T.A.S. Communications, Inc.

HIPAA – Privacy & Security (Part 1 & Part 2)

HITECH (Part 3)

Revised 03/16/2010

2 parts of HIPAA covered in this presentation:

• HIPAA Privacy – Protection for the privacy of Protected Health Information (PHI) effective April 14, 2003 (including Standardization of electronic data interchange in health care transactions, effective October 2003)

• HIPAA Security – Protection for the security of electronic Protected Health Information (e-PHI) effective April 20, 2005

What is the difference between Privacy and Security?

• The Privacy Rule sets the standards for how covered entities and business associates are to maintain the privacy of Protected Health Information (PHI)

• The Security Rule defines the standards which require covered entities to implement basic safeguards to protect electronic Protected Health Information (e-PHI)

Part 1:

HIPAA Privacy Training

Revised 03/16/2010

The Health Insurance Portability and Accountability Act (HIPAA) requires that T.A.S. Communications, Inc. (as a business associate (BA)), train all workforce members on the HIPAA policies and…

…those specific HIPAA-required Procedures that may affect the work you do for the call center.

The HIPAA Training Program will help you to understand:

• What is HIPAA?• Who has to follow the HIPAA law?• When is the HIPAA implementation

date?• How does HIPAA affect you and your

job?• Why is HIPAA important?• Where can you get answers to your

questions about HIPAA?

What is HIPAA?

• HIPAA is the Health Insurance Portability and Accountability Act of 1996.

• HIPAA is a Federal Law.

• HIPAA is a response, by Congress, to healthcare reform.

• HIPAA affects the health care industry.

• HIPAA is mandatory.

HIPAA …

• Protects the privacy and security of a patient’s health information.

• Provides for electronic and physical security of a patient’s health information.

• Prevents health care fraud and abuse.• Simplifies billing and other transactions,

reducing health care administrative costs.

Who must follow the HIPAA Law?

At T.A.S. Communications, Inc., all employees must

follow the HIPAA Law.

A Business Associate is…• A person or entity which performs certain functions,

activities, or services for or to a covered entity involving the use and/or disclosure of PHI, but the person or entity is not a part of the covered entity or its workforce. (Examples: transcription services, temporary staffing services, off site call center, etc.)

• T.A.S. Communications, Inc. is required to have agreements with covered entities stating we will protect a patient’s PHI.

Examples of Covered Entities

• Providers • Health Plans• Clearinghouses for Electronic Billing• Business Associates (through

contracts)

Covered Transactions Consist of

• Enrollment and dis-enrollment• Premium payments • Eligibility• Referral certification and authorization• Health claims• Health care payment and remittance

advice

What Patient Information Must We Protect?• Protected Health Information (PHI)

Relates to past, present, or future physical or mental condition of an individual; provisions of healthcare to an individual; or for payment of care provided to an individual.

Is transmitted or maintained in any form (electronic, paper, or oral representation).

Identifies, or can be used to identify the individual.

Examples of PHIPHI = Health Information with Identifiers

• Name• Address (including street, city, county, zip

code, etc.)• Name of employer• Any date (birth date, date of appointment)• Telephone and Fax numbers• Electronic (email) addresses• Social Security Number

Other Examples of PHI

• Health Plan beneficiary number• Account number, billing records,

claims data, referral authorizations, EOBs

• Certificate/License number• Any Vehicle (or other device) serial

number• URL (Web universal resource locator)• Internet Address

More Examples of PHI

• Finger prints or voice prints • Photographic Images• Research records • ANY other unique identifying number,

characteristic, or code.

And More Examples of PHI…

• Medical records:Medical Record NumberX-raysLab resultsTest resultsPrescriptionsCharts

T.A.S. Communications as a Business Associate…

…may not use or disclose an individual’s protected health

information, except as otherwise permitted, or

required, by law.

But…

T.A.S. Communications MAY Use and Share a Patient’s PHI for:

Treatment of the patient, including appointment reminders

Business and management operationsDisclosures required by law

“Treatment” Includes…

• Direct patient care• Coordination of

care• Consultations• Referrals to other

health care providers

T.A.S. Communications, Inc• Must use or share only the minimum

amount of PHI necessary, except for requests madeby the patient, or as requested by the patient to

othersby the Secretary of the Department of Health &

Human Services (DHHS)as required by law

When Does T.A.S. Communications, Inc. Have to Protect PHI?

NOW!NOW!

NOW!NOW!

NOW!NOW!

Privacy Compliance went into effect on February 17th, 2010.

How does HIPAA affect MY job?

Well, if

• You currently see, use, or share a person’s PHI as a part of your job, HIPAA may change the way you do your job

As part of your job, you must protect the privacy of the patient’s PHI

When can you use PHI?

Only to do your job!

At all times, protect a patient’s information as if it were your own.

• Look at a patient’s PHI only if you need it to perform your job.

• Use a patient’s PHI only if you need it to perform your job.

• Give a patient’s PHI to others only when it’s necessary for them to perform their jobs.

• Talk to others about a patient’s PHI only if it is necessary to perform your job, and do it discreetly.

For Example…

• A man calls to confirm an appointment time for his wife. What can you do?

– You can look up her appointment time and give the information to her husband.

– You can ask your supservisor to look into her records for you.

– You can tell the man that you can only look at his wife’s medical records if she allows you to do so. Suggest that he have his wife call us to check on her appointment herself, or ask to speak with his wife for her to give authorization for him to receive the information.

Answer:

C. Under HIPAA, you are only allowed to use information required to do your job. Since the husband is not the recipient of the service, it is against the law to access the patient record or ask someone to access it on your behalf—even though you may want to be helpful. Keep in mind that people may want to keep their appointments private, even from family members.

Why is protecting privacy and security important?

• We all want our privacy protected when we are patients – it’s the right thing to do.Don’t be careless or negligent with PHI

in any form.

• HIPAA and Wisconsin law require us to protect a patient’s privacy.

What if there is a breach of confidentiality?

• Breaches of the policies and procedures or a patient’s confidentiality must be reported to a supervisor right away

• Send an email to Debbie with the following information: Date/Time of the callAccount number and nameThe name of the person whose PHI you

accidentally disclosedWhat information was disclosed and to whom.

…and if a breach is reported

• The incident will be thoroughly investigated.

• T.A.S. Communications is required to report any breach of PHI to the client affected.

Disciplinary Actions

• Internal Disciplinary Actions Individuals who breach the policies will be

subject to appropriate discipline.

• Civil PenaltiesBusiness Associates and individuals who

violate these standards will be subject to civil liability.

• An employee who does not protect a patient’s privacy could lose his or her job!

Penalties are

• $100 per violation• $25,000 for an identical violation within one

year• $50,000 for wrongful disclosure• $100,000 and/or 5 years in prison for

wrongful violation for obtaining PHI under false pretenses

• $250,000 and/or 10 years in prison if committed with intent to sell or transfer for commercial advantage, personal gain, or malicious harm, includes obtaining or disclosing.

Protecting Patient Privacy Requires Us to Secure Patient Information

Downloading/Copying/Removing

• Employees should not download, copy, or remove from the office any PHI, except when necessary to perform their job.

– For example, printing out a copy of a message ticket containing PHI to send to a client.

Public Viewing/Hearing

• PHI should not be left in areas where the information may be accessible to the public.

• Do not take papers with PHI outside of the office (for example, if you print something out and there is PHI on the reverse side, DO NOT take it with you!)

Treat a Patient’s Information as if it were your own …

T.A.S. Communications, Inc. Needs Your Help in Protecting

Patients’ Privacy.

In Review…

• T.A.S. Communications, Inc. is a Business Associate under HIPAA

• T.A.S. has specific policies relating to HIPAA

Part 2:

HIPAA Security Training

Revised 03/16/2010

So, what IS “e-PHI”?

• e-PHI (electronic Protected Health Information) is computer-based patient health information that is used, created, stored, received or transmitted by T.A.S. using any type of electronic information resource.

• Information in an electronic medical record, digital images and print outs, recordings of calls from patients, information when it is being sent by T.A.S. to a client electronically.

How do we protect e-PHI?

• Ensure the confidentiality, integrity, and availability of information through safeguards (Information Security)

• Ensure that the information will not be disclosed to unauthorized individuals or processes (Confidentiality)

• Ensure that the condition of information has not been altered or destroyed in an unauthorized manner, and data is accurately transferred from one system to another (Integrity)

• Ensure that information is accessible and useable upon demand by an authorized person (Availability)

Good Computing Practices:Safeguards for Users

Safeguard #1: Access Controls (Unique User Identification)

• Users are assigned a unique “User ID” for log-in purposes, which limits access to the minimum information needed to do your job. Never use anyone else’s log-on, or a computer someone else is logged-on to.

• Use of information systems is audited for inappropriate access or use.

• Access is cancelled for terminated

employees.

Safeguard #2: Password Protection• T.A.S. Communications requiresthat:

All passwords be changed immediately if a breach of a password is suspected.

• Passwords not be inserted into email messages or other forms of electronic communication;

If someone knows your password, he

has stolen your identity!

… so remember,

• Don’t write it down!

If I think someone knows my password?

• Notify Barrett and

• Change your password IMMEDIATELY (ask Barrett or a supervisor for assistance)

Remember: You are responsible for everything that occurs under your T.A.S. login.

Safeguard #3: Workstation Security

Workstation Security

Access Controls• Log-off or lock your workstation before

leaving it unattended. This will prevent other individuals from accessing PHI under your User-ID, and limit access by unauthorized users.

Malware – a few bad examples

• Viruses– are programs that attempt to spread

throughout your system and the entire network

– can be prevented by not

opening suspicious emails

or any attachments on your

station here at T.A.S.

Worms…

• spread without any user action. They take advantage of security holes in the operating system or software package

• .

Spyware…

• .

• is a class of programs that monitors your computer usage habits and reports them for storage in a marketing database

• are installed without you knowing while installing another program or browsing the Internet

• can open advertising windows

• can be prevented by installing and running an updated spyware scanner

Keystroke Loggers…

• can be software (programs that log every keystroke typed) or hardware (devices installed between your keyboard and computer

Remote Access Trojans…

• allow remote users to connect to your computer without your permission, letting them– take screenshots of your desktop– take control of your mouse and keyboard– access your programs at will

Suspicious Email includes…

• any email you receive with an attachment

• any email from someone whose name you don’t recognize

• Phishing

• .

Indication of tampered accounts…

• your account is locked when you try to open it

• your password isn’t accepted• you’re missing data• your computer settings have

mysteriously changed

If you suspect someone has tampered with your account, report it to Barrett.

Signs of Malware are…

• Reduced performance (your computer slows or “freezes”)

• Windows opening by themselves• Missing data• Slow network performance• Unusual toolbars added to your web browser

Contact Barrett if you suspect that your computer has malware installed

Acceptable Use of Computers

• End Users (read “YOU-ALL”) are responsible for any violations associated with their User ID

• Use of computer system must be consistent with T.A.S.’s goals

• All computer equipment and electronic data created by it belong to the company

• .

End users must comply…

• . • with all Federal and State laws

• with organizational rules and policies

• with terms of computing contracts

• with software licensing rules

And must take reasonable precautions to avoid introducing computer viruses into the network, and must participate and

cooperate with the protection of IT infrastructure.

And Thou shall not…• Engage in any activity that

jeopardizes the availability, performance, integrity, or security of the computer system

• Use computing resources wastefully

• Use IT resources for personal gain or commercial activities not related to your job

• Install, copy, or use any software in violation of licensing agreements, copyrights, or contracts

• .

Or …

• Try to access the files or email of others unless authorized by the owner

• Harass, intimidate, or threaten others through e-messages

• Construct a false communication that appears to be from someone else

• Send or forward unsolicited email to lists of people you don’t know

• Send, forward, or reply to email chain letters

• Send out “Reply to all” mass emailings

Or…

• Create or transmit offensive, obscene, or indecent images, data, or other material

• Re-transmit virus hoaxes

Because…

Engaging in these activities could result in disciplinary action up to, and including, loss of network access, termination of employment, and civil or criminal liability

• .

Security Incidents and e-PHI (HIPAA’s Final Security Rule)A “Security Incident” is

“The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.’’ [45 CFR 164.304]

Reporting Security Incidents / BreachesYou are required to:• Respond to security incidents and security

breaches, and report them to:– Debbie

Security Reminders!

• Password protect your computers and devices• Log-out or lock your workstation when you are

away from your desk.• Keep offices secured

Security Reminders!

Good Security Standards follow the “90 / 10” Rule:

10% of security safeguards are technical90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices

Example: The lock on the door is the 10%. Your responsibility is 90% which are remembering to lock, checking to see if it is closed, ensuring others do not prop the door open, keeping controls of keys. 10% security is worthless without YOU!

Sec - - y

Our goal.

Part 3:

Health Information Technology for Economic and Clinical Health Act

(HITECH)

Revised 03/16/2010

HITECH-Overview

• HITECH is a part of the American Recovery and Reinvestment Act (ARRA) of 2009

• It is a federal law that affects the healthcare industry

• ARRA allocated ~$20 billion to health information technology projects, expanded the reach of HIPAA by extending certain obligations to business associates and imposed a nationwide security breach notification law

HITECH-Breach Notification Provisions

• One of the biggest changes in HITECH is the inclusion of a federal

breach notification law for health information – Many states, including WI, have data breach laws that require entities to

notify individuals

– State laws typically only pertain to personal information (which does not necessarily include medical information)

HITECH-Breach Notification Provisions

• All employees of T.A.S. Communications, Inc. must be trained to ensure they are aware of the importance of timely reporting of privacy and security incidents and of the consequences of failing to do so.

• If you suspect a breach, you MUST report it immediately to Debbie.

HITECH-Breach Notification Provisions

• Law applies to breaches of “unsecured protected health information”

– Protected Health Information (PHI)• Relates to past, present, or future physical or mental condition of an

individual; provisions of healthcare to an individual; or for payment of care provided to an individual.

• Is transmitted or maintained in any form (electronic, paper, or oral representation).

• Identifies, or can be used to identify the individual. • Examples of PHI include

– Health information with identifiers, such as name, address, name of employer, telephone number, or SSN

– Medical Records including medical record number, x-rays, lab or test results, prescriptions or charts

HITECH-What Constitutes a Breach

Definition of “Breach”– Was there an impermissible acquisition, access, use or disclosure not

permitted by the HIPAA Privacy Rule?• Examples include

– A computer containing PHI is stolen– A person who is not authorized to access PHI looks through client

messages in order to learn of a patient’s treatment– An agent gives appointment information to someone other than the

patient.– An agent gives out information to a family member that a patient

called in to the call center to speak with their therapist.– An agent allows a person who is not an employee into the board room

and this person overhears an employee discussing PHI with a client.

HITECH-What Constitutes a Breach

2. Did the impermissible use or disclosure under the HIPAA Privacy Rule compromise the security or privacy of PHI?

• Is there a significant risk of financial, reputational or other harm to the individual whose PHI was used or disclosed? – If the nature of the PHI does not pose a significant risk of financial,

reputational, or other harm, then the violation is not a breach. For example, if a business associate improperly discloses PHI that merely included the name of an individual and the fact that he received services from a hospital, then this would constitute a violation of the Privacy Rule; but it may not constitute a significant risk of financial or reputational harm to the individual. In contrast, if the information indicates the type of services that the individual received (such as oncology services), that the individual received services from a specialized facility (such as a substance abuse treatment program), or if the PHI includes information that increases the risk of identity theft (such as a social security number, account number, or mother’s maiden name), then there is a higher likelihood that the impermissible use or disclosure compromised the security and privacy of the information.

• T.A.S. is responsible for conducting risk assessment and should be fact specific

HITECH-Breach Notification Obligations

• If a breach has occurred, T.A.S. will be responsible for providing notice to – The affected client(s) (without unreasonable

delay and in no event later than 60 days from the date of discovery—a breach is considered discovered when the incident becomes known not when the covered entity or Business Associate concludes the analysis of whether the facts constitute a Breach)

HITECH-Reporting Breaches

• Breaches of unsecured PHI (can include information in any form or medium, including electronic, paper, or oral form) or of any of T.A.S.’s HIPAA policies and procedures must be reported to the a supervisor immediately.

• If a breach is reported, the incident will be thoroughly investigated. • T.A.S. Communications, Inc. as a Business Associate is required to

provide notification to the Covered Entity if a breach has occurred.

Disciplinary Actions• Internal Disciplinary Actions

– Individuals who breach the policies will be subject to appropriate discipline

• Civil Penalties

– Business Associates and individuals who violate these standards may be subject to civil liability.

Tiered Civil Penalties

Circumstance of Violation

Minimum Penalty

Maximum Penalty

Entity did not know (even with reasonable diligence)

$100 per violation ($25,000 per year for violating same requirement)

$50,000 per violation ($1.5 million annually)

Reasonable cause, not willful neglect

$1,000($100,000)

$50,000($1.5 million)

Willful neglect, but corrected within 30 days

$10,000($250,000)

$50,000($1.5 million)

Willful neglect, not corrected

$50,000($1.5 million)

None

Disciplinary Actions

• An employee who does not report a breach in accordance with the policies and procedures could lose his or her job.

Employee Obligations

• Do not disclose PHI without patient authorization. If you have questions about whether a disclosure is permitted, ask your supervisor.

• If you think there has been an unauthorized disclosure of PHI, let a supervisor know immediately.

• Never remove PHI from the premises

Quiz Time!

Ask a supervisor for the multiple choice quiz!