tecoedge.tecoenergy.com


TECO ENERGY, INC.
HIPAA PRIVACY AND
SECURITY REQUIREMENTS
April 29, 2014
Dana L. Thrasher
Constangy, Brooks & Smith, LLP
[email protected]
(205) 226-5464
History/Background

“HIPAA”
• “Health Insurance Portability and Accountability Act”
• Privacy and security requirements were initially effective in 2003-2005.

Privacy and Security
Privacy Rule sets standards for who can have access to protected health information (“PHI”). It requires “covered entities” to have appropriate administrative, physical and technical safeguards and to reasonably implement those safeguards.

Privacy and Security
• Security Rule sets standards for ensuring that only those who should have access to electronic protected health information actually have access. It closely follows the Privacy Rule.
• Distinction – Privacy Rule applies to all forms of PHI (electronic, written or oral); Security Rule applies only to electronic PHI (“EPHI”).

Privacy and Security
• Privacy Rule contains requirements to safeguard PHI.
• Security Rule has far more comprehensive security requirements for EPHI.
• HHS oversees the Privacy Rule; CMS enforces the Security Rule.

Effective Dates
• The HIPAA Privacy Rule was originally effective April 14, 2003 with a one-year extension for certain small plans. The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) held by “covered entities.”
• Security Rule was effective April 20, 2005 – with a delay to April 20, 2006 for small health plans.

Effective Dates
Special rules regarding electronic transactions involving PHI and use of specific formats and code sets were effective October 16, 2003.

Significant Changes in 2009
In February of 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was contained in the American Recovery and Reinvestment Act (“ARRA”), modified the Privacy and Security Rules originally enacted in HIPAA.

Significant Changes in 2013
• On January 25, 2013, HHS published the final rule that implements mandated changes to the HIPAA Privacy Rule set forth by HITECH.
• It was effective March 26, 2013.

Privacy and Security
• Because the security requirements track the privacy requirements, we will address the privacy rules as a general background.
• Additional specific information will be provided later regarding the specific security requirements.

HIPAA Protection
What Information Is HIPAA Designed to Protect?
Protected Health Information (“PHI”) encompasses all individually identifiable health information transmitted or maintained by a covered entity, regardless of form.

What Information Is HIPAA Designed to Protect?
• “Transmitted” – not defined; generally includes sharing of information electronically, by telephone, fax, mail or even orally.
• “Covered Entity” – a health plan, a health care provider, or a health care clearinghouse.
Note: Employers are NOT “covered entities,” and employment files are not subject to the HIPAA privacy requirements.

Covered Entities
• Must carefully identify any group health plans subject to HIPAA.
• Health care providers are subject to HIPAA – be aware that employer-provided medical services (e.g., on-site clinics) likely are subject to HIPAA.

Purposes of HIPAA Protections
Reasons for HIPAA Privacy Rules
• Perceived need for protection of individual health information.
• Potential for abuse and concern that an individual’s health information would be misused.

What are the Purposes of the Privacy Rule?
To give the consumer more control over health information:
• Participant/patient education on privacy protections.
• Ensuring participant/patient access to medical records.
• Receiving participant/patient authorization before information is released.
• Providing recourse if privacy protections are violated.

What are the Purposes of the Privacy Rule?
To establish boundaries on the use and release of medical records:
• Ensuring that health information is not used for improper purposes.
• Providing the minimum amount of information necessary.

What are the Purposes of the Privacy Rule?
To establish accountability for the use and release of medical records, including:
• Civil penalties
• Federal criminal penalties

What Does This Mean To Me?
If you improperly request or disclose an individual’s protected health information, you could face civil and/or criminal penalties (e.g., significant monetary penalties and possible prison time).

Why Are You Here?
• Plan Sponsors are required by law to train anyone who has access to protected health information.
• You need training to avoid potential personal liability.
• You need training to avoid subjecting others to potential personal liability.

Penalties
Civil Penalties
Tiered Penalties:
• Tier 1: If a person is not aware of the violation (and would not have known with reasonable diligence), the penalty is $100 - $50,000 per violation, not to exceed $1,500,000 for all violations of the same requirement in the same calendar year.
  – These are violations in which the offender did not realize he or she violated HIPAA and would have handled the matter differently if he or she had.

Civil Penalties
• Tier 2: If a violation is due to “reasonable cause” (but not willful neglect), the penalty is $1,000 - $50,000 per violation, not to exceed $1,500,000 for all violations of the same requirement in the same calendar year.
  – The final rule defined reasonable cause as an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated HIPAA but in which the covered entity or business associate did not act with willful neglect.

Civil Penalties
• Tier 3: If violation is due to willful neglect and is corrected in 30 days, the penalty is $10,000 - $50,000 per violation, not to exceed $1,500,000 for all violations of the same requirement in the same calendar year.
  – Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

Civil Penalties
• Tier 4: If a violation is due to willful neglect and is not corrected in 30 days, the penalty is at least $50,000/violation, not to exceed $1,500,000 for all violations of the same requirement in the same calendar year.

Civil Penalties
• State AGs. State AGs are authorized to bring a civil action for HIPAA violations to enjoin violations and seek damages on behalf of residents.
  – Damages are calculated by multiplying the number of violations by $100. The penalty is not to exceed $25,000 for all violations of an identical requirement during a calendar year.

Civil Penalties
  – Court may award costs and reasonable attorneys’ fees to State.
  – State action may NOT be brought during pendency of Federal action.
• Individual Compensation. Mechanism for individuals to recover a portion of HHS civil penalty or monetary settlements.

Criminal Penalties
• Up to $50,000 fine and 1 year in prison for obtaining or disclosing PHI.
• Up to $100,000 fine and up to 5 years in prison for obtaining PHI under “false pretenses”.

Criminal Penalties
Up to $250,000 fine and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use for commercial advantage, personal gain, or malicious harm.

Enforcement Mechanisms
• Audits. HHS will conduct periodic audits of covered entities and business associates, even if no complaint is filed.
• Willful Neglect:
  – An audit is required if preliminary investigation of a complaint indicates willful neglect.
  – HHS is required to impose a penalty for violations due to willful neglect.

What is Covered? What is Not Covered?

How Does HIPAA Impact Employment Medical Files?
• HIPAA does not cover the employer’s medical files containing ADA, FMLA, Workers Compensation, Sick Leave, Doctor’s Excuses for Absences, etc.
• In applying normal procedures for those leave/accommodation requests, medical providers will require an authorization from the individual to release information to the employer (because providers are subject to HIPAA).

How Does HIPAA Impact Employment Medical Files?
Even though employment medical files are not subject to HIPAA, the files should be kept confidential subject to general privacy policies of the employer.

Plans
Subject to HIPAA:
• Group Health Plan
• Group Dental Plan
• Health Care Flexible Spending Account Plan
• Employee Assistance Plan
• Any other plan that now or in the future is a “group health plan”
Plans or programs that do not provide coverage for medical expenses are not subject to HIPAA.

Protecting PHI
How Will a Plan Receive PHI?
• Enrollment information for a covered plan
• Health information obtained or created by the plan
• Information provided by a health care provider regarding services provided (e.g., submitting information for payment)
• Etc.

What are the Authorization Requirements?
• PHI may be used by covered entities for purposes of treatment, payment, and health care operations (“TPO”) without authorization.
• PHI must be disclosed to the government in the case of a HIPAA investigation.
• Otherwise, participant authorization is required.

What Must a Plan Do to Ensure Privacy?
• Plan documents must be amended to include required provisions.
• PHI can only be disclosed to the plan sponsor if the plan sponsor certifies that it will only use the information in accordance with the HIPAA rules. The plan sponsor:
  – cannot use or disclose PHI except as permitted by the plan or required by law;

What Must a Plan Do to Ensure Privacy?
  – must ensure that agents and vendors who receive PHI agree to the same restrictions;
  – cannot use or disclose PHI for employment-related actions or for other benefit plans;
  – must report to the Plan any violation of the privacy requirements;
  – must make PHI available to individuals as required by HIPAA;

What Must a Plan Do to Ensure Privacy?
  – must allow individuals to amend their PHI;
  – must provide individuals with an accounting of disclosures of PHI;
  – must make its practices available to the government to determine compliance;

What Must a Plan Do to Ensure Privacy?
  – must return or destroy PHI received from the plan that the plan sponsor maintains in any form;
  – must not retain copies of PHI longer than needed for the purpose for which the disclosure was made;

What Must a Plan Do to Ensure Privacy?
  – ensure that security procedures have been established that:
    • identify employees or classes of employees who will have access to PHI;
    • restrict access solely to those individuals for the functions performed for the plan; and
    • provide a mechanism for resolving issues of noncompliance with participants.

What Must a Plan Do to Ensure Privacy?
• Privacy policies must be developed to ensure that only the minimum necessary amount of information to achieve the purpose of the disclosure is provided to a third person and that the other HIPAA requirements are satisfied.
  – Minimum Necessary Standard: Generally, uses, disclosures and requests by a covered entity are limited to the information that is the minimum necessary to accomplish the intended purpose.

What Must a Plan Do to Ensure Privacy?
• A Notice of Privacy Practices must be distributed to inform Plan participants of their rights under HIPAA.
• Physical security measures must be put in place to protect PHI (secured file cabinets, software encryption, password protected databases).

What Must a Plan Do to Ensure Privacy?
• Designate a Privacy Officer to be in charge of monitoring compliance with HIPAA requirements.
• HIPAA covered plans must train individuals who may come into contact with PHI as to the HIPAA requirements and employer and plan procedures for maintaining the privacy of PHI.
  – For example, all PHI information, questions or problems should be faxed, e-mailed or directed to the Privacy Officer at private fax numbers.

What Must a Plan Do to Ensure Privacy?
• Identify Business Associates
  – HITECH expanded the definition of business associate.
  – Business associates must report to the covered entity any breach of unsecured PHI, as required by the HITECH security breach notification regulations.

What Must a Plan Do to Ensure Privacy?
• Policies and procedures for participant complaints must be developed and communicated, and records must be maintained.
• Retaliation for participant complaints is prohibited.

Can Protected Information Be Shared Among Plans?
AUTHORIZATION IS REQUIRED!

Procedures for Handling Employee Inquiries
• Employees will be advised to contact the appropriate Privacy Officer or designated individuals for help with plan issues.
• Other Human Resources staff, supervisors, etc., should not have access to PHI and should not provide assistance unless specifically designated to have access per the policies and procedures.
• Any inquiry that may involve PHI should be referred to the Privacy Officer.

Disclosure of Breach
• Covered entities or business associates must notify each affected individual when an unauthorized disclosure of PHI occurs.
• If there is no known contact for an individual, disclosure may be posted on employer’s website or through a media outlet.

Notification of Breach Requirements
If security of “Unsecured PHI” is “breached,” the Plan must provide notice without unreasonable delay and within 60 days after “discovery” of breach:
• To the impacted individual: written notice must be sent to the last known address (with special rules if imminent misuse is possible or individual’s address is unknown).
• To the media: If a breach involves more than 500 individuals in state or jurisdiction, notice must be sent through major media outlets.
  – The final rule clarifies that notification to the media does not require a covered entity to incur any costs to print or run the notice about the breach.
  – The final rule also provides that media outlets are not required to print or run the information.

Notification of Breach Requirements
• To HHS:
  – If a breach involves more than 500 individuals, the Plan must notify HHS immediately, and HHS will identify the covered entity on its website.
  – If a breach involves fewer than 500 individuals, the Plan must log the breach and provide the log to HHS on an annual basis.
    • The final rule requires such notification to be made to the Secretary no later than 60 days after the end of the year in which the breaches were discovered (not when the breaches occurred).
• If a business associate discovers a breach, the business associate must notify the plan.

Notification of Breach Requirements
When is a breach “discovered”?
• A breach is discovered as of the first day that it is known (or reasonably should have been known) to the covered entity or business associate.
• The covered entity or business associate has knowledge of the breach on the day that any employee, officer or other agent has such knowledge (except for the individual who committed the breach).

Notification of Breach Requirements
• HHS issued the HITECH breach notification rules:
  – An online form was created which covered entities must use to report breaches of PHI.
  – Only covered entities can report breaches.
• Contacting affected individuals may be delegated to a business associate.

Notification of Breach Requirements
Notice must contain:
• a brief description of the breach, including dates;
• a description of the types of unsecured PHI involved;
• the steps an impacted individual should take to protect against potential harm;

Notification of Breach Requirements
• a brief description of the steps the Plan has taken to investigate the incident, mitigate harm, and protect against further breaches; and
• contact information.

Prohibition on the Sale of PHI
• Covered entity or business associate cannot receive compensation, directly or indirectly, for any PHI unless per a valid authorization specifically addressing sale.
• The final rule defines a sale of PHI as a disclosure of PHI by a covered entity or business associate where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.

Prohibition on the Sale of PHI
Under HITECH, there are certain transactions that do not constitute a sale of PHI:
• Payments to a covered entity in the form of a grant, contract or other arrangement to perform activities such as a research study.
• Receipt of a grant or funding from a governmental agency to conduct a program.
• The exchange of PHI through a health information exchange that is paid for by fees assessed to its participants.

HIPAA Security
HIPAA Security Rule
The Security Standards for the Protection of Electronic Protected Health Information establish security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule invokes protections in the Privacy Rule by addressing technical and non-technical safeguards that covered entities must put in place to secure electronic protected health information (EPHI).

HIPAA Security Rule
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting EPHI.

HIPAA Security Rule
Each set of safeguards is comprised of a number of “standards” which in turn are comprised of “implementation specifications” (detailed instructions for implementation) that are either “required” or “addressable.”

HIPAA Security Rule
• “Addressable” means that a covered entity must assess whether it is reasonable or appropriate in the entity’s environment (analyze the likelihood that implementation will protect the entity’s EPHI from anticipated threats and hazards).
• If addressable standards are not adopted, document the reasoning and explain any alternative measures implemented.

HIPAA Security Rule
• Conduct a risk analysis, security analysis, financial analysis, etc.
• Assess current security risks and gaps; develop an implementation plan; read the Security Rule; understand required vs. addressable standards; analyze addressable standards; document decisions; implement decisions; reassess/update.

HIPAA Security Rule
Administrative safeguards – e.g., hiring, assigning and delegating security duties and providing training; conducting risk analysis and risk management; understanding flow of EPHI; maintaining audit logs, access reports, incident tracking; etc.

HIPAA Security Rule
The rule requires that a covered entity must implement a security awareness and training program for all members of its workforce.

HIPAA Security Rule
Physical safeguards – physical measures to protect electronic systems, buildings and equipment, such as safeguarding and protecting systems, restricting access, providing back-up, controlling workstation use and security, etc.

HIPAA Security Rule
Technical safeguards – technical and related policies and procedures that protect EPHI and control access to it (e.g., access control, automatic log-off, encryption and decryption, audit controls, protecting integrity so that there is no improper alteration or destruction, transmission security, etc.).

Privacy and Security Officers
• Privacy and Security Officers (and other staff, as identified by those individuals) have additional, detailed involvement in developing and implementing the policies and procedures and the security standards.
• Policies, procedures and training must be updated periodically.

Conclusion
• Compliance with the HIPAA privacy and security requirements is critical to avoid personal liability and significant penalties.
• Compliance often requires significant cultural and procedural changes.
• Some employees will require additional training.

QUESTIONS