HIPAA Privacy and Security
Copyright© 2010 WeComply, Inc. All rights reserved. 4/28/2015

In the news…

What Is HIPAA?
Among HIPAA's primary purposes are:
- Privacy and security of healthcare information
- Standardization of healthcare data
- Simplification of healthcare operations to help reduce costs
- Insurance portability for individuals who change jobs or become unemployed
- Preventing discrimination against applicants or businesses
- Preventing fraud through stiffer penalties and tighter controls
We must also comply with more restrictive state laws regarding privacy and security of healthcare information.

Who Is Subject to HIPAA?
Covered entities include hospitals, insurance companies, self-insured employers and small physician practices.
Three categories of covered entities:
- Healthcare plans
- Health providers
- Clearinghouses
HIPAA applies to companies that offer healthcare and treatment to their employees on-site.

Who Is Subject to HIPAA? (cont'd)
Business associates are individuals and businesses that help covered entities carry out healthcare activities and functions:
- Auditors, consultants, lawyers
- Claims-processing firms, pharmacy benefit managers
Business associates are subject to HIPAA in two ways:
- They must provide written assurance that they will use information only for proper purposes, safeguard information from misuse, and help the covered entity comply with HIPAA privacy duties
- They must comply directly with HIPAA regulations requiring administrative, physical and technical safeguards for the security of protected information

Pop Quiz!
What happens if a business associate of a covered entity violates HIPAA?
A. The business associate will be subject to the same HIPAA penalties as the covered entity.
B. The business associate will be liable to the covered entity only for breach of contract.
C. Nothing – business associates aren't subject to HIPAA.

Protected Health Information (PHI)
Protected health information includes any part of an individual's medical record or payment history. PHI concerns:
- Any past, present or future physical or mental health of an individual
- Providing healthcare to an individual
- Payment for healthcare of an individual
Any identifiable health information becomes PHI under HIPAA. The Privacy Rule covers PHI in all forms, while the Security Rule covers only electronic PHI.

HIPAA Privacy
A covered entity may use or disclose an individual's PHI only under these conditions:
- To communicate directly with the individual about his/her PHI
- With the individual's written authorization or other legal agreement
- Without the individual's authorization, for treatment, payment and operations
When using or disclosing PHI we must try to limit our use or disclosure as much as possible.

Notice of Privacy Practices
A covered entity must furnish its Notice of Privacy Practices (NPP):
- To individuals with whom it has a direct treatment relationship
- At enrollment, within 60 days of a material revision, and at least every three years
- To anyone who requests it
- On any website it maintains for customer-service or benefits information
The covered entity must document compliance by retaining copies of issued notices, and must make a good-faith effort to obtain the patient's written acknowledgment of receiving the NPP.

Reasonable Safeguards
A covered entity must use reasonable safeguards to protect the confidentiality of PHI:
- Speaking softly when discussing PHI in public spaces
- Not using the name of the individual whose PHI is being discussed
- Reminding employees to keep PHI secure at workstations and in public spaces
- Isolating and locking filing cabinets containing PHI
- Equipping computers with password-protected screensavers

Using PHI for Marketing
Covered entities may not disclose PHI for marketing purposes without the patient's written authorization. A covered entity does not need written authorization to communicate:
- To describe a product or service provided by the covered entity
- For treatment purposes
- For case-management, care-coordination, or to recommend alternative therapies/providers
- For face-to-face communications
- For other communications that promote health in a general manner

Pop Quiz!
PHI may be disclosed without the patient's written authorization in which of the following situations?
A. Sending marketing literature about healthcare-related products to the patient.
B. Sending marketing literature about non-healthcare-related products to the patient.
C. Recommending any products to the patient in a face-to-face conversation.

HIPAA Security
The Security Rule addresses the creation, receipt, maintenance and transmission of electronic PHI by covered entities and their business associates. Primary goals:
- To maintain the confidentiality of stored and transmitted electronic PHI
- To protect electronic PHI from unauthorized creation, modification and deletion
- To ensure that electronic PHI is available to authorized individuals/entities when needed
The Rule requires administrative, physical and technical safeguards.

Administrative Safeguards
- Security Officer responsible for the development and implementation of security policies
- Workforce Security plan for granting employees varying levels of access to PHI
- Contingency Plan for responding to emergencies and natural disasters
- Business Associate Contracts to protect the confidentiality of PHI exchanged
- Termination Procedures to prevent a terminated employee from having access to confidential information

In the news…

Physical Safeguards
- Facility Access Controls that allow only authorized access to places where PHI is kept
- Workstation Use procedures for PHI displayed on computer screens
- Workstation Security: secured rooms, curtains, partitions or user IDs/passwords for workstations on which PHI is processed
- Device and Media Controls for handling computer hardware and software, including proper disposal and storage

Technical Safeguards
- Access Controls limiting PHI access on a need-to-know basis, based on roles and context
- Audit Controls for recording and examining system activity to eliminate unnecessary access to PHI
- Person or Entity Authentication using passwords, PINs, biometrics or tokens to ensure only authorized access to PHI
- Transmission Security to protect PHI during transmission over electronic networks, including encryption, firewalls, the SSL/TLS protocol and S/MIME support

Pop Quiz!
A pharmaceutical company set up a service to send regular messages to remind people to take their anti-depressant medication. Due to a programming error, each of the people who received a message could see the names and addresses of all of the others to whom reminder messages were sent. Does this present a HIPAA problem?
A. Yes.
B. Maybe, if the messages were not encrypted.
C. No, because it was due to a programming error — not a breach of security.
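The quiz scenario above, as an added example that is not part of the WeComply deck: a reminder mailer that puts every enrolled patient into one To: header, the per-recipient form that avoids the disclosure, and a pre-send audit check a covered entity or business associate could run on outbound mail. The addresses, sender and subject are constructed sample data.

```python
"""Added example (not from the WeComply slides): the recipient-list leak
described in the quiz, the corrected per-recipient mailer, and an audit
check that flags any outbound message disclosing recipients to each other."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample enrolment list for a medication-reminder service.
# Membership in this list is itself PHI: it reveals a diagnosis and a
# treatment, so exposing one patient's address to another is a disclosure.
ENROLLED = [
    "patient.one@example.org",
    "patient.two@example.org",
    "patient.three@example.org",
]


def build_bulk_reminder(recipients):
    """The bug: a single message addressed to every enrolled patient.
    Every recipient's mail client renders the full To: header, so each
    patient learns who else is enrolled in the programme."""
    msg = EmailMessage()
    msg["From"] = "reminders@example.org"       # constructed sender
    msg["To"] = ", ".join(recipients)           # all patients visible to all
    msg["Subject"] = "Reminder"
    msg.set_content("It is time to take your medication.")
    return [msg]


def build_individual_reminders(recipients):
    """The fix: one message per patient. No header carries another
    patient's address, so a recipient learns nothing about the others."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = "reminders@example.org"
        msg["To"] = addr
        msg["Subject"] = "Reminder"
        msg.set_content("It is time to take your medication.")
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses any recipient can read from the delivered headers.
    To and Cc are delivered as-is; Bcc is stripped by the submitting MTA
    and is therefore not counted."""
    raw = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(raw) if addr]


def audit_outbound(messages, limit=1):
    """Pre-send control: return the messages that would disclose more than
    `limit` recipient address(es) to each person who receives them."""
    return [m for m in messages if len(visible_recipients(m)) > limit]


if __name__ == "__main__":
    bulk = build_bulk_reminder(ENROLLED)
    print("bulk messages flagged:", len(audit_outbound(bulk)))         # 1
    fixed = build_individual_reminders(ENROLLED)
    print("individual messages flagged:", len(audit_outbound(fixed)))  # 0
```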

Handling PHI
Follow these guidelines when handling PHI:
- Access PHI only to the extent necessary to perform job-related functions
- Obtain authorization whenever using PHI for marketing purposes
- Destroy PHI once it is no longer needed
- Take steps to verify proper receipt of transmitted PHI
- Secure work areas by keeping documents containing PHI in a locked cabinet and maintaining strong passwords on electronic systems
- Take special precautions while working in the field or at home to ensure PHI is secured in laptop computers and briefcases

Security Breach
Secure PHI is information that is:
- Protected by a technology or methodology specified by HHS
- Rendered "unusable, unreadable, or indecipherable" to unauthorized persons
- Shredded/destroyed so that it cannot be read or reconstructed
If there is a security breach involving unsecured PHI:
- Notice must be given to affected individuals
- If the breach affects 500 or more individuals, notice must also be given to the government and the media
Report any security breach to your supervisor or Privacy Officer immediately.

PHI Rights of Individuals
Individuals have these rights over the use and disclosure of their PHI:
- Covered entities must abide by an individual's request not to divulge PHI if he/she is paying the full cost of the service
- Individuals are entitled to copies of records that the covered entity keeps electronically
- Individuals have the right to request that the covered entity correct inaccurate PHI
- Covered entities maintaining electronic health records must provide, upon request, an accounting of all PHI disclosures during the prior three years
- Fundraisers must notify individuals of their right to opt out of future fundraising solicitations

Enforcement
Failure to comply with HIPAA can lead to significant penalties:
- Civil fines from $100 to $50,000 for each violation, up to $1.5 million per year
- Criminal penalties for a basic offense may include a fine of up to $50,000 and/or imprisonment for up to one year
- Criminal penalties for an offense committed with intent to use PHI for commercial advantage may include a fine of up to $250,000 and/or imprisonment for up to ten years

Final Quiz

Questions?

Thank you for participating! This course and the related materials were developed by WeComply, Inc. and the Association of Corporate Counsel.