Presenter Introduction - IPHA HIPAA Webinar 1 … · How...does HIPAA affect you and your job? ......


1/19/2016

1

Impact of HIPAA on Public Health…Now.

Shefali Mookencherry, MPH, MSMIS, RHIA, CHPS, HCISPP

Presenter

January 15, 2016

Session 1 of 2

Presenter Introduction

Shefali Mookencherry, MPH, MSMIS, RHIA, CHPS, HCISPP

Shefali Mookencherry has extensive experience in the HIPAA, healthcare IT/finance, Meaningful Use, and revenue cycle areas, including 20+ years in the healthcare industry, with nine spent in senior management positions.

She has conducted HIPAA education, training, and compliance assessments/analyses for various clients, from small physician practices and IT vendors to larger integrated delivery networks and academic institutions.

Shefali is certified in national and international privacy and security regulations. She also teaches graduate students at a local university about HIPAA, health insurance exchanges, revenue cycle, healthcare reform, and IT security.

2

Assumptions

Certain information in this presentation comes from a variety of sources such as:

CMS (their website cms.gov)

Office of Civil Rights (hhs.gov/ocr)

Illinois General Assembly (Public Acts/legislation)

Illinois Department of Healthcare and Family Services (HFS)

Industry blogs, journals, etc.

Disclaimer: The materials for this presentation are for informational purposes only. Information on this topic does not constitute legal or business advice. Information in this presentation is provided without warranty of any kind, either expressed or implied, including but not limited to, the implied warranties of fitness for a particular purpose.

3

Objectives for Today’s Webinar

Develop an understanding of HIPAA as a Federal Law…Now

Understand HIPAA’s Impact on Public Health

Uses and disclosures for Public Health

Accounting for Public Health

Notice of Privacy Practices

Minimum Necessary

The Privacy Rule and Public Health Research

HIPAA’s effect on Public Health reporting

De-identification methods

Business Associates/Trading Partners

4

Objectives for January 22, 2016 Webinar Session

Review HIPAA compliance within various scenarios

Public Health activities vs. other Federal regulations (e.g., HIV reporting)

Know how to protect PHI/ePHI with compliance activities

HIPAA compliance assessments

HIPAA IT Security Risk Analysis

HIPAA education

HIPAA enforcement

Understand your role in protecting privacy and the consequences for violations

5

Perspectives discussed in Webinar may include:

As a public health authority

Agency

Health department

Local

State

Federal

As Covered Entity (CE)

As health care provider

6


HIPAA as a Federal Law…Now

HIPAA as a Federal Law…Now

HIPAA

What…is HIPAA?

Who...has to follow the HIPAA law and the HITECH Act? What is the relationship with the HITECH Act?

When…do we start?

How...does HIPAA affect you and your job?

Why…is HIPAA important?

Where…can you get help with HIPAA?

Uses and Disclosures

Privacy Rule

Security Rule

Omnibus and Breach Notification Rules

8

What is HIPAA?

Health

Insurance

Portability

Accountability

Act

9

What is HIPAA?

Federal law passed by Congress in 1996 that aims to:

Protect the privacy of a patient’s personal and health information

Provide for electronic and physical security of personal and health information

Simplify billing and other transactions

Regulations administered by the Dept of Health and Human Services

Guidelines implemented in April 2003

10

HIPAA Addresses…

“Information Security” means to ensure the confidentiality, integrity, and availability of information through safeguards.

“Confidentiality” – that information will not be disclosed to unauthorized individuals or processes.

“Integrity” – the condition of data or information that has not been altered or destroyed in an unauthorized manner. Data from one system is consistently and accurately transferred to other systems.

“Availability” – the property that data or information is accessible and useable upon demand by an authorized person.

11

Changes Brought About by HIPAA

Covered Entities are required to provide a Notice of Privacy Practices (NPP) to all patients that describes their rights over their PHI or ePHI.

Patients will sign an acknowledgement form stating that they received a copy of the Privacy Notice.

Covered Entities are required to make a “good faith effort” to obtain this acknowledgement (verbal acknowledgement is not enough, must be in writing).

12


HIPAA Sets Formal Process

For patients to:

Request copies of their medical record

Obtain a list of who has accessed their information

Make amendments to their medical records

Complain to our HIPAA liaison or privacy officer about our privacy practices

13

ARRA Expands HIPAA

New privacy and security requirements imposed upon:

Covered Entities

Personal health record (PHR) vendors and various other PHR-related entities

Expands HIPAA Privacy and Security requirements:

Enhances the HIPAA penalty provisions

Provides for HIPAA enforcement by state attorneys general

14

Major HITECH Provisions

Establishes an Office of the National Coordinator for Health Information Technology (ONC)

Establishes HIT Policy and Standards Committees

Requires HHS to develop initial HIT standards by 2010

Establishes incentives for the broad adoption of electronic health records

Improves and expands federal privacy and security protections for health information (HIPAA)

15

Major HITECH Provisions- Continued

HIPAA privacy and security regulations expanded and applied directly to business associates

Defines breach of unsecured PHI and notification requirements

Modifies patient rights for requests for restrictions, access to medical records, and accounting of disclosures

Updates rules around marketing and the use of PHI

Increases civil monetary penalties for HIPAA violations

16

HIPAA: Health Insurance Portability and Accountability Act of 1996

Title I: Insurance Portability

Title II: Administrative Simplification; Fraud and Abuse; Medical Liability Reform

Title III: Tax Related Health Provision

Title IV: Group Health Plan Requirements

Title V: Revenue Off-sets

HIPAA Administrative Simplification Provisions (Title II): Transactions, Code Sets, Identifiers, Security, Privacy, EDI

17

Purpose – TITLE II Administrative Simplification

To increase and improve the efficiency and effectiveness of the entire health care system through:

The electronic exchange of information

The standardization of that information

To enhance the security and privacy of Protected Health Information (PHI) throughout the entire health system

18


Administrative Simplification

Standardizes the exchange of electronic health information transactions (administrative and financial):

• Health plan enrollment (or disenrollment)

• Health plan eligibility determinations

• Health plan premium payments

• Referral certification, authorization

• Claim submissions (encounter info)

• Health plan benefit coordination

• Claim status inquiries

• Payment and remittance advices

19

Administrative Requirements

Designate a privacy officer with primary responsibility for ensuring compliance with the regulations

Establish training programs for all members of the workforce

Implement appropriate policies & procedures to prevent intentional and accidental disclosures of PHI

20

Administrative Requirements

Establish a system for receiving and responding to complaints regarding the Covered Entity’s privacy practices

Implement appropriate sanctions for violations of the privacy guidelines

Make reasonable efforts to limit information to minimum necessary to accomplish a person’s purpose/job

21

Who Oversees HIPAA? The Department of Health & Human Services

The Centers for Medicare and Medicaid Services oversees:

Transactions and Code Sets

Standard Unique Identifiers

Security

Contact info: http://www.cms.hhs.gov/hipaa/hipaa2/, [email protected], 1-866-282-0659

The Office for Civil Rights oversees:

Privacy

Security (jointly with CMS)

Contact info: http://www.hhs.gov/ocr/hipaa/, [email protected], 1-866-627-7748

22

Who Is Covered?

Covered Entities include:

Most health plans

Most healthcare providers

All healthcare clearinghouses

23

Who Must Comply? (“Covered Entities” and “Covered Functions”)

Individual or group health plans (or programs) that provide health benefits directly, through insurance, or otherwise

Health care providers (or suppliers) of medical or other health services or supplies (that also conduct certain health care transactions electronically)

Health information clearinghouses that process or facilitate the processing of electronic health information into a standard format

24


Who Else Must Comply?

Hybrid entities whose business activities include both covered and non-covered functions

Must identify health care components: the health care component of an entity is the part that performs functions covered by HIPAA, that is, the part that uses or discloses PHI (e.g., individual departments/units, subsidiaries, companies within corporations).

Illinois public health departments are considered hybrid entities depending on the services provided

Business associates that perform certain functions or activities on behalf of a covered entity

Information trading partners that rely on protected health information for purposes not directly related to the business activities of covered entities

25

Business Associates

An individual or organization that performs, or assists in the performance of, a function or activity on behalf of the covered entity, involving the use or disclosure of PHI

Example – A billing service that processes claims for a provider is a business associate

26

Business Associates Examples

A third party administrator that assists a health plan with claims processing.

A CPA firm whose accounting services to a health care provider involve access to protected health information.

An attorney whose legal services to a health plan involve access to protected health information.

A consultant that performs utilization reviews for a hospital.

A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.

An independent medical transcriptionist that provides transcription services to a physician.

A pharmacy benefits manager that manages a health plan’s pharmacist network.

27

Business Associate Agreements

A written contract between a covered entity and a business associate must:

(1) establish the permitted and required uses and disclosures of protected health information by the business associate

(2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law

(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information

28

Business Associate Agreements

(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information

(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings

29

Business Associate Agreements

(6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation

(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule

30


Business Associate Agreements

(8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity

(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information

31

Business Associate Agreements

(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.

Contracts between business associates and business associates that are subcontractors are subject to these same requirements.

32

Trading Partners

An organization with whom a covered entity exchanges information electronically using a named transaction standard

Example – A provider and a clearinghouse can be trading partners

33

Trading Partner Examples

Other third parties used, and for each:

which transactions are exchanged;

whether direct data entry is supported;

whether disks or other media, dial-up connectivity, or other electronic connectivity is supported;

whether any additional, non-standard communication methods are supported; and

any restrictions or required formats, etc.

34

Who has to comply with HIPAA, Now?

EVERYONE (ARRA HITECH)

Covered Entities

Business Associates

Trading Partners

Subcontractors

Local Public Health Dept.

Federal & State Public Health Depts.

Private and Public

35

HIPAA Privacy Rule


Privacy

Privacy Rule

PHI/IIHI/Authorizations

Permitted Uses and Disclosures

Mandated Uses and Disclosures

TPO

NPP

Minimum Necessary

Patient Rights

Administrative Requirements

37

The Hippocratic Oath (Classical Version)

“What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.”

-Hippocrates, approx. 5th Cent. B.C.

38

Physician-Patient Privilege Codified in 735 ILCS 5/8-802

No physician or surgeon shall be permitted to disclose any information he or she may have acquired in attending any patient in a professional character, necessary to enable him or her professionally to serve the patient, except...

(3) with the expressed consent of the patient, or in case of his or her death or disability, of his or her personal representative or other person authorized to sue for personal injury or of the beneficiary of an insurance policy on his or her life, health, or physical condition

39

Illinois' Medical Patient Rights Act 410 ILCS 50/1

Protects the "nature and details of services provided to patients."

Prohibits physicians/health care providers from disclosing a patient's health information without patient consent, unless otherwise authorized or required by law or an enumerated exception applies.

40

HIPAA Privacy Rule: What Does It Do?

Regulates the use or disclosure of Protected Health Information (PHI)

41

What Is PHI?

Health and demographic information about an individual that is transmitted or maintained in any medium where the information:

– Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

– Relates to the past, present, or future:

Physical or mental health condition of an individual, or

Provision of health care to an individual, or

Payment for the provision of health care to an individual

42


Protected Individual Identifiers

• Name

• Geographic subdivisions smaller than a State: street address, city, county, precinct, and zip code and their equivalent geocodes, except for the initial three digits of a zip code

• Dates, except year: birth date, admission date, discharge date, date of death

• Telephone numbers

• Fax numbers

• E-mail addresses

• Social security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web universal resource locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers, including finger and voice prints

• Full face photographic images and any comparable images

• Any other unique identifying number, characteristic, or code

43

IIHI…included under PHI

Individually Identifiable Health Information (IIHI): information related to an individual, the provision of health care to an individual, or payment for health care, and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual

44

Permitted Uses & Disclosures

HIPAA permits the use or disclosure only for the following purposes:

– Treatment

– Payment

– Health Care Operations

(These are referred to as “TPO”) (Under ARRA, disclosures now have to be “accounted” for)

45

Obtaining Permission for Treatment

"Consent for Treatment"

Obtaining informed consent to treat a patient is an entirely different legal obligation from obtaining “consent for TPO,” which is not a legal obligation.

“Consent for Treatment” means that the client is giving permission to the health care provider to provide medical care and treatment to the client.

Obtaining “consent for TPO,” which is no longer recommended, means the client is giving the covered entity permission to use and disclose their PHI for treatment and payment activities as well as health care operations.

Health departments still need informed consent to treat a patient.

46

Health Care Operations

Any of the following activities of a Covered Entity:

Quality assessment and improvement and population-based activities

Peer review and credentialing activities

Underwriting, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance

Medical review, legal services, and auditing

Business planning and development

Business management and general administrative activities

47

Understand HIPAA’s Impact on Public Health


Public Health Authorities Performing Covered Functions

Are subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions would be defined under the Privacy Rule as a covered health-care provider and therefore a covered entity.

49

Public Health Authorities Performing Covered Functions

A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities.

50

Mandated Uses & Disclosures

HIPAA mandates the disclosure of PHI for certain purposes such as:

Health oversight activities (such as public health departments)

Judicial and administrative proceedings

Law enforcement purposes

Organ donation

All other uses or disclosures require an authorization

51

Public Health Uses & Disclosures

The Privacy Rule permits covered entities to disclose protected health information, without authorization, to legally authorized public health authorities for the purpose of preventing or controlling disease, injury, or disability.

For example, the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. See 45 CFR 164.512(b)(1)(i).

52

Public Health Uses & Disclosures

Covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority. See 45 CFR 164.512(b)(1)(i).

Covered entities who are also a public health authority may use, as well as disclose, protected health information for these public health purposes. See 45 CFR 164.512(b)(2).

53

Public Health Uses & Disclosures

A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 CFR 164.501.

Examples of a public health authority include State and local health departments, the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention, and the Occupational Safety and Health Administration (OSHA).

54


Public Health Uses & Disclosures

The Privacy Rule permits covered entities to disclose protected health information, without authorization, to such persons or entities for the public health activities discussed below:

To report known or suspected child abuse or neglect

To report quality, safety, or effectiveness of an FDA-regulated product or activity for which that person has responsibility, including:

Collecting or reporting adverse events (including similar reports regarding food and dietary supplements), product defects or problems (including problems regarding use or labeling), or biological product deviations;

Enabling product recalls, repairs, replacement or look back (which includes locating and notifying individuals who received recalled or withdrawn products or products that are the subject of look back)

55

Public Health Uses & Disclosures

A covered entity may disclose protected health information to a person who is at risk of contracting or spreading a disease or condition if other law authorizes the covered entity to notify such individuals as necessary to carry out public health interventions or investigations.

For example, a covered health care provider may disclose protected health information as needed to notify a person that (s)he has been exposed to a communicable disease if the covered entity is legally authorized to do so to prevent or control the spread of the disease.

See 45 CFR 164.512(b)(1)(iv).

56

Public Health Uses & Disclosures

A covered health care provider who provides a health care service to an individual at the request of the individual’s employer, or provides the service in the capacity of a member of the employer’s workforce:

May disclose the individual’s PHI to the employer for the purposes of workplace medical surveillance

May disclose evaluations of work-related illness and injuries to the extent the employer needs that information to comply with OSHA or Mine Safety and Health Administration (MSHA) requirements.

The information disclosed must be limited to the provider’s findings regarding such medical surveillance or work-related illness or injury. See 45 CFR 164.512(b)(1)(v).

57

Receipt of PHI for Public Health

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

if the request is in writing, the request is on the appropriate government letterhead;

if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

58

Authorizations

Authorizations must be obtained for ALL uses and disclosures other than TPO or those mandated under law

Authorizations must include:

A description of the information to be disclosed

The name of the person or entities to whom the information will be disclosed

An expiration date

Information regarding right to revoke

Date and signature

59

Notice Of Privacy Practices (NPP)

Privacy Notices Must:

Be in plain language

Contain a description and example of TPO

Contain a description and example of other uses and disclosures not requiring Authorization

Include statements about an individual’s rights

Include statements about the Covered Entity’s duties

Describe the complaint process

Provide other specific requirements

60


Minimum Necessary

A requirement that only “minimum necessary disclosures” may be made to accomplish the intended purpose of the use, disclosure, or request for PHI.

61

Minimum Necessary Establishes

Internal Requirements:

Identify workforce who need to access PHI

For each class, category or person identified, limit access based on need-to-know

External Requirements:

Limit access to what is needed to accomplish the purpose for which the request was made

Each request that is non-routine should be reviewed to determine whether it is reasonably necessary

62

When can I…

Look at a person’s PHI only if you need it to do your job

Use a person’s PHI only if you need it to do your job

Give a person’s PHI to others when it is necessary for them to do their jobs

Talk to others about a person’s PHI only if it is necessary to do your job

63

When do I “need to know”?

“Need to Know” is when you need information to:

Document the patient’s treatment

Facilitate communication between physicians and other professionals contributing to the patient’s care

Provide continuity of patient care

Provide a basis for review, study, and evaluation of patient care processes

Provide clinical data for approved research, study, and education; and for legitimate business purposes

64

What are legitimate business purposes?

Legitimate business purposes include provision of:

Statistical data for decision making and planning

Data to third parties as specified by law (e.g. communicable diseases, coroner’s cases, burns, cancer registry reporting, etc.)

Documentation for billing and insurance claims processing

Appropriate access to medical records and data as required for licensing and accreditation purposes

65

Confidential Information

What patient information does HIPAA require me to keep confidential?

Demographic information

Examples: Name, social security number, date of birth, address, etc.

Information about injury, illness or condition – including symptoms, diagnosis or treatment

Conversations between the patient and health care workers

66


The Privacy Rule and Public Health Research

The definition of research:

Systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge.

Public health activities (e.g., public health surveillance, and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research.

However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

67

The Privacy Rule and Public Health Research

When authorization is necessary:

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness).

There may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes).

In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

68

Patient Rights

Patients have the right to:

Request to be contacted at an alternate location

Request restrictions on uses & disclosures

Access, inspect & copy their PHI

Request amendment or correction of their PHI

Receive NPP and an accounting of disclosures of their PHI (except those related to treatment, payment, & operations)

Right to file a complaint

69

De-identification Methods

De-identified data (e.g., aggregate statistical data or data stripped of individual identifiers) require no individual privacy protections and are not covered by the Privacy Rule. De-identification can be conducted through:

Statistical de-identification: a properly qualified statistician using accepted analytic techniques concludes that the risk is substantially limited that the information might be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)]; or the

Safe-harbor method: a covered entity or its business associate de-identifies information by removing the 18 identifiers, and the covered entity does not have actual knowledge that the remaining information can be used alone or in combination with other data to identify the subject [45 CFR § 164.514(b)].

70

Limited Data Sets

Limited data set is not directly identifiable, but may contain more identifiers than de-identified data that has been stripped of the 18 identifiers [45 CFR § 164.514].

A data-use agreement (DUA) must establish:

Who is permitted to use or receive the limited data set

Provide that the recipient will not use or disclose the information other than as permitted by the agreement or as otherwise required by law;

Use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement;

Report to the covered entity any use or disclosure of the information, in violation of the agreement, of which it becomes aware;

Ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information

Not attempt to re-identify the information or contact the individual.

71
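The Safe Harbor method from slide 70 and the limited data set from slide 71, as an added Python example that is not code from the webinar or from HHS: one routine strips the 16 direct identifiers in both modes, and in Safe Harbor mode also reduces dates to years, collapses ages of 90 and over, drops city and generalizes ZIP codes. The field names, the sample record, the reference date and the small-population ZIP set are assumptions made for illustration; expert/statistical determination is not implemented.

```python
"""Added example, not code from the webinar or HHS: one de-identification
routine with two modes, Safe Harbor (slide 70) and limited data set (slide 71),
run over a CONSTRUCTED record. Field names, the record, AS_OF and SMALL_ZIP3
are invented for illustration."""
import re
from datetime import date

# The 16 direct identifiers that both Safe Harbor and a limited data set drop.
DIRECT_IDENTIFIERS = {"name", "street_address", "phone", "fax", "email", "ssn",
                      "mrn", "health_plan_id", "account_number", "license_number",
                      "vehicle_id", "device_serial", "url", "ip_address",
                      "biometric", "photo"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
TEXT_FIELDS = {"notes"}             # free text that may embed identifiers
SMALL_ZIP3 = {"036", "059", "102"}  # constructed stand-in for ZIP3 areas < 20,000 people
AGE_CAP = 90                        # Safe Harbor: ages 90 and over collapse to "90+"
AS_OF = date(2016, 1, 15)           # reference date for computing age (constructed)
PII_PATTERNS = [                    # scrubbed from free text in both modes
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
]

def scrub_text(text: str) -> str:
    for pattern, tag in PII_PATTERNS:
        text = pattern.sub(tag, text)
    return text

def age_on(born: date, as_of: date) -> int:
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))

def deidentify(record: dict, mode: str, as_of: date = AS_OF) -> dict:
    """mode is "safe_harbor" or "limited_data_set"; returns a new dict."""
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode {mode!r}")
    safe_harbor = mode == "safe_harbor"
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # always removed
        if field in TEXT_FIELDS:
            out[field] = scrub_text(value)
        elif field in DATE_FIELDS:
            out[field] = value.year if safe_harbor else value  # year only under Safe Harbor
        elif field == "zip" and safe_harbor:
            zip3 = re.sub(r"\D", "", value)[:3]        # first three digits only
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
        elif field == "city" and safe_harbor:
            continue                                   # subdivision smaller than a state
        else:
            out[field] = value                         # state, zip (LDS), clinical fields
    if safe_harbor and "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        if age >= AGE_CAP:
            out["age"] = "90+"
            out.pop("birth_date", None)                # a birth year would reveal age > 89
        else:
            out["age"] = age
    return out

# Constructed sample record; every value is invented.
SAMPLE = {"name": "Jane Example", "ssn": "123-45-6789", "mrn": "MRN-0001",
          "street_address": "12 Elm St", "city": "Springfield", "state": "IL",
          "zip": "03601", "birth_date": date(1920, 1, 1), "diagnosis": "J18.9",
          "admission_date": date(2015, 12, 1), "notes": "Sister at 217-555-0100 or jane@example.org"}
```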

Accounting For Disclosures

"Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information."

A covered entity is generally required to account for PHI research disclosures made after the compliance date without Authorization.

This includes disclosures of PHI for:

Reviews preparatory to research.

Research using decedents’ PHI.

Research under a waiver of Authorization (including waivers that meet the transition provision requirements).

Disclosures for public health activities.

Most disclosures mandated by law.

72


Types Of Accounting

General

Description of PHI, date, recipient, recipient address if known, purpose.

Multiple disclosures to same person for same purpose

Description of PHI, date of first disclosure; recipient; recipient address if known; purpose; frequency, periodicity or no. of disclosures, date of last disclosure.

For disclosures of PHI of 50 or more individuals for a particular research purpose

Name of protocol, description of protocol or research activity and PHI disclosed, date or period of time during which disclosure occurred or may have occurred and last date of disclosure, name, address, and phone no. of sponsor and recipient (and a requirement to assist in contacting the sponsor/researcher), statement that the PHI may or may not have been disclosed for a particular protocol or research activity.

73

Accounting - When Not Needed

Accounting is NOT needed for disclosures of PHI:

Pursuant to an Authorization.

In Limited Data Sets with a Data Use Agreement.

To the individual.

Made before April 14, 2003.

Which have been de-identified. (Safe Harbor vs. Experimental)

74
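The accounting rules on slides 72 to 74, as an added Python example that is not the webinar's own material: it filters a constructed disclosure log by the exemptions listed above (authorization, TPO, to the individual, limited data set under a DUA, de-identified, pre-April 14, 2003) and emits general, multiple-disclosure and 50-or-more-individual research entries for one patient. Every field name and log row is invented for illustration.

```python
"""Added example, not code from the webinar: derive one individual's accounting
of disclosures (slides 72-74) from a CONSTRUCTED disclosure log. Field names and
every log row are invented; exemptions and the three entry shapes (general,
multiple to the same recipient, 50+ research) follow the slides."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

COMPLIANCE_DATE = date(2003, 4, 14)
EXEMPT_BASES = {"authorization", "tpo", "to_individual",
                "limited_data_set_dua", "deidentified"}  # slide 74: no accounting needed
RESEARCH_THRESHOLD = 50  # 50+ individuals under one protocol => protocol-level entry

@dataclass(frozen=True)
class Disclosure:
    individual: str     # internal patient id
    on: date
    recipient: str
    address: str
    purpose: str
    phi: str            # short description of what was disclosed
    basis: str          # legal basis, e.g. "public_health", "required_by_law"
    protocol: str = ""  # research protocol name, if any

def accountable(d: Disclosure) -> bool:
    return d.basis not in EXEMPT_BASES and d.on >= COMPLIANCE_DATE

def build_accounting(log, individual):
    per_protocol = defaultdict(set)   # individuals per protocol, across the whole log
    mine = defaultdict(list)          # this individual's disclosures by recipient/purpose
    for d in log:
        if not accountable(d):
            continue
        if d.protocol:
            per_protocol[d.protocol].add(d.individual)
        if d.individual == individual:
            mine[(d.recipient, d.purpose, d.protocol)].append(d)
    entries = []
    for (recipient, purpose, protocol), ds in mine.items():
        ds.sort(key=lambda d: d.on)
        entry = {"recipient": recipient, "address": ds[0].address,
                 "purpose": purpose, "phi": ds[0].phi}
        if protocol and len(per_protocol[protocol]) >= RESEARCH_THRESHOLD:
            entry.update(kind="research_50plus", protocol=protocol, period=(ds[0].on, ds[-1].on),
                         note="PHI may or may not have been disclosed for this protocol")
        elif len(ds) > 1:  # repeated disclosures to one recipient for one purpose
            entry.update(kind="multiple", first=ds[0].on, last=ds[-1].on, count=len(ds))
        else:
            entry.update(kind="general", date=ds[0].on)
        entries.append(entry)
    return sorted(entries, key=lambda e: e["recipient"])

def _row(pid, on, recipient, purpose, basis, protocol=""):
    return Disclosure(pid, on, recipient, "1 Main St", purpose, "lab report", basis, protocol)

# Constructed log: quarterly public-health reports, a payment disclosure, a
# pre-compliance-date disclosure, and a research study covering 60 individuals.
LOG = [_row("P1", date(2015, m, 2), "County Health Dept", "disease reporting", "public_health")
       for m in (3, 6, 9)]
LOG += [_row("P1", date(2015, 4, 10), "Acme Health Plan", "payment", "tpo"),
        _row("P1", date(2002, 1, 5), "State Registry", "required by law", "required_by_law")]
LOG += [_row(f"P{i}", date(2015, 7, 1), "Univ. Research Team", "research", "research_waiver",
             "STUDY-42") for i in range(1, 61)]
```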

Documenting Disclosures

When information is disclosed with the client’s consent (via a HIPAA-compliant authorization):

Put a copy of the signed authorization in the client’s record.

HIPAA requires that the client be given a copy of the signed authorization.

Make a note in the record when the information is actually released.

75

Documenting Disclosures

When information is disclosed without permission when meeting a legal requirement to disclose, documentation in the client’s record should include:

the date and the fact of its disclosure,

to whom it was disclosed

why it was disclosed

the name of the staff member who disclosed the information

the signature/initials of the staff member recording the documentation in the record

Disclosures made without client authorization are required to be included in the Accounting of Disclosures.

76

Privacy Violations Associated With…

Access

Authorizations

Business Associates

Conditioning Compliance with the Privacy Rule

Confidential Communications

Disclosures to Avert a Serious Threat to Health or Safety

Impermissible Uses and Disclosures

Minimum Necessary

Notice

Safeguards

Note: You could have a combination of these for one complaint as appropriate.

77

Key Components of Compliance with Privacy Rule

Policies and procedures

Privacy Officer

Training Program

Complaint Process

Internal compliance audit program

Sanctions

Incident response and corrective action procedures

78


Relationship of Privacy and Security

Both rules are closely linked

Privacy is the “Who, What, and When” and Security is the “How”

Definitions and many administrative requirements now aligned with the Privacy regulations

Privacy covers PHI on paper and in electronic form, while Security covers only electronic PHI

Security enables Privacy by requiring safeguards so that only those authorized to access data are able to do so.

Covered entities are required to detail in business associate agreements or other contracts how they and their business partners will protect the integrity, confidentiality, and availability of the data exchanged. Such contracts must be entered into with business associates.

79

HIPAA Security Rule

Security Purpose and scope

Major concepts

Required vs. Addressable specifications

Administrative, technical, and physical safeguards

Relationship to Privacy Requirements

Provider Implementation

81

Purpose of the Security Rule

Ensure integrity, confidentiality, and availability of electronic Protected Health Information (ePHI)

Protect against reasonably anticipated threats and improper use or disclosure

82

So, what is “ePHI”?

ePHI (electronic Protected Health Information) is computer-based patient health information that is used, created, stored, received or transmitted by the covered entity using any type of electronic information resource.

Examples include information in an electronic medical record, patient billing information transmitted to a payer, digital images and printouts, and information being sent by the covered entity to another provider, a payer or a researcher.

83

HIPAA Security Rule Sections 45 CFR…

#164.308 – Administrative Safeguards

Risk Assessment & Risk Management Plan; workforce training; BAAs; evaluation

#164.310 – Physical Safeguards

Facility access; workstation use/security; device / media controls

#164.312 – Technical Safeguards

Access, audit, authentication controls, transmission security

#164.314 – Organizational Requirements

#164.316 – Policies & Documentation Requirements

84


What’s in the Security Rule …..

Title I

Technical Safeguards

Physical Safeguards

Administrative Safeguards

85

Administrative Safeguards

Security Management

Risk Analysis

Risk Management

Sanction Policy

Information System Activity Review

86

Administrative Safeguards (cont)

Assigned Security Responsibility

Workforce Security

Information Access Management

87

Administrative Safeguards (cont)

Security Awareness Training

Incident Reporting

Contingency Planning

Technical Evaluation

Business Associate Contracts

88

Physical Safeguards

Facility Access Controls

Limit physical access

Safeguard facility and equipment

Access control and validation

Maintenance Records

89

Physical Safeguards (cont)

Workstation Use

Workstation Security

Device and Media Controls

Disposal

Media Re-use

Accountability

Data Backup and storage

90


Technical Safeguards

Access Control

Unique User ID

Emergency Access

Encryption and Decryption

Audit Control

91

Technical Safeguards

Integrity Controls

Person or Entity Authentication

Transmission Security

92

What are the Consequences for Security Violations?

Risk to integrity of confidential information, e.g., data corruption, destruction, unavailability of patient information in an emergency

Risk to security of personal information, e.g., identity theft

Loss of valuable business information

Loss of confidentiality, integrity & availability of data (and time) due to poor or untested disaster data recovery plan

Embarrassment, bad publicity, media coverage, news reports

Loss of patients’ trust, employee trust and public trust

Internal disciplinary action(s), termination of employment

Penalties, prosecution and potential for sanctions/lawsuits

93

Federal Trade Commission (FTC) Role

Breach Notification Rule:

Part of ARRA:

Requires covered entities/business associates that suffer a breach to:

Notify everyone whose information was breached

In some cases, notify the media

Notify the FTC

94

HIPAA Omnibus Rule 2014

“This final Omnibus Rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”

“These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

95

Who?

The Omnibus Rules apply to:

Covered Entities (providers, hospitals, health plans)

Business Associates

Subcontractors to Business Associates that handle PHI on behalf of Business Associates

96


Who: Business Associates

The HIPAA Rules define “business associate” to mean a person who performs functions or activities on behalf of, or certain services for, a CE that involve the use or disclosure of PHI.

Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.

Access means the ability or means necessary to read, write, modify or communicate data/information or otherwise use any system resource.

97

Who: Business Associates

The Omnibus Rule expressly lists as BAs:

Health Information Organizations, e-Prescribing Gateways, or other persons that provide data transmission services of PHI to a CE and that require routine access to PHI

Persons who offer a personal health record (PHR) on behalf of a CE

Patient Safety Organizations (PSOs)

98

Who: Business Associates

A person becomes a BA by definition, not by the act of contracting with a CE or otherwise.

Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits PHI on behalf of a CE or BA and otherwise meets the definition of a BA.

99

Who: Business Associates

BAs must comply with the technical, administrative, and physical safeguard requirements, as well as the policies and procedures and documentation requirements, for ePHI under the HIPAA Security Rule.

Direct liability for BAs under HIPAA would attach regardless of whether a BA, contractor and/or subcontractors have entered into the required business associate agreements.

100

Who: Subcontractors

A subcontractor is a person who acts on behalf of a BA, other than as a member of the workforce of the BA.

A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a BA, including with respect to PHR functions, is a HIPAA BA.

A subcontractor is also a person to whom a BA has delegated a function, activity, or service the BA has agreed to perform for a CE or BA.

101

Who: Subcontractors

The term “subcontractor” applies to an agent or other person who acts on behalf of the BA, even if the BA has failed to enter into a BAA with the person.

CEs must ensure that they obtain satisfactory assurances from their BAs, and BAs must do the same with regard to subcontractors, and so on, no matter how far “down the chain” the information flows.

102


What: Breach Notification

An impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.

Unless the PHI was unreadable or undecipherable, the risk assessment must justify not disclosing a breach.

Previously, CEs and BAs were required to perform a risk assessment to determine if there was a significant risk of harm to the individual as a result of the impermissible use or disclosure. This was known as the risk of harm standard.

103

What: Breach Notification

The risk of harm standard was removed and the risk assessment modified to focus more objectively on the risk that PHI has been compromised.

The risk of harm standard may have been interpreted as setting a higher threshold for breach notification than was intended.

Breach notification is necessary in all situations except those in which the CE or BA demonstrates that there is a low probability that the PHI has been compromised.

104

What: Breach Notification

CEs and BAs must assess the probability that the PHI has been compromised based on a risk assessment that considers at least the following factors: the nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification; the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.

105

What: Breach Notification

Omnibus Rule breach example:

If a CE misdirects a fax containing PHI to the wrong physician practice, and upon receipt, the receiving physician calls the CE to say he has received the fax in error and has destroyed it, the CE may be able to demonstrate, after performing a risk assessment, that there is a low risk that the PHI has been compromised.

106

What: Restriction of PHI Disclosure

Old Rule:

Individuals could request a CE to restrict uses or disclosures of their PHI.

But CEs were not required to agree to such restrictions. If the CE did agree, however, then it was required to abide by the restriction.

New Rule:

Individuals can request a restriction on disclosure of PHI to a health plan and the CE must agree if the restriction applies to PHI that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full (unless such disclosure is otherwise required by law).

107

What: Restriction of PHI Disclosure

CEs do not need to create separate medical records or otherwise segregate PHI subject to a restricted health care item or service.

CEs will, however, need to flag or make a notation in the record with respect to the PHI that has been restricted to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan.

CEs should already have in place minimum necessary policies and procedures, which require limiting the PHI disclosed to a health plan to the amount reasonably necessary to achieve the purpose of the disclosure.

108


What: Marketing

Authorization is required for communications about health-related products and services to individuals for which the CE receives financial remuneration from a third party.

Exceptions:

Refill reminders

Information concerning a currently prescribed drug

Face-to-face communications

109

What: Sale of PHI

An authorization is required if PHI is disclosed in exchange for remuneration.

Includes direct and indirect remuneration

Not limited to financial remuneration

If an authorization is obtained, it must state that disclosure will result in remuneration.

Exceptions

Corporate transactions (due diligence)

Treatment and Payment

Required by law

Public health

110

What: Fundraising

Additional PHI data may be used for fundraising purposes:

Department of service

Treating physician

Outcome

Health insurance status

Treatment cannot be conditioned on not opting-out and opt-out provisions must be clear and conspicuous.

111

What: GINA and Decedents

Genetic Information Non-discrimination Act

Genetic information is PHI

Genetic discrimination for health insurance and employment purposes is prohibited.

Applicable mainly to health plans

Decedents

A CE must comply with the requirements of the Privacy Rule with regard to the PHI of a deceased individual for a period of 50 years following the date of death.

112

What: GINA and Decedents (410 ILCS 513/5)

Sec. 5. Legislative findings; intent. The General Assembly finds that:

(3) The public health will be served by facilitating voluntary and confidential nondiscriminatory use of genetic testing information.

(4) The use of electronic health record systems and the exchange of patient records, both paper and electronic, through secure means, including through secure health information exchanges, should be encouraged to improve patient health care and care coordination, facilitate public health reporting, and control health care costs, among other purposes.

(5) Limiting the use or disclosure of, and requests the disclosure of genetic information, when allowed by this Act, shall be performed in accordance with the minimum necessary standard when required under HIPAA.

(Source: P.A. 98-1046, eff. 1-1-15.)

113

What: Electronic Copy Requests

If individual requests an electronic copy of PHI, the CE must provide in the form requested, if readily producible, otherwise in readable format agreed to by CE and individual.

If individual will not agree to a format, CE must provide on paper.

CE may only charge for labor for copying and cost of media (CD, USB, etc.).

CE has 30 days (with one 30-day extension) to provide access.

114


What: Enforcement

OCR will investigate any complaint in which a preliminary review indicates a possible violation due to willful neglect.

Willful neglect means “conscious, intentional failure or reckless indifference.”

Previously, OCR was required to attempt to resolve possible HIPAA violations informally.

Now, informal attempts at resolution are discretionary (except in case of willful neglect which requires an investigation).

115

What: Enforcement

A CE or BA may be liable for multiple violations of multiple requirements, and a violation of each requirement may be counted separately.

A CE or BA may be subject to multiple violations, each with its own cap of up to $1.5 million, so the total penalty can exceed $1.5 million.

Violation                        Penalty              Max per Calendar Year

Did Not Know                     $100 - $50,000       $1,500,000

Reasonable Cause                 $1,000 - $50,000     $1,500,000

Willful Neglect (Corrected)      $10,000 - $50,000    $1,500,000

Willful Neglect (Not Corrected)  $50,000              $1,500,000

116

IL Dept. of Healthcare and Family Services (HFS) Privacy Forms

HIPAA Privacy Forms

HFS 3806 Notice of Privacy Practice (pdf)

HFS 3806S Notice of Privacy Practice (pdf) (Spanish)

HFS 3806D Authorization to Disclose Health Information (pdf)

HFS 3806DS Authorization to Disclose Health Information (pdf) (Spanish)

HFS 3806E Complaint about Health Information Uses and Disclosures (pdf)

HFS 3806ES Complaint about Health Information Uses and Disclosures (pdf) (Spanish)

HFS 3806F Personal Representative Designation (pdf)

HFS 3806FS Personal Representative Designation (pdf) (Spanish)

HFS 3806G Request for an Accounting of Disclosures of Health Information (pdf)

HFS 3806GS Request for an Accounting of Disclosures of Health Information (pdf) (Spanish)

HFS 3806H Request to Amend Health Information (pdf)

HFS 3806HS Request to Amend Health Information (pdf) (Spanish)

HFS 3806I Request to Contact Client at a Different Address (pdf)

HFS 3806IS Request to Contact Client at a Different Address (pdf) (Spanish)

HFS 3806J Request to Restrict Uses and Disclosures of Health Information (pdf)

HFS 3806JS Request to Restrict Uses and Disclosures of Health Information (pdf) (Spanish)

HFS 3806K Authorization to Disclose All Kids/FamilyCare Information (pdf)

HFS 3806KS Authorization to Disclose All Kids/FamilyCare Information (pdf) (Spanish)

HFS 3806L Request for Access to Health Information (pdf)

HFS 3806LS Request for Access to Health Information (pdf) (Spanish)

117