HIPAA COMPLIANCE IN YOUR PRACTICE

MARIBEL VALENTIN, ESQUIRE
OBJECTIVES
- To understand the legal requirements under:
  - the Health Insurance Portability and Accountability Act (HIPAA)
  - the Health Information Technology for Economic and Clinical Health Act (HITECH)
  - state law (special protections)

DEFINITIONS
- Health care provider means a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
- A business associate includes: a health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI; and a person that offers a personal health record (PHR) to one or more individuals on behalf of a covered entity.

DEFINITIONS cont.
- The Standards or Code of Conduct establish the practices and ethical rules through which an entity implements a culture of compliance and integrity in the handling of Protected Health Information (PHI).
- Covered entity means:
  (1) A health plan.
  (2) A health care clearinghouse.
  (3) A health care provider who transmits any health information in electronic form.

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
- Federal requirement
  - Privacy: effective since April 14, 2003
  - Security: effective on April 21, 2005
  - HITECH: effective on February 11, 2010
- Breach Notification Requirements
  - Requires healthcare organizations to maintain the privacy and security of Protected Health Information (PHI)

HIPAA vs. State Law
- When state law is more restrictive than the federal HIPAA Regulations, then state law prevails.
- Requires patient authorization prior to release.
- State law additional requirements may vary from state to state.

UNDERSTANDING PHI
- PHI is any and all information about a patient's health that identifies the patient, or information that could identify the patient.
- As a rule of thumb, any patient information that you see, hear or say must be kept confidential.
- PHI is information that can individually identify a patient. PHI can include any type of information found in medical and billing records, for example:
  - Diagnoses, Test Results, Progress Notes, etc.
  - Name, Address, Phone, Social Security Number, Photographs

HIPAA PATIENT PRIVACY RIGHTS
- Right to Notice
- Right to Amend
- Right to Access
- Right to an Accounting of Disclosures
- Right to Request Restrictions
- Right to Request Confidential Communications
- Right to Notification of a Security Breach
- Right to File a Complaint

HIPAA DISCLOSURES
- How much PHI can we share?
- All disclosures are subject to a determination that the PHI disclosed is the MINIMUM NECESSARY for the lawful purpose.
- What is Minimum Necessary? HIPAA allows the use of PHI for these purposes:
  - Payment: insurance companies
  - Treatment: physicians, providers, nursing and ancillary staff
  - Operations: risk management, quality improvement, peer review

Preventing Unauthorized Disclosures
Do not:
- Discuss patient information in public areas
- Position computer screens, or leave the computer unattended, so that unauthorized persons may view the private data
- Leave medical records unattended
- Remove records containing PHI from the facility
- Disseminate reports containing PHI via unsecured methods
- Use FAX preprogrammed settings or redial before confirming the number

The Security Rule
- Ensure the confidentiality, integrity and availability of all electronic Protected Health Information (ePHI)
  - Confidentiality: that patient information is not made available or disclosed without proper authorization
  - Integrity: that patient information has not been altered or destroyed
  - Availability: that patient information is accessible and usable upon demand by an authorized person

Security Safeguards
- Administrative: developing information security programs designed to protect ePHI and to manage the conduct of the workforce in relation to the use of the protected information.
- Physical: ensuring the physical protection of information systems, including the protection of related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
- Technical: identifying the technology to be utilized and ensuring procedures are in place to protect ePHI and to control access to it.

The Health Information Technology for Economic and Clinical Health Act (HITECH)
- HITECH amends HIPAA to create new enforcement provisions and expanded civil and criminal penalties ranging from $100 to $50,000 per violation, and calendar year penalty caps ranging from $25,000 to $1.5 million.
- Any unauthorized disclosure is a breach unless the Covered Entity can show by objective proof that there is a low probability that the information was compromised.
- Anyone that has regular access to PHI to perform a function on behalf of a Covered Entity is a Business Associate.

Monitoring and Enforcement
- The Compliance Program
- A compliance program is designed to develop and ensure effective internal controls that promote best practices and adherence to all applicable Federal and State legal or regulatory requirements, including HIPAA Privacy and Security compliance.

Elements of a Compliance Program
- Standards or Code of Conduct
- Designation of a Privacy Officer
- Access to a Compliance Hotline
- Policies and Procedures (Administrative Safeguards)
- Education (training)
- Monitoring (oversight)
- Enforcement (cons)

Reporting
- HIPAA violations should be reported to the Privacy Officer for investigation.
- Every covered entity must identify a Privacy Officer.

Investigations
- If the infraction is confirmed as a security breach, then the following must occur:
  - The patient is notified
  - The Department of Health and Human Services is notified
  - An action plan is developed to mitigate harm
  - Policies are enforced

Enforcement
- Enforcement activities should be consistent regardless of who is the person involved in the infraction.
- Same facts, same outcome.

Who is a Business Associate?
- Any individual or entity that creates, maintains or transmits PHI on a regular basis when performing a function on behalf of the covered entity is a business associate.
- Another covered entity may be a Business Associate.

Conduits
- If the information is delivered by courier, the courier is not a business associate because they are not accessing the information; they are acting as a mechanism to transfer data, or a "conduit".

Agents
- A Covered Entity may be liable for the acts of an agent.
- Independent contractors may be agents if the covered entity has control over the contractor's activities.

What is a Breach?
- A breach is an unauthorized disclosure where the information released is usable, readable and decipherable. This includes data in motion and data at rest.

Breach Notification Procedures
- The presumption of a breach may only be rebutted if the covered entity can show through objective evidence that the disclosure posed a low probability that the PHI was compromised.
- If you determine that a breach has occurred you must notify, correct the problem, enforce your policies and procedures and make the appropriate notifications.
- If the breach involves from 1-499 patients: notify the patient within 60 days and HHS at the end of the calendar year.
- If the breach involves 500 or more patients: notify the patient, HHS and the media within 60 days.

Government Enforcement
- The Office of Civil Rights (OCR) is charged with the enforcement of the Privacy, Security and HITECH regulations, including investigations of whether a security breach has occurred.
- OCR will also conduct random audits of compliance with the Privacy and Security Rules.

Penalties
- 1st Tier: did not know / would not have known
  - at least $100/violation, not to exceed $25,000 per year
- 2nd Tier: reasonable cause (not willful neglect)
  - at least $1,000/violation, not to exceed $100,000 per year
- 3rd Tier: willful neglect, corrected within 30 days
  - at least $10,000/violation, not to exceed $250,000 per year
- 4th Tier: willful neglect, not corrected within 30 days
  - $50,000/violation, not to exceed $1.5 million per year

Questions?