HIPAA Basics November 1, 2014.

Contents
- Fields & Associates Policy
- Terms & Definitions
- HIPAA Timeline
- Review of Basics: Privacy, Security, Breach, Enforcement
- References

F&A Policy
It is the policy of Fields & Associates, Inc. to comply with all applicable laws, rules and regulations governing the privacy and security of patient information. Anyone connected with Fields and Associates who has access to protected health information (PHI) is required to read and agree to the F&A HIPAA Privacy & Security Policy posted at www.fieldsinc.com.

Terms & Definitions
- ARRA – American Recovery and Reinvestment Act of 2009
- BA – Business Associate
- CE – Covered Entity
- CMP – Civil Monetary Penalty
- CMS – Centers for Medicare and Medicaid Services
- EPHI – Electronic Protected Health Information
- HHS – Department of Health and Human Services
- HIPAA – Health Insurance Portability and Accountability Act
- HITECH – Health Information Technology for Economic & Clinical Health
- ONC – Office of the National Coordinator
- OCR – Office for Civil Rights
- PHI – Protected Health Information

Terms & Definitions
Covered Entity is defined as:
- A health plan;
- A health care clearinghouse;
- A health care provider who transmits any health information in electronic form in connection with a covered transaction.

Business Associate is defined as: a person who creates, receives, maintains, or transmits PHI for a function or activity on behalf of a covered entity. The BA provides, other than in the capacity of a member of the CE's workforce, such services as legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial.

Terms & Definitions
The definition of a business associate includes a "subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate." Subcontractor means: "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate." Therefore, all subcontractors of F&A who have access to PHI are required to abide by the same HIPAA requirements as F&A and are responsible for same.

HIPAA Timeline
- August 21, 1996 - The Health Insurance Portability and Accountability Act (HIPAA) was signed into law.
- April 14, 2003 - Deadline for Covered Entities to comply with the Privacy Rule.
- October 16, 2003 - Deadline for Covered Entities to comply with the Transactions and Code Sets Rule.
- April 20, 2005 - Deadline for Covered Entities to comply with the Security Rule.
- March 13, 2006 - The Enforcement Rule goes into effect.
- February 17, 2009 - The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law. ARRA includes the Health Information Technology for Economic and Clinical Health (HITECH) Act, which mandates the US Department of Health and Human Services to develop new regulations related to the HIPAA provisions.

HIPAA Timeline cont'd
- September 23, 2010 - The Interim Final Rule goes into effect, requiring Covered Entities to notify patients when a breach of their unsecured protected health information occurs.
- January 17, 2013 - The U.S. Department of Health and Human Services (HHS) releases the Omnibus Final Rule, implementing the changes required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
- March 26, 2013 - The Omnibus Final Rule takes effect.
- September 23, 2013 - Covered Entities, Business Associates, and subcontractors must be in compliance with most provisions under the Final Rule.

The Basics
We will touch on the following topics:
- Privacy
- Security
- Breach
- Enforcement

Privacy
The Privacy Rule covers protected health information (PHI) that:
- Relates to the individual's past, present or future physical or mental health condition; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to the individual; and
- Either identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.

Privacy
There is an expectation that disclosures and release of information of any kind are kept to the "minimum necessary". Minimum necessary refers to the practice of limiting disclosure to the information reasonably necessary to accomplish the purpose for which disclosure is sought. For example, if there is a request for a patient's diagnosis, you should release only the diagnosis and NOT a copy of a document such as a discharge summary that contains the diagnosis AND other information. This might require extra steps such as abstracting information or redacting information from a document, but it is absolutely necessary in order to comply with the "minimum necessary" provision.

Privacy
Associates, contractors and sub-contractors of F&A:
- Will only use PHI/EPHI as permitted and/or outlined in the business associate contract and/or F&A Project Agreement.
- Will not share PHI/EPHI with unauthorized individuals.
- Will not leave PHI/EPHI where it can be easily seen/accessed.
- Will secure all PHI/EPHI when not in use.
- Will return to F&A or destroy PHI/EPHI upon the completion of the project or engagement.
- Will take appropriate safeguards (such as encryption) when transmitting PHI/EPHI electronically.

Security
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity or business associate. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Security
Administrative Safeguards are: administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.

Physical Safeguards are: physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Security
Technical Safeguards are: the technology, and the policy and procedures for its use, that protect electronic protected health information and control access to it.

Security
So what does this mean? There must be:
- Written policies and procedures
- Physical safeguards such as locked doors, locked file cabinets and access control to physical locations
- Restricted access to electronically stored data by means such as passwords
- Use of encryption or other secured means for transmitting PHI

Breach
Breach means the acquisition, access, use or disclosure of protected health information in a manner not permitted by the Privacy/Security Rules that compromises the security or privacy of the PHI.

Exceptions:
- Unintentional acquisition, access or use by CE or BA staff, as long as it doesn't result in further use or disclosure
- Inadvertent disclosure within a CE or BA organization that is not further used or disclosed
- A disclosure where a CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information

Breach Notification
A business associate is required to notify the covered entity no later than 60 days after the discovery of a breach of protected health information. Therefore, any contractor working for F&A who has knowledge of a breach of PHI must report the details of the breach to the CEO, Richard Fields, MD, as soon as the breach is discovered.

Breach Notification
A BA is required to conduct a risk assessment whenever a breach occurs. Documentation of the breach report and risk assessment must be created and maintained.

Enforcement
Civil Monetary Penalties (CMP) will be imposed for violations of HIPAA based on a tiered structure with 4 levels, which distinguishes the level of culpability as follows:

- Unknowing. The covered entity or business associate did not know and reasonably should not have known of the violation.
- Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
- Willful Neglect – Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
- Willful Neglect – Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.

Enforcement
Below are the monetary penalties for each tier:

Violation Category                  Each Violation
Unknowing                           $100 – $50,000
Reasonable Cause                    $1,000 – $50,000
Willful Neglect – Corrected         $10,000 – $50,000
Willful Neglect – Not Corrected     At least $50,000

Total CMP for violations of an identical provision in a calendar year (all tiers): $1,500,000

Closing
The purpose of this training is to provide you with a basic understanding of the key concepts and requirements of business associates under the HIPAA regulations. In no way is it intended to provide you with a comprehensive or complete review of the federal regulations regarding healthcare privacy, security, breach and enforcement. As a contractor of Fields and Associates, you agree to comply with all applicable laws, rules and regulations governing the privacy and security of patient information.

References
- HIPAA Privacy Rules are contained in 45 CFR Part 160 and Part 164, Subparts A and E
- HIPAA Security Rules are contained in 45 CFR Part 160 and Part 164, Subparts A and C
- HIPAA Enforcement Rules are contained at 45 CFR Part 160, Subparts C-E

You may search for these regulations at the link below:
http://www.gpo.gov/fdsys/granule/CFR-2011-title45-vol1/CFR-2011-title45-vol1-sec164-304

References
- Security Risk Assessment: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool
- HIPAA Privacy - HHS: http://www.hhs.gov/ocr/privacy/
- HITECH Act: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
- OMNIBUS Final Rule (pdf): http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

Make sure you complete the form at www.fieldsinc.com to document your completion of this training.