HIPAA: It Doesn’t Only Impact Medical Records. Basic HIPAA Stuff and Overall Information Protection
Presentation transcript:


AGENDA
- HIPAA basics
- Definitions
- A few occasional horror stories throughout the presentation
- The importance of treating ALL information very carefully

Basics
- What does HIPAA stand for?
- Purpose? To keep PHI private, secure, and confidential
- The speed limit
- HIPAA and social media
- 3 purposes of HIPAA:
  1. To combat waste and fraud in health insurance
  2. Improve portability/continuity of health insurance
  3. Simplify the administrative side of health insurance

Terms and Definitions
- DHHS
- OCR
- NPRM
- CE
- BA
- BAAs
- Audits for 2015
- Risk assessments
- HIPAA impacts more than just medical records

Covered Entities
- Health care providers. They either give, bill, or are paid for providing healthcare. Examples: physicians, hospitals, laboratories, dentists, etc.
- Health care clearinghouses. They are the third-party billing companies that sit between HCPs and health insurance companies.
- Health plans. They provide health insurance.
If you are a CE, do you have the required, updated BAAs with your business associates?

Business Associates
- Any person or entity that will perform a covered function under HIPAA for you or your organization (either for or on behalf of).
- Covered functions? Create, store, maintain, transmit or transport PHI.
- Examples: offsite record storage companies, scanning/imaging, document destruction, x-ray collection, software hosts or vendors that have remote access into your database, attorneys, etc.
- Can they each provide proof of a formal, documented and current HIPAA training program to you? Can they provide copies of any industry certifications proving they are also current?

What is PHI? Patient name plus one or more of the following, if it is used in a medical context:
- all geographic identifiers smaller than a state;
- dates directly related to an individual;
- phone numbers;
- fax numbers;
- social security numbers;
- medical record numbers;
- health insurance beneficiary numbers;
- account numbers;
- certificate/license numbers;
- vehicle identifiers and serial numbers, including license plate numbers;
- device identifiers and serial numbers;
- web uniform resource locators (URLs);
- internet protocol (IP) numbers;
- biometric identifiers (fingerprints, retinal prints and voice prints);
- full face photos and any other comparable images (such as tattoos);
- any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data.

Breach Definition
“unauthorized acquisition, access, use, or disclosure of Protected Health Information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information”
Any impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised.

Breaches
- Identity theft is the driver for most breaches
- ID theft was a $28 billion industry in 2013
- Well over 700 million records have been breached since 2005
- What are the thieves after? Billing and insurance records, medical files, payment details, prescriptions, social security numbers
- Medical ID theft has risen 400% in the past year
- Does leadership want their organization to be the subject of Tweets, ‘shares’, ‘likes’?
- Are your own medical records accurate?

*Civil Penalties* The 4 tiers of civil penalties (all monetary and per calendar year):
- Tier A – Lowest level, single violation (an ‘oops’). Fine: not less than $100, up to $50,000 each.
- Tier B – Reasonable cause: “A reason that would motivate a person of ordinary intelligence under the circumstances.” Fine: not less than $1,000, up to $50,000 each.
- Tier C – Willful neglect but corrected: “Conscious or intentional failure to perform a duty due to negligence.” Fine: not less than $10,000, up to $50,000 each.
- Tier D – Multiple violations by willful neglect, not corrected. Fine: not less than $50,000, up to *$1.5 million.
*The total for all such violations of an identical provision in a calendar year is also $1.5 million.

*Criminal Penalties* The 3 tiers of criminal penalties:
- Tier A – Wrongful disclosure: knowingly uses or causes PHI to be used. Penalty: up to a $50,000 fine and 1 year imprisonment.
- Tier B – Wrongful disclosure under false pretenses: e.g. a reporter who fails to identify themselves as a member of the press, obtains PHI and publishes it. Penalty: up to a $100,000 fine and 5 years imprisonment.
- Tier C – Wrongful disclosure under false pretenses with intent to sell, or to use for commercial or personal gain or malicious harm. Penalty: up to a $250,000 fine and 10 years imprisonment.

Who Pays?
- The company
- The owners and/or shareholders
- The employee that caused the breach

Is it Okay to …
- FAX PHI?
- PHI?
- Use the USPS, FedEx or UPS to ship PHI?
- Use common carriers or courier/delivery service companies to deliver PHI?

EMRs
- Do you have electronic files sent to you in place of doctors’ slips?
- How do you store them? In one giant file, or in many separate subfolders within a large folder?
- How do you control access to that information?
- What about IT having total access to your system? Who keeps them out?

You Staying?
I want to encourage you to stay for the workshop and learn more about other topics. I will have time after the workshop to talk more with you about any specific questions you have, and I am happy to discuss specific incidents that concern you.

QUESTIONS?