HIPAA
Applicability to you (and me) as Business Associates
Brief review of HIPAA: the Health Insurance Portability and Accountability Act. Created in 1996 to establish national standards for transactions involving electronic health care records. Its aim is to ensure the security and privacy of personal health data.
Revisions or additions to the original HIPAA Privacy Rule that affect you (and me)
- HIPAA Privacy Rule: “Standards for Privacy of Individually Identifiable Health Information”, 2000, updated in 2002
  - Set of national standards for protecting individuals’ health information (PHI)
  - Applies to all forms of PHI: electronic, paper, or oral
  - Access to PHI requires a signed consent authorizing access to PHI
  - Exclusions
- HIPAA Security Rule, or “Security Standards for the Protection of Electronic Protected Health Information”, 2003
- The HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009
- HIPAA Omnibus Rule (which comes under the HITECH Act; final release in January 2013)
Who or what are Business Associates?
HIPAA defines BAs as any organization or person working in association with or providing services to a covered entity who handles or discloses individually identifiable health information, known as Personal Health Information (PHI):
- Legal (you)
- Actuarial
- Accounting
- Consulting (me)
- Data aggregation
- Management
- Administrative
- Accreditation or Financial services
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate
“A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.” (HHS.gov)
Email transmission
HIPAA requires that PHI remains secure at rest and in transit, along the whole path:
- from your workstation
- to your server
- to the recipient’s email server
- to the recipient’s workstation
So basically: PHI must be protected while sitting on workstations and servers, and each time your email crosses the internet.
- What webmail services are secure for PHI transmission? Most are NOT.
- Emails must be encrypted; this does not mean password-protected.
- Encryption makes the data unreadable at rest and in transit.
Some products to explore
- AppRiver CipherPostPro: encrypts your message, and only the authorized recipient with the proper password can read the message
- Citrix Zixmail (if your recipient is not a Zixmail user, the system will notify them of the email, and the recipient can connect securely to the Zixmail server to retrieve the message)
- Barracuda
- Hushmail
- Identillect
- Luxsci
- Protected Trust
- Virtru
Emails sent on your own secure server do not have to be encrypted; however, if you use remote access, the encryption rules must be followed.
- Example in Handout: Concentra Health Services paid 1.72 million following the loss of an unencrypted laptop that had PHI.
- I suggest you contact your IT provider if you have any questions regarding how your remote access technology works regarding PHI compliance; this is not my area of expertise.
HIPAA compliant cloud storage
Identified as the “Top 5” by SkyHigh (refer to Handouts):
- Dropbox Business: in November 2015, the company announced it was compliant with HIPAA and the HITECH Act
- Box, “Enterprise” account
- Google Drive
- Microsoft OneDrive
Penalties, as reported in the HIPAA Journal, June 24, 2015
- “Enforcement Final Rule 2006 enabled the Department of Health and Human Services’ Office for Civil Rights (OCR) to issue financial penalties (and/or action plans) to covered entities (CEs) that fail to comply with HIPAA Rules”
- The Omnibus Rule provided that new penalties for HIPAA violations could be applied to specific groups, which include Business Associates of CEs
- There are 4 classifications of violations that include fines from a minimum of $100.00 to a minimum of $50,000.00
- The HITECH Act provided that state Attorneys General have the authority to hold HIPAA CEs accountable for the exposure of the PHI of state residents and can file civil actions with the federal district courts
  - AG offices are able to retain a percentage of the fines issued
  - CT, MA, IN, VT and MN had acted by 2015; it was predicted other AGs would follow
- Criminal penalties can also be filed for HIPAA violations
- Penalties can also be issued for HIPAA non-compliance
Case Study
dolanmedicallegal.com | (724) 734-9048 | jan@nursemedlegal.com