2DISCLAIMERPlease note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used, as a substitute for specific legal advice
3HIPAA Regulations What do you need to know? Rate your practice’s current compliance.Are you HIPAA Compliant right now?Privacy Rule compliance requirementsSecurity Rule compliance requirementsBreach notifications requirementsDocumentationAuditsFirst question.
4Recent Breaches in the News Recent Breaches and their Costs!Experts: Lack of HIPAA basics cost BCBST $18.5 millionBasic compliance 101—policies, training, monitoring, and risk assessments—may have saved Blue Cross Blue Shield of Tennessee (BCBST) millions, experts say.Instead, the health insurer agreed to a $1.5 million settlement with the Office for Civil Rights (OCR) over potential HIPAA security violations and spent another $17 million in breach response costs.In the fall of 2009, BCBST reported to OCR that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained protected health information (PHI) for more than one million individuals, including member names, Social Security numbers, diagnosis codes, birthdates, and health plan identification numbers.
5WHY SHOULD I CARE?OCR's investigation of Phoenix Cardiac Surgery PC (2 physician practice)failed to implement adequate policies and procedures to appropriately safeguard patient information;failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;failed to identify a security official and conduct a risk analysisfailed to obtain business associate agreements with Internet-based and calendar services where the provision of the service included storage of and access to its ePHI.Corrective Action Plan requiredPenalty - $100,000Reputation Impact?
7OCR Findings fromDoes your practice have a Designated HIPAA Privacy Officer?Failure to demonstrate adequate policies and procedures or safeguards to address response and reporting of security incidentsSecurity awareness and trainingAccess controlsInformation access managementWork station security
8HIPAA Privacy Rule 45 CFR Part 160 and Part 164, Subparts A and E. Designate a HIPAA Privacy OfficerUpdate your Notice of Privacy PracticesNew additional patient rights related to Privacy of their information and their access to it.Conduct Compliance AuditsConduct Annual Training of Staff on Privacy Rule policies and proceduresDocument all disclosures according to the Privacy Rule.
9HIPAA Security Rule 45 CFR Part 160 and Part 164, Subparts A and E. Accountability, Penalty, and Persecution for disclosure of/access to ePHIProtecting ePHI at rest, in transit, and in destruction.Breach ReportingAuditing3 sets of Safeguards (standards)AdministrativePhysicalTechnicalNeed to add line about risk assessment. To this slide.
10BREACH NOTIFICATION RULE HITECH ACT SECTION 13402 Definition of a “Breach”.A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.RequirementsFollowing a breach of unsecured protected health information covered entities must provide notification of the breach to affected individuals, the Secretary of HHS and, in certain circumstances, to the media. In addition, Business Associates must now notify covered entities of a breach if it occurred due to their actions or processes.Question: Has anyone written a Breach notification procedure for you practice.
11BREACH NOTIFICATION RULE Individual Notice - within 60 days of breachFirst class mailInclude description of the breach, description of the data involved, Protective steps for individuals, an action plan to resolve, mitigate and prevent further breaches.For unknown or out of date information on affected individuals. Notification should be done via an announcement on Covered Entities Website or in local media where the affected individual resides.Media Notice - within 60 days of breachFor Breaches of more than 500 patientsInclude description of the breach, description of the data involved, Protective actions for individuals, Action plan to resolve, mitigate and prevent further breaches.
12BREACH NOTIFICATION RULE Notice to Secretary of Health and Human ServicesFor breaches of less than 500 individualsFile a report on HHS website annuallyFor breaches of more than 500 individualsFile a report on the HHS website within 60 of the breach.Notification by Business AssociatesBusiness Associates required to notify the Covered Entity upon discovery of any breach within 60 daysBusiness associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals
13Documentation HIPAA Privacy Rule Policies and Procedures Accounting of disclosuresNotice of Privacy PracticesRecord of periodic workforce trainingHIPAA Security Rule Policies and ProceduresDocumentation of periodic risk assessmentsRecord of Security Audits
14AuditingNeed to have written policies and procedures stating how often and what you will be monitoring, reviewingAudit LogsAccess ReportsSecurity incident tracking reports.Documentation of user access roles and granting/revocation of access upon termination or change in user role.
16A Few Last ThoughtsForm a TEAM at your practice, Include one member from each area, Providers, Nursing, Billing, front deskPerform a Risk Assessment to identify how ePHI is created, used, transmitted, and disposed of.Designated a HIPAA Privacy and Security OfficerCreate and Maintain Updated policies and proceduresDevelop and document your practice’s Breach Notification proceduresPeriodically monitor your systems (Audit)Consider encryption if you need to ePHI