
FCSRMC – HIPAA PRIVACY & SECURITY PRESENTATION

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.


What is HIPAA?

HIPAA stands for: Health Insurance Portability and Accountability Act.

• August 1996: Federal law enacted
• April 2001: Privacy Rule
• April 2005: Security Rule
• February 2010: HITECH Act
• March 2013: HIPAA Omnibus (Final) Rule


HIPAA Privacy Rule

HIPAA’s Privacy Rule:

• Addresses the use and disclosure of an individual’s health information regardless of how it is communicated (electronically, verbally, or written).

• Establishes standards for an individual to understand and control how their health information is used.

• Assures that health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.


Covered Entity (CE)

A Covered Entity includes a health plan or payor, a healthcare clearinghouse, and all healthcare providers who transmit any healthcare information in electronic form (including telephones, fax machines and computers).

Examples:

• Physician Practices
• Dentists
• Hospitals
• Diagnostic Services (lab, radiology)
• Nursing Homes
• Pharmacies
• Home Health Agencies
• Health Plans


Covered Entity (CE)

FCSRMC is considered a Covered Entity (Group Health Plan) and its member colleges act as the plan sponsor.

A covered health plan includes a group health plan, which is defined as an employee welfare benefit plan under ERISA.

This may include:

• hospital and medical benefit plans
• dental plans
• vision plans
• health flexible spending accounts
• employee assistance plans


Business Associate

A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a Covered Entity.

Examples include vendors, contractors and subcontractors such as:

• Billing Company
• Transcription Service
• Practice Management System
• Document Storage Company
• Collection Agency
• Attorney
• Accountant
• Consultant
• EMR/EHR System
• I.T. Vendor

Business Associates are accountable for protecting the privacy/security of PHI and are directly liable for criminal and civil penalties for violations.



Protected Health Information (PHI)

Protected Health Information (PHI) is:

• individually identifiable health information that has been transmitted or maintained in any medium (paper, verbal, electronic).

• created or received by the organization, relates to the health of an individual or payment for health services, and identifies the individual.

Identifiers include:

• Employee Name
• Complete Address
• All Elements of Dates
• Telephone Numbers
• Fax Numbers
• E-Mail Address
• Social Security Number
• Medical Record Number
• Health Plan Beneficiary Number
• Account Numbers
• Certificate/License Number
• Vehicle Identifiers (License Plate Number)
• IP Address
• Biometric Identifiers (voice and fingerprint)
• Full Face Photographic Images
• Any Other Unique Identifying Number/Code


De-Identified Health Information

De-identified health information refers to information that cannot be used to identify an individual. Examples include information that has been redacted from documents containing health information, or reports that do not identify a specific individual.

Uses:

• Research (market analysis)

• Financial Reports

• Statistical Reports

• Demographic Studies

• Reports for Public Health Purposes

• Quality Improvement Activities

• Health Care Operations
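As an added illustration of the redaction approach described on the PHI and De-Identified Health Information slides (this is not code from the presentation, FCSRMC or BDO), the Python below drops the identifier categories listed on the PHI slide from a constructed record and scrubs identifier-looking strings out of free-text fields, then re-checks the result. The field names and regular expressions are assumptions chosen for the example.

```python
"""Redact the PHI identifier categories from a flat record and audit the result.

Added example; field names and patterns are assumptions, not FCSRMC's data model.
"""
import re
from typing import Any

# Identifier categories from the PHI slide, mapped to assumed record field names.
DIRECT_IDENTIFIER_FIELDS = {
    "employee_name", "address", "telephone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "vehicle_identifier", "ip_address",
    "biometric_identifier", "full_face_photo", "other_unique_id",
}
# "All elements of dates": date fields are dropped entirely (assumed field names).
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}

# Constructed regexes that catch identifiers leaking through free text (e.g. notes).
# They are deliberately simple, not an exhaustive PHI detector.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with identifier and date fields removed and free text scrubbed."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in DATE_FIELDS:
            continue  # drop the whole field: de-identified data never carries it
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[REDACTED {label.upper()}]", value)
        out[key] = value
    return out


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """Audit check: sorted list of identifier categories still present in a record.

    An empty list is the condition this example uses for treating the record as
    de-identified in the sense of the slide (no listed identifier remains).
    """
    found: set[str] = set()
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in DATE_FIELDS:
            found.add(key)
        elif isinstance(value, str):
            found.update(label for label, p in FREE_TEXT_PATTERNS.items() if p.search(value))
    return sorted(found)


# Constructed sample claim record; not real data.
SAMPLE_RECORD = {
    "employee_name": "Jane Example",
    "ssn": "123-45-6789",
    "date_of_birth": "04/12/1975",
    "health_plan_beneficiary_number": "HPB-0001",
    "diagnosis_code": "J20.9",
    "claim_amount": 412.50,
    "notes": "Member called from 904-555-0100; follow up 05/01/2017 at jane@example.org.",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("residual identifiers:", residual_identifiers(clean))
```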



Notice of Privacy Practices

The Covered Entity must provide a Notice of Privacy Practices to each individual. It is brief, written in plain language, and includes:

• a description of the types of uses and disclosures that the Covered Entity is permitted to make for treatment, payment and healthcare operations.

• a description of other purposes for which the Covered Entity is permitted or required to disclose PHI without the individual’s written authorization.

• a description of the types of uses and disclosures that require an authorization.

• a statement outlining the Covered Entity’s duties to maintain the privacy of PHI.

• a statement that individuals may complain to the covered entity if they believe their privacy rights have been violated.

The Privacy Notice is provided by the Group’s Health Plan TPA (Florida Blue) to the Group Health Plan participants (FCSRMC).


Notice of Privacy Practices

FCSRMC and its member colleges have adopted a HIPAA Privacy Policy Statement. The Privacy Policy should be reviewed with new staff at the time of new hire orientation. Employees should sign the acknowledgement form indicating they have received and have had an opportunity to read the HIPAA Privacy Policy.


Consent and Authorization

Covered Entities cannot share PHI without the individual's awareness of their privacy rights.

To use and disclose PHI for purposes other than treatment, payment and health operation purposes, Covered Entities must obtain a standard consent or authorization with a few exceptions.

Consent can be revoked by an employee/individual (patient) in writing.

It is the policy of FCSRMC and its member colleges that individuals have a right to request that no disclosure be made of PHI. Neither FCSRMC nor its member colleges is obligated to grant the request.


When Consent and Authorization is NOT Required

Permitted PHI disclosures without an authorization:

Treatment - Disclosures between Covered Entities (such as other healthcare providers) involved in the patient care, information to/from pharmacy or diagnostic center

Payment – Disclosure regarding balance to patient, all information needed by the health plan, information to collection agencies

Health Operations – Fraud/abuse detection, compliance programs, government inspections, training new employees, competency assessments, business management activities, quality improvement activities

• Public health activities
• Victims of abuse, neglect or domestic violence
• Law enforcement purposes
• To comply with Workers’ Compensation
• To avoid serious threat to health or safety


When Consent and Authorization IS Required

An authorization is required for:

• Use and disclosure of PHI for purposes other than treatment, payment and health operation purposes
• Releasing psychotherapy notes
• Marketing, research, sale of PHI, and fundraising
• Releasing PHI to the patient’s employer

An authorization must include:

• Description of the information to be disclosed
• Names of persons to whom the information is to be given
• Purpose of the disclosure
• An expiration date for the use of the information


Individual’s Rights

• Right to Restrict Disclosures
• Right of Access
• Right to Amendment
• Right to an Accounting of Disclosures

Requests for the above should be directed to, and processed by, the Group’s Health Plan TPA.


Individual’s Rights

Staff can file a written complaint if they believe their privacy has been violated. Complaints should be directed to the college’s privacy contact, and any intimidating or retaliatory acts are prohibited.

It is important for staff to know that their PHI is safeguarded to protect PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule.



“Minimum Necessary”

“Minimum Necessary” is limiting the amount of PHI that is used (within the facility) or disclosed (outside of the facility) to the least amount of information possible to accomplish the intended purpose.

Your facility should evaluate who should be accessing PHI (documented in job descriptions).

Only staff who need access to PHI to perform their job duties should be granted access to these areas (a unique sign-on and password, access to paper files, etc.).

Minimum Necessary does not apply to requests/disclosures to the staff or another healthcare provider for treatment purposes.


Medical Information – Personnel Records

In accordance with Section 112.0455, Florida Statutes (Drug-Free Workplace Act), drug screen results are confidential and exempt from disclosure under the public records law.

The Americans with Disabilities Act (ADA) and HIPAA require that all medical documents be filed separately from personnel records.

Medical information should be kept confidential and away from personnel records even if the company does not fall under ADA or HIPAA regulations.

Medical paperwork that should be filed separately includes the following:

• Reports from pre-employment physicals
• Drug and alcohol testing results
• Workers' compensation paperwork
• Medical leave of absence forms
• Disability paperwork
• Insurance applications that reveal pre-existing conditions
• Anything that identifies a medical issue


HIPAA Privacy Vs. Security Rules

Privacy Rule:

• Sets standards for who needs access to PHI
• Applies to all forms of PHI (electronic, written, oral)

Security Rule:

• Ensures access is only given to those who need it to perform their job
• Only applies to electronic forms of PHI


HIPAA Security Rule

Security encompasses the measures organizations must take to protect information within their possession from internal and external threats.



Administrative Safeguards

• Establish HIPAA policies/procedures
• Provide security awareness and reminders to staff
• Perform a risk analysis to determine where you might be vulnerable to a breach
• Have a Disaster Recovery Plan in case of emergency
• Implement sanctions and terminations for staff who breach PHI
• Manage passwords, including disabling access upon termination
• Appoint a Privacy/Compliance Officer and Security Official
• Implement Business Associate Agreements for all vendors who access PHI


Physical Safeguards

• Design a contingency operations plan for when data is temporarily unavailable
• Implement a security plan for the facility (door locks, electronic access controls, video monitoring)
• Install password protection on monitors
• Ensure monitors are not facing public areas
• Password protect thumb drives and documents containing PHI (Word, Excel, etc.)
• Properly dispose of devices (hard drives, copiers, fax machines, scanners)


Technical Safeguards

• Only use certified software systems
• Use data encryption/decryption on all devices (laptops, cell phones)
• Install firewalls and antivirus software
• Assign unique sign-on and passwords to software containing PHI
• Utilize integrity controls to ensure PHI has not been tampered with or destroyed
• Implement automatic log-off after the system has been idle
• Back up data daily
• Continually monitor and audit the system to ensure it has not been hacked or compromised


Staff Training

Employers are required to provide privacy and security training to staff and to provide periodic security reminders.

Security reminders may include:

• How to maintain security, including the need for strong passwords
• Specific threats to PHI that have been identified, such as viruses
• PHI access restrictions
• Changes in policies/procedures concerning HIPAA regulations
• Procedures to follow for modifying access to PHI
• How to report security breaches and to whom


Breach of PHI

A breach is any unauthorized access, use or disclosure of unsecured PHI which compromises the security or privacy of PHI, unless there is a low probability that the PHI has been compromised.

From January – June 2017, there were 2,000 HITECH breaches:

• 175 million people affected
• 127.6 million – network server
• 6.6 million – desktop
• 5.6 million – laptop
• 2.1 million – unsecured email

Source: HIPAAOne - www.hipaaone.com/2017-hipaa


Mitigating Risk

• Data protection
  o Use workstations properly - don’t leave information open and unattended
  o Don’t share passwords or post them where others can see them
  o Don’t discuss confidential information with unauthorized individuals
  o Lock computer, desk and file cabinets
  o Use shredder/recycle bin when destroying information

• Access controls – only give authorized staff access to software/files containing PHI

• Report potential threats to the Privacy Contact at your facility

• Encrypt emails containing PHI

• Obtain a BAA from vendors when they access/obtain PHI

• Password protect mobile devices if accessing company emails on the device

• Prevent malware infection on your computer by not downloading and installing anything you do not understand or trust, no matter how tempting

• Provide training at time of hire and annually thereafter


Sanctions Policy

All workforce members must protect the confidentiality, integrity, and availability of sensitive information at all times.

FCSRMC will take appropriate disciplinary action against employees, contractors, or any individuals who violate the information security and privacy policies or state or federal confidentiality laws or regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

FCSRMC will impose sanctions on any individual who accesses, uses, or discloses sensitive information without proper authorization. Sanctions may include:

• policy changes
• personnel changes
• transfer to another department
• retraining
• written reprimands
• suspension
• termination


Document Retention

Maintain the following documentation for six years, unless a longer period applies:

All policies and procedures

Business Associate Agreements

Signed Acknowledgement of Privacy Policies

Authorization forms

Notices and amended notices

Training of employees

Patient/employee complaints and their disposition (this must be documented on the complaint form and forwarded to FCSRMC)


Key Points

Provide initial training at hire and annually thereafter. Use the group attendance log as documentation.

Maintain a separate employee health file.

Keep all protected information in a limited access area and under lock and key.



1. Who is not a Covered Entity?
   a. Supermarket
   b. Physician
   c. Health Plan

2. Who must comply with HIPAA privacy and security rules?
   a. Only physicians and hospitals
   b. Patients
   c. All Covered Entities and Business Associates

3. Who should have access to PHI?
   a. Everyone in the company
   b. Everyone in the department
   c. Only those who need access to perform their job duties

4. It is OK to share your user name and password with someone you know as long as they do not share it with anyone else.
   a. True
   b. False


5. PHI can be used to make employment related decisions.
   a. True
   b. False

6. When is an authorization required to release PHI?
   a. Disclosures not related to treatment, payment or healthcare operations
   b. When someone requires assistance with insurance claims/benefits
   c. Both a and b

7. How long is the document retention policy under HIPAA?
   a. 10 years
   b. 6 years
   c. Indefinitely

8. Ways to mitigate risk to PHI are:
   a. Secure your workstation and other areas containing PHI
   b. Don’t report a breach if you suspect it has occurred
   c. Avoid the HIPAA training sessions


Questions?

Carol Crews, CMPE, CPMA, OHCC Sr. Manager, Healthcare Advisory

BDO Center for Healthcare Excellence & Innovation

BDO USA

(904) 224-9787

[email protected]



References

More detailed information can be found at the following resources:

U.S. Department of Health and Human Services. 45 CFR Parts 160 and 164. Federal Register. www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf

U.S. Department of Health and Human Services, Office for Civil Rights. www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf

Centers for Medicare & Medicaid Services, Office of E-Health Standards and Services. www.hhs.gov/ocr/privacy/hipaa/enforcement/cmscompliancerev08.pdf

U.S. Department of Health and Human Services. www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule