Introduction to Pediatric and Ophthalmological Billing and


Presented by Capture Billing and Consulting, Inc.

Katie Jennings, RN and Michelle Ivanchukov, CPC, CCS-P

www.CaptureBilling.com

703.327.1800

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA Refresher 101

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to improve the efficiency and effectiveness of our healthcare system by establishing federal standards and requirements.

• It is an amendment to the Internal Revenue Service Code of 1986.

• Established federal portability requirements for all group health plans, non-discrimination requirements and restricted preexisting condition exclusion limitations.

• Designed to prevent inappropriate use and disclosure of individual health information and to require those organizations which use it to protect that information and their systems that store, transmit and process it.

4/26/2020 2


HIPAA Legislative Act

HIPAA Public Law 104-191 is composed of the following:

Title I:
• Health care access, portability and renewability (requires employers and health plans to allow a new employee’s medical coverage to remain continuous without regard to pre-existing conditions)

Title II:
• Preventing health care fraud and abuse; administrative simplification, medical liability reform (defines new requirements for privacy and security of individually identifiable patient information)
• Administrative simplification (reduces the administrative component of health care costs through the implementation of electronic data interchange (EDI) standards)

Title III:
• Tax-related health provisions (standardizes the savings amount per person in a pre-tax medical savings account)

Title IV:
• Application and enforcement of group health plan requirements (broadened information on insurance provisions)

Title V:
• Revenue offsets (regulations on how employers can deduct company-owned life insurance premiums for income tax purposes)

https://www.highmark.com/hmk2/about/hipaa/hipaaMain.shtml


Administrative Simplification

The provisions of the Administrative Simplification required the Department of Health and Human Services (HHS) to adopt the following:

• Electronic Health Care Transactions and Data
• Standardization of Medical Code Sets
• Unique Health Identifiers (Standard Unique Employer Identifiers (EINs) and National Provider Identifiers (NPIs))
• Security


Administrative Simplification

In order to maintain the privacy of health information utilizing electronic transmission, Congress incorporated mandated Federal privacy protections for individually identifiable health information.

• Privacy Rule: National standards for the protection of individually identifiable health information by covered entities
• Security Rule: National standards for protecting confidentiality, integrity and availability of electronic protected health information

These rules are enforced by the Office for Civil Rights (OCR) of the HHS


Covered Entities

The HIPAA Privacy and Security Rules provide specific requirements that must be followed by the following covered entities who transmit health information in electronic form:

Health Care Providers
• Doctors, Psychologists, Dentists, Chiropractors (and their billing services)
• Clinics, Nursing Homes
• Pharmacies

Health Plans
• Health Insurance Companies
• HMOs
• Company Health Plans
• Government programs (Medicare, Medicaid, Military/Veterans)

Health Care Clearinghouses
• Entities that process and convert information they receive from another entity

Business Associates
• Person or organization that performs certain functions or activities on behalf of a covered entity (including legal, accounting, consulting, data aggregation, accreditation)


HIPAA Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)

According to the HHS “a major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being”.

• Finalized December 28, 2000 with final modifications published August 14, 2002
• Requires appropriate safeguards to protect the privacy of personal health information (protected health information [PHI])
• Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
• Provides patients rights concerning their health information, including ability to examine, obtain a copy and request corrections


Protected Health Information (PHI)

PHI is considered individually identifiable health information held or transmitted by a covered entity or its business associate.

Individually identifiable health information is any information including demographic data that relates to:

• The individual’s past, present or future physical or mental health or condition
• The provision of health care to the individual
• The past, present, or future payment for the provision of health care to the individual


Use and Disclosure Limitations

Privacy Rule limits the circumstances in which an individual’s PHI may be used or disclosed by covered entities.

Covered entity may not use or disclose PHI unless:

• As the Privacy Rule permits or requires
• As the individual or personal representative authorizes use or disclosure in writing
• To the HHS in the event of a compliance investigation or review or enforcement action

Permitted Use and Disclosure

A Covered Entity is permitted to use and disclose PHI without an individual’s authorization for the following purposes or situations:

• To the Individual
• Treatment, Payment and Health Care Operations (provider coordination of care, reimbursement)
• Opportunity to Agree or Object (directory of patient contact information or location in a facility, family disclosure/coordination of care)
• Incident to an otherwise permitted use and disclosure (ex. Hospital visitor may overhear a provider discussing information with another provider in order to provide prompt and effective healthcare)
• Public Interest and Benefit Activities (required by law/court order, FDA, abuse, law enforcement)
• Limited Data Set for the purposes of research, public health or health care operations (with a data use agreement)


Notice of Policy Practices

Covered Entities must provide a notice of its Privacy Practices to include:

• Use and disclosure of PHI permitted and used by the covered entity
• Duties to protect privacy
• Notice of Privacy Practices and terms to abide by
• Individual’s rights and grievance process if rights have been violated
• Point of contact for further information and to receive complaints
• Must distribute to each individual no later than the first service encounter, by automatic and contemporaneous electronic response, by prompt mailing
• Posted on covered entity website


Administrative Requirements

Guidelines vary depending on the size of the covered entity but should include some of the following solutions:

• Written Privacy Policies and Procedures (policy manual)
• Designated Privacy Official or Security Officer to designate and implement policies and procedures
• Workforce Training and Management
• Mitigation (disclosure of any harmful effect of violation of privacy policy)
• Data Safeguards (encryption, shredding)
• Complaint procedure
• Retaliation and Waiver
• Documentation and Record Retention (must maintain for at least six years after creation of record)


De-identification

Individually Identifiable Health Information can be de-identified to ensure compliance and reduce risk by removing identifiers such as:

• Name
• Geographic identifiers smaller than a state (except for the first 3 digits of the zip code)
• Telephone or fax numbers, email addresses
• Birth date (except year)
• Admission or discharge dates
• Social Security or Medical Record Numbers
• Account numbers
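The removals listed above, applied to a structured record and to a free-text note, as an added example that is not part of the original presentation. The field names, placeholder labels and sample record are assumptions constructed for illustration, and the patterns cover US-style formats only.

```python
import re
from datetime import date

# Hypothetical field names; map them to your own schema. The slide's list is
# introduced with "such as", so treat this set as a starting point only.
DROP = {"name", "street", "city", "county", "phone", "fax", "email",
        "admission_date", "discharge_date", "ssn", "mrn", "account_number"}

# Identifiers that leak into free text (notes, comments).
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
]

def scrub_text(text):
    """Replace SSNs, phone/fax numbers and email addresses in free text."""
    for pattern, label in PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify(record):
    """Return a copy of record with the listed identifiers removed or reduced."""
    out = {}
    for key, value in record.items():
        if key in DROP:
            continue                          # identifier: remove entirely
        if key == "zip":
            out["zip3"] = str(value)[:3]      # keep only the first 3 digits
        elif key == "birth_date":
            out["birth_year"] = value.year    # keep only the year
        elif isinstance(value, str):
            out[key] = scrub_text(value)      # catch identifiers inside text
        else:
            out[key] = value
    return out

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Example", "street": "1 Sample St", "city": "Anytown",
    "state": "VA", "zip": "12345", "phone": "703-555-0100",
    "email": "jane@example.com", "birth_date": date(2014, 3, 9),
    "admission_date": date(2020, 4, 1), "ssn": "000-12-3456",
    "mrn": "MRN-0001", "account_number": "ACCT-42",
    "diagnosis_code": "H52.13",
    "note": "Mother reachable at 703-555-0101 or mom@example.com.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Names and street addresses written inside free text are not caught by these patterns, so note fields still need review before release.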


Enforcement and Compliance

The OCR is responsible for administering and enforcing standards and may conduct complaint investigations and compliance reviews.

Covered Entities that fail to comply voluntarily may be subject to Civil Money Penalties.

Violations occurring on or after 2/18/2009:

• Penalty Amount: $100 to $50,000 or more per violation
• Calendar Year Cap of $1,500,000

Penalties may not be imposed in certain circumstances:

• Failure to comply was not due to willful neglect and was corrected during a 30-day period after entity knew or should have known failure to comply occurred
• Department of Justice has imposed a criminal penalty for failure to comply


Criminal Prosecution

Violations of the Privacy Rule may be subject to criminal prosecution.

A person who knowingly obtains or discloses PHI in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year imprisonment.

• Criminal penalties increase up to $100,000 and up to five years imprisonment if wrongful conduct involves false pretenses
• Can increase up to $250,000 and up to 10 years imprisonment if wrongful conduct involves the intent to sell, transfer or use identifiable PHI for commercial advantage, personal gain or malicious harm


HHS Case Examples

Patient was not given access to her medical records because of an outstanding balance. Practice did not release records. Privacy Rule states that the covered entity must provide an individual access within 30 days of the request.

A hospital staff person left a message on a patient’s home phone answering machine, failing to accommodate the patient’s request that PHI communication be made via her cell or work phone. Hospital had to retrain an entire Department with Privacy Rule requirements.

A complainant, both an employee and a patient of a hospital, filed a complaint that her PHI was disclosed to her supervisor. Further investigation revealed that it was an impermissible disclosure, and staff was disciplined and retrained.


HIPAA Violations Found on the web…

• UCLA Medical Center agrees to settle HIPAA violation charges for $865K
• Team 4 Uncovers HIPAA Records Violations
• Nurses Fired Over Cell Phone Photos Of Patient – Case Referred To FBI For Possible HIPAA Violations
• Local psychiatrist faces federal charges in HIPAA case
• Cignet fined $4M for HIPAA violation: Cignet Health of Prince George’s County has been fined a total of $4.3 million for alleged violations of the Health Insurance Portability and Accountability Act of 1996. The Department of Health and Human Services Office of Civil Rights alleges Cignet violated 41 patients’ rights in 2008 and 2009 by not providing them access to their medical records in a reasonable amount of time.
• Two to plead guilty to fraud, HIPAA violations

References

Department of Health and Human Services: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

Department of Medical Assistance Services: http://www.dmas.virginia.gov/hpa-hipaa_faqs.htm

Highmark Blue Cross Blue Shield: https://www.highmark.com/hmk2/about/hipaa/hipaaMain.shtml

Department of Labor: http://www.dol.gov/ebsa/faqs/faq_consumer_hipaa.html
