Page 1

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Training

Page 2

www.cooley.com

Agenda

• Introduction
• Privacy Rule
• Security Rule
• Breach Notification Requirements
• Penalties for Violations

Page 3

Introduction – Overview of Law

The Health Insurance Portability and Accountability Act (“HIPAA”) became law in 1996

It was significantly amended and expanded by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), and it was significantly amended again in 2013 by the Final Omnibus Rule

The purpose of HIPAA is to improve the efficiency and effectiveness of the healthcare system by standardizing and protecting the communication of health information, with particular regard to privacy, security and electronic data interchange

Although this training will focus on HIPAA specifically, other laws and regulations (for example, state laws) also govern data privacy, security, and breach reporting

Page 4

Introduction – To Whom does HIPAA Apply?

Generally, HIPAA seeks to safeguard Protected Health Information (“PHI”) that is used and/or disclosed by certain types of entities

HIPAA applies to “Covered Entities,” including:
• Health plans;
• Health care providers who transmit health information in electronic form in connection with a covered transaction; and
• Health care clearinghouses (entities that process health information in certain ways, such as certain billing services or “value-added” networks)

Achieve Beyond is a Covered Entity because Achieve Beyond is a provider of health care; this training will focus on Achieve Beyond’s HIPAA obligations

Page 5

Introduction – To Whom does HIPAA Apply?

HIPAA also applies to “Business Associates,” or independent contractors and agents of Covered Entities that create or obtain PHI in connection with providing services for the Covered Entity

Achieve Beyond has certain Business Associates that are obligated by HIPAA to protect PHI they create or receive for or on behalf of Achieve Beyond. Examples may include IT support, consultants, and/or accountants

Page 6

Introduction - What Type of Information does HIPAA Protect?

PHI is information, transmitted or maintained in any form or medium, that:
• Relates to the:
  - past, present or future physical or mental health or condition of an individual;
  - provision of health care to an individual; and/or
  - past, present or future payment for the provision of health care to an individual;
• Identifies the individual, or could reasonably be used to identify the individual, in any way, including by name, social security number, fingerprint, or full face photographic images; and
• Has been created or received by a Covered Entity such as Achieve Beyond

Page 7

Introduction – Overview of Rules

Privacy Rule: defines standards and requirements for the use and disclosure of PHI created, maintained, and/or transmitted by a Covered Entity in any form (e.g. paper, electronic, oral)

Security Rule: establishes standards for securing electronic PHI that is created, maintained, and/or transmitted by a Covered Entity

Breach Notification Rule: requires notification by Covered Entities to the government, affected individuals, and in certain cases, the media of certain breaches of unsecured PHI

Page 8

Privacy Rule - Overview

• What rights do individuals have regarding their PHI?
• When can we use and disclose PHI?

Page 9

Privacy Rule - What Rights Do Individuals Have Regarding PHI?

HIPAA gives individuals rights that increase their ability to control their PHI, including rights to:
• Receive a Notice of Privacy Practices;
• Request Privacy Protections regarding their PHI;
• Request Access to their PHI;
• Request Amendment(s) to their PHI; and
• Receive an Accounting of Disclosures of their PHI

Page 10

Privacy Rule - Right to Notice of Privacy Practices

A “Notice of Privacy Practices” (NPP) must be provided to all patients by Covered Entities including Achieve Beyond

Achieve Beyond has an NPP available on its website

The NPP provides important information to patients including:
• A summary of how PHI may be used and disclosed;
• A summary of individuals’ rights regarding their PHI;
• Instructions on filing complaints regarding potential violations of privacy rights; and
• Contact information for further privacy information or questions

Page 11

Privacy Rule - Right to Request Privacy Protection

Individuals may request certain additional privacy protections regarding their PHI
• Individuals may request additional restrictions on uses or disclosures of their PHI
• Individuals may request that Achieve Beyond restrict uses or disclosures of their PHI that it would otherwise be permitted to make, including those for treatment, payment, or health care operations

Covered Entities generally are not required to grant such requests; however, Achieve Beyond must agree to a requested restriction if the PHI is to be disclosed to a health plan, the purpose is to carry out payment or health care operations (not treatment), the disclosure is not otherwise required by law, and the PHI pertains solely to a health care item or service for which the individual, or someone on his or her behalf, has paid Achieve Beyond in full

Page 12

Privacy Rule - Right to Request Privacy Protection

Individuals may request certain additional privacy protections regarding their PHI
• Individuals may request to receive communications from Achieve Beyond by alternative means or at alternative locations (e.g., use of a cell phone as opposed to a home phone; sending documents to a work address instead of a home address)
• Providers, including Achieve Beyond, must accommodate reasonable requests

Page 13

Privacy Rule - Right to an Accounting of Disclosures of PHI

Individuals may request an accounting of disclosures of their PHI made in the six years prior to the date of the request, with certain exceptions including but not limited to:
• Disclosures to carry out treatment, payment, or health care operations;
• Disclosures to individuals of PHI about such individuals; and
• Certain disclosures for national security or intelligence purposes

Each accounting must be in writing and include:
• Date of disclosure;
• Name (and, if known, address) of the entity or person who received the PHI;
• Brief description of the PHI disclosed; and
• Brief statement of the purpose of the disclosure

Covered Entities must act on a request for an accounting within 60 days of receipt (one 30-day extension is permitted if the individual is told in writing why the extension is needed and when the accounting will be provided)

Page 14

Privacy Rule - Right to Access / Right to Amend PHI

With certain exceptions (e.g., psychotherapy notes), individuals have a right to access their PHI
• Individuals may request an electronic copy of their PHI and may request a particular form and format
• Achieve Beyond must act on such a request within 30 days of receipt (one 30-day extension is permitted if the individual is told in writing why)

Individuals may request an amendment to their PHI
• Achieve Beyond may deny such a request under certain circumstances (e.g., if the PHI is accurate and complete)
• Achieve Beyond must act on such a request within 60 days of receipt (one 30-day extension is permitted if the individual is told in writing why)

Page 15

Privacy Rule - When Can We Use and Disclose PHI?

Achieve Beyond may not use or disclose customers’ PHI for any purposes it chooses. We may only use or disclose PHI:
• For purposes of treatment, payment, or health care operations
  - Treatment: provision, coordination, or management of health care and related services by a provider, including consultations or referrals between providers related to a patient
  - Payment: activities undertaken by providers or plans to obtain or provide reimbursement for the provision of health care
  - Health care operations: activities undertaken by Achieve Beyond to perform business functions such as conducting quality assessment; reviewing the qualifications of health care professionals; business planning and development; and general administrative activities

Page 16

Privacy Rule - When Can We Use and Disclose PHI?

Achieve Beyond may not use or disclose customers’ PHI for any purposes it chooses. We may only use or disclose PHI:
• When required by law
• For purposes specifically authorized by the patient

Certain uses and disclosures require an opportunity for the individual to object:
• Uses or disclosures for facility directories
• Uses and disclosures to friends and family involved in an individual’s care

Certain uses and disclosures do not require an authorization or the opportunity for the individual to object (each is subject to its own conditions under the Privacy Rule):
• Uses and disclosures for law enforcement purposes
• Uses and disclosures to avert a serious threat to health or safety
• Disclosures for workers’ compensation

Page 17

Privacy Rule – Minimum Necessary Rule

When using and disclosing PHI, we must use or disclose only the minimum necessary information to accomplish the intended purpose. Certain exceptions exist, such as:
• Disclosures to, or requests by, a health care provider for purposes of treatment;
• Disclosures made to the individual about whom the PHI relates; and
• Uses or disclosures required by law

Page 18

Privacy Rule - Authorizations

Individuals (or their personal representatives, such as their parents) may authorize us to disclose their PHI to certain parties to whom we may not otherwise be permitted to disclose such information

Individuals must authorize:
• Which information may be disclosed;
• To whom; and
• For what purpose

Authorizations must be signed and current (not expired or revoked) to be effective

Achieve Beyond will have a standard form to be used for purposes of obtaining patient authorizations

Page 19

Privacy Rule – Business Associate Agreements

Achieve Beyond may utilize various service providers, such as lawyers, consultants, and IT vendors, to help us perform various functions that require access to PHI so long as these entities are our Business Associates and enter into Business Associate Agreements (“BAAs”) with us. Achieve Beyond uses BAAs to:
• Contractually obligate our Business Associates to comply with HIPAA;
• Ensure that our Business Associates notify us when needed (e.g., in the event of a Breach of PHI); and
• Govern practical matters, such as the return or destruction of PHI once our arrangement has terminated

Achieve Beyond will endeavor to use a standard BAA when possible to ensure compliance with law and consistency of obligations

Page 20

Security Rule - Overview

As a Covered Entity, the Security Rule requires Achieve Beyond to:
• Ensure the confidentiality, integrity and availability of electronic PHI (“ePHI”) that it creates, receives, maintains or transmits;
• Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI; and
• Protect against reasonably anticipated uses or disclosures of ePHI that are not permitted by the Privacy Rule

Page 21

Security Rule - Requirements

Achieve Beyond is required to implement three types of safeguards:
• Administrative safeguards;
• Physical safeguards; and
• Technical safeguards

Certain safeguards (such as assigning unique user names or numbers to members of the workforce accessing ePHI on the Achieve Beyond system) are considered “required” and dictated by HIPAA

Other safeguards (such as encrypting ePHI in transmission) are considered “addressable” and permit more flexibility in achieving the desired security goal. Addressable does not mean optional: Achieve Beyond must implement the safeguard if it is reasonable and appropriate in its environment, or else document why it is not and implement an equivalent alternative measure where one is reasonable and appropriate

Page 22

Security Rule – Administrative Safeguards

Achieve Beyond must adopt a variety of administrative safeguards to protect ePHI. Certain safeguards, such as performing security training, represent ongoing obligations and will need to be applied repeatedly. Administrative safeguards include but are not limited to:
• Performing a risk analysis to identify potential risks and vulnerabilities to ePHI held by Achieve Beyond;
• Adopting a risk management program;
• Adopting a sanction policy;
• Performing a review of information system activity;
• Ensuring proper access to ePHI by appropriate workforce members;
• Providing security training to the workforce;
• Adopting appropriate protections from malicious software; and
• Adopting a contingency plan in case of an emergency

Page 23

Security Rule – Physical Safeguards

Achieve Beyond must adopt a variety of physical safeguards to protect ePHI. Physical safeguards include but are not limited to:
• Adopting a facility security plan;
• Implementing processes to address disposal of ePHI;
• Implementing processes regarding the re-use of media that contained ePHI; and
• Adopting a data back-up system

Page 24

Security Rule – Technical Safeguards

Achieve Beyond must adopt a variety of technical safeguards to protect ePHI. Technical safeguards include but are not limited to:
• Adopting user identifiers for members of the workforce who may access ePHI;
• Adopting an automatic logoff procedure;
• Adopting a process, such as encryption, to ensure access control over data at rest; and
• Adopting a process, such as encryption, to ensure the transmission security of ePHI
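As an added example (editor's illustration, not code from this training deck or from Achieve Beyond), the following Python shows what three of the technical safeguards listed above look like as working logic: unique user identification (no session without a registered individual ID), automatic logoff after an idle period, and an audit trail that an information system activity review can read. The class and function names, the 15-minute idle limit, the user ID `jdoe` and the record `MRN-0001` are assumptions made for illustration; the Security Rule fixes no particular idle time, and the sample record is constructed, not real ePHI.

```python
# Added example, not Achieve Beyond's or Cooley's code. Demonstrates three
# Security Rule technical safeguards as running logic:
#   - unique user identification (one registered ID per workforce member),
#   - automatic logoff after an idle period,
#   - an append-only audit trail for information system activity review.
# The idle limit, user IDs and the sample record are assumptions.
from dataclasses import dataclass
import secrets
import time

IDLE_LIMIT_SECONDS = 15 * 60  # assumed policy value; the Rule sets no number


@dataclass
class Session:
    token: str
    user_id: str
    last_activity: float
    active: bool = True


class EphiSessionManager:
    """Tracks who is logged in, ends idle sessions, and records every access."""

    def __init__(self, idle_limit=IDLE_LIMIT_SECONDS, clock=time.monotonic):
        self.idle_limit = idle_limit
        self.clock = clock          # injectable so the timeout can be tested
        self.users = {}             # user_id -> display name
        self.sessions = {}          # token -> Session
        self.audit_log = []         # append-only list of event dicts

    def _audit(self, user_id, event, detail=""):
        self.audit_log.append(
            {"ts": self.clock(), "user": user_id, "event": event, "detail": detail}
        )

    def register_user(self, user_id, display_name):
        # Unique user identification: one ID per person, never reassigned.
        if user_id in self.users:
            raise ValueError(f"user id {user_id!r} already assigned")
        self.users[user_id] = display_name

    def login(self, user_id):
        # Shared or unregistered accounts cannot obtain a session.
        if user_id not in self.users:
            self._audit(user_id, "LOGIN_DENIED", "unknown user id")
            return None
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[token] = Session(token, user_id, self.clock())
        self._audit(user_id, "LOGIN")
        return token

    def logout(self, token):
        session = self.sessions.get(token)
        if session is not None and session.active:
            session.active = False
            self._audit(session.user_id, "LOGOUT")

    def _live_session(self, token):
        """Return the session if still valid; otherwise auto-logoff and return None."""
        session = self.sessions.get(token)
        if session is None or not session.active:
            return None
        idle = self.clock() - session.last_activity
        if idle > self.idle_limit:
            session.active = False
            self._audit(session.user_id, "AUTO_LOGOFF", f"idle {idle:.0f}s")
            return None
        session.last_activity = self.clock()
        return session

    def read_record(self, token, record_id, records):
        """Return the ePHI record only for a live session, logging the outcome."""
        session = self._live_session(token)
        if session is None:
            self._audit("-", "READ_DENIED", record_id)
            return None
        self._audit(session.user_id, "READ", record_id)
        return records.get(record_id)

    def events(self, event):
        return [e for e in self.audit_log if e["event"] == event]


class FakeClock:
    """Constructed clock so the idle timeout can be shown without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    # Constructed sample data: one registered clinician and one ePHI record.
    records = {"MRN-0001": {"name": "Sample Patient", "dx": "sample diagnosis"}}
    clock = FakeClock()
    mgr = EphiSessionManager(clock=clock)
    mgr.register_user("jdoe", "J. Doe, SLP")
    token = mgr.login("jdoe")
    first = mgr.read_record(token, "MRN-0001", records)   # allowed
    clock.advance(IDLE_LIMIT_SECONDS + 1)                  # exceed the idle limit
    second = mgr.read_record(token, "MRN-0001", records)  # auto-logoff, denied
    return mgr, first, second
```

Injecting the clock lets the timeout be exercised deterministically; in production the same check would run on every request with `time.monotonic`, and the audit entries would be written to tamper-evident storage rather than an in-memory list so that the activity review required by the administrative safeguards has something trustworthy to read.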

Page 25

Security Rule – What are my responsibilities?

• Respect all Achieve Beyond policies regarding access/security
• Never share your computer password
• Ensure that you sign off of applications containing ePHI after use
• Secure portable electronic devices, such as USB thumb-drives or laptops, that contain ePHI
• Avoid using individuals’ names, medical record numbers or account numbers in transmission where possible
• Promptly report any loss or theft of electronic devices that contain ePHI
• Promptly inform the Privacy Officer of any suspected improper uses of ePHI

Page 26

Breach Notification – What is a Breach of PHI?

Breach is defined as:
• Acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule
• That compromises the privacy or security of the PHI

“Unsecured” PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance; in practice that means PHI that is neither encrypted consistent with that guidance nor destroyed. Encrypting ePHI in that way, with the key kept apart from the data, is what makes a lost laptop a security incident to investigate rather than a reportable Breach

Improper uses or disclosures of PHI are presumed to be Breaches unless Achieve Beyond demonstrates a low probability that the PHI has been compromised based on an assessment of factors including:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized party who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated

Page 27

Breach Notification – Reporting a Potential Breach

If you suspect that a Breach may have occurred, notify your supervisor and/or the Privacy Officer immediately

Prompt notification is vital because:
• Early risk mitigation tactics are key;
• Prompt investigation is important; and
• Significant action is required in a short period of time

Page 28

Breach Notification – Notice Specifications

Prompt notification is vital because, in the event of a Breach, Achieve Beyond must notify the following external parties:

Affected Individuals
• Each individual whose unsecured PHI is reasonably believed to have been improperly accessed, acquired, used, or disclosed
• Notification must be provided without unreasonable delay, and in no case later than 60 days after discovery of the Breach

Office for Civil Rights (“OCR”) within the U.S. Department of Health and Human Services (“HHS”)
• For a Breach involving 500 or more people, Achieve Beyond must notify HHS within 60 days of discovery of the Breach
• For a Breach involving fewer than 500 people, Achieve Beyond must log the Breach and notify HHS within 60 days after the end of the calendar year in which it was discovered

Media
• For a Breach affecting more than 500 residents of a state or jurisdiction, Achieve Beyond must notify prominent media outlets serving that area
• Notification must be provided within 60 days of discovery of the Breach

Depending on the type of information involved, Achieve Beyond may also be required to notify applicable states pursuant to state law

A Breach is “discovered” on the first day it is known to Achieve Beyond, or would have been known by exercising reasonable diligence; knowledge of any workforce member (other than the person who committed the Breach) counts as knowledge of Achieve Beyond, so the 60-day clock can start before the Privacy Officer hears of the incident

Page 29

Penalties – Who Enforces HIPAA?

The HIPAA Privacy and Security Rules are enforced by OCR within HHS; criminal violations are referred to the U.S. Department of Justice

The HITECH Act empowered state Attorneys General to enforce HIPAA as well, in an effort to increase HIPAA enforcement
• State Attorneys General may now bring civil actions on behalf of state residents for violations of HIPAA
• They may obtain damages on behalf of state residents or an injunction against further HIPAA violations

Page 30

Penalties - How Do Penalties for Non-Compliance Result?

Penalties for non-compliance with HIPAA can result in many ways, including but not limited to:
• An individual’s complaint to OCR regarding a potential HIPAA violation;
• A Covered Entity’s required report to OCR regarding a Breach;
• Media coverage of a potential HIPAA violation; and
• An HHS audit that uncovers non-compliance

Page 31

Penalties – Types of Penalties

HIPAA carries both civil and criminal penalties

HITECH significantly increased penalties for non-compliance with HIPAA

Scalable penalties are based on the nature and circumstances of the violation, including knowledge, willfulness, and number of affected individuals

Curing/correcting a violation promptly may reduce potential penalties substantially

Page 32

Penalties - Civil Penalties

Civil money penalties (mandatory in cases of willful neglect) range from $100 to $50,000 or more per violation, in tiers that rise with the level of culpability, from a violation the entity did not know of and could not reasonably have known of, up to willful neglect that is not corrected; the dollar amounts are adjusted annually for inflation

Overall limit of $1.5 million for identical violations of the same provision during a calendar year (note that one Breach may involve violations of several different provisions, each with its own annual cap)

Factors considered by OCR in determining the amount of a civil money penalty include:
• The nature of the violation and the number of individuals affected;
• The time period during which the violation occurred;
• Whether the violation caused harm;
• Whether the entity has a history of non-compliance with HIPAA;
• The financial condition of the entity; and
• Such other matters as justice may require

Page 33

Penalties - Criminal Penalties

Members of the Achieve Beyond workforce who knowingly obtain or disclose PHI in violation of HIPAA can be fined up to $50,000 and imprisoned for up to one year; the maximum fine and sentence rise with the level of intent behind the disclosure
• Offenses committed under false pretenses carry fines of up to $100,000 and imprisonment for up to 5 years
• Offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm carry fines of up to $250,000 and imprisonment for up to 10 years

Page 34

Questions?

Please direct questions following this training presentation to:

Joe Matuza, Compliance and Privacy Officer
[email protected]

718-762-7633 ext 190
