HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian...

38
HIPAA PRIVACY & SECURITY DEMONSTRATING A GOOD FAITH BUSINESS PRACTICE -ENFORCEMENT -OVERVIEW OF LAW -BEST PRACTICE PROCESS

Transcript of HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian...

Page 1: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

HIPAA PRIVACY

& SECURITY

DEMONSTRATING A GOOD FAITH BUSINESS PRACTICE

-ENFORCEMENT

-OVERVIEW OF LAW

-BEST PRACTICE PROCESS

Page 2: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

DAVID NIKSSARIAN

NIKSSARIAN INSURANCE SERVICES, INC.

30 YEARS SERVING THE AGRICULTURE INDUSTRY

INSURANCE AGENCY SPECIALIZING IN HEALTH/EMPLOYEE

BENEFIT PROGRAMS; ALSO WORKERS’ COMPENSATION, AND

EMPLOYMENT PRACTICES LIABILITY INSURANCE

MARY JANE EADSON, J.D.

EADSON COMPLIANCE CENTER, LLC

ENTIRE CAREER WORKING IN AGRICULTURAL INDUSTRY

LEGAL COMPLIANCE CONSULTANT TO AGRICULTURAL HR &

BENEFIT DEPARTMENTS, HEALTH AGENTS AND BROKERS, TPAS,

AND CARRIERS

Page 3: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

PENALTY ENFORCEMENT

(Scary Stuff!)

Page 4: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

STATISTICS

• HHS-OFFICE OF CIVIL RIGHTS HAS

RECEIVED 77,190 COMPLAINTS

18,559 REQUIRED CORRECTIVE ACTION.

COMMON REASONS

1. IMPERMISSABLE USE OR DISCLOSURE OF PHI

2. LACK OF SAFEGUARDS OF PHI

3. USES OR DISCLOSURE OF MORE THAN MINIMUM NECESSARY PHI

4. LACK OF PATIENT ACCESS TO THEIR PHI

5. LACK OF SAFEGUARDS OF ELECTRONIC PHI

PHI = PERSONAL HEALTH INFORMATION

Page 5: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected
Page 6: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

HEADLINES

3/14/2012 – BLUE CROSS BLUE SHIELD OF TENNESSEE SETTLEMENT

OF $1.5 MILLION

2/22/2011 – HHS IMPOSES $4.3 MILLION PENALTY

ON CIGNET HEALTH

2/14/2011 – MASSACHUSETTS GENERAL SETTLES HIPAA

INVESTIGATION FOR $1 MILLION

Page 7: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

CIVIL & CRIMINAL

PENALTIES

VIOLATION MINIMUM MAXIMUM

INDIVIDUAL DID

NOT REASONABLY

KNOW THAT

HE/SHE VIOLATED

HIPAA

$100 PER VIOLATION

UP TO $25,000

ANNUALLY

$50,000 PER

VIOLATION WITH

AN ANNUAL

MAXIMUM OF $1.5

MILLION

HIPAA VIOLATION

DUE TO

REASONABLE

CAUSE – NOT

WILFUL NEGLECT

$1,000 PER

VIOLATION UP TO

$100,000 PER

VIOLATION

SAME AS ABOVE

HIPAA VIOLATION

DUE TO WILFUL

NEGLECT AND NOT

CORRECTED*

$50,000 PER

VIOLATION UP TO

$1.5 MILLION

ANNUALLY

SAME AS ABOVE

*CRIMINAL

PENALTY

+ 1 YEAR

IMPRISONMENT

Page 8: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

OVERVIEW

Page 9: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

HIPAA – 3 SPHERES OF

LAW

PORTABILITY

SECURITY PRIVACY

Page 10: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

PRIVACY

APPLIES TO COVERED ENTITIES:

•HEALTH PLANS

•HEALTH CARE CLEARINGHOUSES

•HEALTH CARE PROVIDERS

Page 11: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

PRIVACY

APPLIES TO BUSINESS ASSOCIATES:

•EMPLOYER WITH GROUP HEALTH PLAN

(PLAN SPONSOR)

•CONSULTANTS

•VENDORS

Page 12: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

EXAMPLES

•ENROLLMENT

•BENEFIT QUESTIONS

•CLAIMS QUESTIONS

Page 13: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

PRIVACY BASICS

PROTECT USE & DISCLOSURE OF

PROTECTED HEALTH

INFORMATION OF AN INDIVIDUAL

Page 14: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

EMPLOYEE

HUMAN RESOURCES

EMPLOYER SPONSORED

HEALTH PLAN

ROLE OF HUMAN RESOURCES

Page 15: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

WHEN MAY I

DISCLOSE PHI?

TREATMENT PAYMENT HEALTH CARE OPERATIONS

AUTHORIZATION

Page 16: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

HOW MAY I DISCLOSE

PHI?

• IN A REASONABLE MANNER

• FOR THE MINIMUM PHI

NECESSARY FOR PURPOSE

Page 17: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

WHEN MAY I

DISCLOSE PHI?

•INDIVIDUAL HOLDER

•HEALTH PLAN

•BUSINESS ASSOCIATE

•OTHER INDIVIDUAL

Page 18: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

SECURITY

• APPLIES TO ELECTRONIC PROTECTED HEALTH INFORMATION

• SAFEGUARDS TO:

• ADMINISTRATIVE/OPERATIONS: IDENTIFY/ANALYZE POTENTIAL RISKS TO ELECTRONIC PHI AND IMPLEMENT SECURITY MEASURES

• PHYSICAL: LIMIT ACCESS TO FACILITIES WHERE ELECTRONIC PHI IS HOUSED

• TECHNICAL: IMPLEMENT AUDIT, INTEGRITY AND TRANSMISSION CONTROLS TO INFORMATION SYSTEMS WITH PHI

Page 19: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

WAIT…THERE’S MORE!

Page 20: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

FINAL RULES

RELEASED JANUARY 17, 2013

• “The most sweeping changes to HIPAA Privacy and Security Rules since they were first implemented”

• “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA Privacy and Security protections …”

Leon Rodriguez

Director

HHS Office for Civil Rights

Page 21: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

FINAL RULES

•EXPAND HIPAA PRIVACY AND SECURITY RULES TO BUSINESS

ASSOCIATES

•PENALTIES ASSESSED TO NEGLIGENCE MAXIMUMS ($1.5

MILLION)

•CERTAIN BREACHES OF UNSECURED PHI MUST BE REPORTED TO

HHS

•PATIENT RIGHTS TO PHI EXPANDED

•PATIENT RIGHT TO PROHIBIT ACCESS OF PHI TO HEALTH PLAN

•PROHIBITS SALE OF AN INDIVIDUALS’ HEALTH INFORMATION

W/O PERMISSION

Page 22: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

FINAL RULES

•MOST SIGNIFICANT CHANGE IS TO THE DETERMINATION OF A

REPORTABLE BREACH TO OFFICE OF CIVIL RIGHTS AND

AFFECTED PARTY(IES)

•PREVIOUSLY REQUIRED TO REPORT IMPERMISSABLE USE IF

COVERED ENTITY DETERMINED THAT THE USE POSED A

SIGNIFICANT, FINANCIAL, REPUTATIONAL HARM TO AFFECTED

INDIVIDUALS

•FINAL RULE: COVERED ENTITY/BUSINESS ASSOCIATE MUST

REPORT BREACH TO OCR AND AFFECTED PARTY(IES) UNLESS

[THEY] CAN DEMONSTRATE A LOW PROBABILITY THAT PHI HAS

BEEN COMPROMISED

•PRESUMPTION THAT ALL IMPERMISSABLE USE OF PHI IS A

BREACH

Page 23: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

RELATED PRIVACY

RULES

•SECURITY OF PERSONAL INFORMATION

•SOCIAL SECURITY CONFIDENTIALITY

•SOCIAL SECURITY TRUNCATION ON PAY STUBS

•MEDICAL INFORMATION CONFIDENTIALITY ACT

Page 24: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

ORGANIZING

BEST PRACTICES

Page 25: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

TARGETING GOOD FAITH

BUSINESS PRACTICE

BEST PRACTICE

PROCEDURES

POLICY STANDARDS

COMMUNICATIONS

MAINTENANCE

Page 26: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

BEST PRACTICES

BEST METHOD TO SAFEGUARD PHI IS NOT TO CREATE PHI

- DO YOU NEED THE SSN ON THAT REPORT? IF NOT, THEN HAVE PROGRAMMING REMOVE IT

- IF YOU RECEIVE A REPORT WITH SSN LISTED, REMOVE THE COLUMN IF NOT NEEDED

Page 27: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

BEST PRACTICES

DATA TRANSMITTAL

- PHI CANNOT BE TRANSMITTED UNSECURED

- E-MAIL IS NOT A SECURED METHOD

Page 28: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

BEST PRACTICES

RECORD STORAGE:

CURRENT AND SHORT TERM

RECORD STORAGE:

LONG TERM

Page 29: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

BEST PRACTICES

HEALTH PLAN BILLING

- SAFEGUARD IF SSN INCLUDED

- PROCESSING BY OTHER DEPARTMENTS

Page 30: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

BEST PRACTICES

ENROLLMENT CARDS/FORMS

- WHO IS RESPONSIBLE FOR COLLECTING?

- DATA ENTRY?

- WHERE ARE THEY FILED?

- WHERE ARE THEY STORED LONG-TERM?

Page 31: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

BEST PRACTICES

DOUBLE LOCK RULE

- HAVE TWO LOCKS BETWEEN OUTSIDE & PHI

- SECURITY (BURGLAR) ALARM COUNTS AS ONE

- INEXPENSIVE LOCKED CABINET VS. COMPLAINT

Page 32: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

BEST PRACTICES

JANITORIAL SERVICES

- PROCEDURE FOR ACCESS/TIMING

- BUSINESS ASSOCIATE AGREEMENT

Page 33: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

BEST PRACTICES

INTERNET

- FIREWALLS

- ANTI-VIRUS SOFTWARE

- AUTO TIMING ON SCREEN SAVERS

- ENCRYPTION

Page 34: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

MISSING THE MARK

PENALTY

VIOLATION

REACTION

CONFUSION

ERRORS

Page 35: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

CONTINUING THE BEST

PRACTICE PROCESS

STRATEGICAL ASSESSMENT

COMPLIANCE PLAN

IMPLEMENTATION

TRAINING

INCIDENT MANAGEMENT

MONITORING

Page 36: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

OUR ROLE PROVIDES

TRUST

•TRANSPARENCY – OPENESS AND CLARITY TO ALL ACTIVITIES CONCERNING THE CAPTURE, COLLECTION, DISSEMINATION AND USE

OF PROTECTED HEALTH INFORMATION

•STEWARDSHIP – WE ASSUME A RESPONSIBITY OVER THE HANDLING AND PROTECTION OF EMPLOYEE INFORMATION REGARDLESS OF THE

SOURCE OR TYPE OF INFORMATION

Page 37: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

“MOST PEOPLE DON’T DO WHAT’S

RIGHT…THEY DO WHAT’S CONVENIENT

AND THEN REPENT.” Bob Dylan

EADSON COMPLIANCE CENTER

[email protected]

www.eadsoncompliance.com

760/468-4082

NIKSSARIAN INSURANCE SERVICES, INC.

[email protected]

www.nikins.com

831/233-6700

Page 38: HIPAA PRIVACY & SECURITYagpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf · nikssarian insurance services, inc. ... privacy basics protect use & disclosure of protected

THANKS FOR

ATTENDING


HEALTHCON 2016 HIPAA Privacy and Security Breaches 10 ... · which compromises the security or privacy of the protected health information. April 11, 2016 HIPAA Breaches –10 Things

HEALTHCON 2016 HIPAA Privacy and Security Breaches 10 ... · which compromises the security or privacy of the protected health information. April 11, 2016 HIPAA Breaches –10 Things

HIPAA P i d S itHIPAA Privacy and Security Rules: What’s ... · level of privacy protections related to “protected health information” (PHI) Prior to HIPAA privacy rules, state

HIPAA P i d S itHIPAA Privacy and Security Rules: What’s ... · level of privacy protections related to “protected health information” (PHI) Prior to HIPAA privacy rules, state

Indiana University HIPAA Privacy and Security Compliance Plan · IU HIPAA Privacy and Security Compliance Plan LAST REVIEWED: 08/08/2019 10. Evaluate current use of protected health

Indiana University HIPAA Privacy and Security Compliance Plan · IU HIPAA Privacy and Security Compliance Plan LAST REVIEWED: 08/08/2019 10. Evaluate current use of protected health

HIPAA Privacy

HIPAA Privacy

HIPAA Privacy and Security

HIPAA Privacy and Security

Hipaa privacy and Security

Hipaa privacy and Security

HIPAA AND MEDICAL PRIVACY: Guidelines for Faculty, Staff ... · HIPAA AND MEDICAL PRIVACY: Guidelines for Faculty, Staff and Students Relating to Protected Health Information Page

HIPAA AND MEDICAL PRIVACY: Guidelines for Faculty, Staff ... · HIPAA AND MEDICAL PRIVACY: Guidelines for Faculty, Staff and Students Relating to Protected Health Information Page

HIPAA Privacy Training

HIPAA Privacy Training

HIPAA Privacy and Security Rules - Holland & Hart LLP · 2017-01-15 · – Requires covered entities to protect privacy of protected health info (“PHI”) – Gives patients certain

HIPAA Privacy and Security Rules - Holland & Hart LLP · 2017-01-15 · – Requires covered entities to protect privacy of protected health info (“PHI”) – Gives patients certain

HIPAA Privacy Basics

HIPAA Privacy Basics

WELCOME TO THE HIPAA PRIVACY AND SECURITY TRAINING MODULE …gmha.org/.../uploads/Online_Exams/HIPAA-PRIVACY-AND-SECURIT… · WELCOME TO THE HIPAA PRIVACY AND SECURITY TRAINING MODULE

WELCOME TO THE HIPAA PRIVACY AND SECURITY TRAINING MODULE …gmha.org/.../uploads/Online_Exams/HIPAA-PRIVACY-AND-SECURIT… · WELCOME TO THE HIPAA PRIVACY AND SECURITY TRAINING MODULE

Corporate Compliance HIPAA Privacy HIPAA Security.

Corporate Compliance HIPAA Privacy HIPAA Security.

HIPAA Privacy and Media

HIPAA Privacy and Media

HIPAA, Privacy, & Cybersecurity

HIPAA, Privacy, & Cybersecurity

HIPAA PRIVACY SECURITY - medicalcenterhealthsystem.commedicalcenterhealthsystem.com/wp-content/uploads/2019/01/HIPAA… · HIPAA Protects the privacy and security of a patient’s

HIPAA PRIVACY SECURITY - medicalcenterhealthsystem.commedicalcenterhealthsystem.com/wp-content/uploads/2019/01/HIPAA… · HIPAA Protects the privacy and security of a patient’s

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION · 2019-01-09 · HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION . HILLSDALE COLLEGE HEALTH

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION · 2019-01-09 · HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION . HILLSDALE COLLEGE HEALTH

HIPAA 101 Privacy - NCHICA · 14 Sanctions for Violators Workforce members who violate policies regarding privacy / security of confidential /protected health information or ePHI

HIPAA 101 Privacy - NCHICA · 14 Sanctions for Violators Workforce members who violate policies regarding privacy / security of confidential /protected health information or ePHI

Understanding HIPAA Compliance - Cognoscape, LLC€¦ · Understanding HIPAA Compliance Upholding the privacy and security of protected health information (PHI) and personal health

Understanding HIPAA Compliance - Cognoscape, LLC€¦ · Understanding HIPAA Compliance Upholding the privacy and security of protected health information (PHI) and personal health

HIPAA Privacy & Security Training

HIPAA Privacy & Security Training

Laidlaw Inc. HIPAA Privacy Standards Assessment ......Assessment Questionnaire A. Uses and Disclosures of Protected Health Information: General Rules, 45 C.F.R. 164.502 HIPAA Standards

Laidlaw Inc. HIPAA Privacy Standards Assessment ......Assessment Questionnaire A. Uses and Disclosures of Protected Health Information: General Rules, 45 C.F.R. 164.502 HIPAA Standards