Transcript HIPAA

HIPAA
PRIVACY REGULATIONS
Presented By:
Marilyn Brothers, RHIA
DMH/DD/SAS
Sarah Brooks, MPA, RHIA
NC DHHS HIPAA PMO
TRAINING
OBJECTIVES
• Provide High Level Overview of HIPAA
Privacy and Security Regulations
• Respond to Questions
NCDHHS - HIPAA PMO
2
WHO IS AFFECTED?
• Covered Entities
– Health Plan (provides or pays the cost of medical care
- e.g., Medicaid, HMOs, BC/BS, Medicare, Champus)
– Health Care Clearinghouse (routes electronic data
between payers & providers - e.g., billing services )
– Health Care Provider who transmits any health
information in an electronic transaction (e.g.,
Hospitals, Physicians, Public Health Departments, Group
Homes, Home Health)
WHO IS AFFECTED?
(continued)
• Business Associates
– Definition: Person who performs a function or activity
on behalf of a covered entity
– Excludes person who is part of the Covered Entity’s
workforce (e.g., Employees, Physicians with Staff
Privileges)
– Contractual Agreements with Covered Entity (e.g.,
Area MH/DD/SAS Contract Agencies, S/W Vendors)
– Complies with HIPAA
• Health Care Providers Who Transmit Paper
Health Claims Must Use New Code Sets
HEALTH INFORMATION
DEFINED
• Health Information means any information,
whether oral or recorded in any form or
medium, that:
– Is created or received by a health care provider,
health plan, public health authority, employer, life
insurer, school or university, or health care
clearinghouse; and
– Relates to the past, present, or future physical or
mental health or condition of an individual; the
provision of health care to an individual; or the past,
present, or future payment for the provision of health
care to an individual.
PRIVACY vs. SECURITY
PRIVACY is the right of an individual to
keep his/her individual health information
from being disclosed.
SECURITY is the mechanism in place to
protect individual health information.
REGULATIONS OVERVIEW
PRIVACY
BASIC PRINCIPLES
• First Comprehensive Federal Law to Protect
the Privacy of Individually Identifiable Health
Information
– HIPAA Protections
• Importance
– To Patients
– To Healthcare Providers/Plans/Clearinghouses
• Protected Health Information (PHI)
– Past, Present, Future Health Information
– Electronic/Paper/Oral
– Best Practice
PROTECTED HEALTH
INFORMATION (PHI)
• Individually Identifiable Information
– Name
– Address
– Social Security Number
– Names of Relatives
– Unique Identifiers
– Telephone/Fax/Other Numbers
– Geographic Designation Smaller than State
– Photograph
GENERAL PROVISIONS
• HIPAA Preempts State Laws
– Provides uniform “floor” for protection
– More stringent current state laws will stand
– More stringent future state laws allowed
• Allows Consumer Control
– Establish rights of patients regarding their
confidential health information
• Recognizes Public Responsibility
– Balance of individual privacy and the public need
to know
GENERAL PROVISIONS
• Healthcare Provider Responsibilities
– Protect health information
– Secure health information
– Provide complete information to other Healthcare
Providers
– Provide “minimum necessary” information to other
requesters
– Create De-identified information when feasible
– Remove
– Code
– Encrypt
– Eliminate/conceal
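The four de-identification techniques listed above (remove, code, encrypt, eliminate/conceal), applied to the identifier elements from the PHI slide, as an added example in Go. This is not code from the presentation or from NC DHHS: the flat record layout and field names, the HMAC-SHA256 pseudonym used for "code", the AES-256-GCM sealing of the removed identifiers used for "encrypt", and the sample record values are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"regexp"
)

// Record is a constructed, hypothetical flat patient record used only here.
type Record map[string]string

// directIdentifiers are elements the slides list as individually identifiable
// (name, address, SSN, relatives' names, phone/fax, photograph). Remove: drop them.
var directIdentifiers = []string{"name", "address", "ssn", "relative_names", "phone", "fax", "photograph"}

// subStateGeography: designations smaller than a state. Eliminate/conceal.
var subStateGeography = []string{"city", "county", "zip"}

// phoneRe catches telephone or fax numbers written inside free-text notes.
var phoneRe = regexp.MustCompile(`\b\d{3}[-. ]\d{3}[-. ]\d{4}\b`)

// codeIdentifier implements Code: the unique identifier becomes a keyed pseudonym
// (HMAC-SHA256, truncated); records stay linkable, but the code cannot be reversed without the key.
func codeIdentifier(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return fmt.Sprintf("%x", mac.Sum(nil))[:16]
}

// sealIdentifiers implements Encrypt: the removed identifiers survive only as
// AES-256-GCM ciphertext (nonce || ciphertext) for authorised re-identification.
func sealIdentifiers(key []byte, removed map[string]string) ([]byte, error) {
	plaintext, err := json.Marshal(removed)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Deidentify returns a copy of rec with direct identifiers removed, the MRN coded,
// sub-state geography and in-text phone numbers concealed, plus the sealed originals.
func Deidentify(rec Record, pseudoKey, encKey []byte) (Record, []byte, error) {
	out, removed := Record{}, map[string]string{}
	for k, v := range rec {
		out[k] = v
	}
	for _, f := range directIdentifiers {
		if v, ok := out[f]; ok {
			removed[f] = v
			delete(out, f)
		}
	}
	for _, f := range subStateGeography {
		delete(out, f)
	}
	if mrn, ok := out["mrn"]; ok {
		removed["mrn"] = mrn
		out["mrn"] = codeIdentifier(pseudoKey, mrn)
	}
	if notes, ok := out["notes"]; ok {
		out["notes"] = phoneRe.ReplaceAllString(notes, "[phone removed]")
	}
	sealed, err := sealIdentifiers(encKey, removed)
	if err != nil {
		return nil, nil, err
	}
	return out, sealed, nil
}

func main() {
	rec := Record{"mrn": "MRN-000123", "name": "Jane Example", "ssn": "000-00-0000", // constructed
		"city": "Raleigh", "state": "NC", "zip": "27601", "diagnosis": "F41.1",
		"notes": "Patient asked to be called at 919-555-0100 after 5pm."}
	encKey := make([]byte, 32)
	rand.Read(encKey) // demo key only; a deployment would use the entity's managed key
	out, sealed, err := Deidentify(rec, []byte("constructed-pseudonym-key"), encKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("de-identified: %v\nsealed identifiers: %d bytes\n", out, len(sealed))
}
```

The state field is kept because the slide's identifier list stops at geography smaller than a state; everything finer (city, county, ZIP) is dropped. The HMAC key and the encryption key are held by the covered entity, not by whoever receives the de-identified output, which is what keeps the coded MRN and the sealed identifiers from re-identifying the patient.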
GENERAL PROVISIONS
• Healthcare Provider Responsibilities (continued)
– Establish an Internal Complaint Process that
provides individuals with means to lodge
complaints about the entity’s information practices,
and maintain a record of any complaints
– Develop a system of sanctions for members of the
workforce and business partners who violate the
entity’s policies
– Enforcement and Compliance
NOTICE
• Notice of Information Practices
– Brochure
– Pamphlet
– Posted on Wall
• Notice must include anticipated uses and
disclosures of protected health information
without the patient’s written authorization
PATIENT’S RIGHTS
• Right to be informed through NOTICE
• Right to inspect and review record
• Right to receive copies
• Right to amend/correct copies
• Right to add supplemental information
• Right to restrict Use and Disclosure of information
• Right to Accounting of Disclosures
• Right to a personal representative
• Right to revoke authorization
• Right to appeal
ACCESS TO RECORD
• Healthcare Provider Provides Access
– 60 days after receiving request
– Extended 30 more days without reason
– Provide patient with a summary of records if
agreed upon in advance
– Recover cost-based fee for providing patient
with a copy, explanation or summary of
records
DENIED ACCESS
• Healthcare Provider Denial of Access with
Opportunity for Review when in the Opinion
of a Licensed Health Care Professional that:
– Information would endanger life or safety of
patient or others
– References to others is reasonably likely to cause
substantial harm to that other person
– Request was made by the patient’s personal
representative and access would likely cause
substantial harm to that person or others.
DENIED ACCESS
• Healthcare Provider Denial of Access
Without Opportunity for Review
– Psychotherapy Notes
– Information compiled for civil, criminal or
administrative actions
– Inmate request that would jeopardize health or
safety of inmate or others
– Research that includes treatment
– Information obtained from an anonymous source
under a promise of confidentiality
USE AND DISCLOSURE OF PHI
• Use: Protected Health Information is
“used” when shared, examined, applied or
analyzed within the covered entity that
maintains the information
• Disclosure: Protected Health Information is
“disclosed” when released, transferred,
given access to or divulged outside
the entity holding the information.
USES AND DISCLOSURES WITH
INDIVIDUAL AUTHORIZATION
• A General Consent is required for use or
disclosure of information for treatment,
payment and health operations.
• A more specific Authorization is required
for use or disclosure of information for
purposes other than treatment, payment or
health operations.
USES AND DISCLOSURES WITHOUT
INDIVIDUAL AUTHORIZATION
• Disclosures For:
– Public health activities
– Health oversight activities
– Judicial and administrative proceedings
– Governmental health data systems
– Research, emergency circumstances, next of kin, and as required by other laws
– Coroners and Medical Examiners
– Law Enforcement
– Directory information
– Banking and payment processes
ADDITIONAL PROVISIONS
• Application to Information About Deceased
Persons
– Same as if person was alive
• Application to Covered Entities That Are
Components of Organizations That Are Not
Covered Entities
– Hybrid Entity (Covered functions are not the
primary functions of the entity)
IMPLEMENTATION
REQUIREMENTS
• Policies and Practices must be developed
and documented
• Scalability
– Appropriate to the nature and scope of the
business that enables protection of health
information in accordance with the rules
IMPLEMENTATION
REQUIREMENTS
• Designation of Privacy Officer
• Provide Privacy Initial & On-going
Training to Workforce
• Develop internal policies and forms
• Implement Safeguards
– To protect health information from intentional
or accidental misuse
• Audit and QA
PRIVACY OFFICER
Each Health Plan, Clearing House, and Certain
Healthcare Providers Must Designate a Privacy
Official Responsible For:
– Developing and implementing Policies and
Procedures for the use and disclosure of protected
health information
– Ensuring health information is used and released in
compliance with HIPAA and other Federal and State
Laws and Regulations.
– Performing initial and periodic information privacy
risk assessment and ongoing compliance monitoring.
– Training, Training, Training
IMPLEMENTATION TIMELINE
The Compliance Date
for Privacy is
April 14, 2003
REGULATIONS OVERVIEW
SECURITY
SECURITY OBJECTIVE
To Protect the Confidentiality, Integrity
and Availability of Individual
Health Information, While Permitting
the Appropriate Access and Use of
That Information by Healthcare
Providers, Healthcare Plans and
Healthcare Clearinghouses.
SCOPE OF SECURITY
REGULATIONS
• Applies to Healthcare Providers, Plans and
Clearinghouses
• Applies to Organizations of All Sizes (Physician
Offices, Medical Centers, County Public
Health Departments, HMOs, Medicaid, etc.)
• Applies to All Health Information Pertaining
to an Individual That Is Electronically
Created, Received, Transmitted or Maintained.
SECURITY STANDARD IMPACTS
ELECTRONICALLY MAINTAINED
AND TRANSMITTED DATA
• Data on Magnetic Tape or Disk
• Entry of Patient Information in Computers
• Transmission of Treatment Data to a Healthcare
Plan
• Claims Printed From a Healthcare Clearinghouse
• Records Transcribed and Stored in a Word Processor
• Lab Results Sent by Modem to a Printer at an Office
• Etc.
SECURITY STANDARD
• Does Not Identify or Require Specific
Technologies
• Allows Healthcare Industry to Implement
Different Solutions Depending Upon Needs
and Technologies in Place
• Mandates Safeguards for Physical Storage
and Maintenance, Transmission and Access
to Individual Health Information
GUARDING DATA INTEGRITY,
CONFIDENTIALITY AND
AVAILABILITY
1. Administrative Procedures
2. Physical Safeguards
3. Technical Security Services
4. Technical Security Mechanisms
5. Electronic Signature
ADMINISTRATIVE PROCEDURES
(Policies and Procedures)
1. Certification of Data Systems to Evaluate
Security
2. “Chain of Trust” Agreement
3. Contingency Plan in Case of Emergency
4. Formal Data Processing Protocols
5. Controlling Access to Data
6. Internal Audit Procedures
ADMINISTRATIVE PROCEDURES
(Policies and Procedures)
7. Security Activities by Personnel
8. Overall Security of Hardware, Software,
and Virus Checking
9. Protocols for Reporting and Responding to
Breaches of Security
10. Risk Management and Sanctions
11. Security Procedures in Event of Personnel
Terminations
12. Security Training Programs
PHYSICAL SAFEGUARDS
(Buildings and Equipment)
1. Designate Security Responsibilities
2. Develop Controls on Access and Manipulations of
Hardware Components (Disk, Keyboard, Monitor)
3. Develop Disaster/Intrusion Response and Recovery
Plans
4. Implement Personnel Identification for Access
5. Maintain Maintenance Records
6. Enforce Security Clearances (Need-to-Know Basis)
7. Develop Protocols Regarding Activities and
Security at the Work Station Level
TECHNICAL SECURITY
MEASURES
(Software Controls)
1. Regulate Access (Includes Emergency
Access)
2. Audits and Controls
3. Data Authentication (Security of Stored Data)
4. Ensure User Authentication and Access
Control (User ID, Automatic Log-off)
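The four technical security measures above (regulated access including emergency access, audit trail, user identity, automatic log-off) as a small added access-control model in Go. It is not code from the presentation or from NC DHHS: the roles, the treating-relationship rule, the 15-minute idle limit, the break-glass policy for clinical roles and the sample users and patient IDs are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role is a constructed set of workforce roles for this example.
type Role int

const (
	RoleClerk Role = iota
	RoleNurse
	RolePhysician
)

var (
	ErrLoggedOff = errors.New("session expired: automatic log-off")
	ErrDenied    = errors.New("access denied")
)

// AuditEvent is one line of the access audit trail.
type AuditEvent struct {
	When      time.Time
	User      string
	Patient   string
	Granted   bool
	Emergency bool
	Reason    string
}

// Session is an authenticated user (user ID); LastActive drives the idle time-out.
type Session struct {
	User       string
	Role       Role
	Treating   map[string]bool // patients this user is currently assigned to
	LastActive time.Time
}

// AccessControl holds the idle time-out policy and the audit log.
type AccessControl struct {
	IdleTimeout time.Duration
	Audit       []AuditEvent
}

func (ac *AccessControl) log(now time.Time, user, patient string, granted, emergency bool, reason string) {
	ac.Audit = append(ac.Audit, AuditEvent{now, user, patient, granted, emergency, reason})
}

// Access decides whether s may read patient's record at time now and records the
// decision. Normal rule: a treating relationship. Emergency ("break-glass") access
// is granted to clinical roles when a reason is given, and is flagged in the audit
// trail for later review. An idle session is logged off instead of being served.
func (ac *AccessControl) Access(s *Session, patient string, now time.Time, emergency bool, reason string) error {
	if now.Sub(s.LastActive) > ac.IdleTimeout {
		ac.log(now, s.User, patient, false, emergency, "automatic log-off")
		return ErrLoggedOff
	}
	s.LastActive = now
	switch {
	case s.Treating[patient]:
		ac.log(now, s.User, patient, true, false, "treating relationship")
		return nil
	case emergency && s.Role >= RoleNurse && reason != "":
		ac.log(now, s.User, patient, true, true, reason)
		return nil
	default:
		ac.log(now, s.User, patient, false, emergency, "no treating relationship")
		return ErrDenied
	}
}

// EmergencyAccesses returns the audit entries that need after-the-fact review.
func (ac *AccessControl) EmergencyAccesses() []AuditEvent {
	var out []AuditEvent
	for _, e := range ac.Audit {
		if e.Granted && e.Emergency {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	ac := &AccessControl{IdleTimeout: 15 * time.Minute}
	t0 := time.Date(2003, 4, 14, 9, 0, 0, 0, time.UTC) // constructed sample times and users
	nurse := &Session{User: "nurse1", Role: RoleNurse, Treating: map[string]bool{"P1": true}, LastActive: t0}
	fmt.Println(ac.Access(nurse, "P1", t0, false, ""))                       // <nil>
	fmt.Println(ac.Access(nurse, "P2", t0, false, ""))                       // access denied
	fmt.Println(ac.Access(nurse, "P2", t0, true, "ED patient, unconscious")) // <nil>, flagged for review
	fmt.Println(ac.Access(nurse, "P1", t0.Add(20*time.Minute), false, ""))   // automatic log-off
	fmt.Println(len(ac.EmergencyAccesses()), "emergency access(es) to review")
}
```

Every decision, granted or denied, is appended to the audit trail, and emergency accesses are the ones a privacy or security officer would pull for review; the session's idle check runs before any authorization logic so that an unattended workstation cannot keep serving records.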
TECHNICAL SECURITY
MECHANISMS
(Transmission of Data)
1. Storage and Transmission of Health Information
Cannot Easily Be Accessed or Interpreted by
Unauthorized Third Parties
2. Ensure Messages Sent and Received Are
the Same
3. Access Control to Transmission (Dedicated
Lines)
4. Encryption
ELECTRONIC SIGNATURE
(On Hold)
1. Ensure Identity of the Signer
2. Ensure Unaltered Transmission and
Receipt of the Data
3. Must Prevent a Signer from Successfully
Denying the Signature
Proposed standard explicitly notes that a Digital
Signature is the only technology that satisfies
these requirements.
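The transmission mechanisms from the previous slide (confidentiality against third parties, messages received unaltered, encryption) together with the three electronic-signature requirements above (identity of the signer, unaltered data, no denial of the signature), as one added exchange in Go between a sending provider and a receiving plan. This is not code from the presentation or from the proposed standard, which names digital signatures in general: Ed25519 for the signature, AES-256-GCM for encryption, the envelope format, and a symmetric key assumed to be pre-shared between the two parties are choices made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrBadSignature = errors.New("signature does not verify: wrong signer or data altered")

// Envelope is a constructed wire format for this example: AES-256-GCM
// ciphertext (nonce prefixed) plus the sender's Ed25519 signature over it.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// GenerateSigningKey creates a sender's Ed25519 key pair; the public half is
// given to receivers out of band (e.g. under a chain-of-trust agreement).
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt gives confidentiality in transit (mechanism 1); GCM's tag also makes
// decryption fail if the ciphertext is altered (mechanism 2).
func encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func decrypt(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(data) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:n], data[n:], nil)
}

// Send: the provider encrypts for the plan, then signs the ciphertext with its
// private key. Only that key can produce the signature, so the signer cannot
// later deny it (the slide's third requirement).
func Send(priv ed25519.PrivateKey, sharedKey, msg []byte) (Envelope, error) {
	ct, err := encrypt(sharedKey, msg)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, Signature: ed25519.Sign(priv, ct)}, nil
}

// Receive verifies the signature against the sender's trusted public key first
// (identity of signer, data unaltered in transit) and only then decrypts.
func Receive(env Envelope, sender ed25519.PublicKey, sharedKey []byte) ([]byte, error) {
	if !ed25519.Verify(sender, env.Ciphertext, env.Signature) {
		return nil, ErrBadSignature
	}
	return decrypt(sharedKey, env.Ciphertext)
}

func main() {
	pub, priv, _ := GenerateSigningKey()
	sharedKey := make([]byte, 32) // assumed pre-shared between provider and plan
	rand.Read(sharedKey)
	env, _ := Send(priv, sharedKey, []byte("claim 0001 (constructed sample)"))
	msg, err := Receive(env, pub, sharedKey)
	fmt.Printf("received: %s (err=%v)\n", msg, err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 1 // one bit flipped in transit
	_, err = Receive(env, pub, sharedKey)
	fmt.Println("after alteration:", err)
}
```

The receiver checks the signature against a public key it already trusts rather than one carried in the message, otherwise anyone could substitute their own key. Signing the ciphertext rather than the plaintext lets an intermediary verify who sent the message and that it is intact without being able to read it.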
SECURITY OFFICER
• Serves As Internal Information Security
Consultant in Agency
• Documents Security Policies and
Procedures
• Provides Risk Assessments
• Functions As Internal Auditor
• Monitors Compliance With Standards
SECURITY BOUNDARIES
• Identifies “What”
• Does Not Identify “How”
• Scalability (allows agency to define and
implement security appropriate to size and
activities of the agency)
GETTING STARTED
• Baseline Assessment
– Current Security Environment
• Policies
• Procedures
• Technology
– Information Systems
• GAP Analysis
– Compare Current Environment With Security Requirements
– Determine “GAPS”
• Risk Assessment
– Analyze likely and unlikely scenarios in terms of
probability of occurrence and impact on agency
SECURITY ASSESSMENT
• Not Just a Technology Issue
– 40% Information Technology
– 60% Business Issues
• Security and Privacy Go Hand-in-Hand
• Integrate Both Standards
ENFORCEMENT
• Responsibility: U.S. DHHS Office for Civil
Rights
– Assist with voluntary compliance efforts
– Respond to questions, interpretation, guidance
– Respond to states’ requests for exceptions
– Investigate complications
– Conduct compliance surveys
– Seek criminal prosecution for non-compliance efforts
IMPOSING COMPLIANCE
• General Civil Penalty for Failure to Comply
– $100/violation/person
– Not to exceed $25,000 in one calendar year
• Criminal Penalties (Privacy) - Person who knowingly and
wrongfully discloses individually identifiable health information is
subject to fines and imprisonment
– Simple Offense - Up to $50,000 &/or 1 year imprisonment
– If Committed under False Pretenses - Up to $100,000 &/or 5
years imprisonment
– If Committed with Intent to Sell, Transfer, or Use Individual
Identifiable Health Information for Commercial Advantage,
Personal Gain, or Malicious Harm - Up to $250,000 &/or 10
years imprisonment
COMPLIANCE DATE
Expected to Become Effective
in Late 2001
RESOURCES
• Attachments to Slide Presentation Materials
– HIPAA Related Web Sites
– NCHICA HIPAA Committees
– NCHICA HIPAA Privacy Regulation Work
Groups
QUESTIONS