HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT
TERMINOLOGY • OMNIBUS FINAL RULE • Issued January 23, 2013 • Effective March 26, 2013 • Modified HIPAA privacy and security rule • HITECH modified to strengthen HIPAA and implemented breach notification rule and raised the civil monetary penalties. • Included Genetic Information Nondiscrimination Act of 2008 (GINA) • Genetic information can’t be used for underwriting • Is treated like PHI
TERMINOLOGY • HIPAA –Health insurance Portability & Accountability Act. • Enacted in 1996 so health insurance would be portable • Compliance by October 16, 2002 for EMR/EHR • Compliance by April 14, 2003 for privacy rules
PRIVACY RULE • Establishes national standard for protection of PHI • Addresses the use/disclosure of an individual’s PHI • Gives individuals rights with respect to their PHI • Policies and procedures must be in place to ensure that reasonable steps are taken to protect individual PHI.
SECURITY RULE • Establishes national standard for protection of PHI that is held or transferred in electronic form. • Address the technical and non-technical safeguards • Implement three safeguards: • 1. Administrative – assignment of individual to train and be responsible for security. • 2. Physical – how the electronic systems are protected in the environment. • 3. Technical – password protections; encryption
TERMINOLOGY • HITECH – Health Information Technology for Economic & Clinical Health Act • Provision under the Social Security Act • Modified to strengthen HIPAA • Modifications made significant changes
HOW HITECH AFFECTS HIPAA • Applies the same requirements and penalties for Covered Entities and Business Associates. • Establishes mandatory federal privacy and security breach reporting requirements • Creates new privacy requirements including new accounting disclosure requirements. • Establishes new criminal and civil penalties for non-compliance and new enforcement methods. • All these apply equally to Covered Entities and Business Associates
TERMINOLOGY PHI – Protected Health Information Identifiable health information Includes written, verbal or electronic form used in records, social media, internet, intranet
PHI IDENTIFIERS • This is the information that requires protection: • Name and address including zip code or other geographic codes • Date of birth and age • Telephone number, fax number, e-mail address • Social security number, medical record number • Health plan beneficiary number • Account number • Certificate/license number; license plate number • Web URL; IP address • Finger or voice prints • Photographs • Any other unique identifying characteristic
DE-IDENTIFICATION • When the identifiers are removed from a patient’s information, it is considered “de-identified.” • No longer considered PHI • No restrictions on the use/disclosure • There is no information that could easily identify the individual.
TERMINOLOGY • Minimum Necessary Standard • Only the minimum necessary PHI is made to use, disclose and request PHI to accomplish the intended purpose. • Breach • PHI has been used in a manner that compromises the security or privacy of the PHI.
TERMINOLOGY • Incidental Use and Disclosure • The use/disclosure of PHI that is a result of or “incident to” permitted use of PHI. ELECTRONIC MEDIA – revised definition hard drives, tapes, disks, memory cards, removable medium internet, intranet, private networks does not include fax, telephone as electronic media transmission
BUSINESS ASSOCIATE • Person/entity, other than a member of the workforce, who performs functions/activities on behalf of or for a Covered Entity that involves the use/disclosure of PHI. • A BA is also a subcontractor that creates, receives, transmits, or maintains PHI on behalf of another BA. • BAs and subcontractors have to safeguard PHI “down the stream.” • Typical BAs: billing service, collection agencies, answering service, EMR software vendor, labs, transcription
BUSINESS ASSOCIATE AGREEMENT • An agreement between a Covered Entity and Business Associate or between 2 BAs. • Clarifies and limits permissible use/disclosure of PHI. • Deadlines: • If currently have a BAA as of 1/25/13 and not due for renewal by 9/23/13, have until 9/23/14.. • Otherwise, update by 9/23/13
BUSINESS ASSOCIATE EXCEPTIONS • Health care providers concerning treatment of individual. • Doctor to doctor; nurse to nurse; referrals Banking and financial institutions Government agencies determining eligibility, enrollment or benefits Medicare, Medicaid, VA Pharmacies
COVERED ENTITY • Health Care Providers • Conduct transactions in electronic form • Physicians, clinics, dentists, nursing homes • Health Care Clearinghouses • Entities that process non-standard health information • Health Plans • Health insurance companies, HMOs • Government health programs
NOTICE OF PRIVACY PRACTICE • Statements set out in a written document for patients regarding the use/disclosure of PHI that is allowed without authorization and that which requires authorization. • Has to be displayed in a clear and prominent location • Must be provided to new patients and a hardcopy has to be provided to anyone who asks for one. • Has to be posted on Covered Entity’s website, if applicable. • Established patients must be made aware of changes. • Requires a signed acknowledgement of receipt.
PATIENT RIGHTS • Under the Final Rule and stated in the NPP: • Right to request a restriction of uses/disclosures • CE may consider which restrictions to honor • Right to access PHI • Only if maintained in electronic form • Do not have right to direct access to system • Can copy onto external device
PATIENT RIGHTS • Right to have an accounting of disclosures • An accounting is a record of each disclosure of each patient’s PHI for purposes other than treatment, payment or health care operations. • Can include 6 years prior to the date of which the accounting is requested and not before 2003. • Disclosures that do not need to be recorded: treatments, payments, disclosures made to the patient
PATIENT RIGHTS • Right to ask for a change in their medical record • If the individual believes there is an error or disagrees with what is in their EMR, they may ask for a change. • The Covered Entity, upon investigation, may or may not agree with the change. • Communication of the decision must be made in writing to the individual. • If there is a change, the original is not destroyed, but an addendum is made.
AUTHORIZED PHI DISCLOSURES • DECEDENT’S PHI: • The healthcare provider may disclose PHI to family members/others involved in care prior to death using minimum necessary standard. • After 50 years, PHI is no longer protected. • Arkansas: spouse or parent may receive autopsy report • Student Immunizations to Schools • Only require verbal authorization for release • Public Health Activities • May report for the public health and safety. E.g., communicable diseases
AUTHORIZATION REQUIRED • Must have valid written authorization for: • Use/disclosure of psychotherapy notes. • Use/disclosure for marketing purposes. • The sale of PHI
BREACH NOTIFICATION RULE • This Rule did not exist prior to the HITECH Act. • If a breach occurs, a Risk Assessment has to be performed to determine if there was a low probability of compromised PHI. • The risk of harm to the individual is not part of the assessment. • Affected individuals have to be notified of the breach within 60 days from discovery of the breach. • If more than 500 individuals have been affected, notice through prominent media outlets must occur; this is in additions to individual notices. • HHS has to be notified if > 500 involved.
Breach Notification • Notifications to individuals are to be sent via first class mail to last known address. • Can be sent via e-mail or telephone if address is out of date. • Parents of minors, personal representatives of adults without capacity and next of kin of deceased patients may be notified. • If there is insufficient information for 10 or more individuals, the CE must put up a notice on their web site or major print or broadcast media where the individuals reside. • BA has same requirements and must notify CE.
BURDEN OF PROOF • The CE and BA have to demonstrate there is a low probability that the information used/disclosed was compromised. • If it cannot clearly make this determination, it is treated as a breach. • CE and BA must also demonstrate that all notifications were made.
INVESTIGATION OF BREACH • Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS) enforces HIPAA. • OCR is required to formally investigate a complaint. • Complaint has to be filed within 180 days of alleged violation. • If the preliminary investigation indicates a possible violation further investigation will expand into a compliance investigation. • OCR tries to determine whether willful neglect is indicated.
INVESTIGATION (CON’T) • The entity has 30 days to respond to OCR. • If a violation or willful neglect is found, a civil monetary penalty for each violation can be imposed.
CIVIL MONETARY PENALTIES • Failure to comply with HIPAA can result in civil and criminal penalties. • The HITECH Act: • significantly increased the amount of civil monetary penalties (CMP); • Reduced the number of available affirmative defenses; and • Required imposition of CMPs for all violations due to willful neglect under a tiered liability structure. • Prior to February 18, 2009, HIPAA violations were $100/each violation and the most in one year for same violation was $25,000. • Now up to $50,000/each violation and $1.5 million in one year for same violation.
TIERED LIABILITY STRUCTURE • Unknowing: The CE or BA did not know and reasonably should not know of the violation • Reasonable Cause: The CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the CE or BA did not act with willful neglect. • Willful Neglect: Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the CE or BA corrected the violation within 30 days of discovery. • Willful Neglect: Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the CE or BA did not correct the violation within 30 days of discovery.
ADMINISTRATIVE REQUIREMENTS Written policies and procedures to comply with the administrative requirements must include: 1. A designated contact person to handle complaints and provide further information about the Notice of Privacy Practice. 2. A designated privacy officer who is responsible for development and implementation of the policies and procedures. 3. Required annual training of all workforce members with documentation of the training. 4. Safeguards to protect the privacy of PHI and limit incidental uses or disclosures. 5. Procedures for individuals to submit complaints regarding HIPAA compliance.
ADMINISTRATIVE REQUIREMENTS 6. Must have and apply appropriate sanctions against workforce members who violate privacy policies and procedures. 7. Must document sanctions that are applied, if any. 8. Must mitigate to the extent practicable any harmful effect due to violation. 9. Cannot take intimidating or retaliatory acts against any individual for filing a complaint or exercising his/her right. 10. Must retain policies and procedures, NPPs, disposition of complaints and other actions/activities for 6 years after the later of the date of their creation or last effective date. 11. Maintain documentation sufficient to meet the burden of proof.
Impermissible Use/Disclosure Removal and Loss of Medical Records • A Massachusetts hospital employee took work home, and accidentally left 192 billing records – containing detailed PHI – on the subway. • Even though an accident, severe penalties were imposed on hospital: • $1 million fine • 3 year corrective action plan with oversight by OCR. • Requirements to develop comprehensive policies and procedures using encryption. • Implementation of a comprehensive training program and written certification from all staff.
Accessing PHI Without Legitimate Purpose • Accessing Celebrity Records • Researcher at UCLA School of Medicine received notice of termination. • In retaliation, he accessed superior and co-workers medical records. • Over the next 4 weeks, he accessed UCLA patient records including many celebrities – a total of 323. • Penalty: sentenced to 4 years in prison.
Accessing & Leaking PHI to Media • AR. M.D. and 2 hospital employees accessed records of slain Arkansas TV reporter. • Details of the attack were leaked to the media. • The 3 pled guilty in federal court to misdemeanors. • Federal judge fined all 3 and sentenced them to 1 year of probation. • Hospital suspended M.D.’s privileges for 2 weeks and terminated the 2 employees + an account rep. and Emergency Department coordinator.
Lack of HIPAA Safeguards Small Phoenix surgery practice group (5 doctors) posted clinical and surgical appointments for its patients on Internet-based calendar that was publicly accessible. • OCR began investigation and noted the following violations: Failure to: • Implement adequate policies and procedures; • Document employee training; • Identify clinic security officer and conduct risk analysis, and • Obtain BAA with the internet-based email and calendar services. • OCR fined practice $100,000 and required implementation of corrective action plan that included compliance with violations listed above.
Improper Disposal of PHI • First of its kind joint investigation by OCR and Federal Trade Ccommissionover allegations that CVS Pharmacy was disposing of PHI such as prescription bottle labels and old prescriptions in public dumpsters. • Joint investigation revealed the following violations: Failure to: • Implement adequate policies and procedures to protect PHI during disposal; • Adequately train employees on proper disposal methods; • Have a sanctions policy. • CVS entered into a Resolution Agreement that required CVS to: • Revise and distribute its policies and procedures regarding disposal of PHI; • Train employees; sanction those that did not follow policies; • Engage a third party assessor to conduct assessments and submit reports to Health and Human Services.
Improper Disposal of PHI • Create new internal reporting procedures requiring employees to report all violations of the new policies and procedures • Submit compliance reports to HHS for 3 years AND • CVS was fined $2.5 million. • CVS is required to submit to 3rd part audits every 2 years for 20 years (part of its agreement with the FTC).
Willful Intent • Arkansas LPN accessed PHI for personal gain. • While working in an Arkansas clinic the LPN accessed a patient’s medical record and gave the information to her husband. • Husband called the patient and said he intended to use the information against him/her in “an upcoming legal proceeding.” • Upon discovery, the clinic fired the LPN. • A federal indictment charged her with wrongful disclosure of individually identifiable health information for personal gain and malicious harm. • Charges were dropped against her and husband for guilty plea. • Faced a maximum of 10 years in prison and a fine of up to $250,000 • Sentenced to 2 years probation • 100 hours of community service • Revocation of nursing license.
INSURANCE • Malpractice insurance does not cover HIPAA violations. • General liability insurance does not cover HIPAA violations. • May purchase cyber liability insurance for HIPAA.