A HIPAA Roadmap
Past, Present and Future…
A Review
LBA Healthcare Consulting Services, LLC
LeeAnn Brust, RN, MBA, CPC, CCP, CMPE
(904) 396-4015
Health Insurance Portability and
Accountability Act
• Enacted in 1996.
• Congress called for the Department of Health & Human Services to develop standards and requirements for the electronic transmission of health information.
• Administrative Simplification (AS) Provision
Administrative Simplification
(Part C of Title XI)
This aspect of the HIPAA law requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for maintenance and transmission of health information that identifies individual patients.
What are the Standards Designed to do?
• Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for administrative & financial transactions.
• Protect the security and confidentiality of electronic health information.
Who must Comply with HIPAA?
• All healthcare organizations that maintain or transmit electronic health information must comply.
• This includes health plans, health care clearinghouses, and health care providers, from large integrated systems to individual providers.
Six Key Areas of HIPAA
• Standardization of Electronic Transactions & Code Sets
• Privacy
• Security
• National Provider Identifiers
• Electronic Signatures
• Electronic Medical Records
Penalties for Failure to Comply
 $100 per person per violation.
 May not exceed $25,000 for a violation of a
single standard per calendar year.
 HHS Office of Civil Rights (OCR) has been
charged with enforcement
Wrongful Disclosure of Individually Identifiable Health Information
• Wrongful disclosure offense: $50,000, imprisonment of not more than one year, or both.
• Offense under false pretenses: $100,000, imprisonment of not more than 5 years, or both.
• Offense with intent to sell information: $250,000, imprisonment of not more than 10 years, or both.
EDI standards apply to nine specific transactions
1. Health claims or the equivalent encounter information;
2. Pharmacy transactions: National Council for Prescription Drug Programs (NCPDP);
3. Health claims attachment;
4. Health plan enrollments and disenrollments;
5. Health plan eligibility;
6. Health care payment and remittance advice;
7. Health plan premium payments;
8. Health claim status;
9. Referral certification and authorization.
Privacy Rule
Section 264 of HIPAA
• DHHS published the final regulations on December 28, 2000.
• The legislation with modifications was finalized on August 14, 2002, with a final compliance date of April 2003 (Federal Register).
Business Associates
• Do you have Business Associate contracts for all business relationships where exposure to PHI might be possible?
Government Access to PHI
• Government-operated health plans and providers are subject to the same HIPAA requirements as all other health care organizations.
• The Office of Civil Rights is granted access to PHI, but only for investigative or enforcement purposes, and the information OCR requests will be limited and protected.
• Regulations allow certain disclosures to be made for law enforcement purposes, but any state law that has tighter limits on such uses and disclosures of PHI will control.
Payment Disclosure
• Conditions under which PHI may be used or disclosed for payment purposes:
1. Billing and collections
2. Determining health plan eligibility
3. Disclosures to consumer reporting agencies
Understanding Incidental Use and Disclosure
• DHHS acknowledges that incidental use and disclosure of confidential information may occur in the course of daily operations.
• Incidental use and disclosure will not be considered a violation of the privacy rule if you have taken reasonable safeguards and meet the minimum necessary requirements.
Use and Disclosure
• The individual who is the subject of the disclosure must provide authorization.
• In the case of a disclosure (phone or in person), the individual must be verified by obtaining two pieces of identifiable information. This must be documented.
• Disabled or deceased individuals (previous employees) are also protected. Proof of power of attorney is required from the individual who is requesting information.
“Minimum Necessary”
Do your policies and procedures support the “minimum necessary”?
Create Protected Health Information (PHI) “firewalls”
• Establish an “accounting” procedure to track uses and releases of PHI.
• Limit access to those employees that require it (“minimum necessary”).
Create PHI “firewalls”
“Minimum necessary” use:
• Must identify persons or classes of persons who need access to PHI to carry out their duties.
• Must identify the categories of PHI for each person or class of persons (job descriptions are one of the most common areas).
Maintain Documentation
• All necessary policies and procedures
• Ensure changes to policies and procedures are not implemented until documented and appropriate persons are notified
• Maintain documentation for six years, unless a longer period applies
• Business Associate contracts
• Patient acknowledgement of privacy policies
• Authorization forms
• Notices and amended notices
• Training of employees
• Patient complaints and their disposition (this must be documented on the complaint form and forwarded to FCCRMC)
Security Rule
Section 264 of HIPAA
• Final Rule published February 20, 2003.
• DHHS tried to align the security regulations more closely with the final privacy regulations.
Why a Security Rule?
Protecting PHI becomes more important as businesses transition to a paperless environment.
Purpose of the Security Rule
To protect electronic patient health information (PHI) in three ways:
1. Confidentiality: PHI is concealed from people who do not have the right to see the information.
2. Integrity: information has not been improperly changed or deleted.
3. Availability: the healthcare provider can access the information when it is needed.
Understanding the Intersection of Privacy and Security
Security encompasses the measures organizations must take to protect information within their possession from internal and external threats.
Privacy is the consumer’s view of the way his/her information is treated.
• Privacy
The privacy rule mandates that entities safeguard all PHI, no matter what the form.
• Security
The security rule focuses on requirements for safeguarding PHI in electronic form through policies, procedures, and technology in order to preserve the confidentiality, integrity, and availability of electronic PHI.
Areas Where the Privacy Rule Requires Implementation of Security
• Reasonable safeguards
• Limit information to minimum necessary access.
• Individual accounting of disclosures outside of TPO releases.
Security
• The proposed security standard is divided into four categories:
1) Administrative procedures
2) Physical safeguards
3) Technical data security services
4) Technical security mechanisms
Administrative Procedures
• Ensure that security plans, policies, procedures, training and contractual agreements exist.
• Establish an employee termination policy.
• Security incident reporting system (report, respond, repair).
• Procedures that address staff responsibilities for protecting data.
Physical Safeguards
• These safeguards protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion.
• The use of locks, keys, and administrative measures used to control access to computer systems and facilities are also included.
Physical Safeguards
• Facility security plan
• Visitor sign-in
• Workstation use
• Monitor position
• Log off terminal
• Screen saver
• Terminal timeout
• Maintenance records
Technical Data Security Services
• These include the processes used to protect, control, and monitor information access.
• Provide specific authentication.
• Authorization, access and audit controls to prevent improper access to PHI.
• Guard data integrity, confidentiality and availability.
Technical Security Mechanisms
• These include the processes used to prevent unauthorized access to data transmitted over a communications network.
• Encryption
• System alarms
• Audit trails
• Passwords
Specific Ways Staff Can Help
• Manage their password
• Identify and keep out malicious software
• Use workstations properly
• Know the practice’s sanction policies
• Learn and follow the practice’s policies and procedures
Manage Your Password
• When creating a password, use a combination of letters and numbers
– Choose a song, a saying, a poem: something easy to remember
– Do not allow staff to write their password anywhere
– Use a separate password for personal accounts
Manage Your Password (cont’d)
• Once your staff members have a password
– Encourage them not to share it with anyone
– Change passwords according to policy (at least every 12 months)
– Encourage staff to use the same password for all of their accounts/programs.
Manage Your Password (cont’d)
• Ask your staff to report the following immediately:
– Someone has learned their password (change it immediately)
– Your account has been used by someone other than yourself
Identify and Keep Out Malicious Software
• Warning signs that indicate a workstation may be infected
– System is running particularly slow
– Storage capacity is suddenly at the maximum
– Activity on the computer at unusual times
– Activity logs erased
– Warnings from monitoring software that you have a virus in the computer
Identify and Keep Out Malicious Software
Safety measures to teach your staff
• Open email attachments only from known sources
• Clear the use of instant messaging programs with our ISO
• Use desktop firewall settings established by our ISO
• Use office computers only for practice business
• Don’t download or install software without ISO approval
Use Workstations Properly
• Position the monitor so others, especially visitors, cannot see the screen
• Staff should log off workstations (or activate the password-protected screen saver) when they are:
– Finished with a task
– Leaving the area and can’t see the workstation
– Letting a new user log on with their own password
Warning!
Time outs are a protection system for when you forget to log off. Do not change the timer!
Use Workstations Properly (cont’d)
• Threats to a network
– Devices introducing viruses into the system: CDs, floppies, iPods, USB drives, Palm Pilots
– Family members or friends using practice computers in off-hours can introduce viruses and expose patient data
– Web surfing for personal enjoyment
– Downloading free programs or music from the Internet onto office machines can introduce viruses
Use Workstations Properly (cont’d)
• Protect your private information
– Implement policies about what is allowed in emails and when they are to be deleted
– Encrypt documents for storage and transmission as directed by your IT department
– Report the loss of any equipment which might contain identifiable health information to your IT department
Consequences for Violations
• Intentional infractions may lead directly to dismissal.
• Infractions can result in civil and governmental penalties for the violator, as well as for those responsible for implementing and monitoring our security policies.
• Knowingly misusing patient information (in electronic form or any form) is a felony under HIPAA.
Security Risks are Real
1. 24,000 complaints filed
2. 18,529 complaints closed
3. 362 cases sent to the Department of Justice; only 39 accepted
4. 32% of the cases opened were closed with no violations found
5. 57% had to implement a corrective action plan
Key Points
• Ensure your HIPAA policies and procedures are updated and that their location is known by all applicable staff.
• Provide initial training at hire and annually thereafter. Use the group attendance log as documentation.
• Maintain a separate employee health file.
• Keep all protected information in a limited-access area and under lock and key.