HIPAA Privacy and Security For Employer Sponsored Health Plans


Slide 1: HIPAA Privacy and Security For Employer Sponsored Health Plans
Presented by: [Your Name], [Date]
Business Insurance | Risk Solutions | Employee Benefits | Personal Insurance | Global Solutions | kapnick.com

Slide 2: Agenda
- HIPAA Overview
- Privacy Practices
- Security definitions
- Security standards
- Security safeguards
- Security incidents
- Sanctions
- Breach notification
- Enforcement update

Slide 3: Overview of HIPAA
Structure of the Act (we focus on the Subtitle F portion of HIPAA only):
- Title I — Health Care Access, Portability and Renewability
- Title II — Preventing Health Care Fraud and Abuse
  - Subtitle F — Administrative Simplification: Privacy, Electronic Transactions, Unique Identifiers, Information Security, Employer Identifier, Code Sets
- Title III — Tax-Related Health Provisions
- Title IV — Group Health Plan Requirements
- Title V — Revenue Offsets

Notes: HIPAA stands for the Health Insurance Portability and Accountability Act. It is the Kennedy-Kassebaum Act of 1996. The portion of the Act we are addressing is Title II, which deals with the accountability portion of HIPAA. Specifically, we are addressing Subtitle F, "Administrative Simplification." The underlying rationale for HIPAA is to standardize electronic transactions and code sets; these are the first two boxes on the bottom of the chart. Prior to HIPAA there were over 400 different standards for these transactions, which is to say there were no standards. HIPAA identified the 8 transactions in healthcare administration: health claims and equivalent encounter information; enrollment and disenrollment in a health plan; eligibility for a health plan; health care payment and remittance advice; health plan premium payments; health claim status; referral certification and authorization; and coordination of benefits. For each transaction type, there is now one standard format for the transaction itself. With the standardization of transactions and code sets, there was concern about the privacy and security of PHI. The Privacy regulation was passed to protect the rights of consumers, restore trust in the healthcare system and reduce fraud in Medicare. Prior to the Privacy rule, your doctor could sell your health information to a marketing or drug company and you could not prevent it. Now, this is the most egregious offense under HIPAA. The Security regulation was passed to address the safeguarding of PHI in electronic format. Security is the final significant regulation under HIPAA.

Slide 4: Who Does HIPAA Impact?
Covered Entities - Must Comply:
- #1 Health care providers
- #2 Group health plans (fully or self-insured employer sponsored plans and health insurance issuers)
- #3 Clearinghouses
Business Associates - Should Comply:
- #4 Firms working with covered entities. Examples include billing services, transcription services, TPAs and brokers.

Notes: Providers are the group most impacted by HIPAA because it affects their day-to-day business operations. Covered entities include hospitals, physician practices, nursing homes, chiropractors, dentists, and so forth. Health plans are the second group of covered entities. Health plans include insurance companies that provide health insurance to individuals, groups and employer sponsored plans. The second group of health plans are the employer sponsored health plans themselves. If an employer provides a health insurance benefit to its employees and has access to PHI as part of that process, it is covered under the regulation. HIPAA affects almost every business in the United States. The third group is the smallest. These are organizations that process claims for physician practices by converting them from one form (paper) to another (electronic). They are also known as clearinghouses. The last group are third parties not defined as "covered entities" but that provide a service to the covered entity: billing services, transcription services, utilization review companies, and others.

Slide 5: Protected Health Information (PHI) / Individually Identifiable Health Information
Protected Health Information (PHI) is information relating to the past, present or future physical or mental health of an individual (employee), whether they are active or terminated. Individually Identifiable PHI is PHI that identifies an individual. This could include: name, address, date of birth, Social Security number, telephone numbers, address, account numbers, Group Health Plan beneficiary number, or any other unique identifying number, characteristic or code.

Notes: Here are a few key terms that are important to understand. First, Protected Health Information (PHI) is information relating to the past, present or future physical or mental health of an individual (employee), whether they are active or terminated. So, let's say you have a prescription that says 10 milligrams of Prozac. Is this considered PHI? It is if you can tie that prescription to an individual. So, once you have a name, date of birth, employee ID, health plan ID or some other identifier, the PHI becomes individually identifiable and covered under HIPAA. A question we frequently get is: are the identifiers themselves considered PHI? The answer is yes, and we clearly saw this in the first criminal conviction under HIPAA. A man named Richard Gibson served a 16 month prison sentence for improperly disclosing a name, SSN and date of birth.

Slide 6: Privacy Rule
- Applies to paper, oral and electronic records
- Sets boundaries on the use and disclosure of health information
- Gives "individuals" more control over their own health information
- Establishes safeguards for protecting the privacy of health information
- Holds covered entities accountable for violations of privacy requirements

Notes: The Privacy rule applies to PHI in any format, whether it is on paper, oral or electronic. The Privacy rule sets boundaries on the use and disclosure of PHI. The Privacy rule gives individuals more control over their health information: it protects the individual's right to access their information, to amend this information if it is incorrect, and to receive an accounting of who else has seen this information where the use or disclosure was not part of the typical treatment, payment and operations of the administration of PHI. The Privacy rule establishes safeguards for protecting the privacy of health information. The rule uses the term "reasonable safeguards"; the Security regulation goes into much greater detail about how to determine what these reasonable safeguards are. The Privacy rule holds covered entities accountable for violations of the privacy requirements.

Slide 7: Privacy Regulation
Some requirements that a covered entity must comply with include, but are not limited to, the following:
- Designating a Privacy Official.
- Designating a Contact for handling Complaints.
- Developing policies and procedures on the use and disclosure of individually identifiable health information.
- Providing training to all workforce members on the policies and procedures that affect their job duties.
- Providing a Notice of Privacy Practices to individuals.

Notes: The Privacy Official is responsible for bringing the entity into compliance with the Privacy regulation and for the covered entity's ongoing privacy practices. Requirements a covered entity must comply with include designating a Privacy Official; designating a contact for handling complaints; developing policies and procedures on the use and disclosure of individually identifiable health information (as with any regulation, policies and procedures must be documented and followed); and providing training to all workforce members on the policies and procedures that affect their job duties.

Slide 8: How Does a Covered Entity Use Protected Health Information?
- They share this information with other healthcare providers.
- They are permitted to use and/or disclose information for treatment, payment or health care operations without getting permission from an individual.
- To use information for any other reason, or to disclose it to anyone other than the patient or Covered Entity, may require a signed and verified authorization.

Notes: Covered Entity shares this information with our clients and other covered entities. Covered Entity is permitted to use and/or disclose information for treatment, payment or health care operations without getting permission from a patient. The patient has received notification of these uses and disclosures in the notice of privacy practices provided by their Covered Entity. To use information for any other reason, or to disclose it to someone other than the patient or clinician, may require a signed and verified authorization.

Slide 9: Authorizations
- What is an authorization?
- When is it used?

Notes: An authorization is used to allow us to disclose PHI for reasons other than those we have already discussed (TPO, disclosure to the participant, etc.). Valid authorizations must be limited in scope, good for only a limited time, and can be revoked by the participant. Examples: disclosure to a spouse or other family member who is not a personal representative; disclosure for marketing purposes, research or fund raising.

Slide 10: Other Aspects of HIPAA Administration
Individuals have the right to access their protected health information, receive an accounting, amend their protected health information, file a complaint, request confidential communications, or restrict access to their protected health information.

Notes: Covered Entity patients have received a notice of privacy practices from their Covered Entity. This notice lists the rights of the individual, which are:
- Individuals have the right to access the PHI that Covered Entity may have created, maintained or received.
- They have the right to amend this information if they believe it to be incorrect.
- They have the right to receive an accounting of who has seen their PHI through non-routine (not treatment, payment or operations related) disclosures by Covered Entity, their insurance carriers, other covered entities or third parties. These entities must account for disclosures that are not specified in the Privacy Notice or otherwise required by law.
- Individuals have the right to file a complaint about Covered Entity's use or disclosure of their PHI. Please encourage a patient who feels they have a complaint to make that complaint to the complaint contact. The employee's alternative to filing a complaint with Covered Entity is to file with HHS; Covered Entity would prefer to receive the complaint and take appropriate action.
- Individuals have the right to request confidential communications. If they want to discuss PHI with you, they can do this in a confidential manner.
- Individuals have the right to restrict access to their PHI. For example, a patient may request that you not disclose the PHI to a third party because their former spouse works there. Forward all such issues to the appropriate staff member.

Slide 11: Confidentiality
All Covered Entity employees that have access to protected health information agree that at no time, during or after their employment with Covered Entity, will they use, access or disclose protected health information to anyone except as required or permitted in the course and scope of their duties. Unauthorized use/disclosure may result in disciplinary action up to and including termination. Civil or criminal penalties may also apply.

Notes: If you have access to protected health information, you should have signed an agreement that at no time, during or after your employment with Covered Entity, will you use, access or disclose protected health information to anyone except as required or permitted in the course and scope of your duties. If you have not signed this agreement, please contact the privacy official as soon as possible. Any unauthorized use/disclosure may result in disciplinary action up to and including termination. Civil or criminal penalties may also apply. There have been criminal convictions under HIPAA resulting in prison sentences and fines for employees who improperly used and disclosed PHI with intent to sell. There are many more cases pending with the Department of Justice.

Slide 12: Safeguards
Covered entities must implement appropriate safeguards to protect an individual's protected health information. Remember to do the following:
- Records that contain protected health information should be maintained in a secure location or locked away.
- Records that contain protected health information should be shredded before discarding the information.
- Passwords should not be shared with anyone.
- Electronic protected health information needs to be safeguarded as well.

Notes: Covered Entity has implemented appropriate safeguards to protect an individual's protected health information. Remember to do the following: Records that contain protected health information should be maintained in a secure location or locked away; secure this information except when you are using it for a specific purpose. Records that contain protected health information should be shredded before discarding the information, as long as record retention minimums have been met; the typical retention period for this information is 6 years. Passwords should not be shared with anyone. Electronic protected health information needs to be safeguarded as well. There are serious consequences for violating this policy, including disciplinary action and termination.

Slide 13: HIPAA Security
A sampling of reported incidents:
- May 21: Purdue University
- May 21: Jackson Community College (Michigan)
- May 19: Westborough Bank (Florida)
- May: Business Week on-line forum
- May 14: MTSU
- May 5: Wharton school (MSU)
- May 2: Time Warner
- April 28: Bank of America, Commerce Bancorp, PNC Bank
- April 21: Carnegie Mellon University
- April 20: AmeriTrade
- April 8: San Jose Medical Group
- March 28: University of California, Berkeley
- March 20: Kellogg MBA program
- March 17: Boston College
- March 17: Chico State University
- March 16: Kaiser Permanente
- March 8: DSW
- March: LexisNexis (Seisint)
- February 15: Bell v. Michigan Council 25
- February: Bank of America
- February: ChoicePoint
- February: PayMaxx
- November: Wells Fargo
- November: Gibson sentencing, US District Court
- November: Minneapolis School District

Notes: This list represents a sampling of companies affected by HIPAA breaches. Examples of HIPAA breaches: Eli Lilly inadvertently revealed over 600 patient addresses when it sent a message to every individual registered to receive reminders about taking Prozac. A hacker downloaded medical records, health information and Social Security numbers of more than 5,000 patients at the University of Washington Medical Center. A doctor's laptop was stolen at a medical conference; it contained names and medical histories of patients. Half of these incidents were caused by outsiders; the other half by disgruntled employees or by someone simply not following procedures, because there were no policies and procedures to follow or they had never been trained.

Slide 14: What is Electronic PHI?
Individually identifiable health information that is:
- Transmitted by electronic media
- Maintained in electronic media
- Transmitted or maintained in any other form or medium

Notes: EPHI is the electronic information you, as an organization, create, maintain, send or receive. Examples of EPHI include, but are not limited to: claim information, medical records, billing information and lab results.

Slide 15: Security Standards
- Only those that need access: physical access, technical access
- The covered entity is responsible for the confidentiality, integrity and availability of EPHI
- The covered entity's safeguards are the first line of defense

Notes: Access, both physical (file servers, data centers) and technical (user ID/password), is limited to those with a need to know, a legal right to know, or as mandated by state or federal law. You want to ensure the data is kept confidential, that its integrity is maintained (it is not changed inappropriately or corrupted), and that it can be recovered if lost, stolen or destroyed. The safeguards the covered entity has put into place are all about protecting the confidentiality, integrity and availability of the EPHI the organization creates, maintains, sends or receives.

Slide 16: Security Standards - General Rules
- Must have policies and procedures
- Security measures are appropriate and reasonable
- Considerations: size, complexity, mission, purposes of the EPHI created, maintained and transmitted

Notes: One of the first measures is to adopt policies and procedures to protect EPHI: adopt "procedures" to protect the security of individuals' information. Policies and procedures are "living" documents and need to be maintained when changes occur. You do what is appropriate for your organization considering the size of the organization, its complexity, and its mission (i.e., covered entity, business associate or employer).

Slide 17: Security Management Process
- Risk analysis
- Risk management
- Sanction policy
- Information system activity review

Notes: Covered Entity has conducted a risk analysis to identify any vulnerabilities we may have, based on the security standards established by the HIPAA regulation. Vulnerabilities will be managed and shored up as necessary. The workforce must follow policies and procedures; failure to do so can lead to disciplinary action. How the information systems are used, accessed, etc. will be periodically reviewed.

Slide 18: Safeguards
- Workforce security
- Information access
- Facility security plan
- Workstation use
- Device and media controls
- Access controls (technical)
- Administrative requirements

Notes:
- Workforce: background checks; authorization and supervision (confidentiality agreements); termination.
- Information access: access authorization.
- Facility: access authorization and control; accountability, hardware and software inventories, media control, etc.
- Workstation: acceptable and unacceptable uses of computer technology.
- Device and media: disposal; reuse; data backups.
- Access controls: unique user IDs; automatic logoff; encryption.
- Administrative: contingency plans; policies and procedures.

Slide 19: Security Awareness Training
- Security reminders
- Protection against malicious software
- Password management

Notes: Training will be done and tracked for those in the organization that need to be trained. New employees will be trained where appropriate. Periodic security reminders will be communicated to workforce members. Passwords must comply with the password standards.

Slide 20: Contingency Plans (Availability)
- Data backups
- Disaster recovery
- Emergency operation plan
- May have: critical applications and data
- Testing and revisions

Notes: Covered Entity has implemented contingency plans to recover from a loss due to breach or disaster. Contingency plans include regularly scheduled data backups, a disaster recovery plan, an emergency operation plan, and (where applicable) an inventory of critical applications and their corresponding data. Disaster recovery is tested and revisions are made when necessary.

Slide 21: Workforce Security Training
- Who
- When
- New employees or contractors
- Due to changes

Notes: Who: anyone in your organization who has access to EPHI, either as part of their job or because they technically have access. When: as close as possible to the deadline, when you have significant changes, or annually (recommended). New employees: as part of other organizational training.

Slide 22: Events Requiring Action
- Security incidents
- Sanctions
- Breach notification

Notes: Safeguards are in place. Ongoing monitoring of use and of who has access is conducted. Training for the appropriate workforce is completed. Now what?

Slide 23: Security Incidents
- What are they?
- What should you do?
- Actions depend on the incident
- Who was responsible? A third party?
- Are sanctions required?

Notes: Is a virus infecting one workstation an incident? No, if it is limited to one workstation. If that workstation was running, for example, payroll, then yes, it is an incident. Fire or flooding in the data center? Yes. Loss or theft of a laptop that contained EPHI? Yes. The actions you take depend on the incident or the scope of the incident. What if one of our third parties experienced a security breach? Treat it as if it happened to you. Document, document, document. If the breach was caused by a workforce member, are sanctions required? It depends on the event.

Slide 24: Sanctions/Violations
Workforce members who violate the health plan's Privacy or Security policies may be subject to disciplinary action, up to and including termination. The amount and type of corrective action used in any particular situation will depend on the facts and circumstances. The company maintains the discretion to determine whether corrective action is appropriate.

Notes: Workforce members who violate Covered Entity HIPAA policies may be subject to discipline, up to and including termination. As an example of why it is important to follow these policies and procedures, here is a report from the Salt Lake Tribune of January 28, 2006:

Intermountain Healthcare fired two employees after news media reportedly were alerted to the medical condition of LDS Church President Gordon B. Hinckley through an . The 95-year-old president of The Church of Jesus Christ of Latter-day Saints underwent surgery at LDS Hospital to remove a cancerous growth. Aryn Nelson, a gastroenterologist technician, said she was terminated because she had given her log-in information to a worker whose Internet privileges had been taken away. Nelson said hospital officials told her the other employee allegedly signed in under Nelson's name and sent an to media outlets Tuesday, saying Hinckley was in the hospital. Nelson admits giving out her log-in information. "It's really upsetting to me," she said. "You put all you can into a company you hope you'll retire from, and overnight it's shattered. They wouldn't even show me the . They just fired me." LDS Hospital spokesman Jess Gomez said that all new Intermountain Healthcare employees go through orientation, in which they learn about the company's password policy and patient privacy measures mandated by the Health Insurance Portability and Accountability Act (HIPAA).

"It's something we take very, very seriously," Gomez said. "All of our employees have passwords and access codes in order to access medical information for patients in which they are a direct provider of care. Our policy is that employees safeguard their passwords and access codes so we can ensure privacy and confidentiality for our patients. A violation of that policy can result in termination." Nelson said she knew the policy but says that workers sharing log-ins isn't uncommon. "That would be a very clear violation of HIPAA standards," said Douglas Springmeyer, an assistant attorney general who worked on a guide explaining the complex guidelines.

Slide 25: Breach Notification Specifics
- Notification to individuals
- Notification to the media
- Notification to the Secretary
- Notification by a business associate
- Law enforcement delay
- Burden of proof

Notes: Notification to the individual must be made within 60 days of discovery, via first class mail. If over 500 individuals are impacted, all within one state or jurisdiction, prominent news media outlets must also be notified. If over 500 are impacted, you must report to the Secretary within 60 days; if under 500, you must report within 60 days after the end of the calendar year in which the breach occurred. Your business associates must notify you within 60 days of discovery. Law enforcement may ask you to delay notification due to a pending investigation or to national security. Whether a security incident has occurred and you have determined it does not constitute a breach, or a breach has occurred, the burden of proof is on the covered entity or business associate. Document, document, document. For more information, see the Breach Notification policy in either the Privacy or Security manual.

Slide 26: Guidance and Enforcement
- Annual guidance regarding technology
- Random audits
- Reports to Congress
- Increased fines
- 2013 changes

Notes: The Secretary will provide annual guidance on which technologies best meet the standards of HIPAA and protect PHI. HHS will conduct random audits; this is a change from previous enforcement activities, as the regulation was complaint driven. Complaints will continue to be investigated as they come in. The Secretary must report to Congress annually on enforcement activities and breach notification events. The fines have gone up, up, up...

Slide 27: Why Comply?
The price for non-compliance:

  Problem          General Penalty
  Civil violation  $100/offense; up to $1.5 million/year
  Wrongful action  $50,000/offense; 1 year in prison
  False pretense   $100,000/offense; 5 years in prison
  Intent to sell   $250,000/offense; 10 years in prison

Notes: Civil violation: $100 per violation and up to $1.5M per person for all identical violations in a calendar year. Wrongful action: if you knowingly obtain or disclose PHI ($50,000). False pretense: if you knowingly obtain or disclose PHI under false pretenses. Intent to sell: if you obtain or disclose PHI with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm.

Slide 28: Questions?
Thank you for your attention today.
