HIPAA Privacy and Security
description
Transcript of HIPAA Privacy and Security
Copyright© 2010 WeComply, Inc. All rights reserved.
04/20/23
HIPAA Privacy and Security
Copyright© 2010 WeComply, Inc. All rights reserved.
04/20/23
HIPAA Privacy and Security
Copyright© 2010 WeComply, Inc. All rights reserved.
In the news…
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 4
What Is HIPAA?
Among HIPAA's primary purposes are —
•Privacy and security of healthcare information
•Standardization of healthcare data
•Simplification of healthcare operations to help reduce costs
•Insurance portability for individuals who change jobs or become unemployed
•Preventing discrimination against applicants or businesses
•Preventing fraud through stiffer penalties and tighter controls We must also comply with more restrictive state laws regarding privacy and security of healthcare information
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 5
What Is HIPAA?
Among HIPAA's primary purposes are —
•Privacy and security of healthcare information
•Standardization of healthcare data
•Simplification of healthcare operations to help reduce costs
•Insurance portability for individuals who change jobs or become unemployed
•Preventing discrimination against applicants or businesses
•Preventing fraud through stiffer penalties and tighter controls We must also comply with more restrictive state laws regarding privacy and security of healthcare information
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 6
What Is HIPAA? (Cont’d)
Among HIPAA's primary purposes are —
•Privacy and security of healthcare information
•Standardization of healthcare data
•Simplification of healthcare operations to help reduce costs
•Insurance portability for individuals who change jobs or become unemployed
•Preventing discrimination against applicants or businesses
•Preventing fraud through stiffer penalties and tighter controls We must also comply with more restrictive state laws regarding privacy and security of healthcare information
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 7
Who Is Subject to HIPAA?
Covered entities include hospitals, insurance companies, self-insured employers and small physician practices
Three categories of covered entities:
•Healthcare plans
•Health providers
•Clearinghouses
HIPAA applies to companies that offer healthcare and treatment to their employees on-site
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 8
Who Is Subject to HIPAA? (cont’d)
Business associates are individuals and businesses that help covered entities carry out healthcare activities and functions
•Auditors, consultants, lawyers
•Claims-processing firms, pharmacy benefit managers
Business associates are subject to HIPAA in two ways:
They must provide written assurance that they will use information only for proper purposes, safeguard information from misuse, and help covered entity comply with HIPAA privacy duties
They must comply directly with HIPAA regulations requiring administrative, physical and technical safeguards for security of protected information
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 9
Pop Quiz!
What happens if a business associate of a covered entity violates HIPAA?
A.The business associate will be subject to the same HIPAA penalties as the covered entity.
B.The business associate will be liable to the covered entity only for breach of contract.
C.Nothing – business associates aren't subject to HIPAA.
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 10
Protected Health Information (PHI)
Protected health information includes any part of an individual's medical record or payment history
PHI concerns —
•Any past, present or future physical or mental health of an individual
•Providing healthcare to an individual
•Payment for healthcare of an individual
Any identifiable health information becomes PHI under HIPAA
Privacy Rule covers PHI in all forms, while the Security Rule covers only electronic PHI
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 11
HIPAA Privacy
A covered entity may use or disclose an individual's PHI only under these conditions:
•To communicate directly with the individual about his/her PHI
•With the individual's written authorization or other legal agreement
•Without the individual's authorization for treatment, payment and operations
When using or disclosing PHI we must try to limit our use or disclosure as much as possible
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 12
HIPAA Privacy (Cont’d)
A covered entity may use or disclose an individual's PHI only under these conditions:
•To communicate directly with the individual about his/her PHI
•With the individual's written authorization or other legal agreement
•Without the individual's authorization for treatment, payment and operations
When using or disclosing PHI we must try to limit our use or disclosure as much as possible
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 13
Notice of Privacy Practices
Covered entity must furnish Notice of Privacy Practices to individuals with whom it has direct treatment relationship
•At enrollment, within 60 days of material revision, and at least every three years
•To anyone who requests it
• On any website it maintains for customer-service or benefits information
• Covered entity must document compliance by retaining copies of issued notices
• Covered entity must make good-faith effort to obtain patient's written acknowledgment of receiving NPP
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 14
Notice of Privacy Practices (cont’d)
Covered entity must furnish Notice of Privacy Practices to individuals with whom it has direct treatment relationship
•At enrollment, within 60 days of material revision, and at least every three years
•To anyone who requests it
• On any website it maintains for customer-service or benefits information
• Covered entity must document compliance by retaining copies of issued notices
• Covered entity must make good-faith effort to obtain patient's written acknowledgment of receiving NPP
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 15
Notice of Privacy Practices (cont’d)
Covered entity must furnish Notice of Privacy Practices to individuals with whom it has direct treatment relationship
•At enrollment, within 60 days of material revision, and at least every three years
•To anyone who requests it
• On any website it maintains for customer-service or benefits information
• Covered entity must document compliance by retaining copies of issued notices
• Covered entity must make good-faith effort to obtain patient's written acknowledgment of receiving NPP
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 16
Reasonable Safeguards
Covered entity must use reasonable safeguards to protect confidentiality of PHI
•Speaking softly when discussing PHI in public spaces
• Not using name of individual whose PHI is being discussed
• Reminding employees to keep PHI secure at workstations and in public spaces
• Isolating and locking filing cabinets containing PHI
• Equipping computers with password-protected screensavers
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 17
Using PHI for Marketing
Covered entities may not disclose PHI for marketing purposes without patient's written authorization
Covered entity does not need written authorization to communicate —
•To describe product or service provided by the covered entity
•For treatment purposes
•For case-management, care-coordination, or to recommend alternative therapies/providers
•For face-to-face communications
•For other communications that promote health in general manner
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 18
Pop Quiz!
PHI may be disclosed without the patient's written authorization in which of the following situations?
A.Sending marketing literature about healthcare-related products to the patient.
B.Sending marketing literature about non-healthcare-related products to the patient.
C.Recommending any products to the patient in a face-to-face conversation.
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 19
HIPAA Security
Security Rule addresses creation, receipt, maintenance and transmission of electronic PHI by covered entities and their business associates
Primary goals:
•To maintain confidentiality of stored and transmitted electronic PHI
•To protect electronic PHI from unauthorized creation, modification and deletion
• To ensure that electronic PHI is available to authorized individuals/entities when needed
Requires administrative, physical and technical safeguards
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 20
Administrative Safeguards
Administrative safeguards:
•Security Officer responsible for the development and implementation of security policies
•Workforce Security plan for granting employees varying levels of access to PHI
•Contingency Plan for responding to emergencies and natural disasters
•Business Associate Contracts to protect confidentiality of PHI exchanged
•Termination Procedures to prevent terminated employee from having access to confidential information
Copyright© 2010 WeComply, Inc. All rights reserved.
In the news…
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 22
Physical Safeguards
Physical safeguards:
•Facility Access Controls that allow only authorized access to places where PHI is kept
• Workstation Use procedures for PHI displayed on computer screens
• Workstation Security — secured rooms, curtains, partitions or user IDs/passwords for workstations on which PHI is processed
• Device and Media Controls for handling computer hardware and software, including proper disposal and storage
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 23
Technical Safeguards
Technical safeguards:
•Access Controls limiting PHI access on need-to-know basis based on roles and context
• Audit Controls for recording and examining system activity to eliminate unnecessary access to PHI
• Person or Entity Authentication using passwords, PIN numbers, biometrics or tokens to ensure only authorized access to PHI
• Transmission Security to protect PHI during transmission over electronic networks, including encryption, firewalls, SSL/TLS protocol and S/MIME support
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 24
Pop Quiz!
A pharmaceutical company set up a service to send regular e-mail messages to remind people to take their anti-depressant medication. Due to a programming error, each of the people who received an e-mail message could see the names and e-mail addresses of all of the others to whom reminder messages were sent. Does this present a HIPAA problem?
A.Yes.
B.Maybe, if the e-mail messages were not encrypted.
C.No, because it was due to a programming error — not a breach of security.
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 25
Handling PHI
Follow these guidelines when handling PHI:
•Access PHI only to extent necessary to perform job-related functions
•Obtain authorization whenever using PHI for marketing purposes
•Destroy PHI once it is no longer needed
•Take steps to verify proper receipt of transmitted PHI
• Secure work areas by keeping documents containing PHI in locked cabinet and maintaining strong passwords on electronic systems
• Take special precautions while working in field or at home to ensure PHI is secured in laptop computers and briefcases
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 26
Security Breach
Secure PHI is information that is —
•Protected by a technology or methodology specified by HHS
•Rendered "unusable, unreadable, or indecipherable" to unauthorized persons
•Shredded/destroyed so that it cannot be read or reconstructed
If there is a security breach involving unsecured PHI:
•Notice must be given to affected individuals
•If breach affects 500 or more individuals, notice must also be given Government and media
Report security breach to your supervisor or Privacy Officer immediately
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 27
Security Breach (Cont’d)
Secure PHI is information that is —
•Protected by a technology or methodology specified by HHS
•Rendered "unusable, unreadable, or indecipherable" to unauthorized persons
•Shredded/destroyed so that it cannot be read or reconstructed
If there is a security breach involving unsecured PHI:
•Notice must be given to affected individuals
•If breach affects 500 or more individuals, notice must also be given Government and media
Report security breach to your supervisor or Privacy Officer immediately
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 28
PHI Rights of Individuals
Individuals have these rights over use and disclosure of their PHI:
•Covered entities must abide by individual's request not to divulge PHI if he/she is paying for full service cost
•Individuals are entitled to copies of records that covered entity keeps electronically
• Individuals have right to request that covered entity correct inaccurate PHI
• Covered entities maintaining electronic health records must provide accounting of all PHI disclosures during prior three years upon request
• Fundraisers must notify individuals of right to opt out of future fundraising solicitations
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 29
Enforcement
Failure to comply with HIPAA can lead to significant penalties:
•Civil fines from $100 to $50,000 for each violation up to $1.5 million per year
•Criminal penalties for basic offense may include fine of up to $50,000 and/or imprisonment for up to one year
• Criminal penalties for offense committed with intent to use PHI for commercial advantage may include fine up to $250,000 and/or imprisonment for up to ten years
Copyright© 2010 WeComply, Inc. All rights reserved.8/11/2010 30
Enforcement (cont’d)
Failure to comply with HIPAA can lead to significant penalties:
•Civil fines from $100 to $50,000 for each violation up to $1.5 million per year
•Criminal penalties for basic offense may include fine of up to $50,000 and/or imprisonment for up to one year
• Criminal penalties for offense committed with intent to use PHI for commercial advantage may include fine up to $250,000 and/or imprisonment for up to ten years
Copyright© 2010 WeComply, Inc. All rights reserved.
04/20/23
Final Quiz
Copyright© 2010 WeComply, Inc. All rights reserved.
04/20/23
Questions?
Copyright© 2010 WeComply, Inc. All rights reserved.
04/20/23
Thank you for participating!
This course and the related materials were developed by WeComply, Inc. and the Association of Corporate Counsel.