A HIPAA Roadmap Past, Present and Future … A Review LBA Healthcare Consulting Services, LLC LeeAnn Brust, RN, MBA, CPC, CCP, CMPE (904) 396-4015.

Health Insurance Portability and Accountability Act  Enacted in  Congress called for the Department of Health & Human Services to develop standards and requirements for the electronic transmission of health information  Administrative Simplification (AS) Provision

Administrative Simplification (Part C of Title XI)
This aspect of the HIPAA law requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for the maintenance and transmission of health information that identifies individual patients.

What are the Standards Designed to Do?
- Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for administrative and financial transactions.
- Protect the security and confidentiality of electronic health information.

Who Must Comply with HIPAA?
- All healthcare organizations that maintain or transmit electronic health information must comply.
- This includes health plans, health care clearinghouses, and health care providers, from large integrated systems to individual providers.

Six Key Areas of HIPAA
- Standardization of Electronic Transactions & Code Sets
- Privacy
- Security
- National Provider Identifiers
- Electronic Signatures
- Electronic Medical Records

Penalties for Failure to Comply
- $100 per person per violation.
- May not exceed $25,000 for violations of a single standard per calendar year.
- The HHS Office for Civil Rights (OCR) has been charged with enforcement.

Wrongful Disclosure of Individually Identifiable Health Information
- Wrongful disclosure offense: $50,000, imprisonment of not more than one year, or both.
- Offense under false pretenses: $100,000, imprisonment of not more than 5 years, or both.
- Offense with intent to sell information: $250,000, imprisonment of not more than 10 years, or both.

EDI Standards Apply to Nine Specific Transactions
1. Health claims or the equivalent encounter information
2. Pharmacy transactions: National Council for Prescription Drug Programs (NCPDP)
3. Health claims attachments
4. Health plan enrollments and disenrollments
5. Health plan eligibility
6. Health care payment and remittance advice
7. Health plan premium payments
8. Health claim status
9. Referral certification and authorization

Privacy Rule (Section 264 of HIPAA)
- DHHS published the final regulations on December 28.
- The legislation, with modifications, was finalized on August 14, 2002, with a final compliance date of April 2003 (Federal Register).

Business Associates
- Do you have Business Associate contracts for all business relationships where exposure to PHI might be possible?

Government Access to PHI
- Government-operated health plans and providers are subject to the same HIPAA requirements as all other health care organizations.
- The Office for Civil Rights is granted access to PHI, but only for investigative or enforcement purposes, and the information OCR requests will be limited and protected.
- Regulations allow certain disclosures to be made for law enforcement purposes, but any state law that has tighter limits on such uses and disclosures of PHI will control.

Payment Disclosure
Conditions under which PHI may be used or disclosed for payment purposes:
1. Billing and collections
2. Determining health plan eligibility
3. Disclosures to consumer reporting agencies

Understanding Incidental Use and Disclosure
- DHHS acknowledges that incidental use and disclosure of confidential information may occur in the course of daily operations.
- Incidental use and disclosure will not be considered a violation of the privacy rule if you have taken reasonable safeguards and meet the minimum necessary requirements.

Use and Disclosure
- The individual who is the subject of the disclosure must provide authorization.
- In the case of a disclosure by phone or in person, the individual's identity must be verified by obtaining two pieces of identifying information. This must be documented.
- Disabled or deceased individuals (and previous employees) are also protected.
- Proof of power of attorney is required from the individual who is requesting information.

“Minimum Necessary”
Do your policies and procedures support the “minimum necessary” standard?

Create Protected Health Information (PHI) “Firewalls”
- Establish an “accounting” procedure to track uses and releases of PHI.
- Limit access to those employees that require it (“minimum necessary”).

Create PHI “Firewalls”: “Minimum Necessary” Use
- Must identify the persons or classes of persons who need access to PHI to carry out their duties.
- Must identify the categories of PHI for each person or class of persons (job descriptions are one of the most common areas in which to do this).
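The two slides above describe a procedure: map each class of persons to the PHI categories their duties require, then keep an accounting of every use and release. The following is an added illustration of that procedure, not code from the presentation; the role names, PHI categories, six-year retention check and record layout are assumptions chosen for the example.

```python
"""Minimum-necessary PHI "firewall" with an accounting of disclosures.
Added illustration, not code from the presentation; the roles, PHI
categories and record layout below are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed job-description matrix: which PHI categories each class of persons
# needs to carry out their duties (the "classes of persons" the slide names).
MINIMUM_NECESSARY = {
    "billing": {"demographics", "insurance", "charges"},
    "clinician": {"demographics", "clinical", "medications"},
    "front_desk": {"demographics", "appointments"},
}

RETENTION_YEARS = 6  # documentation retention period the slides call for


@dataclass
class AccessRecord:
    when: date
    who: str
    role: str
    patient_id: str
    category: str
    purpose: str
    recipient: str  # "internal" for a use, otherwise the outside party
    allowed: bool


@dataclass
class PhiFirewall:
    log: List[AccessRecord] = field(default_factory=list)

    def access(self, who: str, role: str, patient_id: str, category: str,
               purpose: str, recipient: str = "internal",
               when: Optional[str] = None) -> bool:
        """Permit the access only if the role's category list covers it.
        Every attempt, allowed or denied, is recorded so the accounting and
        incident-reporting procedures have something to work from."""
        allowed = category in MINIMUM_NECESSARY.get(role, set())
        stamp = date.fromisoformat(when) if when else date.today()
        self.log.append(AccessRecord(stamp, who, role, patient_id,
                                     category, purpose, recipient, allowed))
        return allowed

    def accounting_for(self, patient_id: str) -> List[AccessRecord]:
        """Releases of one patient's PHI to parties outside the practice,
        the records an individual accounting of disclosures is built from."""
        return [r for r in self.log
                if r.patient_id == patient_id and r.allowed
                and r.recipient != "internal"]

    def denied_attempts(self) -> List[AccessRecord]:
        """Attempts blocked by the matrix, for security incident review."""
        return [r for r in self.log if not r.allowed]

    def within_retention(self, today: str) -> List[AccessRecord]:
        """Records still inside the retention window as of `today` (ISO date)."""
        cutoff = date.fromisoformat(today) - timedelta(days=365 * RETENTION_YEARS)
        return [r for r in self.log if r.when >= cutoff]
```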

Maintain Documentation
- All necessary policies and procedures
- Ensure changes to policies and procedures are not implemented until documented and the appropriate persons are notified
- Maintain documentation for six years, unless a longer period applies
- Business Associate contracts
- Patient acknowledgement of privacy policies
- Authorization forms
- Notices and amended notices
- Training of employees
- Patient complaints and their disposition (this must be documented on the complaint form and forwarded to FCCRMC)

Security Rule (Section 264 of HIPAA)
- Final Rule published February 20.
- DHHS tried to more closely align the security regulations with the final privacy regulations.

Why a Security Rule?
Protecting PHI becomes more important as businesses transition to a paperless environment.

Purpose of the Security Rule
To protect electronic patient health information (PHI) in three ways:
1. Confidentiality: PHI is concealed from people who do not have the right to see the information
2. Integrity: information has not been improperly changed or deleted
3. Availability: the healthcare provider can access the information when it is needed

Understanding the Intersection of Privacy and Security

Security encompasses the measures organizations must take to protect information within their possession from internal and external threats.

Privacy is the consumer’s view of the way his/her information is treated.

Privacy: the privacy rule mandates that entities safeguard all PHI, no matter what the form.
Security: the security rule focuses on requirements for safeguarding PHI in electronic form through policies, procedures, and technology in order to preserve the confidentiality, integrity, and availability of electronic PHI.

Areas Where the Privacy Rule Requires Implementation of Security
- Reasonable safeguards
- Limit information to minimum necessary access
- Individual accounting of disclosures outside of TPO releases

Security  The proposed security standard is divided into four categories: 1) Administrative procedures 2) Physical Safeguards 3) Technical data security services 4) Technical Security mechanisms

Administrative Procedures
- Ensure that security plans, policies, procedures, training and contractual agreements exist.
- Establish an employee termination policy.
- Security incident reporting system (report, respond, repair).
- Procedures that address staff responsibilities for protecting data.

Physical Safeguards  These safeguards protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion.  The use of locks, keys, and administrative measures used to control access to computer systems and facilities are also included.

Physical Safeguards  Facility security plan  Visitor sign-in  Workstation use  Monitor position  Log off terminal  Screen saver  Terminal timeout  Maintenance records

Technical Data Security Services
- These include the processes used to protect, control, and monitor information access.
- Provide specific authentication.
- Authorization, access and audit controls to prevent improper access to PHI.
- Guard data integrity, confidentiality and availability.

Technical Security Mechanisms
- These include the processes used to prevent unauthorized access to data transmitted over a communications network.
- Encryption
- System alarms
- Audit trails
- Passwords

Specific Ways Staff Can Help
- Manage their password
- Identify and keep out malicious software
- Use workstations properly
- Know the practice's sanction policies
- Learn and follow the practice's policies and procedures

Manage Your Password
When creating a password, use a combination of letters and numbers:
- Choose a song, a saying, a poem, something easy to remember
- Do not allow staff to write their password down anywhere
- Use a separate password for personal accounts

Manage Your Password (cont’d)
Once your staff members have a password:
- Encourage them not to share it with anyone
- Change passwords according to policy (at least every 12 months)
- Encourage staff to use the same password for all of their accounts/programs

Manage Your Password (cont’d)
Ask your staff to report the following immediately:
- Someone has learned their password (change it immediately)
- Their account has been used by someone other than themselves

Identify and Keep Out Malicious Software
Warning signs that indicate a workstation may be infected:
- System is running particularly slowly
- Storage capacity is suddenly at the maximum
- Activity on the computer at unusual times
- Activity logs erased
- Warnings from monitoring software that there is a virus on the computer

Identify and Keep Out Malicious Software
Safety measures to teach your staff:
- Open attachments only from known sources
- Clear the use of instant messaging programs with our ISO
- Use the desktop firewall settings established by our ISO
- Use office computers only for practice business
- Don’t download or install software without ISO approval

Use Workstations Properly
- Position the monitor so others, especially visitors, cannot see the screen.
- Staff should log off workstations (or activate the password-protected screen saver) when they are:
  - Finished with a task
  - Leaving the area and can’t see the workstation
  - Letting a new user log on with their own password

Warning! Time-outs are a protection for when you forget to log off. Do not change the timer!

Use Workstations Properly (cont’d)
Threats to a network:
- Devices introducing viruses into the system: CDs, floppies, iPods, USB drives, Palm Pilots
- Family members or friends using practice computers in off-hours can introduce viruses and expose patient data
- Web surfing for personal enjoyment
- Downloading free programs or music from the Internet onto office machines can introduce viruses

Use Workstations Properly (cont’d)
Protect your private information:
- Implement policies about what is allowed in e-mails and when they are to be deleted
- Encrypt documents for storage and transmission as directed by your IT department
- Report the loss of any equipment which might contain identifiable health information to your IT department

Consequences for Violations
- Intentional infractions may lead directly to dismissal.
- Infractions can result in civil and governmental penalties for the violator, as well as for those responsible for implementing and monitoring our security policies.
- Knowingly misusing patient information (in electronic form or any form) is a felony under HIPAA.

Security Risks are Real
1. 24,000 complaints filed
2. 18,529 complaints closed
3. Cases sent to the Department of Justice; only 39 accepted
4. 32% of the cases opened were closed with no violations found
5. 57% had to implement a corrective action plan

Key Points
- Ensure your HIPAA policies and procedures are updated and that their location is known by all applicable staff.
- Provide initial training at hire and annually thereafter. Use the group attendance log as documentation.
- Maintain separate employee health files.
- Keep all protected information in a limited-access area and under lock and key.