A general review of HIPAA standards and privacy practices 2017

A general review of HIPAA standards and privacy …dental.buffalo.edu/.../file.res/HIPAA-Privacy-2017.pdfHIPAA was enacted by Congress as an attempt at healthcare reform - it was initially



Page 2

* 45 CFR, 164 … Health Insurance Portability and Accountability Act
* Privacy Rule
* Security Rule
* Treatment, Payment and Healthcare Operations
* 42 CFR, Part 2, Confidentiality of Alcohol and Drug Abuse Patient Records
* HITECH ACT
* Workplace Reminders

Page 3

* Health Insurance Portability and Accountability Act of 1996: Effective April 2003.
* Created standards for privacy and security of personal health data.
* Established standardized patient rights.
* Established “minimum necessary” standard for disclosure of protected health information (PHI).
* Mandates annual privacy training for all healthcare employees.

Page 4

HIPAA was enacted by Congress as an attempt at healthcare reform - it was initially introduced in Congress as the Kennedy-Kassebaum Bill. The landmark Act was passed in 1996 with two objectives. One was to ensure that individuals would be able to maintain their health insurance between jobs. This is the Health Insurance Portability part of the Act.

The second part of the Act is the "Accountability" portion. This section is designed to ensure the security and confidentiality (privacy) of patient information/data. In addition, it mandates uniform standards for electronic data transmission of administrative and financial data relating to patient health information.

Page 5

* The HIPAA Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” or PHI - by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals' privacy rights to understand and control how their health information is used.

Page 6

* The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.
* The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Page 7

* “Covered Entity”: healthcare provider, healthcare payer, or healthcare clearinghouse that processes healthcare claims electronically.
* “Business Associate”: person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

If not a covered entity, then a business associate agreement (BAA) should be in place - with specific HIPAA language.

Page 8

• Allows for disclosure of PHI between covered entities without written consent when used for:
  • TREATMENT
  • PAYMENT
  • OPERATIONS

Page 9

* Treatment: “the provision, coordination, or management of health care and related services for an individual by one or more health care providers”

• PHI may be disclosed to other providers involved in patient care such as:
  - Diagnostic services
  - Rehabilitative services
  - Therapies (OT, PT, chemo)
  - Hospice, home healthcare agencies
  - Transportation services: specialized van/bus
  - Durable medical equipment: home deliveries of medical equipment and/or supplies; discharge planning

Page 10

* Payment: PHI can be disclosed to third party payers – Medicare, Medicaid, private insurance companies – for reimbursement, pre-authorization, and utilization review activities:
  - Was medical necessity documented?
  - Were clinical measures met?
  - Billing audits

Page 11

* Healthcare operations: Administrative, Financial and Legal activities of organization:
  - Training & education: internal & external
    - Signed collaborative agreements with higher education institutions; requires internal privacy training
  - Statistical reporting for funding – IHS, grants
    - Generally de-identified but some information may be patient specific
  - Immunizations may be disclosed to schools
  - Public health activities:
    - Child abuse and neglect
    - Communicable diseases
    - Other required reporting for medico-legal reasons

Page 12

* Certain law enforcement activities allowed under 45 CFR 164.512 (f)(1)(ii)(A,B,C)
  - Death as result of a (suspected) crime
  - Victim of crime: gunshots and stabbings
  - Warrants, subpoenas, and court orders
    - Must be signed by a judge, not clerk or attorney
    - Official letterhead and compliant with HIPAA
    - Valid requests for PHI/records to HIM; other administrative requests to Administration
    - Tribal attorneys notified (SNHS policy)

Page 13

* Privacy Rule mandates NPP (Notice of Privacy Practices)
* Given to all patients effective April 13, 2003
* Details patient rights and how the entity may disclose PHI
* Details HIPAA privacy rule and includes two examples each of treatment, payment and health care operations
* Updated notice September 2013 for HITECH
* Can be found on our website, SNHS Privacy Policy, and linked to the SNHS intranet

Page 14

* Patient rights:
  - To access information
  - To obtain copy of information
  - To request an amendment to his/her information if patient believes it contains an error
  - To request a restriction for disclosure: HITECH - patient pays for claim in full and can restrict disclosure to third party payer
  - To file a privacy complaint
* Requests should be in writing and signed by the patient.

Page 15

* Not all requests have to be approved
* Process for amendments can take up to 90 days:
  - Can only be approved by author
  - Must be valid. Facts cannot be altered because patient didn’t like what was documented.
* Restriction for disclosure does not have to be approved if it interferes with treatment, payment and health care operations.
  - HITECH: the restriction on disclosure to a third party payer (claim paid in full) is the only one that has to be honored.

Page 16

* Specific form to use if not for “TPO”
* Patient or personal representative must have legal authority to sign.
  - Over 18 years of age unless emancipated minor
  - Power of attorney specifically states “healthcare”
  - Legal guardian appointed by court of competent jurisdiction
  - Either natural parent may sign unless legally unable to do so
  - Minor may sign for own child

Page 17

* Certain information is considered “sensitive”
* Requires specific authorization before disclosure
* Authorization for disclosure form (ROI) needs to be checked and signed:
  - Drug and alcohol abuse treatment records
  - HIV and AIDS – includes testing
  - Mental health
  - Sickle cell anemia
  - Includes STDs as part of SNHS practice
* PSYCHOTHERAPY NOTES - any request for psychotherapy notes needs to be on its OWN ROI form

Page 19

* HIPAA is clear on releasing only the “minimum necessary” – “protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or to carry out a function.”
* Key element of the HIPAA Privacy Rule.
* Entities must enhance efforts to limit unnecessary or inappropriate access.

Page 20

* “A covered entity is required to develop role-based access policies and procedures that limit which members of its workforce may have access to protected health information for treatment, payment and healthcare operations, based on those who need access to the information to do their jobs.”
* Who? Why? What type of access?
* Access based on need-to-know for work related duties.

Page 21

* Employees should not look up own or family members’ information unless a normal function of duties.

* If information is needed, follow proper procedure – get ROI, forward patient to registration or scheduling, send to appropriate staff.

Don’t look because you CAN or because you have an inquiring mind!

Page 22

* HIPAA doesn’t require soundproofing or extensive remodeling, but …

* Healthcare entities should make reasonable efforts to minimize incidental disclosure.

* Change passwords, limited EMR access based on job duties, annual privacy training.

* Practice auditory privacy.

* EMR: different levels of access, including the Practice Management (PM) or Electronic Medical Record (EMR).

Page 23

The Health Information Technology for Economic and Clinical Health Act is part of the American Recovery and Reinvestment Act of 2009 (ARRA).

Contains specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers (meaningful use).

Widens the scope of privacy and security.

Increases the potential legal liability for non-compliance, and it provides for more enforcement, including new breach notification requirements.

Page 24

Established: “national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity.”

Requires: “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

* Mandates entities have an Information Security Officer (ISO) responsible for security.

Page 25

* DO NOT SHARE – different levels of access
* Prompted to change
* Seneca Health passwords must meet the following minimum requirements:
  · Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  · Be at least six characters in length
  · Contain characters from three of the following four categories:
    1. English uppercase characters (A through Z)
    2. English lowercase characters (a through z)
    3. Base 10 digits (0 through 9)
    4. Non-alphabetic characters (for example, !, $, #, %)
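The minimum requirements on this slide can be checked mechanically before a password is accepted. The following is an added example, not Seneca Health's or the deck's own code. The length and category thresholds are the slide's; the reading of "parts of the user's full name that exceed two consecutive characters" as name parts of three or more characters, split on spaces and punctuation and compared case-insensitively, is an assumption modelled on how the equivalent Windows complexity rule is usually described, and "non-alphabetic" is treated as non-alphanumeric so that digits stay in their own category.

```python
import re
import string

# Thresholds as stated on the slide. They are module constants so a
# stricter local policy can raise them without touching the logic.
MIN_LENGTH = 6
MIN_CATEGORIES = 3
# Assumption: "parts of the full name that exceed two consecutive characters"
# is read as name parts of three or more characters.
MIN_NAME_PART = 3

# The four character categories listed on the slide.
CATEGORIES = {
    "uppercase": lambda c: c in string.ascii_uppercase,
    "lowercase": lambda c: c in string.ascii_lowercase,
    "digit": lambda c: c in string.digits,
    "non-alphabetic": lambda c: not c.isalnum(),  # e.g. ! $ # %
}


def name_parts(full_name):
    """Split a display name on spaces and common punctuation and keep the
    parts long enough to count under the policy, lower-cased."""
    parts = re.split(r"[ ,.\-_#\t]+", full_name)
    return [p.lower() for p in parts if len(p) >= MIN_NAME_PART]


def check_password(password, account_name, full_name):
    """Return every violation of the minimum requirements (empty list = OK).
    Name comparisons are case-insensitive, so 'Smith' is found in 'smith1'."""
    violations = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    if len(account_name) >= MIN_NAME_PART and account_name.lower() in lowered:
        violations.append("contains the account name")

    for part in name_parts(full_name):
        if part in lowered:
            violations.append(f"contains part of the full name ({part})")

    present = {name for name, test in CATEGORIES.items()
               if any(test(c) for c in password)}
    if len(present) < MIN_CATEGORIES:
        violations.append(
            f"uses only {len(present)} of the 4 character categories "
            f"({MIN_CATEGORIES} required)")
    return violations


if __name__ == "__main__":
    # Constructed sample user; every password is checked against all rules.
    for pw in ("Winter2017!", "jsmith99", "Ab1!"):
        print(pw, "->", check_password(pw, "jsmith", "John Smith") or "meets policy")
```

The function collects every violation instead of stopping at the first one, which is what a help desk needs when explaining to a user why a new password was rejected.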

Page 26

* Personally identifiable information – PII –obtained during course of daily business must also be protected.

* Some examples of PII:
  - Name
  - Phone number
  - Address
  - E-mail address
  - SSN**
  - Medical Record number
  - Date of birth
  - Photo
  - Account numbers
  - Any license or ID number

* Potential for identity theft, fraud and prescription abuse.

** SSN most often cited.

Page 27

* Patients have a right to alternative means of communication: phone, e-mail, letter, different mailing address
* When leaving messages, don’t be too specific. Less is better.
* Do not give out test results or details of treatment or referral plan when leaving auditory messages.
* Brief message: “This is Jane at the health center calling for John. Please call back at this number and extension.”

Page 28

* Social media is not a secure method of communication. Do not post PHI/PII or other official communications on social media.

* SNHS not set up to text PHI - for employees, do not use personal cell phones to contact patients. Not secure.

* Photos should not be taken of patients without proper consent. Never post photos to social media!

Page 29

• If patients desire e-mail communication, they will be instructed to use the SNHS patient portal
* SNHS portal is secure and HIPAA compliant

Page 30

* Required as part of HITECH – Stage 2 of meaningful use – for entities using an EMR system.
* Alternative means of communication
* Patients need to sign up at Registration
* Electronic access for only certain PHI in the EMR.
* Also required for PCMH certification

Page 31

* Lock out monitor (control-alt-delete) when leaving computer unattended.

* Limit access to your office or work station to avoid an “incidental disclosure”.

* Practice auditory privacy – don’t discuss patient care if others can overhear.

Page 32

* Limit printing, and when done, shred or dispose of document properly.
  - No strip shredders for PHI or PII
  - From the Department of HHS: “For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”
  - SNHS has a shredding company that comes on-site to destroy documents with PHI/PII

Page 33

* Use common sense - place documents face down on desk.

• Never give out or share your password.

• DO NOT PUT YOUR USERNAME AND PASSWORD ON A STICKY UNDER YOUR KEYBOARD

• You are assigned a level of access for your job

• Audit trail
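Pages 20, 21 and 33 together describe one control: role-based, need-to-know access to the EMR, a rule against looking up your own or a family member's chart, and an audit trail that records who opened what. The following is an added example of how a privacy officer might review such an audit trail for both kinds of violation; it is not SNHS's or the deck's own code, and the log line format, the role-to-section permission table, the staff directory and the sample log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Record sections each role needs for its job duties. This permission
# table is constructed for the example; it is not SNHS's actual role policy.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "notes", "meds", "labs"},
    "nurse": {"demographics", "notes", "meds"},
    "billing": {"demographics", "billing"},
    "registration": {"demographics"},
}

# Constructed staff directory: each employee's role, the MRN of their own
# chart, and MRNs of family members they must not open outside normal duties.
STAFF_DIRECTORY = {
    "jsmith": {"role": "billing", "own_mrn": "10045", "family_mrns": {"10046"}},
    "rjones": {"role": "nurse", "own_mrn": "20010", "family_mrns": set()},
}

# Assumed audit-log line format (one access per line).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"mrn=(?P<mrn>\S+) section=(?P<section>\S+)$"
)

# Constructed sample audit trail for one morning.
SAMPLE_LOG = """\
2017-03-02T09:14:05 user=jsmith role=billing mrn=30001 section=billing
2017-03-02T09:16:40 user=jsmith role=billing mrn=30001 section=notes
2017-03-02T09:20:12 user=jsmith role=billing mrn=10045 section=demographics
2017-03-02T10:02:33 user=rjones role=nurse mrn=10046 section=meds
2017-03-02T10:05:01 user=rjones role=nurse mrn=30002 section=notes
""".splitlines()


@dataclass
class Finding:
    ts: str
    user: str
    mrn: str
    reason: str


def parse_line(line):
    """Return the fields of one audit line as a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def review_access(log_lines, directory=STAFF_DIRECTORY, permissions=ROLE_PERMISSIONS):
    """Flag accesses outside the role's need-to-know set and accesses to the
    user's own or a family member's chart. Every line is checked against
    every rule, so one access can produce more than one finding."""
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(Finding("?", "?", "?", f"unparseable line: {line.strip()}"))
            continue
        ts, user, mrn = rec["ts"], rec["user"], rec["mrn"]
        staff = directory.get(user)
        if staff is None:
            findings.append(Finding(ts, user, mrn, "user not in staff directory"))
            continue
        if rec["role"] != staff["role"]:
            findings.append(Finding(ts, user, mrn, "logged role differs from directory role"))
        if rec["section"] not in permissions.get(rec["role"], set()):
            findings.append(Finding(
                ts, user, mrn,
                f"section '{rec['section']}' is outside need-to-know for role '{rec['role']}'"))
        if mrn == staff["own_mrn"]:
            findings.append(Finding(ts, user, mrn, "access to own medical record"))
        elif mrn in staff["family_mrns"]:
            findings.append(Finding(ts, user, mrn, "access to family member's record"))
    return findings


if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG):
        print(f"{f.ts} {f.user} mrn={f.mrn}: {f.reason}")
```

In the sample log the billing clerk's view of a billing section is silent, the same clerk opening clinical notes is flagged as outside need-to-know, and the demographics view of the clerk's own chart is flagged even though demographics is within the role, because the rule on page 21 is about whose record it is, not which section. The nurse's access to MRN 10046 is not flagged: it is a family member only for a different user.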

Page 34

* Penalties – civil and criminal – can be issued.

* US Office of Civil Rights (OCR) investigates privacy complaints for non-compliance.

* Employee and/or entity can be held responsible for non-compliance.

* Fines and/or incarceration can be levied.

* US Department of Justice responsible for prosecution.

Page 37

* Impermissible Uses and Disclosure
  - Not permitted under TPO or unauthorized disclosure
* Lack of Safeguards of PHI
  - Administrative, Technical and Physical
* Lack of Patient Access to PHI
  - Restricted disclosures to patient
* Uses and Disclosures more than Minimally Necessary
* Lack PHI Administrative Safeguards
  - Access policies, need-to-know

Page 38

| Year | Issue 1 | Issue 2 | Issue 3 | Issue 4 | Issue 5 |
|------|---------|---------|---------|---------|---------|
| 2015 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access | Technical Safeguards |
| 2014 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access | Technical Safeguards |
| 2013 | Impermissible Uses & Disclosures | Safeguards | Access | Administrative Safeguards | Minimum Necessary |
| 2012 | Impermissible Uses & Disclosures | Safeguards | Administrative Safeguards | Access | Minimum Necessary |

Page 39

* Privacy complaints against the organization or an employee can be made by patient, employee or general public.
* SNHS complaint/grievance process will be used.
* Contact Privacy Officer for guidance.
  - PO does not take any action against employee
  - Supervisor and HR responsible for following disciplinary process if complaint is found to be valid.
* Disciplinary action, including termination, may result from a breach or unauthorized disclosure.
* SNI HR policy also requires confidentiality.

Page 40

* Pharmacy records were disposed in unsecured containers. They were not shredded and contained personally identifiable information (PII) regarding specific patients.

* Organization failed to implement written policies and procedures as required by HIPAA.

* Organization fined $125,000; corrective action included implementing policies and developing and providing training for staff.

Page 41

• On April 12, 2012, MHS (Memorial Healthcare System) submitted a breach report to HHS indicating that two MHS employees inappropriately accessed patient information

• Payment. MHS agrees to pay to HHS the amount of $5,500,000 ("Resolution Amount").

• Corrective Action Plan. MHS has entered into and agrees to comply with the Corrective Action Plan ("CAP").

Page 42

* Catholic Health Care Services – June 29, 2016
* CHCS agreed to settle violations of the HIPAA Security Rule after the theft of a mobile device compromised the protected health information (PHI) of hundreds of nursing home residents.
* The total number of individuals affected by the combined breaches was 412.
* The settlement includes a monetary payment of $650,000 and a corrective action plan.

Page 43

* Oregon Health & Science University - July 18, 2016
* $2,700,000 settlement to resolve violations of the HIPAA Privacy and Security Rules, as well as a comprehensive three-year corrective action plan.

* OCR’s investigation began after OHSU submitted multiple breach reports affecting thousands of individuals, including two reports involving unencrypted laptops and another large breach involving a stolen unencrypted thumb drive.

* The investigation uncovered evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement.

* OCR found significant risk of harm to 1,361 of these individuals due to the sensitive nature of their diagnoses.

Page 44

* A health care employee's supervisor accessed PHI from an employee's medical record.

• OCR's investigation confirmed that the use and disclosure of protected health information by the supervisor was not authorized…was not otherwise permitted by the Privacy Rule.

* Among other corrective actions to resolve the specific issues in the case:
  - a letter of reprimand was placed in the supervisor's personnel file;
  - the supervisor received additional training about the Privacy Rule.

• An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not.

Page 45

* First HIPAA enforcement action for lack of timely breach notification settles for $475,000
* The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information. Presence Health has agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and agreeing to implement a corrective action plan.

Page 46

“Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well” said OCR Director Jocelyn Samuels. “OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

Page 47

* Department of Health and Human Services, Office for Civil Rights (OCR)
* 45 CFR, Parts 160 (privacy) and 164 (security)
* 42 CFR, Part 2 (drug & alcohol)
* 41 CFR, Parts 105, 412, 413, 422
* Centers for Medicare and Medicaid Services
* Indian Health Service
* SNI HR Policy
* National Institute of Standards and Technology (NIST)