HIPAA Compliance and Electronic Records


Welcome

HIPAA Compliance and Electronic Records

Introduction

Dennis M. Walsh, President
Patriot Networks, Inc.

[email protected]

www.patriotnetworks.com/hipaa

Sources: 4MedApproved web site; HHS.gov web site

Course Overview

HIPAA Overview
What is the HIPAA Privacy Rule
What is the HIPAA Security Rule
HIPAA Regulations for Business Associates
The HITECH Act and the HIPAA Omnibus Final Rule of 2013
HIPAA Office for Civil Rights Audits and Enforcements
HIPAA Penalties and Data Breaches

Course Overview (cont'd)

HIPAA Training, Policies and Procedures, and Awareness
Compliance with other Laws and Regulations
Technology Topics
  Email Encryption
  Windows XP End of Life
  Offsite Backup
  File sharing solutions, e.g. Dropbox
Miscellaneous topics
End of Course Summary

HIPAA Overview

HIPAA, a.k.a. the Health Insurance Portability and Accountability Act, was passed by Congress in 1996.
HIPAA required insurance companies to accept most new customers with pre-existing conditions, creating portability of health insurance.
The three major goals of HIPAA are:
  Lowering healthcare administration costs
  Providing individuals with some control over their health information
  Setting standards for providers sharing health information

HIPAA Overview (cont'd)

HIPAA is supposed to be written so that it covers everything from the single-provider practice through billion-dollar corporations.
It is fairly specific on requirements, but vague on the implementation of technologies, due to constant changes in technology.
The U.S. Department of Health and Human Services (HHS) administers HIPAA.
The Office for Civil Rights (OCR), an agency of HHS, is responsible for enforcement, policy development, and technical assistance.

HIPAA Overview (cont'd)

From the Office for Civil Rights web site, part of their mission statement reads: "Annually resolving more than 10,000 citizen complaints alleging discrimination or a violation of HIPAA."

HIPAA Overview (cont'd)

Covered Entities include:
  Health Plans
  Health care Clearinghouses
  Health care Providers
Business Associates are businesses that provide services to a Covered Entity and that may encounter PHI.

HIPAA Overview (cont'd)

Protected Health Information (PHI): all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

Privacy Rule
  Governs the use and disclosure of PHI
  Information should be shared on a minimum necessary basis

HIPAA Overview (cont'd)

Security Rule
  Governs the Confidentiality, Integrity, and Availability of electronic health information
  Requirements covered include: Administrative, Technical, Physical

HITECH Act
  Included significant changes to HIPAA in 2009
  Increased civil penalties
  Provided funding for incentives for the adoption of Electronic Health Record systems for doctors

HIPAA Overview (cont'd)

Enforcement of HIPAA and Penalties
  The loss of PHI or improper release of PHI by Business Associates and Covered Entities must, by law, be reported
  Civil penalties of up to $1.5 million
  Failure to cooperate with the investigation can result in additional fines
  Criminal penalties include fines and imprisonment of up to 10 years
  The intentional use of health information for commercial or personal gain, or to cause harm, is cause for criminal penalty

What is the HIPAA Privacy Rule

Protects health information in all forms:
  Electronic
  Verbal
  Written
Applies to all Covered Entities and Business Associates
Information Disclosure:
  PHI may be shared between providers without requiring a patient's written authorization when the information is being used as part of healthcare operations, payment, or treatment of that patient

What is the HIPAA Privacy Rule

Information shared on a Minimum Necessary basis:
  This is the baseline and guideline for the sharing of all PHI
  Policies and Procedures can vary greatly based on the size of the organization:
    In a small office, the front desk person may need access to everything because they wear many hats and have responsibility for most activities
    In a large office, you may limit the access of the front desk person based on their responsibilities
Notice of Privacy Practices
  Covered Entities are required to provide patients with a Notice of Privacy Practices (NPP)
  The NPP describes the use of patients' records in the practice
  Describes the responsibility to protect the information, including confidentiality

What is the HIPAA Privacy Rule

Notice of Privacy Practices (cont'd)
  The patient's rights to withhold or release information
  Discloses who the HIPAA Security officer for the practice is
  How to file a complaint

The deadline for revisions to NPPs was September 23, 2013, enacted as part of the HIPAA Omnibus Final Rule.

What is the HIPAA Privacy Rule

Information shared on a Minimum Necessary basis
Minimum Necessary examples:
  HHS compliance or enforcement due to audit or investigation
  Patient explicitly authorizes the disclosure
  Giving the information directly to the patient
  Access by a healthcare provider for treatment
  Release required by legal means, including disclosure to law enforcement

What is the HIPAA Security Rule

From the HHS web site:

"The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information."

What is the HIPAA Security Rule

Three Safeguards of the Security Rule:
  Administrative
  Physical
  Technical
Under the safeguards, there are specifications that are Required and ones that are Addressable.

What is the HIPAA Security Rule

From the HHS publication "HIPAA Administrative Simplification":

Administrative Safeguards:
  Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations.
  Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures ...
  Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information ...
  Information Access Management: Implement policies and procedures for authorizing access to electronic protected health information ...

What is the HIPAA Security Rule

Administrative Safeguards (cont'd):
  Security Awareness and Training: Implement a security awareness and training program for all members of its workforce ...
  Security Incident Procedures: Implement policies and procedures to address security incidents.
  Contingency Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
  Evaluation: Perform a periodic technical and nontechnical evaluation ... that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

What is the HIPAA Security Rule

Physical Safeguards:
  Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
  Workstation Use: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

What is the HIPAA Security Rule

Physical Safeguards (cont'd):
  Workstation Security: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
  Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. Includes policies for disposal of media, media re-use, and data backup.

What is the HIPAA Security Rule

Technical Safeguards:
  Access Control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (your Administrative Safeguards).
  Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

What is the HIPAA Security Rule

Technical Safeguards (cont'd):
  Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  Transmission Security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. Also includes Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
HIPAA Regulations for Business Associates

What is a Business Associate?
  A person or business that performs a function or activity on behalf of, or provides services to, a Covered Entity that involves Individually Identifiable Health Information
  Is not a workforce member
  A Covered Entity can be a Business Associate

HIPAA Regulations for Business Associates

Examples of Business Associates:
  A third party administrator that assists a health plan with claims processing.
  A CPA firm whose accounting services to a health care provider involve access to protected health information.
  An attorney whose legal services to a health plan involve access to protected health information.
  A consultant that performs utilization reviews for a hospital.
  A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
  An independent medical transcriptionist that provides transcription services to a physician.
  A pharmacy benefits manager that manages a health plan's pharmacist network.

HIPAA Regulations for Business Associates

Business Associate Contracts:
A covered entity's contract or other written arrangement with its business associate must contain the elements specified at (the HIPAA standard for contracts on the HHS web site).

For example, the contract must:
  Describe the permitted and required uses of protected health information by the business associate
  Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law
  Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract

Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement.

The HITECH Act & The HIPAA Omnibus Final Rule of 2013

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was part of the American Recovery and Reinvestment Act, also known as the Stimulus Package. Changes it made to HIPAA include:
  Increased civil penalties from $100 per violation to $25,000 per violation
  Strengthened breach notification requirements
  Exempted breach notifications for encrypted data
  Required Business Associates to comply with HIPAA to the same extent as Covered Entities, giving the federal government direct authority over Business Associates
  Extended civil enforcement to include the Attorney General of each state

The HITECH Act & The HIPAA Omnibus Final Rule of 2013

What is a Breach?
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following factors:
  The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  The unauthorized person who used the protected health information or to whom the disclosure was made;
  Whether the protected health information was actually acquired or viewed;
  The extent to which the risk to the protected health information has been mitigated.

The HITECH Act & The HIPAA Omnibus Final Rule of 2013

Exceptions to the definition of a breach:
  The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.
  The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

The HITECH Act & The HIPAA Omnibus Final Rule of 2013

Is encrypted data excluded from the breach regulations?
Electronic PHI is excluded when it has been encrypted as specified in the HIPAA Security Rule, by the use of "an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" (45 CFR 164.304 definition of encryption), and the confidential process or key that might enable decryption has not been breached.

Encrypted data is excluded from the breach regulations.

The HITECH Act & The HIPAA Omnibus Final Rule of 2013

The HITECH Act extended civil enforcement to the state Attorneys General. As a result, HIPAA violations may be subject to both federal and state penalties.

HIPAA Office for Civil Rights Audits and Enforcements

The HITECH Act of 2009 included funding for audits and enforcement, and it also extended authority to enforce civil violations to the state attorneys general. As a result, the regulatory environment for healthcare providers has changed significantly with regard to HIPAA compliance. The federal government classifies health information privacy as a fundamental civil right, akin to other rights protected by the Constitution. The HHS Office for Civil Rights (OCR), with an annual budget of approximately $39 million, is the primary enforcer of HIPAA compliance.

HIPAA Office for Civil Rights Audits and Enforcements

Increased enforcement is partially due to the requirement that all breaches of more than 500 patient records be reported to the Office for Civil Rights within 60 days.

The HITECH Act requires that periodic audits take place. A pilot program run from November 2010 through December 2012 performed 115 audits.

Reports of HIPAA violations typically come from breach reports, patient complaints, and whistleblower complaints.

HIPAA Penalties and Data Breaches

HIPAA Training, Policies and Procedures, and Awareness

Policies are rules.
Procedures are the steps needed to implement the rules.
The policies should be general, so that changes in products or technologies do not require a change in policy.
The procedures should be specific and detail how the policy will be met or enforced.
Example: the policy is that all email with PHI will be encrypted. The procedure details the solution used to encrypt the emails and the steps necessary to encrypt an email.

HIPAA Training, Policies and Procedures, and Awareness

HIPAA does not state how to write the policies.
Procedures should be detailed and reference the HIPAA requirement. They can include specific steps to complete a task or written details on the configuration of an item, such as a firewall, antivirus software, etc.
Implement an Awareness program to remind your staff of HIPAA rules and regulations and your office policies and procedures.
All current staff and future new hires should be properly trained on HIPAA. An annual training session is a good policy.

Compliance with other Laws and Regulations

Massachusetts Privacy Law 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH
  Went into effect March 1, 2010
  Was specific as to protecting personal information
  Included email encryption, encrypting laptops, and requiring firewalls

Email Encryption

Required under HIPAA
Not just about protecting the information during sending, but also about ensuring it reaches the correct recipient
Multi-step process for the recipient to access attachments in the encrypted email

Email Encryption - Example

Create a new email, include the word "Securemail" in the Subject line, attach the file, and send the email. The recipient will receive this email:

Email Encryption

Ways to encrypt an email (your mileage may vary):
  Use a keyword or phrase in the subject line
  Use a lexicon or preselect policy, e.g. the message contains a Social Security number or other key types of information
  Mark the message Confidential in Outlook
  A button on the Outlook toolbar that is clicked to encrypt the email
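The four triggers above are the rules an outbound mail gateway evaluates before deciding whether a message leaves in the clear. The following Python example is added here to make that decision concrete; it is not code from the presentation or from any encryption product it mentions. It assumes that Outlook's Confidential marking arrives as a "Sensitivity: Company-Confidential" header and that the toolbar button sets a hypothetical "X-Encrypt: yes" header; the "Securemail" keyword, the lexicon patterns and the sample messages are constructed for the example.

```python
import re
from email import policy
from email.parser import Parser

# Policy knobs. These values are constructed for the example; a real mail
# gateway reads them from its own configuration.
SUBJECT_KEYWORDS = ("securemail",)  # the "Securemail" subject keyword from the slide
# Assumption: Outlook's "Confidential" marking is carried as a
# "Sensitivity: Company-Confidential" header on the outbound message.
CONFIDENTIAL_SENSITIVITY = "company-confidential"
# Assumption: the toolbar "encrypt" button sets this hypothetical header.
BUTTON_HEADER = "X-Encrypt"
# Lexicon / preselect policy: content patterns that force encryption.
# Constructed for the example, not a vendor's list.
LEXICON = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnosis|diagnosed with)\b", re.IGNORECASE),
}


def _text_bodies(msg):
    """Yield every decoded text/* part (plain or HTML) of a parsed message."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def encryption_decision(raw_message):
    """Decide whether an outbound message must go through the encryption
    service. Returns (must_encrypt, reasons); reasons lists every trigger
    that fired so the decision can be logged and audited."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    reasons = []

    # 1. Keyword or phrase in the subject line.
    subject = (msg["Subject"] or "").lower()
    for keyword in SUBJECT_KEYWORDS:
        if keyword in subject:
            reasons.append(f"subject keyword '{keyword}'")

    # 2. Message marked Confidential in Outlook (see assumption above).
    sensitivity = (msg["Sensitivity"] or "").strip().lower()
    if sensitivity == CONFIDENTIAL_SENSITIVITY:
        reasons.append("marked Confidential in Outlook")

    # 3. Explicit encrypt button (hypothetical header).
    if (msg[BUTTON_HEADER] or "").strip().lower() == "yes":
        reasons.append("encrypt button header")

    # 4. Lexicon / preselect policy: scan every text body for sensitive patterns.
    hits = set()
    for body in _text_bodies(msg):
        for name, pattern in LEXICON.items():
            if pattern.search(body):
                hits.add(name)
    reasons.extend(f"lexicon match: {name}" for name in sorted(hits))

    return bool(reasons), reasons


# Constructed sample messages (RFC 822 text); not real traffic.
SAMPLE_KEYWORD = """From: [email protected]
To: [email protected]
Subject: Securemail: your lab results
Content-Type: text/plain

Please see the attached results.
"""

SAMPLE_LEXICON = """From: [email protected]
To: [email protected]
Subject: Follow-up
Content-Type: text/plain

Patient SSN 123-45-6789 needs a follow-up appointment.
"""

SAMPLE_CONFIDENTIAL = """From: [email protected]
To: [email protected]
Subject: Referral
Sensitivity: Company-Confidential
Content-Type: text/plain

Referral paperwork attached.
"""

SAMPLE_PLAIN = """From: [email protected]
To: [email protected]
Subject: Lunch on Friday?
Content-Type: text/plain

Pizza at noon?
"""

if __name__ == "__main__":
    for label, sample in [("keyword", SAMPLE_KEYWORD), ("lexicon", SAMPLE_LEXICON),
                          ("confidential", SAMPLE_CONFIDENTIAL), ("plain", SAMPLE_PLAIN)]:
        must_encrypt, why = encryption_decision(sample)
        print(f"{label:12s} encrypt={must_encrypt} reasons={why}")
```

The lexicon rule is the one that does not depend on the sender remembering to do anything, which is why it is worth keeping even when a subject keyword is also in use; the returned reasons list is what you would write to the gateway's log so that an auditor can later see why a given message was (or was not) encrypted.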

Email Encryption

The recipient clicks on the link to Open Message, which opens a web page:

Email Encryption

The recipient logs in and gets a list of the encrypted emails in their account. Double-click on an email to open it:

Email Encryption

The recipient can download the attachment or forward the email, which will be encrypted in this case, but that depends on the solution you use.

Email Encryption Headaches

Patients not being able to access the email, and time wasted trying to walk the patient through the process
The patient gets frustrated and says they want you to just send it unencrypted
Given the number of options and programs that offices can use for encryption, offices will have multiple accounts to use, one for each service
A major headache for specialist offices
Multi-step process for the recipient to access attachments in the encrypted email

Windows XP

Support ends April 8, 2014 for Windows XP and Office 2003
No more security updates and patches
The computer will still function, but will be out of HIPAA compliance
No direct upgrade path to Windows 7 or Windows 8

Online Backup Questions

Is the solution HIPAA compliant?
If there is a local copy, is that encrypted?
At any point is the backup not encrypted?
Where are the physical locations of the servers that store the data?
Can their employees access the data files?

Data Sharing Solutions Questions

Same questions as Online Backup:
Is the solution HIPAA compliant?
If there is a local copy, is that encrypted?
At any point is the file not encrypted?
Where are the physical locations of the servers that store the data?
Can their employees access the data files?

Miscellaneous Topics

Should I blank my computer screen after a few minutes of inactivity?
Should I lock my computer when I leave the room?
What security is available with my Practice Management software?
Can I print out a schedule that shows patient names and treatments and leave it on my counter?
Windows user accounts and passwords
Practice Management Software user accounts & passwords

Miscellaneous Topics

PITA patients
PITA staff member
Hard drive disposal
Laptop locks
Other topics

End of Course Summary

Dennis M. Walsh, President
Patriot Networks, Inc.
[email protected]
www.patriotnetworks.com/hipaa

Eat, drink, and be merry, for tomorrow we comply!

Sources: 4MedApproved web site; HHS.gov web site