Safeguards of the Security Rule: Administrative Physical Technical Under the safeguards, there are specifications that are Required and ones that are Addressable
What is the HIPAA Security Rule From the HHS Publication “HIPAA Administrative Simplification” Administrative Safeguards: Security Management Process Implement policies and procedures to prevent, detect, contain, and correct security violations Assigned Security Responsibility Identify the security official who is responsible for the development and implementation of the policies and procedures …. Workforce Security Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information ….. Information Access Management Implement policies and procedures for authorizing access to electronic protected health information … Continued
What is the HIPAA Security Rule Administrative Safeguards: (cont’d) Security Awareness and Training Implement a security awareness and training program for all members of its workforce Security Incident Procedures Implement policies and procedures to address security incidents. Contingency Plan Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. Evaluation Perform a periodic technical and nontechnical evaluation ….. that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
What is the HIPAA Security Rule Physical Safeguards: Facility Access Controls Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Workstation Use Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. Continued
What is the HIPAA Security Rule Physical Safeguards: (cont’d) Workstation Security Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. Device and Media Controls Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. Includes policies for disposal of media, media re-use, and data backup
What is the HIPAA Security Rule Technical Safeguards: Access Control Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (your Administrative Safeguards) Audit Controls Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Integrity Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
What is the HIPAA Security Rule Technical Safeguards: Person or Entity authentication Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. Transmission Security Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. Also includes: Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
HIPAA Regulations for Business Associates What is a Business Associate? A person or business that performs a function or activity on behalf of, or provides services to, a Covered Entity that involves Individually Identifiable Health Information –Is not a workforce member –Covered Entity can be a Business Associate
HIPAA Regulations for Business Associates Examples of Business Associates: A third party administrator that assists a health plan with claims processing. A CPA firm whose accounting services to a health care provider involve access to protected health information. An attorney whose legal services to a health plan involve access to protected health information. A consultant that performs utilization reviews for a hospital. A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer. An independent medical transcriptionist that provides transcription services to a physician. A pharmacy benefits manager that manages a health plan’s pharmacist network.
HIPAA Regulations for Business Associates Business Associate Contracts: A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at (the HIPAA standard for contracts on the HHS web site). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement.
The Hitech Act & The HIPAA Omnibus Final Rule of 2013 The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was part of the American Recovery and Reinvestment Act, also known as the “Stimulus Package”. Changes it made to HIPAA include: Increased civil penalties – from $100 per violation to $25,000 per violation Strengthened breach notification requirements Exempted breach notifications for encrypted data Required Business Associates to comply with HIPAA to the same extent as Covered Entities, giving the federal government direct authority over Business Associates Extended civil enforcement to include the Attorney General of each state
The Hitech Act & The HIPAA Omnibus Final Rule of 2013 What is a Breach? A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors: The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; The unauthorized person who used the protected health information or to whom the disclosure was made; Whether the protected health information was actually acquired or viewed; The extent to which the risk to the protected health information has been mitigated.
The Hitech Act & The HIPAA Omnibus Final Rule of 2013 Exceptions to definition of a “breach”: The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
The Hitech Act & The HIPAA Omnibus Final Rule of 2013 Is Encrypted Data excluded from the “breach” regulations: Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. Encrypted data is excluded from the breach regulations.
The Hitech Act & The HIPAA Omnibus Final Rule of 2013 The HITECH Act extended civil enforcement to the state Attorneys General. As a result, HIPAA violations may be subject to both federal and state penalties.
HIPAA Office for Civil Rights Audits and Enforcements The HITECH Act of 2009 included funding for audits and enforcement, and it also extended authority to enforce civil violations to the state attorneys general. As a result, the regulatory environment for healthcare providers has changed significantly with regard to HIPAA compliance. The federal government classifies health information privacy as a fundamental civil Right, akin to other rights protected by the Constitution. The HHS Office for Civil Rights (OCR), with an annual budget of approximately $39 million, is the primary enforcer of HIPAA compliance.
HIPAA Office for Civil Rights Audits and Enforcements Increased enforcement partially due to the requirement that all breaches of more than 500 patient records be reported to the Office for Civil Rights within 60 days The HITECH requires periodic audits take place. A pilot program ran from November 2010 through December 2012 performed 115 audits. Reports of HIPAA violations typically come from breach reports, patient complaints, and whistleblower complaints.
HIPAA Penalties and Data Breaches From HHS.gov web site – June 2014 $800,000 HIPAA settlement in medical records dumping case Parkview Health System, Inc. will pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program. OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home
HIPAA Penalties and Data Breaches (cont’d) From HHS.gov web site – December 2014 Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential violations ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. OCR opened an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software
HIPAA Training, Policies and Procedures, and Awareness Policies are rules. Procedures are steps needed to implement the rules. The policies should be general so that changes in products or technologies does not require a change in policy. The procedures should be specific and detail how the policy will be met or enforced. Example: The policy is that all email with PHI will be encrypted. The procedure details the solution used to encrypt the emails and steps necessary to encrypt the email.
HIPAA Training, Policies and Procedures, and Awareness HIPAA does not state how to write the policies. Procedures should be detailed and reference the HIPAA requirement. They can include specific steps to complete a task or written details on the configuration of item, such as a firewall, antivirus software, etc. Implement an Awareness program to remind your staff of HIPAA rules and regulations and your office policies and procedures. All current staff and new hires in the future should be properly trained on HIPAA. An annual training session is a good policy.
Compliance with other Laws and Regulations Massachuestts Privacy Law 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH Went into effect March 1, 2010 Was specific as to protecting personal information Included email encryption, encrypting laptops, and requiring firewalls
Email Encryption Required under HIPAA Not just about protecting the information during sending but ensuring it reaches the correct recipient. Multi-step process to access attachments in the encrypted email by the recipient
Email Encryption - Example Create a new email, in the Subject line include the word “Securemail”, attach the file, and send the email. The recipient will receive this email:
Email Encryption Ways to Encrypt an email (your mileage may vary) Use a keyword or phrase in the subject line Using a lexicon or preselect policy i.e. contains Social Security number or other key types of information Mark the message “Confidential” in Outlook Button on Outlook toolbar that is clicked to encrypt the email
Email Encryption Recipient clicks on the link to “Open Message” which opens web page:
Email Encryption Recipient logs in and gets list of encrypted emails in their account. Double click on email to open:
Email Encryption Recipient can download the attachment or forward the email, which will be in encrypted in this case, but depends on the solution you use.
Email Encryption Headaches Patients not being able to access the email, time wasted trying to walk patient through the process Patient gets frustrated and says they want you to “just send it unencrypted” Given the number of options and programs that offices can use for encryption, offices will have multiple accounts to use, one for each service Major headache for specialist offices Multi-step process to access attachments in the encrypted email by the recipient
Windows XP Support ends April 8, 2014 for Windows XP and Office 2003 No more security updates and patches Computer will still function, but will be out of HIPAA compliance No direct upgrade path to Windows 7 or Windows 8
Online Backup Questions Is the solution HIPAA compliant? If there is a local copy, is that encrypted? At any point is the backup not encrypted? Where are physical locations of servers that store the data? Can there employees access the data files?
Data Sharing Solutions Questions Same questions as Online Backup: Is the solution HIPAA compliant? If there is a local copy, is that encrypted? At any point is the file not encrypted? Where are physical locations of servers that store the data? Can there employees access the data files?
Miscellaneous Topics Should I blank my computer screen after a few minutes of inactivity? Should I lock my computer when I leave the room? What security is available with my Practice Management software? Can I print out a schedule that shows patient names and treatments and leave it on my counter? Windows user accounts and passwords Practice Management Software user accounts & passwords
Miscellaneous Topics PITA Patients PITA staff member Hard Drive Disposal Laptop locks Other topics
End of Course Summary Dennis M. Walsh, President Patriot Networks, Inc. email@example.com www.patriotnetworks.com Eat, drink, and be merry for tomorrow we comply! Sources: 4MedApproved web site HHS.gov web site