HIPAA 101 Privacy - NCHICA · 14 Sanctions for Violators Workforce members who violate policies...

Transcript of the slide deck

Page 1

HIPAA 101 Privacy, Part 2

August 13, 2018

Lawrence H. Muhlbaier, PhD

Page 2

Basic Elements of a Privacy Program

• Controls
• Evaluate
• Monitor
• Enforce
• Consistent
• Corrective Action
• Areas of Risk
• Policies
• Sanctions
• Effective
• Communicated
• Enforced

(Diagram: Policies, Training, Audit, Sanctions)

Page 3

Administrative Requirements

Policies and Procedures
Notice of Privacy Practices
Safeguards and Mitigation
Workforce Training & Employee Sanctions
Personnel Designations - Privacy Official
  Person responsible for Policies, Procedures and Receiving Complaints
Complaint Process
  No retaliation

Page 4

Policies & Procedures

Authorization to release medical information
  » Consider state requirements
Accounting for disclosures
Complaint Process
Patient Requests
Notice of Privacy Practices
No retaliation

Page 5

Policies & Procedures (cont.)

Marketing & Sale of PHI
Fundraising
Research
Sanctions
Safeguards & Mitigation
Training
Uses & Disclosures
Required Minimum Record Retention

This is not intended to be an all-inclusive list.

Page 6

Notice of Privacy Practices

The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information.

Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices.

Page 7

Notice of Privacy Practices

Notice content – including effective date (see 45 CFR 164.520(b))
Post and make available on website
Provide to individuals on request
Document that Notice was provided
Note – a signed Acknowledgement is not required

Page 8

Notice of Privacy Practices

Patients have the right to:

Request restrictions on release of their PHI
Receive confidential communications
Inspect & copy medical records
Request an electronic copy
Request amendment to medical records
Make a complaint
Receive an accounting of any non-TPO disclosures
Obtain a paper copy of the Notice of Privacy Practices on request

Page 9

Facility Directory

Must give the individual the opportunity to restrict or prohibit use or disclosure of name, location, general condition and religious affiliation
Opt Out required, Opt In allowed
Procedures to manage

Page 10

Safeguards and Mitigation

• What safeguards are in place to prevent the unauthorized use and/or disclosure of medical information?
• Implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI
• Mitigate, to the extent practicable, any known harmful effect of a use or disclosure of PHI in violation of policies and procedures

Page 11

Workforce Training

Who needs to be trained?
• Employees
• Clinicians
• Students
• Volunteers

What is the training content?
• Training by role - MD vs. support staff vs. housekeeper?

• How frequently will training be provided?
  • Annual is optimal
• Who will maintain documentation of training?

Page 12

Designate a Privacy Official

• Job description
• Roles & responsibilities
• Reporting structure
• Identify individual to respond to complaints, inquiries, etc.
• Inform Workforce

Page 13

Complaint Process

Who receives complaints?
What is the definition of a complaint?
Who investigates complaints?
Where is documentation of the complaint maintained?
Who communicates with the patient, family member or other complainant?

Page 14

Sanctions for Violators

Workforce members who violate policies regarding privacy / security of confidential / protected health information or ePHI are subject to sanctions.

Actions taken may include:
• Department/Program is responsible for fines, penalties, notification costs, etc.
• Counseling & additional training
• Suspension
• Termination
• Violation of City, State and Federal laws may carry additional consequences of prosecution under the law
• Knowing, malicious intent can increase penalties: fines, jail!

Page 15

Record Retention Requirements

Maintain program information for 6 years after last in effect:

Policies and Procedures
Training Provided / Privacy Official
Complaints to Covered Entity
Notice of Privacy Practices / Acknowledgement (signature not required)
Authorizations
Business Associate Agreements
IRB / Privacy Board Waivers
Designated Record Set(s)
Disclosures for accounting to individual

Page 16

SUMMARY

Inform people of how their information is used
Require NO disclosures except to individual and HHS for investigation or enforcement
Require written authorization for use and disclosure for other purposes
Allow disclosure for national priorities
Allow health information to be used and shared for treatment and payment of health care
Require health plans and providers to maintain administrative & physical safeguards
Hold accountable entities that violate privacy

Page 17

Avoiding Penalties

Comprehensive Written Program
Policies and Procedures
Workforce Education
Periodic Evaluation
Prompt Corrective Action Plans

Page 18

Hot Topics and Potential Risk Areas

Security Breaches
Security Incident Response
Physical Security
Disaster Recovery and Business Continuity Planning
Increased Enforcement
Privacy & Security Training
Cyber Security Incidents
Disposal of Device Security
Mobile Healthcare
Use of Social Media
Cloud Computing
Meeting Meaningful Use Requirements
Business Associates, Vendors, Contractors

Page 19

Breach Notification

• In-depth discussion this afternoon

Applies to all electronic “unsecured Protected Health Information” (“encryption required”)
Requires immediate notification to the Federal Government if more than 500 individuals are affected
Annual notification if fewer than 500 individuals are affected
Breaches affecting >500 individuals are listed on a public website
Requires individual notification to patients / remediation
May require notification to a major media outlet

Page 20

Breach Notification

In-depth discussion this afternoon
Applies to all electronic "unsecured PHI"
Breaches >500 listed on public web site
Requires individual notification/remediation
May require notification to major media outlet

Page 21

Major Recent Enforcement Actions

Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital

$750,000 settlement highlights the need for HIPAA business associate agreements (Raleigh, NC)

Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules - February 1, 2018

Most enforcement actions cite inadequate Policies & Procedures

http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements

Page 22

Trends for Privacy & Information Security

• More policing, more penalties, OCR-style

• Increase in healthcare data breaches

• A wider use of mobile devices in healthcare

• Greater patient awareness

• Increased use of business associates (BAs)

• HITECH regs make BAs responsible for data protections

• Data breaches are costing healthcare organizations more than ever (In 2018 >$400/person)

• Taking protected health information (PHI) to the cloud

Page 23

Future Rules

Access Accounting rule

Disclosure Accounting for TPO

Page 24

Patient Privacy

At some point in our lives we will all be a patient.

Treat all information as though it were your own.

Page 25

Resources

OCR: http://www.hhs.gov/hipaa/index.html
Regulations text: http://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf
NCHICA (membership recommended): http://nchica.org/resources/hipaahitech/
Privacy Rule & Research Guidance: https://privacyruleandresearch.nih.gov/

Page 26

Questions?

Page 27

Contact

Lawrence H. ("Doc") Muhlbaier, PhD

Office of Audit, Risk and Compliance

Duke University

[email protected]

919-630-2509 (mobile)

Page 28

Additional Slides on Research follow

Page 29

Research and HIPAA

Page 30

Research and HIPAA

The Privacy Rule protects the privacy of Protected Health Information (PHI) by establishing conditions for its use and disclosure.

This includes record research that uses existing PHI, e.g., databases and repositories, and research that includes treatment of research participants, such as clinical trials.

Covered entities may use and/or disclose PHI for research:
• with an individual authorization, or
• without individual authorization under limited circumstances

Page 31

Common Rule vs. Privacy Rule

The Common Rule is a federal policy regarding Human Subjects Protection.

The main elements of the Common Rule include:
Requirements for assuring compliance by research institutions
Requirements for researchers’ obtaining and documenting informed consent to participate in the research based on the risks and benefits
Requirements for Institutional Review Board (IRB) membership, function, operations, review of research, and record keeping.

The Privacy Rule for HIPAA establishes privacy standards to protect a person’s health information:
Limits the use and disclosure of health information
Gives patients the right to access their medical information, request amendments and restrict disclosures to the minimum intended purpose.
Established new requirements for access to records by researchers
Authorization generally required to use or disclose PHI (except TPO)
Waiver allowed for minimal risk

Page 32

Key Terms for Researchers

• Covered Entity
• Business Associate Agreement
• Use – Sharing within the Organization
• Disclosure – Sharing outside the organization
• Data Use Agreement / Limited Data Set
• De-identified – without 18 identifiers
• Waiver / Authorization

Page 33

Authorization for Research Purposes

• Permission to use or disclose PHI for research purposes
• Alternative to authorization is waiver or alteration – must meet criteria
• Research participant authorization is required to use and/or disclose PHI for research
  • May be combined with informed consent to participation in research
  • Must include expiration date - may be "none" or may continue until “end of research study”

Page 34

Research Waiver or Alteration of Authorization

Requires a written assurance to the IRB or Privacy Board that PHI will not be re-used or disclosed except:
• As required by law,
• For authorized oversight of the research, or
• For other research that has been reviewed and approved by the IRB / Privacy Board with specific approval regarding access to this PHI

Consider - How will this information be protected?

Waiver requires minimal risk. Data protection is part of minimizing risk.

Page 35

Decedent Data

Common Rule: definition of "human subjects" does not include "decedents"

Privacy Rule: Protection extends to identifiable information of decedents who have been dead <50 years

Must obtain "Notice" from researcher:
Representation that use or disclosure of PHI is necessary for research purpose and will only be used for research purposes
Documentation of the death of the individual, upon covered entity’s request
(Note: no 'approval' required)

Page 36

Limited Data Set with Data Use Agreement

Only use or disclose limited data set / indirect identifiers
For Public Health, Research, Healthcare Operations

Most Privacy Rule requirements do not apply:
No authorization or waiver required
No need to track disclosures

Recipient must agree to a “data use agreement”:
Agreement between the covered entity and recipient of data
Generally describes the permitted uses and disclosures of the information received and prohibits re-identifying or using this information to contact individuals.
Notify CE if loss/unauthorized use (breach analysis)

Page 37

Research Privacy Considerations

• The Common Rule remains the rule for research issues.
• The Privacy Rule was not written with research in mind, so the fit is not perfect.
• When the Common Rule and the Privacy Rule do not agree – the correct path is whatever offers the higher privacy protection.