A HIPAA Roadmap Past, Present and Future - PowerPoint PPT Presentation

Provided by: JamieD3

Transcript and Presenter's Notes

1
A HIPAA Roadmap: Past, Present and Future. A Review
  • LBA Healthcare Consulting Services, LLC
  • LeeAnn Brust, RN, MBA, CPC, CCP, CMPE
  • (904) 396-4015

2
Health Insurance Portability and Accountability Act
  • Enacted in 1996.
  • Congress called for the Department of Health and
    Human Services to develop standards and
    requirements for the electronic transmission of
    health information.
  • Administrative Simplification (AS) Provision

3
Administrative Simplification (Part C of Title XI)
  • This aspect of the HIPAA law requires the United
    States Department of Health and Human Services
    (DHHS) to develop standards and requirements for
    maintenance and transmission of health
    information that identifies individual patients.

4
What are the Standards Designed to do?
  • Improve the efficiency and effectiveness of the
    healthcare system by standardizing the
    interchange of electronic data for administrative
    and financial transactions.
  • Protect the security and confidentiality of
    electronic health information.

5
Who must Comply with HIPAA?
  • All healthcare organizations that maintain or
    transmit electronic health information must
    comply.
  • This includes health plans, health care
    clearinghouses, and health care providers, from
    large integrated systems to individual providers.

6
Six Key Areas of HIPAA
  • Standardization of Electronic Transactions and
    Code Sets
  • Privacy
  • Security
  • National Provider Identifiers
  • Electronic Signatures
  • Electronic Medical Records

7
Penalties for Failure to Comply
  • $100 per person per violation.
  • May not exceed $25,000 for violations of a
    single standard per calendar year.
  • The HHS Office for Civil Rights (OCR) has been
    charged with enforcement.

8
Wrongful Disclosure of Individually Identifiable
Health Information
  • Wrongful disclosure offense: $50,000 fine,
    imprisonment of not more than one year, or both.
  • Offense under false pretenses: $100,000 fine,
    imprisonment of not more than 5 years, or both.

9
Wrongful Disclosure of Individually Identifiable
Health Information
  • Offense with intent to sell information:
    $250,000 fine, imprisonment of not more than 10
    years, or both.

10
EDI standards apply to nine specific
transactions
  1. Health claims or the equivalent encounter
    information
  2. Pharmacy transactions (National Council for
    Prescription Drug Programs, NCPDP)
  3. Health claims attachments
  4. Health plan enrollments and dis-enrollments

11
EDI standards apply to nine specific
transactions (cont'd)
  5. Health plan eligibility
  6. Health care payment and remittance advice
  7. Health plan premium payments
  8. Health claim status
  9. Referral certification and authorization

12
Privacy Rule (Section 264 of HIPAA)
  • DHHS published the final regulations on December
    28, 2000.
  • The legislation, with modifications, was finalized
    on August 14, 2002, with a final compliance date
    of April 2003 (Federal Register).

13
Business Associates
  • Do you have Business Associate contracts from all
    business relationships where exposure to PHI
    might be possible?

14
Government Access to PHI
  • Government-operated health plans and providers
    are subject to the same HIPAA requirements as
    all other health care organizations.
  • The Office for Civil Rights is granted access to
    PHI, but only for investigative or enforcement
    purposes, and the information OCR requests will be
    limited and protected.
  • Regulations allow certain disclosures to be made
    for law enforcement purposes, but any state law
    that has tighter limits on such uses and
    disclosures of PHI will control.

15
Payment Disclosure
  • Conditions under which PHI may be used or
    disclosed for payment purposes:
  1. Billing and collections
  2. Determining health plan eligibility
  3. Disclosures to consumer reporting agencies

16
Understanding Incidental Use and Disclosure
  • DHHS acknowledges that incidental use and
    disclosure of confidential information may occur
    in the course of daily operations.
  • Incidental use and disclosure will not be
    considered a violation of the privacy rule if you
    have taken reasonable safeguards and meet the
    minimum necessary requirements.

17
Use and Disclosure
  • The individual who is the subject of the
    disclosure must provide authorization.
  • In the case of a disclosure (by phone or in
    person) the individual's identity must be verified
    by obtaining two pieces of identifying
    information. This must be documented.
  • Disabled or deceased individuals (including
    previous employees) are also protected. Proof of
    power of attorney is required from the individual
    who is requesting the information.

18
Minimum Necessary
  • Do your policies and procedures support the
    minimum necessary standard?

19
Create Protected Health Information (PHI)
firewalls
  • Establish an accounting procedure to track uses
    and releases of PHI
  • Limit access to those employees that require it.
    (Minimum necessary)

20
Create PHI firewalls
  • Minimum necessary use
  • Must identify the persons or classes of persons
    who need access to PHI to carry out their duties.
  • Must identify the categories of PHI for each
    person or class of persons (job descriptions are
    one of the most common places to record this).
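The two requirements on this slide (identify the classes of persons who need PHI, and the categories of PHI each class needs) together with the accounting procedure on the previous slide amount to a role-based access check that records every decision. The following added example, which is not part of the original presentation, shows one way to implement that check. The role names, PHI categories, user names and patient identifiers are constructed for illustration; a real practice would derive the role-to-category map from its own job descriptions.

```python
"""Minimum-necessary PHI access check with an accounting-of-disclosures log.

Added illustration, not code from the presentation. All roles, categories,
users and patient ids below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed map: class of persons -> categories of PHI that class needs
# to carry out its duties (the "minimum necessary" for that role).
ROLE_PHI_CATEGORIES = {
    "billing_clerk": {"demographics", "insurance", "procedure_codes"},
    "nurse": {"demographics", "clinical_notes", "medications", "allergies"},
    "receptionist": {"demographics", "appointments"},
}


@dataclass(frozen=True)
class DisclosureRecord:
    """One entry in the accounting log: who asked for what, and the outcome."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    categories: tuple
    purpose: str
    granted: bool
    reason: str


class PhiGateway:
    """Grants PHI access only within a role's categories and records every
    decision, granted or denied, so uses and releases can be accounted for."""

    def __init__(self):
        self.accounting_log = []

    def request_access(self, user, role, patient_id, categories, purpose):
        requested = frozenset(categories)
        allowed = ROLE_PHI_CATEGORIES.get(role)
        if allowed is None:
            # A role that has never been mapped to any PHI gets nothing.
            granted, reason = False, f"unknown role {role!r}"
        else:
            excess = sorted(requested - allowed)
            if excess:
                # Deny the whole request rather than silently trimming it, so
                # the over-broad request itself shows up in the log.
                granted = False
                reason = "exceeds minimum necessary: " + ", ".join(excess)
            else:
                granted, reason = True, "within role's PHI categories"
        self.accounting_log.append(DisclosureRecord(
            timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, role=role, patient_id=patient_id,
            categories=tuple(sorted(requested)), purpose=purpose,
            granted=granted, reason=reason))
        return granted, reason

    def accounting_for_patient(self, patient_id):
        """Granted disclosures for one patient: the list you would need to
        produce if that patient asked for an accounting."""
        return [r for r in self.accounting_log
                if r.patient_id == patient_id and r.granted]

    def denied_requests(self):
        """Denied requests are worth reviewing: they show who is reaching
        beyond their role."""
        return [r for r in self.accounting_log if not r.granted]


def demo():
    """Constructed sample requests against the gateway."""
    gw = PhiGateway()
    results = (
        gw.request_access("jdoe", "billing_clerk", "P-1001",
                          ["demographics", "insurance"], "payment"),
        gw.request_access("jdoe", "billing_clerk", "P-1001",
                          ["clinical_notes"], "curiosity"),
        gw.request_access("asmith", "nurse", "P-1001",
                          ["medications", "allergies"], "treatment"),
        gw.request_access("guest", "vendor", "P-1001",
                          ["demographics"], "unspecified"),
    )
    return gw, results


if __name__ == "__main__":
    gateway, outcomes = demo()
    for granted, reason in outcomes:
        print("GRANTED" if granted else "DENIED ", reason)
    print(len(gateway.accounting_for_patient("P-1001")), "granted disclosures for P-1001")
```

Denied requests are logged alongside granted ones on purpose: the accounting procedure on slide 19 is only useful for spotting misuse if the attempts that were refused are visible too.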

21
Maintain Documentation
  • All necessary policies and procedures
  • Ensure changes to policies and procedures are not
    implemented until documented and appropriate
    persons are notified
  • Maintain documentation for six years, unless a
    longer period applies

22
Maintain Documentation
  • Business Associate contracts
  • Patient Acknowledgement of Privacy Policies
  • Authorization forms
  • Notices and amended notices
  • Training of employees
  • Patient complaints and their disposition (this
    must be documented on the complaint form and
    forwarded to FCCRMC)

23
Security Rule (Section 264 of HIPAA)
  • Final Rule published February 20, 2003.
  • DHHS tried to more closely align the security
    regulations with the final privacy regulations.

24
Why a Security Rule?
  • Protecting PHI becomes more important as
    businesses transition to a paperless environment.

25
Purpose of the Security Rule
  • To protect electronic patient health information
    (PHI) in three ways:
  • Confidentiality - PHI is concealed from people who
    do not have the right to see the information.
  • Integrity - information has not been improperly
    changed or deleted.
  • Availability - the healthcare provider can access
    the information when it is needed.

26
Understanding the Intersection of Privacy and
Security

27
  • Security encompasses the measures organizations
    must take to protect information within their
    possession from internal and external threats.

28
  • Privacy is the consumer's view of the way his/her
    information is treated.

29
  • Privacy
  • The privacy rule mandates that entities
    safeguard all PHI, no matter what the form.
  • Security
  • The security rule focuses on requirements for
    safeguarding PHI in electronic form through
    policies, procedures and technology, in order to
    preserve the confidentiality, integrity, and
    availability of electronic PHI.

30
Areas Where the Privacy Rule Requires
Implementation of Security
  • Reasonable safeguards
  • Limit information to minimum necessary access.
  • Individual accounting of disclosures outside of
    TPO (treatment, payment and health care
    operations) releases.

31
Security
  • The proposed security standard is divided into
    four categories:
  1. Administrative procedures
  2. Physical safeguards
  3. Technical data security services
  4. Technical security mechanisms

32
Administrative Procedures
  • Ensure that security plans, policies, procedures,
    training and contractual agreements exist.
  • Establish an employee termination policy.
  • Security incident reporting system (report,
    respond, repair)
  • Procedures that address staff responsibilities
    for protecting data

33
Physical Safeguards
  • These safeguards protect physical computer
    systems and related buildings and equipment from
    fire and other environmental hazards, as well as
    intrusion.
  • The use of locks, keys, and administrative
    measures used to control access to computer
    systems and facilities are also included.

34
Physical Safeguards
  • Facility security plan
  • Visitor sign-in
  • Workstation use
  • Monitor position
  • Log off terminal
  • Screen saver
  • Terminal timeout
  • Maintenance records

35
Technical Data Security Services
  • These include the processes used to protect,
    control, and monitor information access.
  • Provide specific authentication.
  • Authorization, access and audit controls to
    prevent improper access to PHI.
  • Guard data integrity, confidentiality and
    availability

36
Technical Security Mechanisms
  • These include the processes used to prevent
    unauthorized access to data transmitted over a
    communications network.
  • Encryption
  • System alarms
  • Audit trails
  • Passwords

37
Specific Ways Staff Can Help
  • Manage their passwords
  • Identify and keep out malicious software
  • Use workstations properly
  • Know the practice's sanction policies
  • Learn and follow the practice's policies and
    procedures

38
Manage Your Password
  • When creating a password use a combination of
    letters and numbers
  • Choose a song, a saying, a poem - something easy
    to remember
  • Do not allow staff to write their password
    anywhere
  • Use a separate password for personal accounts

39
Manage Your Password (cont'd)
  • Once your staff members have a password
  • Encourage them not to share it with anyone
  • Change passwords according to policy (at least
    every 12 months)
  • Encourage staff to use the same password for all
    of their accounts/programs.

40
Manage Your Password (cont'd)
  • Ask your staff to report the following
    immediately:
  • Someone has learned their password (change it
    immediately)
  • Their account has been used by someone other than
    themselves

41
Identify and Keep Out Malicious Software
  • Warning signs that indicate a workstation may be
    infected:
  • System is running particularly slowly
  • Storage capacity is suddenly at the maximum
  • Activity on the computer at unusual times
  • Activity logs erased
  • Warnings from monitoring software that you have a
    virus on the computer
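Two of the warning signs above, activity at unusual times and erased activity logs, can be checked against the audit trail listed later under Technical Security Mechanisms rather than waiting for staff to notice them. The following added example, not part of the original presentation, runs those two checks over a few constructed audit-trail lines. The line format, the business-hours window and every user, patient id and timestamp are assumptions made for the illustration.

```python
"""Flag off-hours PHI access and gaps in an audit trail.

Added illustration, not code from the presentation. The log format
("<seq> <ISO timestamp> <user> <event> <patient>") and all sample lines are
constructed for this example.
"""
import re
from datetime import datetime, time

# Constructed sample audit trail. Sequence numbers 5 and 6 are deliberately
# absent to stand in for "activity logs erased"; 2024-03-04 is a Monday and
# 2024-03-09 is a Saturday.
SAMPLE_AUDIT_LOG = """\
1 2024-03-04T09:12:00 jdoe PHI_VIEW P-1001
2 2024-03-04T10:30:00 asmith PHI_VIEW P-1002
3 2024-03-04T16:45:00 jdoe PHI_VIEW P-1003
4 2024-03-05T02:17:00 jdoe PHI_EXPORT P-1001
7 2024-03-05T08:05:00 asmith PHI_VIEW P-1004
8 2024-03-09T11:20:00 rtemp PHI_VIEW P-1005
"""

# Assumed business-hours window for the practice, Monday to Friday.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")


def parse_audit_log(text):
    """Parse the constructed line format into dicts; malformed lines are
    returned separately so they are not silently dropped."""
    events, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        seq, ts, user, event, patient = m.groups()
        events.append({
            "seq": int(seq),
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "patient": patient,
        })
    return events, malformed


def off_hours_events(events):
    """Events on a weekend or outside the business-hours window."""
    flagged = []
    for e in events:
        ts = e["ts"]
        weekend = ts.weekday() >= 5
        outside_hours = not (BUSINESS_START <= ts.time() < BUSINESS_END)
        if weekend or outside_hours:
            flagged.append(e)
    return flagged


def missing_sequence_numbers(events):
    """Gaps in the sequence numbers: a sign that entries were removed."""
    if not events:
        return []
    seqs = {e["seq"] for e in events}
    expected = set(range(min(seqs), max(seqs) + 1))
    return sorted(expected - seqs)


def review(text):
    """Run both checks and return a summary a reviewer can act on."""
    events, malformed = parse_audit_log(text)
    return {
        "off_hours": [(e["seq"], e["user"], e["event"]) for e in off_hours_events(events)],
        "missing_seq": missing_sequence_numbers(events),
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_AUDIT_LOG).items():
        print(f"{key}: {value}")
```

The two checks are deliberately separate: an off-hours event may have a good explanation (an on-call nurse), while a gap in sequence numbers never does, so the second finding should always be followed up.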

42
Identify and Keep Out Malicious Software
  • Safety measures to teach your staff:
  • Open email attachments only from known sources
  • Clear the use of instant messaging programs with
    our ISO (Information Security Officer)
  • Use desktop firewall settings established by our
    ISO
  • Use office computers only for practice business
  • Don't download or install software without ISO
    approval

43
Use Workstations Properly
  • Position the monitor so others, especially
    visitors, cannot see the screen.
  • Staff should log off workstations (or activate
    the password-protected screen saver) when they
    are:
  • Finished with a task
  • Leaving the area and can't see the workstation
  • Letting a new user log on with their own password

44
Warning!
  • Time-outs are a protection system for when you
    forget to log off.
  • Do not change the timer!

45
Use Workstations Properly (cont'd)
  • Threats to a network:
  • Devices introducing viruses into the system -
    CDs, floppies, iPods, USB drives, Palm Pilots
  • Family members or friends using practice
    computers in off-hours can introduce viruses and
    expose patient data
  • Web surfing for personal enjoyment
  • Downloading free programs or music from the
    Internet onto office machines can introduce
    viruses

46
Use Workstations Properly (cont'd)
  • Protect your private information:
  • Implement policies about what is allowed in
    emails and when they are to be deleted.
  • Encrypt documents for storage and transmission
    as directed by your IT department.
  • Report the loss of any equipment which might
    contain identifiable health information to your
    IT department.

47
Consequences for Violations
  • Intentional infractions may lead directly to
    dismissal.
  • Infractions can result in civil and governmental
    penalties for the violator, as well as for those
    responsible for implementing and monitoring our
    security policies
  • Knowingly misusing patient information (in
    electronic form or any form) is a felony under
    HIPAA

48
Security Risks are Real
  1. 24,000 complaints filed
  2. 18,529 complaints closed
  3. 362 cases sent to the Department of Justice, only
    39 accepted
  4. 32 of the cases opened were closed with no
    violations found
  5. 57 had to implement a corrective action plan

49
Key Points
  • Ensure your HIPAA policies and procedures are
    updated and that the location is known by all
    applicable staff.
  • Provide initial training at hire and annually
    thereafter. Use the group attendance log as
    documentation.
  • Maintain separate employee health files.
  • Keep all protected information in a limited
    access area and under lock and key.