HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.

Presentation transcript:

HIPAA Privacy and Security Summit 2018
HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights
Widener University Delaware Law School / 1st Healthcare Compliance
Wilmington, Delaware, November 8, 2018

- Catherine E. Walters, Esquire, Bybel Rutledge LLP, Lemoyne, PA
- Ann Waldo, JD, CIPP, Waldo Law Offices, PLLC, Washington, D.C.
- George W. Bodenger, Esquire, Law Offices of George W. Bodenger LLC, Radnor, PA

Today’s Agenda
- More on the HIPAA Privacy Rule and compliance
- Compliance strategies
- Compliance programs
- Employee training and education
- Self audits
- Patient and provider rights
- Panel discussion and questions

Compliance Strategies
Goals:
- Comply with HIPAA privacy standards
- Protect patient privacy
- Minimize costs of protecting privacy and compliance
Considerations:
- Organization size
- Treatment relationship
- Organizational structure

Compliance Strategy? ©HarrisBiomedical

Compliance Programs
The 7 elements of a compliance program:
- Standards and procedures
- Oversight by appropriate official
- Education and training
- Auditing and monitoring
- Open lines of communication
- Enforcement and discipline
- Response and prevention

Compliance Programs
HIPAA privacy standards and protocols require coverage of broad territory, for example:
- Privacy policies and procedures
- Notice and authorization forms
- “Minimum Necessary” standard
- Business associate contracts
- Access to and amendment of PHI
- Complaint procedures
- Documentation procedures and systems
- Privacy training
- Privacy auditing and monitoring

Policies and Procedures
Privacy and Security policies and procedures
HIPAA handbooks for office staff and for clinical staff that explain:
- The privacy and security standards
- How to protect privacy, confidentiality and security of PHI, including working with patients, patient information, use of health information, safeguarding PHI and following protocols
- How to report suspected privacy and security incidents
- Consequences of noncompliance

Privacy Policies & Procedures
- Privacy official designation
- Staff responsibilities
- Training and education
- Reporting of suspected violations
- Investigation of potential staff violations
- Sanctions and penalties
- Business associates
- Development and maintenance of policies and procedures
- Documentation and record keeping

Privacy Policies & Procedures
- PHI use and disclosure for numerous different purposes
- Communications and media relations
- Notice of privacy practices
- Authorization of use or disclosure
- Patient requests to restrict uses/disclosures
- Personal representatives
- Parental access to PHI of children
- Disclosure of PHI to family members

Privacy Policies & Procedures
- Patient access to PHI
- Amendment of health information
- Accounting to patients for disclosures
- Complaints
- Complaint resolution procedures
- Mitigation
- Nonretaliation and protection for whistleblowers

Security Policies & Procedures
- Assigning security responsibility
- Security management process:
  - Risk analysis
  - Risk management
  - Sanction policy
  - Information system activity review
- Workforce security:
  - Authorization/supervision
  - Workforce clearance
  - Termination procedures

Security Policies & Procedures
- Information access management:
  - Access authorization
  - Access establishment and modification
- Security awareness and training:
  - Security reminders
  - Protection from malicious software
  - Log-in monitoring
  - Password management
- Security incident procedures

Security Policies & Procedures
- Contingency planning
- Business associate contracts
- Facility access controls
- Workstation security
- Device and media controls
- Access, audit and integrity controls
- Person or entity authentication
- Transmission security

Compliance Training
HIPAA includes multiple different workforce training requirements:
- Privacy (45 CFR §164.530(b))
- Security (45 CFR §164.308(a)(5))
Training of all staff is required:
- Office staff
- Clinical staff
State laws may also apply – if more stringent than HIPAA, state law controls

Privacy Training
- Policies and procedures
- Employee handbooks
- Increase awareness of privacy issues
- Educate on specific privacy requirements
- Educate on policies and procedures adopted to meet HIPAA requirements
- Examine day-to-day activities and review impact on how people do their jobs

Privacy Training
Interaction with patients during office visits and subsequent uses of the patient’s information:
- Collection of PHI
- Use and disclosure of PHI
- Claims and bookkeeping
- Accounting for disclosures
- Patient right to review information
- Patient right to correct information

Privacy Training
- Using and sharing information:
  - Use and disclosure without authorization
  - Sharing information with family/friends involved in patient’s care
  - Incidental disclosures
- Notice of privacy practices:
  - Purpose and content of notice
  - Procedures for documenting that notice has been provided to patients

Privacy Training
- Authorization:
  - When authorization is required
  - Content of authorization
  - Procedures to obtain authorization
- Accounting for disclosures:
  - Records of accountings
  - Procedures for requesting accountings
  - Content of accountings

Privacy Training
- Patient access to information:
  - Procedures for patients to obtain PHI
  - Procedures to request changes or corrections
- Privacy training should be refreshed on a regular basis – some states require annual training
- New employees and employees who change jobs should receive training
- When policies and procedures change, training should be provided to affected employees

Security Training
- Increase awareness of security issues
- Educate on specific privacy and security requirements
- Educate on policies and procedures adopted to meet HIPAA privacy and security requirements
- Examine day-to-day activities and review impact on how people do their jobs

Security Training
Information security rule:
- Maintain confidentiality, integrity and availability of ePHI
- Protect against reasonably anticipated threats or hazards to security or integrity of information
- Protect against reasonably anticipated uses or disclosures not permitted or required under HIPAA
- Maintain worker compliance with HIPAA

Security Training
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Privacy and security training
- General security policies
- Physical and workstation security
- Passwords
- Periodic security reminders

Privacy and Security go Hand-in-Hand!

HIPAA Internal Audits
Why perform an internal audit?
- Auditing and monitoring → compliance
- Security rule requirements
What information should be audited?
- Privacy Rule elements
- Security Rule requirements
- HHS audit protocol items
- Trigger events

HIPAA Internal Audits
What are trigger events? Conditions or events that suggest unauthorized access to ePHI may have occurred, for example:
- Data breach
- Patient complaints
- After-hours activity
- Employee viewing records of patients the employee was not involved in treating
- Employee viewing records of other employees
- Employee viewing records of patients involved in high-profile events or with specific diagnoses
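The trigger events that can be read off an access log (after-hours activity, access by a workforce member who is not on the patient's care team, access to a coworker's record, and access to a patient flagged as high-profile or with a sensitive diagnosis) can be screened automatically as part of the information system activity review, leaving the privacy official a short list to investigate rather than the whole log. The Python below is an added example written for this page, not material from the presentation or its authors; the business hours, care-team assignments, employee-record map, watch list and log rows are all constructed, and a real program would read them from the EHR audit log and its assignment data.

```python
"""Screen ePHI access-log events for HIPAA internal-audit trigger events.

Added example, not from the presentation: every piece of reference data and
every log row below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time

# Assumed business hours (constructed; a real program takes these from the
# organisation's policy). Weekends are treated as after-hours as well.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


@dataclass(frozen=True)
class AccessEvent:
    """One row of an EHR audit log: who opened which record, when, and how."""
    when: datetime
    user: str      # workforce member's login
    patient: str   # record identifier
    action: str    # e.g. "view", "print", "export"


# Constructed reference data.
# CARE_TEAM: patient -> logins with a treatment relationship to that patient.
# EMPLOYEE_RECORDS: patient ids that belong to workforce members.
# WATCH_LIST: high-profile patients or sensitive diagnoses flagged for review.
CARE_TEAM = {
    "P-1001": {"dr_ahmed", "rn_lopez"},
    "P-1002": {"dr_ahmed"},
    "P-2001": {"dr_chen"},
    "P-3001": {"dr_chen", "rn_kim"},
}
EMPLOYEE_RECORDS = {"P-2001": "rn_lopez"}  # patient id -> employee it belongs to
WATCH_LIST = {"P-3001"}


def trigger_events(event: AccessEvent) -> list[str]:
    """Return the trigger-event labels that one access event matches."""
    hits = []
    clock = event.when.time()
    # After-hours activity: weekend, or outside the assumed business hours.
    if event.when.weekday() >= 5 or not (BUSINESS_START <= clock < BUSINESS_END):
        hits.append("after_hours")
    # Employee viewing the record of a patient they are not treating.
    if event.user not in CARE_TEAM.get(event.patient, set()):
        hits.append("not_on_care_team")
    # Employee viewing another employee's record.
    owner = EMPLOYEE_RECORDS.get(event.patient)
    if owner is not None and owner != event.user:
        hits.append("employee_record")
    # Any access to a watch-listed patient is reviewed, even by the care team.
    if event.patient in WATCH_LIST:
        hits.append("watch_list")
    return hits


def screen(events: list[AccessEvent]) -> list[tuple[AccessEvent, list[str]]]:
    """Keep only the events that matched at least one trigger, with their labels."""
    findings = []
    for event in events:
        hits = trigger_events(event)
        if hits:
            findings.append((event, hits))
    return findings


# Constructed sample log covering Thu 2018-11-08 to Sat 2018-11-10.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2018, 11, 8, 10, 15), "dr_ahmed", "P-1001", "view"),  # routine
    AccessEvent(datetime(2018, 11, 8, 23, 40), "dr_ahmed", "P-1002", "view"),  # late night
    AccessEvent(datetime(2018, 11, 9, 9, 5), "rn_lopez", "P-1002", "view"),    # not her patient
    AccessEvent(datetime(2018, 11, 9, 14, 30), "rn_kim", "P-2001", "view"),    # coworker's record
    AccessEvent(datetime(2018, 11, 9, 11, 0), "dr_chen", "P-3001", "view"),    # watch-listed patient
    AccessEvent(datetime(2018, 11, 10, 8, 0), "rn_kim", "P-3001", "print"),    # Saturday, watch-listed
]

if __name__ == "__main__":
    for event, hits in screen(SAMPLE_EVENTS):
        print(f"{event.when:%Y-%m-%d %H:%M} {event.user:<9} {event.patient} "
              f"{event.action:<6} -> {', '.join(hits)}")
```

Run as a script it prints five of the six sample rows with their labels; only the routine daytime access by a care-team member is silent. The findings are leads for the audit, not conclusions: a late-night access by the treating physician may be an on-call visit, and the audit plan described on this slide set decides who reviews each finding and how the outcome is documented. Data breaches and patient complaints, the other two trigger events on the slide, arrive through incident reporting and complaint procedures rather than from the log, so they are outside this screen.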

HIPAA Internal Audits
- Creating an audit plan
- Conducting the audit
- Evaluating audit findings
- Preliminary and final reports
- Recommendations and follow-up or corrective actions
- Establishing a routine audit schedule
- Monitoring

Patient and Provider Rights
Patients have the right to:
- Inspect and obtain copies of their own health information, including in electronic form if the provider maintains it electronically
- Request corrections or amendments to their own health information if they believe it contains errors
- Have corrections communicated to others
- Dispute a provider’s denial of a request for corrections or amendments to their records

Patient and Provider Rights
Providers have the right to:
- Deny access to certain types of information
- Charge reasonable fees for copies, including copies provided in electronic format
- Deny requests for correction or amendments within specific parameters:
  - Must provide written notice to patient with reasons for denial and procedures for disputing the denial
  - Provider must maintain records of all such correspondence

Panel Discussion
- Identifying trigger events
- Real life scenarios (truth is stranger than fiction!)
- Implementing change and getting it right
- Questions and answers