HIPAA Privacy and Security Training


1 HIPAA Privacy and Security Training
Speaker: Bob Ellerbrock, December 16, 2016

2 Agenda for Discussion of HIPAA
- Regulatory Overview – How and Why HIPAA Applies To You
- Privacy and Security Rule Overview
- How HIPAA Works
- Breach Notification
- Enforcement, Audits & Penalties
- Practical Suggestions for Complying with HIPAA

3 HIPAA – Does It Apply to You?
“YES.” In general, HIPAA applies to entities that are:
- Healthcare providers or payors;
- Providing self-insured health plan benefits to employees;
- Performing services for, auditing or advising clients that are the types of entities mentioned above; and
- Performing services for, auditing or advising clients that perform services for, audit or advise the types of entities mentioned above.
Since HIPAA applies to you, you must take it seriously because: (1) the federal government takes it seriously (e.g., audits, exposure to penalties/fines); and (2) it is easy to get blindsided by the law.

4 Quick Regulatory Overview
What is HIPAA?
- H = Health
- I = Insurance
- P = Portability and
- A = Accountability
- A = Act
Not “HIPPA” or hippo.
Goal: To reform the health insurance market and simplify health care transactions and processes (i.e., insurance reform, or “portability,” and administrative simplification, or “accountability”).

5 Quick Regulatory Overview
Who is Affected? Covered Entities (CEs):
- Providers
- Hospitals
- Health Plans
- Billing Agencies
- Clearinghouses
- Laboratories
- Pharmacies
Effective March 26, 2013, following the Omnibus HIPAA Final Rule, HIPAA applies to Business Associates (BAs) of the “covered entities” set forth above and to BA subcontractors.

6 Quick Regulatory Overview
Privacy Rule
- Protects the privacy of individually identifiable health information
- Refers to WHAT is protected – health information about an individual – and the determination of WHO is permitted to create, receive, maintain, transmit or use such information
Security Rule
- Sets national standards for the security of electronic Protected Health Information
- Refers to HOW PHI is safeguarded – ensures privacy by controlling access to information and protecting it from inappropriate disclosure or accidental or intentional destruction or loss

7 The Privacy and Security Rules
- Rules apply to Covered Entities and Business Associates
- “Covered Entities” include healthcare providers and payors, as well as self-insured group health plans (e.g., medical, dental, flex, cafeteria)
- “Business Associates” and “Subcontractors” of BAs include persons who, on behalf of a CE, create, receive, maintain, transmit or use PHI for a function or activity of a CE or another BA (e.g., as a subcontractor)
- THIS IS A BROAD DEFINITION – typical BA functions include legal, accounting, consulting, data aggregation, actuarial, management, administrative, vending software, accreditation & financial services
- A BA is NOT a member of a covered entity’s workforce (i.e., an employee)

8 The Privacy and Security Rules
What Do These Rules Cover?
- Protected Health Information (PHI) = Individually identifiable information of a covered entity relating to the past, present or future physical or mental health or condition of a patient
- All information, e.g., electronic, oral and paper format
- Examples: Name, Date of Birth, Address, Photo, SSN, Phone Number, Diagnosis, Lab Results, Genetic Information
- NOTE: Plenty of information is NOT protected by HIPAA (though other data privacy and security rules may apply)

9 The Privacy and Security Rules
[Diagram: nested categories – Health Information; Individually Identifiable Health Information; Protected Health Information; Electronic Protected Health Information]

10 Privacy Rule
Administrative Requirements
- Privacy Officer (currently, Troy Farnlacher)
- Training, Safeguards and Sanctions
- HIPAA Policies and Procedures
- Administrative, Physical and Technical Safeguards
Use & Disclosure Rules
- Generally, CEs and BAs may not use/disclose PHI unless permitted by regulations (e.g., for treatment, payment or health care operations)
- NO DISCLOSURE TO A BA UNLESS a business associate agreement is in place
- Limit to the “minimum necessary”
Individual Rights & Privacy Notices (only for CEs)
- Individual (Patient) Rights to Control, Access and Use PHI
- Notice of Privacy Practices

11 Security Rule
PURPOSE: To safeguard PHI maintained or transmitted in electronic form (ePHI)
- The Security Rule is not just about technology
- A careless or poorly trained employee is just as likely to violate the rule as a hacker or virus
Basic Concept: Each CE and BA must implement administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of ePHI, with standards that apply to both its internal and external activities

12 Breach Notification
- “Breach” = impermissible acquisition, access, use or disclosure of (unsecured) PHI
- A breach only exists if the PHI is “unsecured”
- Per HHS guidance, there are two methods to “secure” PHI: Encryption (ePHI) and Destruction (ePHI or any other PHI)
- Exceptions exist for inadvertent, harmless mistakes
- Still, in many routine uses and disclosures, PHI is unsecured
- If a breach occurs, breach notification is required UNLESS the CE/BA can demonstrate there is a “low probability that PHI has been compromised” based on a risk assessment

13 Breach Notification
- Following a breach, the CE/BA must notify affected individuals, HHS, state regulators (if applicable), and the media (if applicable) – THIS CAN BE EXPENSIVE, especially if there are credit monitoring costs and outside legal costs
- Generally, notifications must take place within 60 days after the breach was discovered or should have been discovered
- KEY TAKEAWAY: Employees of CEs/BAs that handle PHI must know who the Privacy Officer is, know what HIPAA is, and notify the Privacy Officer immediately in the event of a breach or potential breach of unsecured PHI, so that the CE (and the BA, via contract) can meet legal obligations in a timely manner

14 Enforcement, Audits & Penalties
If you do not comply with HIPAA, then you risk enforcement actions and penalties from federal and state agencies, as well as liability to counterparties to BAAs and other contracts that you have signed.
Main Federal Agency
- The HHS Office for Civil Rights (OCR) is primarily tasked with enforcing HIPAA. It is active in this area – OCR started Phase 2 audits of 350 CEs and 50 BAs (randomly selected) in Q1 2016
- OCR also handles ADA/EEOC complaints
Private Right of Action
- No right exists under HIPAA (individuals complain to OCR)
- Plaintiffs’ lawyers are getting creative (state law claims such as negligence and invasion of privacy)

15 Enforcement, Audits & Penalties
Civil Penalties – increased tier penalties:
- Tier 1: If a person is not aware of the violation (and would not have known with reasonable diligence), the penalty is $100 - $50,000 per violation, not to exceed $1,500,000 for all violations of the same requirement in a calendar year
- These are violations in which the offender did not realize he or she violated HIPAA and would have handled the matter differently if he or she had.

16 Enforcement, Audits & Penalties
Civil Penalties
- Tier 2: If a violation is due to “reasonable cause” (but not willful neglect), the penalty is $1,000 - $50,000 per violation, not to exceed $1,500,000 for all violations of the same requirement in a calendar year
- The final rule defined reasonable cause as an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated HIPAA, but in which the covered entity or business associate did not act with willful neglect

17 Enforcement, Audits & Penalties
Civil Penalties
- Tier 3: If a violation is due to willful neglect and is corrected within 30 days, the penalty is $10,000 - $50,000 per violation, not to exceed $1,500,000 for all violations of the same requirement in a calendar year
- Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated
- Tier 4: If a violation is due to willful neglect and is not corrected within 30 days, the penalty is at least $50,000 per violation, not to exceed $1,500,000 for all violations of the same requirement in a calendar year

18 Enforcement, Audits & Penalties
Civil Penalties – State Attorneys General (AGs)
- State AGs are authorized to bring a civil action for HIPAA violations and, in connection therewith, enjoin violations and seek damages on behalf of residents
- Damages are calculated by multiplying the number of violations by $100. The penalty is not to exceed $25,000 for all violations of an identical requirement during a calendar year
- The court may award costs and reasonable attorneys’ fees to the state
- A state action may NOT be brought during the pendency of a federal action

19 Enforcement, Audits & Penalties
Criminal Penalties
- Up to a $50,000 fine and 1 year in prison for obtaining or disclosing PHI
- Up to a $100,000 fine and up to 5 years in prison for obtaining PHI under “false pretenses”
- Up to a $250,000 fine and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm

20 Past Enforcement Actions
- Blue Cross of Tennessee agreed to pay HHS $1.5 mil. to settle potential violations resulting from 57 unencrypted computer hard drives stolen from a leased facility in Tennessee
- Cignet Health paid a $4.3 mil. civil monetary penalty to OCR on Feb. 22, 2011
  - Breached HIPAA by not providing 41 individuals timely access to copies of their medical records
  - Failed to cooperate with the OCR investigation
  - Failed to correct violations within 30 days
  - Cited for “willful neglect” and penalized $1.3 mil. for failing to give patients their medical records and $3 mil. for failure to cooperate

21 Past Enforcement Actions
- On August 14, 2013, Affinity Health Plan, Inc. agreed to a settlement of $1.2 mil. resulting from an OCR investigation
  - Affinity impermissibly disclosed the PHI of 344,000 individuals by returning multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives
- In March 2016, North Memorial Health Care of Minnesota entered a $1.55 mil. settlement with OCR
  - The violation was failure to enter into a business associate agreement with a major contractor and failure to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information

22 Identity Theft Data Points
- Criminal attacks on healthcare organizations have increased 125% since 2010 and are now the leading cause of health care data breaches, surpassing other causes such as lost/stolen computing devices, unintentional employee actions and 3rd party snafus.
- Audits/assessments are the primary reason a healthcare data breach is discovered (58%), followed by employee detection and patient complaints. It is much better to have employee detection and address a potential HIPAA issue internally than to have an auditor detect it.
- 91% of healthcare organizations have had at least one data breach in the past two years.
- 40% of healthcare organizations have reported at least five data breach incidents in the last year.
- Data breaches are costing the healthcare industry $6 billion annually.
*These statistics have been pulled from the Ponemon Institute’s Data Breach Study (2014) and 5th Annual Benchmark Study on Privacy & Security of Healthcare Data (2015).

23 Practical Suggestions
Do the Basic Blocking and Tackling
- Have a Privacy Officer and make sure everyone knows who it is
- Have HIPAA Policies and Procedures
- Implement and periodically review safeguards
- Train all employees with access to PHI about HIPAA
Be Proactive About BAAs and Other Contracts Related to HIPAA (Draft and Use Templates)
- Indemnification is a big deal
- Consider requiring any PHI sent to you to be encrypted
- How does the “minimum necessary” requirement apply?
- Spell out how it will be determined who handles notifications (& credit protection) in the event of a breach

24 Practical Suggestions
Select Subcontractors Carefully
- Consider subcontractors’ compliance with HIPAA
- Consider whether subcontractors can stand behind indemnification obligations
Utilize Encryption (whenever possible)
Create a Secure HIPAA File to Store PHI and Other Hard Copies of HIPAA-Related Materials
Add an Individual with a Data Security and Privacy Background to the Board (or ensure that the Board consults with such an individual routinely)

25 Thank You
Balch & Bingham LLP
Bob Ellerbrock
Birmingham Office
Phone:

