
Patient Privacy Check Up: How to Keep Your Practice Out Of HIPAA Hot Water Erin Smith Aebel, Board Certified Health Lawyer, and Kelly Ann Thompson, Esq. Shumaker, Loop & Kendrick, LLP eaebel@slk-law.com; 813.227.2357 kthompson@slk-law.com; 813.676.7281

Roadmap for Today’s Presentation An overview of the HIPAA Privacy and Security Rules. A discussion of breach notification requirements under HIPAA’s Breach Notification Rule, as well as under Florida law. An overview of HIPAA enforcement agencies and penalties, and a discussion of recent cases involving physicians.

What is HIPAA? The Health Insurance Portability and Accountability Act (“HIPAA”) of 1996. Created by Congress to improve many aspects of the delivery of health care in the U.S. Stated Goals: To improve the portability and continuity of health insurance; Combat waste, fraud, and abuse in health care insurance and delivery; Protect the privacy of consumers’ health information; and Simplify the administration of health insurance. In January 2013, HIPAA was updated via the Final Omnibus Rule.

HIPAA Enforcement HIPAA itself is an Act of Congress; its implementing regulations (the Privacy, Security and Breach Notification Rules) were issued by the U.S. Department of Health and Human Services (“HHS”). The rules are enforced by the HHS Office for Civil Rights (“OCR”): http://www.hhs.gov/ocr/office/ This site provides educational materials, FAQs, training materials, and complaint forms.

Two Areas of Most Concern There are two areas of HIPAA that health care providers are most concerned with: Security Regulations, which concern the confidentiality, integrity, and availability of protected health information in electronic form; and Privacy Regulations, which govern the use and disclosure of all protected health information, in any form.

Who Must Comply with HIPAA Covered Entities (“CE”) must comply with HIPAA. Covered entities include: Health care providers (any provider who transmits health information in electronic form in connection with a HIPAA standard transaction, such as a claim or eligibility inquiry); Health plans (e.g., HMOs, Medicare, Medicaid); and Health care clearinghouses (e.g., a billing service that converts claims between formats). Business Associates (“BA”) are not covered entities, but since the Omnibus Rule they are directly subject to HIPAA as well (see below).

Business Associates Business associates are persons or entities who create, receive, maintain, or transmit PHI on behalf of a covered entity for a function or activity covered by HIPAA, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management or re-pricing. EX: Collection agencies, outside accountants or attorneys, IT vendors or cloud hosts that hold PHI, etc. Covered entities are required to enter into written agreements with their BAs providing that the BA will appropriately safeguard PHI and limit its use and disclosure. BA agreements should already have been revised for compliance with the Omnibus Rule requirements. If your BA agreements have not recently been revised, it is important to review/revise them to ensure the updated language is included. * Practice Tip: When in doubt, get a BA agreement.

Business Associates Continued The Omnibus Rule extended provisions of HIPAA directly to business associates. Now, aside from contractual obligations under a BA agreement, business associates also have obligations under HIPAA to comply, and are subject to fines and penalties for failure to comply. The Omnibus Rule made it clear that subcontractors of Business Associates are also considered “business associates.” As such, providers should make sure their BA agreements include provisions requiring the BA to obtain written assurances from its own subcontractors that they will comply with the same restrictions agreed to between the provider and the BA. * Practice Tip: Providers may want to include audit provisions allowing them to verify that their BA has secured downstream agreements.

What do the Privacy Regulations Protect? Protected Health Information (“PHI”) in ANY form: oral, written, or electronic. PHI is individually identifiable health information that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to the individual, or payment for that care, and that identifies the individual or could reasonably be used to identify the individual. What is considered identifiable information? Name, address, DOB, SSN, date of death, telephone or fax number, e-mail address, health plan or account number, license or vehicle ID number, biometric identifiers (fingerprints), among others. Health information that has been properly de-identified is NOT protected by the Privacy Rule. The Privacy Rule affects where and how you speak about a patient’s health information.
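The slide lists the identifiers that make health information PHI and notes that properly de-identified data falls outside the Privacy Rule. The following is an added example, not code from the presentation, of what de-identification under the "safe harbor" approach looks like in practice: structured identifier fields are dropped outright, and free text (where staff re-type names, phone numbers and dates) is scrubbed so that only the year of any date survives. The record layout, the field names and the sample patient are constructed for the example; the full safe harbor list in 45 CFR 164.514(b) has further elements (ZIP code truncation, ages over 89, device and URL identifiers) that this example does not cover.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PatientRecord is a constructed record shape for this example; real charts have many more fields.
type PatientRecord struct {
	Name      string
	Address   string
	DOB       string // YYYY-MM-DD
	SSN       string
	Phone     string
	AccountID string
	Diagnosis string
	Notes     string // free text that tends to repeat identifiers
}

// Deidentified keeps only what survives removal of the identifiers listed on the slide:
// no name, address, SSN, phone/fax or account number, and dates reduced to the year.
type Deidentified struct {
	BirthYear string
	Diagnosis string
	Notes     string
}

var (
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	phoneRe = regexp.MustCompile(`\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b`)
	dateRe  = regexp.MustCompile(`\b(\d{4})-(\d{2})-(\d{2})\b`)
)

// yearOnly reduces a YYYY-MM-DD date to its year, the only date element safe harbor lets through.
func yearOnly(date string) string {
	m := dateRe.FindStringSubmatch(date)
	if m == nil {
		return ""
	}
	return m[1]
}

// scrubFreeText removes identifiers that get re-typed into notes: the patient's name,
// SSNs, phone or fax numbers, and full dates (month and day dropped, year kept).
// Order matters: SSNs are replaced before the looser phone pattern runs.
func scrubFreeText(text, name string) string {
	out := ssnRe.ReplaceAllString(text, "[SSN]")
	out = phoneRe.ReplaceAllString(out, "[PHONE]")
	out = dateRe.ReplaceAllString(out, "${1}")
	if name != "" {
		out = strings.ReplaceAll(out, name, "[NAME]")
	}
	return out
}

// Deidentify drops the structured identifier fields and scrubs the free-text ones.
func Deidentify(r PatientRecord) Deidentified {
	return Deidentified{
		BirthYear: yearOnly(r.DOB),
		Diagnosis: scrubFreeText(r.Diagnosis, r.Name),
		Notes:     scrubFreeText(r.Notes, r.Name),
	}
}

func main() {
	// Constructed sample record, not real patient data.
	r := PatientRecord{
		Name:      "Jane Roe",
		Address:   "1 Main St, Tampa, FL 33602",
		DOB:       "1950-03-14",
		SSN:       "123-45-6789",
		Phone:     "(813) 555-0100",
		AccountID: "ACCT-0042",
		Diagnosis: "Type 2 diabetes",
		Notes:     "Jane Roe called from 813-555-0100 on 2015-02-03; SSN 123-45-6789 on file.",
	}
	fmt.Printf("%+v\n", Deidentify(r))
}
```

The point of scrubbing the free text is that dropping the structured fields is not enough: a note that says "Jane Roe called from 813-555-0100" re-identifies the record just as well as the Name column did. Whatever de-identification routine a practice actually uses, it should be tested against notes like the sample above before the output is treated as outside the Privacy Rule.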

How do Privacy Regulations Protect PHI? Certain restrictions are placed on the use and disclosure of PHI. There are 3 basic categories of restrictions on PHI: Certain uses and disclosures of PHI are permitted without a patient’s written authorization; other uses and disclosures require a patient’s written authorization; and PHI can be disclosed to persons involved in the patient’s care (family, friends) if you notify the patient in advance and give them the opportunity to object.

Uses and Disclosures of PHI that do not require a Patient’s Authorization Disclosures for treatment purposes, including disclosure to health care providers outside of your practice for treatment purposes; Disclosures for payment purposes; Disclosures for health care operations (e.g., coordination of care, advice about treatment options, business management, general administrative activities).

Disclosures Required or Permitted by Law Certain uses and disclosures of PHI are required or permitted by law without the patient’s authorization. For example: To law enforcement, within the limits the Privacy Rule sets for such requests; For certain public health activities such as preventing or controlling disease (e.g., recent Ebola concerns); To report child abuse or domestic violence; For judicial or administrative proceedings: upon a court order, or in response to a subpoena, discovery request, or other lawful process if the provider has received satisfactory assurances from the party seeking the information that reasonable efforts have been made to give the individual notice of the request, or that reasonable efforts have been made to secure a qualified protective order; For workers’ compensation, as authorized by state law. A disclosure made upon receipt of the patient’s written authorization is, of course, always permitted, though it is not one “required by law.”

Disclosures Requiring Patient’s Written Authorization When an employee seeks to use or disclose a patient’s PHI for purposes other than treatment, payment or health care operations, or disclosures required or permitted by law, the employee must first obtain the patient’s authorization. EX: marketing purposes. The patient should sign an authorization form which is kept in the patient’s file, and a copy should be given to the patient. Only use or disclose the PHI as permitted by the authorization. The authorization must be maintained in the patient file as long as it is valid and for at least 6 years thereafter. TIP: When in doubt, the best policy is to obtain the patient’s written authorization PRIOR to a use or disclosure.

Disclosures to Family Members Situations arise where a patient comes for treatment with a friend or family member. You may disclose PHI in the presence of the friend or family member with the patient’s permission. You may, but are not required to, obtain a written authorization for this type of disclosure; either way, note the patient’s permission on the chart. Generally you do not need authorization or permission from a child to discuss their PHI with a parent or legal guardian acting as the child’s personal representative, subject to state-law exceptions (e.g., care a minor may consent to on their own). You may send appointment reminders to patients, leave voicemails, or send correspondence to patients regarding treatment options UNLESS the patient has requested in writing that you do not do so (for example, a request for confidential communications by an alternate means or at an alternate location).

Patient’s Rights Right to request that certain restrictions be placed upon the use and/or disclosure of their PHI; practices also need to comply with the provisions in their Notice of Privacy Practices which specify how the practice will process restrictions. Practice Tip: Make sure staff mark restrictions on patient charts clearly so they are complied with. Right to request that PHI be communicated by an alternate means or at an alternate location; Right to access his or her PHI; Right to request an amendment to his or her PHI; Right to request an accounting of disclosures of his or her PHI. All staff should be aware of these rights. They should be a part of your compliance plan and training. Additionally, you should have procedures for dealing with patients who exercise these rights consistent with the privacy regulations.

Reasonable Measures to Safeguard PHI Employees must only access or disclose the minimum PHI necessary for their functions. Employees are also required to employ reasonable measures to safeguard a patient’s PHI. For example, do not leave a patient’s PHI in plain view of others. Practice Tips: Cover or turn over a patient’s chart when it could be seen by other people. Limit persons with access to patient charts, lock file cabinets or file rooms as appropriate, and/or block access with signage. Ensure employees, including receptionists, are mindful of protecting PHI in their oral communications. Require unique user IDs and passwords (never shared logins) for systems holding patient information, and lock screens when unattended. Grant each employee only the system access that their job duties require, and review those permissions when duties change or employment ends.
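The "minimum necessary" standard and role-tailored system access described on this slide are usually enforced in software, and the accounting-of-disclosures right on the previous slide is only satisfiable if every access is logged. The following is an added example, not code from the presentation or from any particular EHR product, of a chart store that grants each role only the fields its job needs, refuses (rather than silently trims) any request that reaches beyond the role, denies unknown roles by default, and writes every attempt to an audit trail. The role names, field names and sample chart are constructed for the example; a real practice would derive the role-to-field map from its own documented workforce roles.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// roleFields maps each job function to the chart fields it needs. Constructed for the example;
// a real practice derives this from its own workforce roles and documents it.
var roleFields = map[string]map[string]bool{
	"physician":    {"name": true, "dob": true, "diagnosis": true, "medications": true, "insurance": true},
	"billing":      {"name": true, "dob": true, "insurance": true, "procedure_codes": true},
	"receptionist": {"name": true, "phone": true, "next_appointment": true},
}

// AuditEntry records who touched which patient's fields, whether it was allowed, and why not.
type AuditEntry struct {
	When    time.Time
	User    string
	Role    string
	Patient string
	Fields  []string
	Allowed bool
	Reason  string
}

// ChartStore holds charts keyed by patient ID and an append-only access log.
type ChartStore struct {
	charts map[string]map[string]string
	Audit  []AuditEntry
}

var (
	ErrNotPermitted = errors.New("request exceeds the fields permitted for this role")
	ErrNoSuchChart  = errors.New("no such patient chart")
)

// Read returns only the requested fields and only if every one of them is within the role's
// allowance. A request that reaches beyond the role is refused entirely and logged, rather than
// silently trimmed, so over-broad requests are visible to the Privacy Officer.
func (s *ChartStore) Read(user, role, patient string, fields []string) (map[string]string, error) {
	allowed := roleFields[role] // nil for an unknown role, which denies everything
	for _, f := range fields {
		if !allowed[f] {
			s.log(user, role, patient, fields, false, "field "+f+" not permitted for role "+role)
			return nil, ErrNotPermitted
		}
	}
	chart, ok := s.charts[patient]
	if !ok {
		s.log(user, role, patient, fields, false, "chart not found")
		return nil, ErrNoSuchChart
	}
	out := make(map[string]string, len(fields))
	for _, f := range fields {
		out[f] = chart[f]
	}
	s.log(user, role, patient, fields, true, "")
	return out, nil
}

func (s *ChartStore) log(user, role, patient string, fields []string, allowed bool, reason string) {
	s.Audit = append(s.Audit, AuditEntry{When: time.Now(), User: user, Role: role,
		Patient: patient, Fields: fields, Allowed: allowed, Reason: reason})
}

// Denials returns the logged refusals, which is where a privacy review starts.
func (s *ChartStore) Denials() []AuditEntry {
	var out []AuditEntry
	for _, e := range s.Audit {
		if !e.Allowed {
			out = append(out, e)
		}
	}
	return out
}

// NewSampleStore builds a store with one constructed chart (not real patient data).
func NewSampleStore() *ChartStore {
	return &ChartStore{charts: map[string]map[string]string{
		"P001": {
			"name": "Jane Roe", "dob": "1950-03-14", "phone": "813-555-0100",
			"diagnosis": "Type 2 diabetes", "medications": "metformin",
			"insurance": "Plan X 12345", "procedure_codes": "99213", "next_appointment": "2015-03-02",
		},
	}}
}

func main() {
	s := NewSampleStore()
	if got, err := s.Read("rcpt1", "receptionist", "P001", []string{"name", "next_appointment"}); err == nil {
		fmt.Println("receptionist sees:", got)
	}
	if _, err := s.Read("rcpt1", "receptionist", "P001", []string{"diagnosis"}); err != nil {
		fmt.Println("denied:", err)
	}
	for _, e := range s.Denials() {
		fmt.Printf("%s %s (%s) -> %s %v: %s\n", e.When.Format(time.RFC3339), e.User, e.Role, e.Patient, e.Fields, e.Reason)
	}
}
```

Refusing the whole request instead of returning the permitted subset is a deliberate choice: a receptionist whose screen keeps asking for the diagnosis field is exactly the pattern an OCR investigator, or your own Privacy Officer, will want to find in the log.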

Notice of Privacy Practices A CE must create and provide to patients a “Notice of Privacy Practices” describing its uses and disclosures of a patient’s PHI and the patient’s rights with respect to this information. The Notice should be posted in your practice in a clear location where patients can read it. It should also be posted prominently on any website your practice maintains that describes its services. Make a good-faith attempt to obtain a written acknowledgement that each patient has received the Notice. Additionally, with limited exceptions, HIPAA requires an individual’s written authorization before a use or disclosure of his or her PHI can be made for marketing. OCR has model Notices of Privacy Practices for providers located at http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html. However, each notice should be tailored for your practice.

Notice of Privacy Practices Continued If a patient files a complaint with OCR, the letter from OCR will likely request a copy of the provider’s Notice of Privacy Practices, along with a copy of the signed acknowledgement form. *Practice Tip: Require staff to review the Notice of Privacy Practices from time to time. Staff should be familiar with what the Notice says, and they are expected to follow it when speaking with patients and working with PHI.

Notice of Privacy Practices Requirements Description of the types of uses and disclosures that require authorization; Statement regarding the individual’s rights with respect to PHI; Statement of the CE’s legal duties, including the duty to notify of a breach; Statement regarding the ability to make complaints; Effective date and contact information. In an investigation of an alleged breach of the Privacy Rule or Security Rule, the government will ask for all of your written privacy and security policies and forms. It is important to have those compliant and in good form. *Practice Tip: Review policies and procedures at least annually and indicate that you have done so in your records (for audit purposes). The second round of OCR audits begins this year and OCR will look for revisions for compliance with the Omnibus Rule updates. They strongly dislike policies that haven’t been dusted off in a while (e.g., a policy unchanged since 2003).

Important Changes that Require Updates to “Notice of Privacy Practices” The Omnibus Rule requires providers to include a patient’s right to receive an electronic copy of PHI the provider maintains electronically in its designated record set, as well as a patient’s right to direct the covered entity to transmit a copy of that PHI to another person. This request must be in writing, signed by the individual, and clearly identify the designated person, as well as where to send the copy of the PHI. Providers must also honor a patient’s request to restrict disclosure to a health plan where the disclosure is for the purpose of payment or health care operations, and the PHI pertains solely to a health care item or service for which the patient (or someone on the patient’s behalf) has paid the provider in full out of pocket.

Security Rule The Security Rule is designed to complement the HIPAA Privacy Rule. The Privacy Rule covers health information in any form. The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic format (“e-PHI”). The Security Rule is flexible to allow covered entities to analyze their own needs and implement solutions appropriate for their practice size. The covered entity will need to consider: Its size, complexity, and capabilities Its technical, hardware, and software infrastructure The costs of security measures, and The likelihood and possible impact of potential risks to e-PHI

Security Rule Implementations Covered Entities must: Perform a risk analysis. This is the single most important part of HIPAA Security Rule compliance, and the first thing OCR looks at when investigating a security breach and an alleged HIPAA violation. Evaluate the likelihood and impact of potential risks to e-PHI; Implement appropriate security measures to address the risks identified in the risk analysis; Document the chosen security measures and the rationale for these measures; Maintain continuous, reasonable, and appropriate security protections. OCR and ONC have published a free Security Risk Assessment tool for small practices that do not have the resources to hire a third party: http://www.hhs.gov/news/press/2014pres/03/20140328a.html Practice Tip: Perform (and document) a risk analysis at least annually and whenever your systems change materially, e.g., a new EHR, a new cloud vendor, or staff starting to use personal devices.

Security Rule Implementations Continued Covered Entities must also: Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit; Identify and protect against reasonably anticipated threats to the security or integrity of information; Protect against reasonably anticipated impermissible uses or disclosures; and Ensure compliance by the workforce. * Practice Tip: Designate a Security Official and Privacy Officer, regardless of practice size, to ensure compliance with HIPAA requirements

What if a Breach of PHI Occurs? First, determine if a breach occurred under HIPAA. Complete a risk assessment to determine the probability of PHI being compromised as a result of the improper use or disclosure of PHI. If a breach occurred, what are your notification requirements?

What is a Breach Under HIPAA? A breach is an impermissible use or disclosure that compromises the security or privacy of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or BA demonstrates there is a low probability that the PHI has been compromised. A breach excludes: Unintentional acquisition, access, or use by a workforce member of a CE or BA acting in good faith and within the scope of authority, provided the PHI is not further used or disclosed; An inadvertent disclosure between persons authorized to access PHI at the same CE or BA, again with no further use or disclosure; A disclosure where the CE or BA has a good faith belief that the unauthorized recipient would not reasonably have been able to retain the information.

Breach Risk Assessment There is a presumption of a breach unless the CE or BA can demonstrate a low probability of PHI being compromised based on a risk assessment of at least: The nature and extent of the information involved, including the types of identifiers and the likelihood of re-identification; The unauthorized person who used the PHI or to whom the disclosure was made; Whether the PHI was actually acquired or viewed; The extent to which the risk has been mitigated. Document the assessment; if you conclude there was no breach, that document is what you will be asked for. Breach notification obligations apply only to unsecured PHI. Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through a technology or methodology specified in guidance from the Secretary of Health and Human Services (encryption consistent with NIST guidance, or destruction). Encryption only qualifies if the decryption key was not also compromised: a laptop lost with its password written on a note in the bag is still a breach of unsecured PHI.

Breach Notification Requirements under HIPAA Covered entities must notify affected individuals of a breach without unreasonable delay and in no case later than 60 calendar days after discovery of the breach; the 60 days is an outer limit, not a grace period. Remember, notification to affected individuals is only required if the breach involved unsecured PHI and you cannot demonstrate a low probability of compromise based on your risk assessment. Use first class mail to the individual, or electronic notice if the individual has agreed to it. Substitute notice is required if contact information is insufficient or out of date: telephone or alternative written notice if fewer than 10 individuals; conspicuous posting for 90 days on the home page of your website or notice in major print or broadcast media, with a toll-free number, if 10 or more individuals. A breach involving more than 500 residents of a state also requires notice to prominent media outlets serving that state. Notify OCR without unreasonable delay and within 60 days of discovery if 500 or more individuals are affected, or, for fewer than 500, log the breach and report it to OCR within 60 days after the end of the calendar year in which it was discovered. OCR filings are done online and are relatively painless. Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery.

Civil Monetary Penalties Penalties are tiered by culpability. Violations the entity did not know of (and could not have known of with reasonable diligence): $100 to $50,000 per violation. Violations due to reasonable cause: $1,000 to $50,000 per violation. Violations due to willful neglect that are corrected within 30 days: $10,000 to $50,000 per violation. Violations due to willful neglect that are not corrected: $50,000 per violation. In all tiers, the penalty will not exceed $1.5 million for identical violations within a calendar year (these figures are the base amounts and are adjusted for inflation). No penalty is imposed if the violation was not due to willful neglect and was corrected within 30 days of when the entity knew, or should have known, of the violation.

Reasonable Cause & Willful Neglect Reasonable cause: the covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but did not act with willful neglect. Willful neglect: conscious, intentional failure or reckless indifference to the obligation to comply. For example: You don’t have any privacy protection rules or required forms in place, you failed to perform or document a risk analysis, or you ignored or failed to cooperate with the OCR investigation.

Assessing Penalties Nature and extent of violation Number of individuals affected Time period during which violation occurred Nature and extent of harm Physical, financial, reputational harm Effect on ability to obtain health care Prior Compliance

Florida Information Protection Act 2014 (“FIPA”) FIPA applies to entities that acquire, maintain, store, or use personal information (more than just health care providers). Personal information includes a person’s first name or first initial and last name in combination with any of the following elements: Social security, driver’s license or similar government ID numbers; Financial account, credit card or debit card numbers together with any code or password needed to access the account; Medical history, condition, treatment or diagnosis information; Health insurance policy or subscriber identification numbers and any unique identifier used by a health insurer to identify the individual. Personal information also includes, on its own, a username or e-mail address in combination with a password or security question and answer that would permit access to an online account. Covered entities must take reasonable measures to protect and secure personal information in electronic form; information that is encrypted, secured, or rendered unusable (and whose key was not also accessed) is outside FIPA’s definition of personal information, which is the strongest argument for encrypting it in the first place.

FIPA Requirements After a covered entity determines that a “breach” has occurred (unauthorized access of data in electronic form containing personal information), it must notify each affected individual residing in Florida in writing as expeditiously as practicable and no later than 30 days after the determination, UNLESS, after appropriate investigation and consultation with law enforcement, the covered entity determines and documents in writing that the breach has not and will not likely result in identity theft or financial harm to those affected. That written determination must be retained for at least 5 years. If the breach affects 500 or more individuals in Florida, notice must also be provided to the Florida Department of Legal Affairs within the same 30 days. If the breach affects more than 1,000 individuals, notice must also be given to the consumer credit reporting agencies. Third-party agents (the FIPA term for what HIPAA calls business associates) have 10 days to notify the covered entity of a breach, as opposed to 60 days under HIPAA. Practice Tip: Require business associates by contract to notify the CE without unreasonable delay and in no event later than 5 days, so the CE has time to investigate and still meet its own 30-day deadline. Failure to comply with FIPA’s notice requirements results in a fine of $1,000 per day for the first 30 days and $50,000 for each subsequent 30-day period, up to a maximum of $500,000 per breach.

Recent HIPAA News HIPAA data breaches have climbed 138% since 2012. The Office for Civil Rights (“OCR”), which handles HIPAA privacy and security violations, has warned that enforcement will get “aggressive.” The Federal Trade Commission has begun to use consumer protection laws to go after health care entities that don’t adequately protect patients’ health information. Four recent examples: the Anthem breach; a medical records dumping case; a data breach caused by a decommissioned server; and a Security Rule violation following a malware infection.

Anthem Breach The health insurer Anthem reported to the FBI this month that the records of as many as 80 million of its customers may have been exposed in a data breach. Anthem allegedly did not encrypt the data at rest. The stolen data includes names, dates of birth, home addresses, e-mail addresses, and income data. Morgan & Morgan has already filed a proposed class action suit against Anthem.

Medical Records Dumping Case A covered entity left 71 cardboard boxes of medical records unattended and accessible to unauthorized persons during a transition of patients to new providers following the retirement of one of their physicians. Resulted in an $800,000 HIPAA settlement

Data Breach A breach occurred when a physician attempted to deactivate a personally owned computer server on the covered entity’s network containing patient PHI. During the deactivation, a lack of technical safeguards resulted in PHI becoming accessible through internet search engines. Resulted in $4.8 million in HIPAA settlements, the largest to date at the time.

Security Rule Violation A security breach occurred when malware compromised the entity’s systems, resulting in a breach of unsecured PHI. The OCR investigation revealed the covered entity had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to its electronically stored medical records, and had not patched or updated the affected systems. $150,000 settlement.

A Few Final Thoughts Ensure your Notice of Privacy Practices is updated and covers all the required information. Establish policies to control employees’ use of social media on the job. Encrypt anything that can move (phones, flash drives, disks, laptops) and keep the keys somewhere other than on the device, and look at encryption solutions for data in motion, particularly if you are texting.
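The closing advice to "encrypt anything that can move," and the earlier point that PHI encrypted in line with HHS guidance is not "unsecured PHI" for breach notification purposes, both come down to the same mechanics. The following is an added example, not code from the presentation or from any vendor's product, showing what authenticated encryption of a stored record looks like with AES-256-GCM, which is one of the NIST-approved modes the HHS guidance points to. The record ID is bound to the ciphertext so a record cannot be silently swapped into another patient's file, and any tampering, wrong key, or wrong record ID is rejected rather than decrypted to garbage. The record contents and IDs are constructed for the example; key storage is deliberately left out because that is the part a practice has to get right on its own (a key manager, a TPM, or a passphrase never stored beside the data), and it is what makes the difference between a lost laptop and a reportable breach.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. The key is what turns a lost laptop into a non-event,
// so it must live somewhere other than beside the data: a key manager, a TPM, or at minimum a
// passphrase-derived key that is never written to the same disk.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one record with AES-256-GCM. The record ID is bound as associated data,
// so a ciphertext cannot be moved into another patient's file without detection.
// Output layout: nonce || ciphertext || authentication tag.
func SealRecord(key, plaintext []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any change to the nonce, ciphertext, tag or record ID,
// or use of the wrong key, fails authentication and returns an error instead of garbage.
func OpenRecord(key, sealed []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	record := []byte("Jane Roe, DOB 1950-03-14, Type 2 diabetes, metformin")
	sealed, err := SealRecord(key, record, "P001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext visible in sealed bytes: %v\n", bytes.Contains(sealed, []byte("Jane Roe")))
	if _, err := OpenRecord(key, sealed, "P002"); err != nil {
		fmt.Println("wrong record ID rejected:", err)
	}
	back, err := OpenRecord(key, sealed, "P001")
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(back, record), err)
}
```

Two practical checks follow from this: first, a device or backup should be verifiably encrypted before it ever leaves the office, because a post-loss assertion that "it was probably encrypted" will not satisfy the breach risk assessment; second, the risk analysis should record where each key is kept, since a key stored on the same device as the data gives no safe-harbor benefit at all.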

QUESTIONS? Erin Smith Aebel, Esq. Board Certified Health Lawyer eaebel@slk-law.com 813.227.2357