HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT Maria R. Granaudo Gesty, Esq.

The Health Insurance Portability and Accountability Act What is “HIPAA?” The Health Insurance Portability and Accountability Act HIPAA is the federal law, enacted in 1996 Privacy Rule – right of the individual Security Rule – confidentiality is an obligation Electronic Data Exchange Standardized Rules Penalties

Important Terminology and Definitions HIPAA Basics Important Terminology and Definitions Covered Entity (CE): health plans, healthcare clearinghouses, and healthcare providers (hospitals, doctors, clinics) that conduct certain transactions (e.g. billing) in an electric form

Important Terminology and Definitions HIPAA Basics Important Terminology and Definitions Business Associate (BA): Not a member of a Covered Entity’s workforce Perform Services for Covered Entity Creates, maintains or transmits Protected Health Information (PHI)

HIPAA Basics Non-HIPAA Covered Entities: Schools Employer that requests information for sick leave Health clubs/gyms

Important Terminology and Definitions HIPAA Basics Important Terminology and Definitions Protected Health Information (PHI): Information on health, payment for care Covers more than just medical information such as full face photo, date of birth, fingerprint and voiceprint Transmissions in any form

Effective HIPAA Privacy Rule Compliance Plan “I know better not to reveal any private or confidential information. Discretion is my ‘middle name.’ Why do I need training?” Designate a Privacy Official HIPAA Compliance Policies and Procedures Identify Privacy Rule Safeguards: Administrative, Physical and Technical Safeguards, what can be reasonably anticipated for your entity.

Specific Questions Impacting Workforce Where do your store PHI? Who has access to PHI? Do you lock your office doors? Leave PHI on your desk? What security do you have at workstations? Do you share passwords?

Specific Questions Impacting Workforce Do you transmit PHI electronically? Is it encrypted? Are computers timed to shut off when not in use for specific time? Do employees work off site? If so, how is PHI handled? Are there safeguards on all portable devices including mobile phones, tablets and laptops?

PHI Safeguards Follow Company policies for safe practices for your computer system ID and Passwords Select strong passwords Keep confidential and secure Do not share or allow anyone else access to the system under your ID

PHI Safeguards Be mindful of monitor placement and public access to printers in unsecured areas Do not engage in activities that violate Company’s policy that are designed to protect PHI (e.g., unauthorized surfing of the Internet, opening unknown email attachments, installing applications not company approved) Know all guidelines for transmittals via fax, email, and mobile devices

Effective HIPAA Privacy Rule Compliance Plan Develop a Process for Filing Complaints Comprehensive Training Program Establish Sanctions for Privacy Violations – time is of the essence Make a Mitigation Plan – Eliminate the fear factor Publish a Non-Retaliation Statement Publish a Non-Waiver of Rights Statement Develop a Document Management Strategy

Permitted Use and Disclosure of PHI General Rule: Workforce members may use or disclose PHI ONLY for permitted purposes – otherwise you must obtain an individual’s specific written authorization Use vs. Disclosure of Information Permitted purposes include: “Treatment,” “Payment,” and “Healthcare Operations” or “TPO” Specific public policy exceptions (public health, law enforcement, health oversight activities)

Permissible Disclosure of Information De-Identified Health Care Information – when there is nothing left to protect Removal of all identifying information includes more than just names and addresses Policy that sets requirements Authorizing PHI Release – permission is granted Good Authorization vs. Bad Authorization

Who Enforces HIPAA and How? Company – Disciplinary action up to and including termination of employment Federal Government – Dept. of Health & Human Services/Office for Civil Rights (“OCR”) – imposes penalties, both civil and criminal Civil Penalties are steep! (Feb. 1, 2018: Fresenius Medical Care North America paying $3.5 million in settlement costs) Criminal penalties have sentencing guidelines up to 10 years HITECH also created new methods for enforcement (e.g. allows state attorney generals to enforce HIPAA regulations)

HIPAA Enforcement Department of Health & Human Services Stats

A Cautionary Tale… $2.5 million settlement shows that not understanding HIPAA requirements creates risk April 24, 2017 – HHS/OCR announced a HIPAA settlement based on the impermissible disclosure of unsecured (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias.

Questions?

burnswhite.com