330 likes | 958 Vues
HIPAA Privacy and Security. HIPAA Privacy and Security. In the news…. What Is HIPAA?. Among HIPAA's primary purposes are — Privacy and security of healthcare information Standardization of healthcare data Simplification of healthcare operations to help reduce costs
E N D
What Is HIPAA? • Among HIPAA's primary purposes are — • Privacy and security of healthcare information • Standardization of healthcare data • Simplification of healthcare operations to help reduce costs • Insurance portability for individuals who change jobs or become unemployed • Preventing discrimination against applicants or businesses • Preventing fraud through stiffer penalties and tighter controls • We must also comply with more restrictive state laws regarding privacy and security of healthcare information
What Is HIPAA? • Among HIPAA's primary purposes are — • Privacy and security of healthcare information • Standardization of healthcare data • Simplification of healthcare operations to help reduce costs • Insurance portability for individuals who change jobs or become unemployed • Preventing discrimination against applicants or businesses • Preventing fraud through stiffer penalties and tighter controls • We must also comply with more restrictive state laws regarding privacy and security of healthcare information
What Is HIPAA? (Cont’d) • Among HIPAA's primary purposes are — • Privacy and security of healthcare information • Standardization of healthcare data • Simplification of healthcare operations to help reduce costs • Insurance portability for individuals who change jobs or become unemployed • Preventing discrimination against applicants or businesses • Preventing fraud through stiffer penalties and tighter controls • We must also comply with more restrictive state laws regarding privacy and security of healthcare information
Who Is Subject to HIPAA? • Covered entities include hospitals, insurance companies, self-insured employers and small physician practices • Three categories of covered entities: • Healthcare plans • Health providers • Clearinghouses • HIPAA applies to companies that offer healthcare and treatment to their employees on-site
Who Is Subject to HIPAA? (cont’d) • Business associates are individuals and businesses that help covered entities carry out healthcare activities and functions • Auditors, consultants, lawyers • Claims-processing firms, pharmacy benefit managers Business associates are subject to HIPAA in two ways: They must provide written assurance that they will use information only for proper purposes, safeguard information from misuse, and help covered entity comply with HIPAA privacy duties They must comply directly with HIPAA regulations requiring administrative, physical and technical safeguards for security of protected information
Pop Quiz! • What happens if a business associate of a covered entity violates HIPAA? • The business associate will be subject to the same HIPAA penalties as the covered entity. • The business associate will be liable to the covered entity only for breach of contract. • Nothing – business associates aren't subject to HIPAA.
Protected Health Information (PHI) • Protected health information includes any part of an individual's medical record or payment history PHI concerns — • Any past, present or future physical or mental health of an individual • Providing healthcare to an individual • Payment for healthcare of an individual Any identifiable health information becomes PHI under HIPAA Privacy Rule covers PHI in all forms, while the Security Rule covers only electronic PHI
HIPAA Privacy • A covered entity may use or disclose an individual's PHI only under these conditions: • To communicate directly with the individual about his/her PHI • With the individual's written authorization or other legal agreement • Without the individual's authorization for treatment, payment and operations When using or disclosing PHI we must try to limit our use or disclosure as much as possible
HIPAA Privacy (Cont’d) • A covered entity may use or disclose an individual's PHI only under these conditions: • To communicate directly with the individual about his/her PHI • With the individual's written authorization or other legal agreement • Without the individual's authorization for treatment, payment and operations When using or disclosing PHI we must try to limit our use or disclosure as much as possible
Notice of Privacy Practices • Covered entity must furnish Notice of Privacy Practices to individuals with whom it has direct treatment relationship • At enrollment, within 60 days of material revision, and at least every three years • To anyone who requests it • On any website it maintains for customer-service or benefits information • Covered entity must document compliance by retaining copies of issued notices • Covered entity must make good-faith effort to obtain patient's written acknowledgment of receiving NPP
Notice of Privacy Practices (cont’d) • Covered entity must furnish Notice of Privacy Practices to individuals with whom it has direct treatment relationship • At enrollment, within 60 days of material revision, and at least every three years • To anyone who requests it • On any website it maintains for customer-service or benefits information • Covered entity must document compliance by retaining copies of issued notices • Covered entity must make good-faith effort to obtain patient's written acknowledgment of receiving NPP
Notice of Privacy Practices (cont’d) • Covered entity must furnish Notice of Privacy Practices to individuals with whom it has direct treatment relationship • At enrollment, within 60 days of material revision, and at least every three years • To anyone who requests it • On any website it maintains for customer-service or benefits information • Covered entity must document compliance by retaining copies of issued notices • Covered entity must make good-faith effort to obtain patient's written acknowledgment of receiving NPP
Reasonable Safeguards • Covered entity must use reasonable safeguards to protect confidentiality of PHI • Speaking softly when discussing PHI in public spaces • Not using name of individual whose PHI is being discussed • Reminding employees to keep PHI secure at workstations and in public spaces • Isolating and locking filing cabinets containing PHI • Equipping computers with password-protected screensavers
Using PHI for Marketing • Covered entities may not disclose PHI for marketing purposes without patient's written authorization Covered entity does not need written authorization to communicate — • To describe product or service provided by the covered entity • For treatment purposes • For case-management, care-coordination, or to recommend alternative therapies/providers • For face-to-face communications • For other communications that promote health in general manner
Pop Quiz! • PHI may be disclosed without the patient's written authorization in which of the following situations? • Sending marketing literature about healthcare-related products to the patient. • Sending marketing literature about non-healthcare-related products to the patient. • Recommending any products to the patient in a face-to-face conversation.
HIPAA Security • Security Rule addresses creation, receipt, maintenance and transmission of electronic PHI by covered entities and their business associates Primary goals: • To maintain confidentiality of stored and transmitted electronic PHI • To protect electronic PHI from unauthorized creation, modification and deletion • To ensure that electronic PHI is available to authorized individuals/entities when needed Requires administrative, physical and technical safeguards
Administrative Safeguards • Administrative safeguards: • Security Officer responsible for the development and implementation of security policies • Workforce Security plan for granting employees varying levels of access to PHI • Contingency Plan for responding to emergencies and natural disasters • Business Associate Contracts to protect confidentiality of PHI exchanged • Termination Procedures to prevent terminated employee from having access to confidential information
Physical Safeguards • Physical safeguards: • Facility Access Controls that allow only authorized access to places where PHI is kept • Workstation Use procedures for PHI displayed on computer screens • Workstation Security — secured rooms, curtains, partitions or user IDs/passwords for workstations on which PHI is processed • Device and Media Controls for handling computer hardware and software, including proper disposal and storage
Technical Safeguards • Technical safeguards: • Access Controls limiting PHI access on need-to-know basis based on roles and context • Audit Controls for recording and examining system activity to eliminate unnecessary access to PHI • Person or Entity Authentication using passwords, PIN numbers, biometrics or tokens to ensure only authorized access to PHI • Transmission Security to protect PHI during transmission over electronic networks, including encryption, firewalls, SSL/TLS protocol and S/MIME support
Pop Quiz! • A pharmaceutical company set up a service to send regular e-mail messages to remind people to take their anti-depressant medication. Due to a programming error, each of the people who received an e-mail message could see the names and e-mail addresses of all of the others to whom reminder messages were sent. Does this present a HIPAA problem? • Yes. • Maybe, if the e-mail messages were not encrypted. • No, because it was due to a programming error — not a breach of security.
Handling PHI • Follow these guidelines when handling PHI: • Access PHI only to extent necessary to perform job-related functions • Obtain authorization whenever using PHI for marketing purposes • Destroy PHI once it is no longer needed • Take steps to verify proper receipt of transmitted PHI • Secure work areas by keeping documents containing PHI in locked cabinet and maintaining strong passwords on electronic systems • Take special precautions while working in field or at home to ensure PHI is secured in laptop computers and briefcases
Security Breach • Secure PHI is information that is — • Protected by a technology or methodology specified by HHS • Rendered "unusable, unreadable, or indecipherable" to unauthorized persons • Shredded/destroyed so that it cannot be read or reconstructed If there is a security breach involving unsecured PHI: • Notice must be given to affected individuals • If breach affects 500 or more individuals, notice must also be given Government and media Report security breach to your supervisor or Privacy Officer immediately
Security Breach (Cont’d) • Secure PHI is information that is — • Protected by a technology or methodology specified by HHS • Rendered "unusable, unreadable, or indecipherable" to unauthorized persons • Shredded/destroyed so that it cannot be read or reconstructed If there is a security breach involving unsecured PHI: • Notice must be given to affected individuals • If breach affects 500 or more individuals, notice must also be given Government and media Report security breach to your supervisor or Privacy Officer immediately
PHI Rights of Individuals • Individuals have these rights over use and disclosure of their PHI: • Covered entities must abide by individual's request not to divulge PHI if he/she is paying for full service cost • Individuals are entitled to copies of records that covered entity keeps electronically • Individuals have right to request that covered entity correct inaccurate PHI • Covered entities maintaining electronic health records must provide accounting of all PHI disclosures during prior three years upon request • Fundraisers must notify individuals of right to opt out of future fundraising solicitations
Enforcement • Failure to comply with HIPAA can lead to significant penalties: • Civil fines from $100 to $50,000 for each violation up to $1.5 million per year • Criminal penalties for basic offense may include fine of up to $50,000 and/or imprisonment for up to one year • Criminal penalties for offense committed with intent to use PHI for commercial advantage may include fine up to $250,000 and/or imprisonment for up to ten years
Enforcement (cont’d) • Failure to comply with HIPAA can lead to significant penalties: • Civil fines from $100 to $50,000 for each violation up to $1.5 million per year • Criminal penalties for basic offense may include fine of up to $50,000 and/or imprisonment for up to one year • Criminal penalties for offense committed with intent to use PHI for commercial advantage may include fine up to $250,000 and/or imprisonment for up to ten years
Thank you for participating! This course and the related materials were developed by WeComply, Inc. and the Association of Corporate Counsel.