HIPAA Privacy and Security Update

ACS Sponsored Practice Management Teleconference Series … March 22, 2006

Annual Review of HIPAA Privacy & Security Rules

The dramatic additions to the Health Insurance Portability and Accountability Act (HIPAA), first passed into law in 1996, with the advent of the HIPAA Privacy Rules and, two years later, the HIPAA Security Rules, provide a new layer of regulations that all medical practices need to deal with on a day-to-day basis. The HIPAA Privacy Rules require the adoption of specific practice policies to address patient privacy issues, while the Security Rules require a broad approach to assessing risk and specific techniques for handling “electronic” data. In addition, both the Privacy and Security Rules require annual and ongoing training efforts for all physicians and staff. This course is an ideal way to satisfy all the requirements for the annual HIPAA Privacy and HIPAA Security training for all physicians, surgeons and staff.

This Practice Management Teleconference is just $99 for ACS Fellows & their Practices:

♦ A 90-minute live teleconference including a formal presentation and time for Q&A

♦ The course is given once as a live teleconference, on Wednesday March 22, 2006 (convenient for your staff) and then via streaming Internet technologies shortly thereafter. Your $99 registration fee covers either one or both presentations and handout materials.

♦ The ability for ACS Fellows and practice managers to e-mail follow-up questions to Economedix Practice Management Advisors for personalized responses

Course Objectives - Completion of this Practice Management Course will provide:

1. A broad understanding of regulations behind both the HIPAA Privacy and Security Rules
2. A review of HIPAA Privacy processes, techniques and best practices
3. Methods to define and measure “Risk Assessment” to review current security requirements
4. A review of both HIPAA Privacy & Security Policies and Procedures that will be needed for medical practices
5. An understanding of employee training requirements needed to fully implement these HIPAA Rules

Accreditation - The American College of Surgeons is accredited by the Accreditation Council for Continuing Medical Education (ACCME) to provide continuing medical education to physicians.

CME Credit - The American College of Surgeons designates this educational activity for a maximum of 1.5 category 1 credits toward the AMA Physician's Recognition Award. Each physician should claim only those credits that he/she actually spent in the educational activity. To earn the CME credit, participants must complete the combination Evaluation / CME Form that is included in the course materials, and FAX this form back within seven days following the date of the teleconference.

Faculty - The faculty for the course is Mr. Tom Loughrey, MBA, CCS-P. Mr. Loughrey is CEO of Economedix and a noted practice management consultant to physicians, medical offices and medical societies. For over a decade, Mr. Loughrey has provided consulting services to the College as a part of the Consultant’s Corner at the annual ACS Clinical Congress and regularly is engaged by ACS to speak and teach at meetings and workshops throughout the country.

Registration & Information - This completed form can be Faxed Toll Free to 877-813-9784; or mailed to Economedix - 297 Valley Road # 200 - Wexford, PA 15090; For complete details and secure On-Line Registration simply go to: http://YourMedPractice.com/ACS

Thank you for your interest in this HIPAA Program!

Sponsored by the American College of Surgeons

Practice: _____________________________________________________________

Address: ______________________________________________________________ Phone: _________________

City: ______________________________________________________ State: _____ Zip: ____________________

Contact: ___________________________________________ E-Mail: _____________________________________

[ X ] Yes, we want to participate in the Annual Review of HIPAA Privacy & Security Rules … and will attend [ ] Wednesday March 22, 2006 @ 3 PM Eastern, [ ] Web-based On-Demand … or [ ] Both Presentations.

Form of Payment: [ ] Check Payable to Economedix, LLC & mailed to: 297 Valley Rd # 200 - Wexford, PA 15090 or [ ] Credit / Debit Card (MC, Visa, Discover or American Express)

Card Number (15 or 16 digits): ________________________________________ Expiration Date: ____ / _________

3 Digit CVV Code* : ______ Name on Card: _________________________________________________________

Card Billing Address: ____________________________________________________________________________

Card Billing City, ST Zip: _____________________________________________ * Please use 4 Digit Code on front of AMX Card


American College of Surgeons Annual Review of HIPAA Privacy & Security Rules - Date: March 22, 2006

EVALUATION / CME FORM

NAME: _________________________________________________ Telephone #: ______________________

ACS Fellow #: _______________________ E-mail Address: ______________________________________

Please circle one number for each statement (5 = Strongly Agree, 4 = Agree, 3 = Neutral, 2 = Disagree, 1 = Strongly Disagree):

1. Program topics and content were consistent with printed objectives   5  4  3  2  1

2. Program topics and content were relevant to my educational needs   5  4  3  2  1

3. Presenters were informative and added knowledge to the session   5  4  3  2  1

4. Discussion time was adequate and enhanced understanding of subject   5  4  3  2  1

5. Acquired knowledge will be applied in my practice environment   5  4  3  2  1

6. Supplemental written materials helped clarify course content   5  4  3  2  1

7. I will seek additional information on this subject   5  4  3  2  1

For the following two statements (5 = Very Good, 4 = Good, 3 = Fair, 2 = Poor, 1 = Very Poor):

8. The quality of the audio presentation was   5  4  3  2  1

9. Overall this Practice Management Course was   5  4  3  2  1

General Comments for this Course:

Surgical Specialty:
[ ] Colon & Rectal Surgery
[ ] General Surgery (includes Oncology and Trauma)
[ ] Neurological Surgery
[ ] Obstetrics/Gynecological Surgery
[ ] Ophthalmic Surgery
[ ] Orthopaedic Surgery
[ ] Otorhinolaryngology
[ ] Pediatric Surgery
[ ] Plastic Surgery
[ ] Thoracic Surgery
[ ] Urological Surgery
[ ] Vascular Surgery
[ ] Other - Please Specify Below:

Years out of Residency Training:
[ ] 1-5
[ ] 6-10
[ ] 11-20
[ ] 21-30
[ ] Over 30

Primary Type of Practice:
[ ] Private Practice
[ ] PPO/HMO
[ ] Group Practice
[ ] Academic Institution
[ ] Hospital
[ ] Military
[ ] Other - Please Specify Below:

Please FAX this Evaluation / CME Form Toll Free to: 877-813-9784 within 7 days following this Teleconference to receive CME recognition from the American College of Surgeons. Thank You !


Sign In Sheet

Educational Activity: Annual Review of HIPAA Privacy & Security Rules
Dates: Wednesday, March 22, 2006 @ 3:00 PM Eastern
Faculty: R. Thomas (Tom) Loughrey, MBA, CCS-P of Economedix, LLC
Sponsor: The American College of Surgeons

1. ___________________________________________________________________
2. ___________________________________________________________________
3. ___________________________________________________________________
4. ___________________________________________________________________
5. ___________________________________________________________________
6. ___________________________________________________________________
7. ___________________________________________________________________
8. ___________________________________________________________________
9. ___________________________________________________________________
10. ___________________________________________________________________
11. ___________________________________________________________________
12. ___________________________________________________________________


© Economedix, LLC 2000 – 2006 All Rights Reserved


Presented by …

Your Partner In Building High Performance Practices


Annual Review of the HIPAA Privacy & Security Rules


R. Thomas (Tom) Loughrey, MBA, CCS-P

• Chairman, CEO & Co-Founder of Economedix
• Certified Coding Specialist
• BS Degree from Pennsylvania State University
• Earned an MBA in Health & Hospital Administration from the University of Florida
• Former Hospital Administrator
• Former Owner of a Medical Billing Company
• Consultant to Physician Practices & Medical Societies
• Member of Various Professional Organizations Dealing with Medical Practice Management
• Developed and Presented Thousands of Seminars & Workshops Dealing with Practice Management


• Background of HIPAA
• Overview and Scope of Coverage Under HIPAA
• PHI: Its Use and Disclosure
• General Rules
• Patient Rights
• Practical Examples
• Purpose of Security
• Security Requirements
• Management and Implementation
• Policies and Procedures


Overview of Privacy Rules

• Health Insurance Portability & Accountability Act (HIPAA)
• Sets standards for privacy of individually identifiable health information
• Allows information to be used and shared for the purposes of treatment, payment and health care operations (TPO)
• Requires notification or authorization for use and disclosure
• Creates processes to let patients know how information is to be used, ensures patients have access to their information and an ability to correct inaccuracies.
• Requires health plans and providers to maintain administrative and physical safeguards on information


• Covers all providers of any size from University Medical Centers to solo physicians
• Health Plans
• Health care clearing houses
• Business agents of the above who have legitimate need to have information (consultants, employees, billing agencies)

Your practice is covered! And you have to help make it work!


• All information relating to the diagnosis and treatment of a patient that is individually identifiable
• Originally, this was only to apply to electronic data. In the final rule it has been applied to all information
• Computerized information that is never transmitted is not covered. A paper fax is not covered but an electronically received fax is covered.
• HIPAA protects the information itself for privacy, it does not make patients anonymous!

General Rules

• Providers and others are prohibited from using or disclosing PHI except when authorized by the patient or for treatment, payment or health care operations (TPO)
• TPO
  – This is the normal, everyday business of conducting the office and seeing patients, referring them for tests and other care and getting paid for the work you do.
  – It means staff can look at the chart, you can send needed information to other providers and you can provide a payer with information on the services and Dx


• Every patient must be notified of their privacy rights, the practice’s privacy policies and how PHI will be used. Patients must acknowledge this notification in writing.
  – This means the practice must have privacy policies that describe the patient’s rights
  – Patients must have an opportunity to see your policies and they must acknowledge in writing they have received this notification


• The amount of information to be used or disclosed should be the minimum that accomplishes the purpose.
  – Minimum Necessary Standard – you must make reasonable efforts to limit the PHI to the minimum necessary to meet the purpose or request.
• Disclosures to or requests from other providers for treatment are an exception to this rule.
• Disclosures to or requests from the person for their own PHI are an exception to the rule
• Practices must identify the staff who need access to the PHI


• Business associates may have access to protected information under a contract with the provider. The agent then has the same responsibilities as the provider
  – If you have a billing service that needs to see PHI as part of their billing they are an agent
  – If you engage a consultant to review charts or engage in other practice work such as audits or QI/QA, they are an associate and are covered under the rules.
• Collection agencies are business associates


• Uses and disclosures are permitted – not required except by law.
• Only two disclosures are required:
  – Disclosure to the patient on request
  – Disclosures required by law (subpoenas, federal payments, etc)
• Information will be protected for two years following the death of the patient


• Does the information identify the patient or can it be used to identify the patient?
• Does the information relate to the past, present or future health, treatment or payment for provision of services?
• Was the information created by a health care provider, health plan, employer, life insurer, public health agency, school, health care clearinghouse?


• When the disclosure is to the patient
• For treatment, payment or health care operations involving the patient
• Incident to a use that is permitted
• When the practice receives a valid authorization
• When the practice has obtained the patient’s oral agreement
• When the law specifically does not require authorization


• Quality Assurance Activities
• Public health & emergencies affecting life or safety
• Research
• Judicial hearings
• Law enforcement
• Information to next-of-kin
• Identification of a body or cause of death
• Government Health Data Systems
• Facilities Data Systems
• Financial entities for processing claims
• Where mandated by law

Patient Rights

• The right to receive written notice of the information practices of providers and health plans
• The notice must describe the types of uses and disclosures the provider would make with the information
• The right to access protected information
• The right to request amendment of records
• The right to receive an accounting of when protected information has been disclosed


• Authorization and consents
  – After the fact authorizations and consents in emergencies
    • Not possible or practical for the physician to be carrying consents and authorizations
    • Forward the information and the forms for consent and/or authorization as soon as practical after the initial encounter
    • Tip: Have proof of mailing for after-the-fact notifications


• Uses and Disclosures Involving Family and Friends
  – Does not require an authorization but is not required unless directly requested by patient
  – May also use PHI to notify a family member or responsible person of the patient’s location or condition
    • Patient must be able to provide consent or an opportunity to object (and there is no objection) or reasonably infer the patient has no objection such as by being accompanied by a friend or family member


• Dealing With Minors (or Personal Representatives)
  – The parent/guardian or personal representative may provide all consents and notifications on the patient’s behalf
  – Two exceptions:
    • If there is a reasonable belief that the patient may be subjected to abuse by the requestor
    • If, under state law, the minor is emancipated or the treatment concerns matters over which the state permits the minor to obtain health care without parental consent


• Verification of Identity
  – Employees must verify the identity and authority of persons making requests for PHI
  – Policies should describe minimal forms of proper identification (which may include subpoenas)
• Information should be provided in a secure and confidential manner
• If you have a good faith belief that releasing the PHI will avert harm to the patient or the public you may release the information.


• Business Associates
  – Tip: Make a list of all entities you believe are business associates and request a new HIPAA compliant contract
• The practice is not liable for the privacy violations of its business associates but it must exercise appropriate safeguards and have mechanisms to act if it becomes aware of such violations
• Model contract language is available from CMS

Practical Examples

• The patient is a minor and the patient’s mother wants to pick up a prescription for the patient.

• A pharmacy calls wanting authorization to re-fill a prescription.


• The patient is being referred to another practice and a copy of the most recent notes and lab findings is requested by the practice. Later they ask for the full chart.


• The patient is elderly and the patient’s adult daughter contacts the practice to get more information on her mother’s condition, treatment and plans.


• A father of a newborn wants medical records of the child but those records contain information on the mother as well.


• A patient indicates in a conversation with the doctor she heard another patient, who is a friend, is going to have some tests ordered and wonders if she is going to be okay.


• The practice has a sign-in sheet listing the names of all patients seen that day at the front desk. Anyone signing in can see it.


• Lists of patients, including the reason they are being seen, are posted around the office as the daily schedule.


• There is a great deal of authoritative information available from the Office of Civil Rights: http://www.hhs.gov/ocr/hipaa/
• HIPAA Myths: http://www.healthprivacy.org/


• The Final Rule was published in February 2003
• The Rule took effect on April 21, 2005
• Less a series of checklists and more a description of standards
• Apply only to electronic Personal Health Information (ePHI)


• The Rule recognizes that cost of security is an issue and should be a factor in security decisions
• It is clear “that adequate security measures be implemented… cost is not meant to free covered entities from this responsibility.”
• General approach is now risk management based rather than mandatory controls


• Language is consistent between rules
  – Supplements and defines the “mini-security rule” within the Privacy Rule
  – Most definitions between the rules are now the same (PHI, covered entity, Business Associate, etc)
• Privacy rule still controls security of non-electronic PHI


• Some standards are sufficiently self-contained that their implementation is explicit or implicit in the standard itself
• Standards are grouped under three categories:
  – Administrative Safeguards
  – Physical Safeguards
  – Technical Safeguards

Security Requirements

• Covered Entities (that means your practice) must meet four security requirements:
  – Ensure the confidentiality, integrity and availability of all ePHI that is created, received, maintained or transmitted
  – Protect against any reasonably anticipated threat or hazard to the security or integrity of the ePHI
  – Protect against any reasonably anticipated uses or disclosure of ePHI that are not permitted
  – Ensure compliance by every member of the workforce


• In meeting these rules the practice may factor in:
  – Cost, size, complexity, technical infrastructure, other capabilities and the likelihood and seriousness of potential security risks
• The practice may use any security measures that allow it to reasonably and appropriately implement the standards
• Required standards with no Implementation Specifications must be implemented as it requires


• If the standard has a required Implementation Specification it must be met as required
• If the standard has an addressable Implementation Specification it must be met if reasonable and appropriate
  – If it is not, then the rationale for not meeting the specification must be documented and the alternative methodology for meeting the standard must be explained


• The preamble to the rule states the administrative, physical and technical safeguards the practice employs must be reasonable and appropriate to meet the standards
• There is a two-step process for determining this:
  – Step 1 is to assess the security risk the practice faces
  – Step 2 is to implement appropriate countermeasures proportionate to the risk
  – The practice must then manage the countermeasures to keep up with new or increased risks


• The Security Rule does not advocate any type of technology. The Rule only looks at analyzing risks and then meeting the risk with an appropriate countermeasure.
  – For example, any computer may be compromised by a “virus” or “worm” that can either destroy data or cause it to be sent to those who are not authorized to see the data. An appropriate countermeasure would include obtaining anti-virus software, keeping it up to date and providing training to users in how to avoid suspicious programs and e-mail attachments


Examples of PHI Not Covered

• Paper to paper faxes are not covered
  – Faxes to or from a computer are covered
• Voice telephone transmissions are not covered
  – Data transmitted over telephone lines is covered


• Practices must be able to track intrusions into the system and react quickly (incident response)
• These security processes may require new and more technology than smaller practices possess now
• Training is a security process that all practices must meet. Training should focus on threats and countermeasures
• There are no “safe-harbors” under the Rule


• Any entity to whom you provide ePHI that is not covered by the rule must have a contract with you obligating them to protect the information.
• Requirements:
  • Implement administrative, physical and technical safeguards that protect the confidentiality, integrity and availability of ePHI
  • Ensure its agents and subcontractors do the same
  • Report to the practice any security incident it becomes aware of.


• The agreement under this rule adopts all the rules applying to business associates under the Privacy Rule
• No agreement is required if it relates to the treatment or payment for services to the patient
• You are not liable for violations of Business Associates unless you know of a pattern or activity that is a violation and do nothing about it


• Establish policies and procedures designed to identify risks and ensure effective countermeasures
• Ensure compliance
  • Training for everyone in the administrative, technical and physical safeguards of ePHI
  • Policies and Procedures must be documented


• Avoid Liability and Bad Publicity
  • Liability results when the practice either has no policy or, worse, does not enforce its policies
  • Even if the security breach does not involve a lawsuit, it could result in bad publicity in the community and among the patients of the practice


• Steps for Developing Security Policies & Procedures
  • Assemble your team (a doctor, the manager, front office and back office)
  • Review the requirements with the team
  • You may want to refer to published standards for information security (National Institute of Standards & Technology – Series 800)
  • Begin Risk Analysis


• What is to be protected:
  • Hardware, servers, workstations, computers, software, data and databases, and your own users
• Potential threats:
  • Accidents, natural disasters, loss of electrical power, theft, maliciousness, carelessness, etc.


• Clear and concise
  • Clearly state responsibilities of everyone, what needs to be protected and how it is to be done
• Understandable
  • Written to the level of understanding for the intended user. Techies vs. Staff
• Doable
  • Must be realistic in terms of the staff size, cost and technical requirements


• Start with a statement from the doctors and management
  • Acknowledge the importance of security
  • Indicate support for security throughout the practice
  • Commit to development, implementation and enforcement of policies
  • Define the intent of the security program and how it relates to the business objectives of the practice.


• Develop Policies
  • General organizational policies
    • Set overall vision of the program; a general framework
  • Functional policies
    • Focused on specific topics, applications or functions.
    • Generally deal with single topics


• Mandatory Standards vs. Guidelines
  • Standards are the mandatory rules, actions, responses, directives and regulations that are the mechanism to enforce policies.
    • Example: “All activity related to the creation, modification, accessing and disposal of data and ePHI must be recorded.”
  • Standards differ from guidelines in that guidelines are recommendations but not absolutes.
    • Example: “Passwords should be at least 6 digits of both alpha and numeric characters”


• Detailed Procedures
  • This is how standards and guidelines are put into action
• Plans
  • May incorporate procedures such as in a “Disaster Recovery Plan”
• Personnel Responsibilities
  • Policies should identify the personnel to carry out the policy and the functions to be performed


• Steps to Implementation of Procedures
  • Must be flexible and strike a balance between too much detail and not enough direction and guidance
• Examples of Security Procedures
  • Back up the server each night. Store offsite on CD dated and identified to the server
  • Back up all PHI on PC hard drives weekly to CD dated and identified to the PC
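As an added example that is not part of the slides, the following POSIX shell sketch turns the nightly backup procedure above into a repeatable step: it writes an archive that is dated and identified to the server, and records a SHA-256 manifest next to it so the offsite copy can be verified before anyone relies on it. The directory names, server label and sample data are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not from the Economedix course materials.
# Nightly backup: dated archive named for the server plus a SHA-256
# manifest so the offsite copy can be checked for integrity later.
set -eu

# backup_ephi SRC_DIR DEST_DIR SERVER_LABEL DATE
# Writes DEST_DIR/SERVER_LABEL-DATE.tar.gz and DEST_DIR/<archive>.sha256,
# then prints the archive path.
backup_ephi() {
  src="$1"; dest="$2"; label="$3"; stamp="$4"
  archive="$dest/$label-$stamp.tar.gz"
  mkdir -p "$dest"
  # -C keeps paths relative so the archive can be restored anywhere
  tar -czf "$archive" -C "$src" .
  # The manifest lives beside the archive it describes (same CD/folder)
  (cd "$dest" && sha256sum "$(basename "$archive")" > "$archive.sha256")
  echo "$archive"
}

# verify_backup ARCHIVE: exit 0 only if the archive matches its manifest.
# Run this against the offsite copy before trusting it for recovery.
verify_backup() {
  archive="$1"
  (cd "$(dirname "$archive")" && \
    sha256sum -c --status "$(basename "$archive").sha256")
}

# Constructed demo data standing in for a practice server's data directory
demo="$(mktemp -d)"
mkdir -p "$demo/data"
printf 'constructed sample record, not real PHI\n' > "$demo/data/record-001.txt"
out="$(backup_ephi "$demo/data" "$demo/offsite" "practice-srv1" "2006-03-22")"
verify_backup "$out" && echo "backup verified: $out"
```

In practice the function would be called from a scheduled job (cron on the server) with the real data directory and the current date, and the verify step repeated on the copy that was taken offsite.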


• Establish your team
• Establish your objectives
• Identify the risks and threats
• Assess your current status
• Consider possible solutions
• Draft policies in conformance with HIPAA
• Review with the stakeholders
• Formalize the policies and procedures
• Train
• Review and Revise


• In one sense HIPAA privacy and security rules are nothing new. You have always treated information confidentially. Now there are uniform standards.
• Common sense and good judgment will almost always work if you are keeping the best interests of the patient in mind
• If in doubt, talk to your manager or supervisor.
