
HIPAA Privacy of Health Information


Presentation Transcript


  1. HIPAA Privacy of Health Information
     Claudia Allen, Esq., General Counsel, HealthBridge

  2. Federal Privacy Legislation
     • State laws requiring privacy and confidentiality have existed for many years
     • Federal law – HIPAA – was enacted in 1996, but the regulations containing the Privacy and Security Rules were not in place until 2003
     • HIPAA creates a minimum threshold of confidentiality – but does not pre-empt state law if the state law requires a higher standard

  3. Federal Privacy Legislation
     d. “Covered Entities” are subject to the rules protecting the privacy/confidentiality of “Protected Health Information”
        i. Covered Entities:
           1. Providers of health care services (e.g., labs, physicians, dentists, chiropractors, psychologists)
           2. Health Plans
           3. Health Clearinghouses

  4. Federal Privacy Legislation
        ii. PHI is health-related information that is
           1. Identifiable to an individual (contains name, address, phone, SSN, medical record number, date of birth, etc.)
           2. Transmitted or maintained by electronic or any other media

  5. I. HIPAA Privacy Rule (1)
     A. HIPAA sets standards for security, use and disclosure of PHI and permits disclosure or use of PHI without patient consent for the following purposes:
        i. Treatment
        ii. Payment
        iii. Health Care Operations
        iv. Research: Limited data set or IRB
        v. Public health
        vi. As otherwise required by law

  6. I. HIPAA Privacy Rule (2)
     B. HIPAA rules for Business Associates of CEs (e.g., HealthBridge, the Collaborative, EMR vendors)
        i. Covered Entities may authorize disclosure of PHI to a BA for a specific permitted purpose
        ii. CE required to enter into a Business Associate Agreement with BAs to protect PHI security
        iii. Originally, a breach of the BAA would only subject the CE to liability to third parties
        iv. CE would recover cost from BA in a breach of contract lawsuit

  7. II. 2009: ARRA and HITECH Extended Privacy & Security Rules to Business Associates (“BA”)
     a. Business Associates became directly subject to privacy/confidentiality requirements and some security rules (can be held liable)
     b. BA can be held liable for privacy non-compliance by a subcontractor who is acting as an “agent” of a BA
     c. BA Agreements are now required with entities that provide data to a CE, such as Health Information Exchanges

  8. III. 2013: Omnibus Final Regulations
     A. Definition of “Business Associate” Expanded
        i. Entities that create, receive, maintain, or transmit PHI to perform functions or activities for a CE
        ii. Health Information Organizations, e-prescribing gateways, entities maintaining personal health records for a CE
        iii. Subcontractors receiving PHI on behalf of BAs
           • Subcontractors are now subject to the same obligations as BAs with respect to the CE – need BAAs
           • Subs must have HIPAA-compliant security policies

  9. III. Omnibus Final Regulations (2)
     B. New Breach Standard: When it is discovered that there has been an unauthorized use or disclosure of Unsecured PHI, notice is presumed necessary EXCEPT where the CE or BA demonstrates that “there is a low probability that PHI has been compromised.”

  10. III. Omnibus Final Regulations (3)
        i. The Final Rule does not define “Compromised” but specifies what the risk assessment must consider:
           • Nature and extent of PHI, types of identifiers (likelihood of re-identification)
           • The unauthorized person to whom PHI was disclosed
           • Was the PHI actually used/viewed?
           • Extent to which the risk has been mitigated

  11. III. Omnibus Final Regulations (4)
     C. Notification requirements upon determination of Breach:
        i. CEs must notify each individual whose UPHI is breached
        ii. BA must notify the CE (CE may delegate to BA by BAA)
        iii. Time period: without unreasonable delay but no later than 60 calendar days after discovery (first day known or should have been known)

  12. III. Omnibus Final Regulations (5)
        1. Burden on discoverer to notify
        2. Written notice by mail unless urgent
        3. If more than 9 individuals involved, posting on web
        4. Notice to media if over 500 residents in a state or jurisdiction affected
        5. Immediate notice to the Secretary if over 500 affected
        6. Breach log required to be sent to the Secretary annually

  13. III. Omnibus Final Regulations (6)
     D. Notice must contain
        1. Description of what happened
        2. Description of types of data involved
        3. Steps individuals should take to protect themselves
        4. What the CE is doing to investigate, mitigate losses, and protect from further breaches
        5. Contact procedures

  14. IV. Patient Rights re Disclosures
     • Individuals may restrict disclosure to a health plan for payment or operations if the individual has paid out of pocket in full for services
     • Patient may request an accounting of all 3 years’ disclosures of his/her ePHI to any third party, including TPO – i.e., to the billing company, to the insurance company, to another provider for a consult.

  15. V. HHS Audit Initiative
     • Pilot Audit of 115 CEs uncovered violations
     • All but 13 had some type of violation
     • 60 violations were security-related
     • Missing: risk assessments, documentation of decisions
     • Privacy violations include no notice of privacy practices
     • Notices must be revised to include the new breach notification and disclosure rules
     • Policies and procedures (such as patient access to disclosure information, breach assessment and notification, restriction where paid) must be formulated and written
     • Employee training missing to inform staff of rules and procedures

  16. VI. Practical Steps to Avoid Liability: Show How You Secure PHI
     • Appoint a Privacy Officer to establish policies, field questions and monitor compliance
     • Review company policies and procedures with your staff to ensure compliance with ARRA privacy and security requirements – update as needed
     • Make sure you have signed BAAs with those from whom you are receiving PHI (as from other physicians, clinics, hospitals, labs) and those you are sending/disclosing PHI to (e.g., billing company, insurance company, etc.)
     • Conduct a general risk assessment to determine if procedures are protecting PHI. Document the review.

  17. VI. Practical Steps (2)
     e. Take steps to see that:
        • Doors are locked except for business entrances and exits during business hours
        • Employee access is restricted/logged during non-business hours
        • Visitors are not in a position to see or access data
        • Employees understand the importance of not disclosing patient information outside of work, and at work only as necessary
        • All remote access to data is limited and inventoried
        • All portable electronics are encrypted

  18. VI. Practical Steps (3)
        vii. Keys and pass codes are inventoried/changed frequently
        viii. Workstations are secured, screens not in view of the public
        ix. Procedures are implemented for ending data access by terminated employees
        x. Procedures are implemented for reporting suspicious activity
        xi. Hiring practices are implemented that help minimize risk (e.g., checking references and background)
        xii. Regular training on privacy and security requirements is conducted
        xiii. Decisive action is taken if a breach is suspected: procedures are followed and actions documented.

  19. HIPAA Privacy – QUESTIONS?
