HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE
OBJECTIVES To understand the legal requirements under The Health Insurance and Portability and Accountability Act (HIPAA) , The Health Information for Economic and Clinical Health Act (HITECH) and State Law- Special protections.
DEFINITIONS Health care provider means a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. A business associate includes: a health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI; and a person that offers a personal health record (PHR) to one or more individuals on behalf of a covered entity.
DEFINITIONS cont. The Standards or Code of Conduct establish the practices and ethical rules through which an entity implements a culture of compliance and integrity in the handling of Protected Health Information (PHI). Covered entity means: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form.
THE HEALTH INSURANCE AND ACCOUNTABILITY ACT (HIPAA) Federal requirement o Privacy- effective since April 14, 2003 o Security- effective on April 21, 2005 o HITECH- effective on February 11, 2010 Breach Notification Requirements o Requires healthcare organizations to maintain the privacy and security of Protected Health Information (PHI)
HIPAA vs. State Law When state law is more restrictive than the federal HIPAA Regulations, then state law prevails. Requires patient authorization prior to release State law additional requirements may vary from state to state
UNDERSTANDING PHI PHI is any and all information about a patient’s health that identifies the patient, or information that could identify the patient. As a rule of thumb, any patient information that you see, hear or say must be kept confidential. PHI is information that can individually identify a patient. PHI can include: Any type of information found in medical and billing records, for example: Diagnoses, Test Results, Progress Notes, etc. Name, Address, Phone, Social Security Number, Photographs,
HIPAA PATIENT PRIVACY RIGHTS Right to Notice Right to Amend Right to Access Right to an Accounting of Disclosures Right to Request Restrictions Right to Request Confidential Communications Right to Notification of a Security Breach Right to File a Complaint
HIPAA DISCLOSURES How much PHI can we share? All disclosures are subject to a determination that PHI disclosed is the MINIMUM NECESSARY for the lawful purpose. What is Minimum Necessary?
HIPAA allows the use of PHI for these purposes: Payment Insurance companies Treatment Physicians Providers Nursing and ancillary staff Operations Risk Management Quality Improvement Peer Review
Preventing Unauthorized Disclosures Discuss patient information in public areas Position computer screens or leave the computer unattended so that unauthorized persons may view the private data Leave medical records unattended Remove records containing PHI from the facility Disseminate reports containing PHI via unsecured methods Use FAX preprogramed settings or redial before confirming the number
The Security Rule Ensure the confidentiality, integrity and availability of all electronic Protected Health Information (ePHI) Confidentiality: that patient information is not made available or disclosed without proper authorization Integrity: that patient information has not been altered or destroyed Availability: that patient information is accessible and usable upon demand by an authorized person
Security Safeguards Administrative - Developing information security programs designed to protect ePHI and to also manage the conduct of the workforce in the relation to the use of the protected information. Physical - Ensuring the physical protection of information systems including the protection of related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Technical - Identifying technology to be utilized and ensuring procedures are in place to protect ePHI and to control access to it.
The Health Information Technology for Economic and Clinical Health Act (HITECH) HITECH amends HIPAA to create new enforcement provisions and expanded civil and criminal penalties ranging from $100 to $50,000 per violation, and calendar year penalty caps ranging from $25,000 to $1.5 million. Any unauthorized disclosure is a breach unless the Covered Entity can show by objective proof that there is a low probability that the information was compromised. Anyone that has regular access to PHI to perform a function on behalf of a Covered Entity is a Business Associate.
Monitoring and Enforcement The Compliance Program A compliance program is designed to develop and ensure effective internal controls that promote best practices and adherence to all applicable Federal and State legal or regulatory requirements, including HIPAA Privacy and Security compliance
Elements of a Compliance Program Standards of Code of Conduct Designation of a Privacy Officer Access to a Compliance Hotline Policies and Procedures (Administrative Safeguards) Education (training) Monitoring (oversight) Enforcement (cons)
Reporting HIPAA violations should be reported to the Privacy Officer for investigation. Every covered entity must identify a Privacy Officer
Investigations If the infraction is confirmed as a security breach then the following must occur: The patient is notified The Department of Health and Human Services is notified An action plan is developed to mitigate harm Policies are enforced
Enforcement Enforcement activities should be consistent regardless of who is the person involved in the infraction. Same facts – Same outcome
Who is a Business Associate? Any individual or entity that creates maintains or transmits PHI on a regular basis when performing a function on behalf of the covered entity is a business associate. Another covered entity may be a Business Associate
Conduits If the information is delivered by courier, the courier is not a business associate because they are not accessing the information; they are acting as a mechanism to transfer data or a “conduit”.
Agents A Covered Entity may be liable for the acts of an agent. Independent contractors may be agents If the covered entity has control over the contractor’s activities.
What is a Breach? A breach is an unauthorized disclosure where the information released is usable, readable and decipherable. This includes data in motion and data at rest.
Breach Notification Procedures The presumption of a breach may only be rebutted if the covered entity can show through objective evidence that the disclosure posed a low probability that the PHI was compromised. If you determine that a breach has occurred you must notify, correct the problem, enforce your policies and procedures and make the appropriate notifications. If the breach involves from patients – notify the patient within 60 days and HHS at the end of the calendar year. If the breach involves 500 or more patients – notify the patient, HHS and the media within 60 days.
Government Enforcement The Office of Civil Rights (OCR) is charged with the enforcement of the Privacy, Security and HITECH regulations, including investigations of whether a security breach has occurred. OCR will also conduct random audits of compliance with the Privacy and Security Rules
Penalties 1ST Tier- Did not know -would not have known at least $100/violation, not to exceed $25,000 per year 2nd Tier- Reasonable cause (not willful neglect) at least $1,000/violation, not to exceed $100,000 per year 3rd Tier- Willful neglect – corrected within 30 days at least $10,000/violation, not to exceed $250,000 per year 4th Tier- Willful neglect- not corrected within 30 days $50,000/violation, not to exceed $1.5 million per year
Questions ?