Maintaining HIPAA Privacy and Security Rule Compliance - PowerPoint PPT Presentation

1 / 65

About This Presentation

Title:

Maintaining HIPAA Privacy and Security Rule Compliance

Description:

At the time it was commonly referred to as 'Kennedy-Kassebaum' (after Senators ... Incapacitated by Implementation - A HIPAAchondriac ... – PowerPoint PPT presentation

Number of Views:134

Avg rating:3.0/5.0

Slides: 66

Provided by: Saul77

Category:

more less

Transcript and Presenter's Notes

Title: Maintaining HIPAA Privacy and Security Rule Compliance

1
Maintaining HIPAA Privacy and Security Rule
Compliance

Bruce D. Armon, Esquire
Saul Ewing LLP
215-972-7985
OR
1-800-355-7777, ext. 7985
barmon_at_saul.com
April 27, 2005

2
HIPAAWhat Is This About?
3
HIPAA Overview

The Health Insurance Portability and
Accountability Act of 1996 (P.L. 104-191) (HIPAA)
became law on August 21, 1996. At the time it
was commonly referred to as Kennedy-Kassebaum
(after Senators Ted Kennedy (D-MA) and Nancy
Kassebaum (R-KS) who were instrumental in its
passage.)

4
HIPAA Key Provisions

Insurance reform - improve portability and
continuity of health insurance for groups and
individuals.
Extend fraud and abuse prevention measures to all
types of insurers (not just Medicare/Medicaid),
and dedicate additional resources to fraud and
abuse enforcement.
Administrative simplification - create a
framework for the standardization of electronic
data interchange (EDI) in health care, including
protections for the privacy and security of
individually identifiable health information.

5
Administrative Simplification

Electronic Transactions and Code Sets
Standards
Privacy Standards
Security Standards
Electronic Signature Standards
Identifier Standards
Employer Identifier Standard
Provider Identifier Standard
Health Plan Identifier Standard
Individual Identifier Standard

6
Privacy Standards

Final Rule published December 28, 2000 (65 FR
82462 et seq.)
Effective Date - April 14, 2003

Final Rule, Version II, published August 14, 2002
(67 FR 53182 et seq.)

7
Privacy Standards
Health information is any information, whether
oral or recorded in any form or medium, that

Is created or received by a health care provider,
health plan, public health authority, employer,
life insurer, school or university, or health
care clearinghouse and
Relates to the past, present, or future physical
or mental health or condition of an individual,
the provision of health care to an individual, or
the past, present, or future payment for the
provision of health care to an individual.

8
Individually Identifiable Health Information

Individually Identifiable Health Information
(IIHI) is health information that identifies an
individual or there is a reasonable basis to
believe could be used to identify an individual.

9
Protected Health Information

The focus of the Privacy Rule is Protected Health
Information (PHI). PHI is IIHI that is
transmitted or maintained in electronic or any
other form or medium.

10
Applicability
Privacy Rule applies to covered entities

Health Plans
Health Care Clearinghouses
Health Care Providers

11
Health Care Providers

Health care providers include any individual or
entity that is covered as a provider under
Medicare or any other person or organization that
provides medical or other services or who
furnishes, bills or is paid for health services
or supplies in the normal course of business.

12
Uses and Disclosures of PHI

When PHI is to be disclosed for purposes of
Treatment
Payment
Health Care Operations

an individuals consent is not required pursuant
to the Final Rule, Version II
13
Administrative Requirements

Privacy official
Contact person for complaints
Training
Safeguards
Complaints
Sanctions
Mitigation

14
Administrative Requirements (contd)

Intimidating or retaliatory acts
Waiver of Rights
Policies and procedures
Documentation

15
Administrative Requirements

Privacy Official
Designate someone to develop and implement the
policies and procedures

16
Administrative Requirements

Contact Person for Complaints
Designate someone who is responsible for
receiving complaints and NPP issues

17
Administrative Requirements

Training
Train all members of the workforce to carry out
their respective functions
Train new members of the workforce as they are
hired
Document the training

18
Administrative Requirements

Safeguards
Appropriate administrative, technical and
physical safeguards to protect PHI

19
Administrative Requirements

Complaints
Establish a process for individuals to make
complaints
Document complaints, and disposition

20
Administrative Requirements

Sanctions
Must have and apply against workforce members who
do not comply, and document sanctions
Exception for whistleblowers

21
Administrative Requirements

Mitigation
Lessen harmful effect known to Covered Entity of
impermissible use or disclosure of PHI

22
Administrative Requirements

Intimidation for Retaliatory Acts
Covered Entity cannot intimidate, threaten,
coerce, discriminate or take retaliatory action
against individuals exercising these rights

23
Administrative Requirements

Waiver of Rights
Covered Entity may not require an individual to
waive rights as a condition of treatment,
payment, enrollment or eligibility

24
Administrative Requirements

Policies and Procedures
Implement policies and procedures
Change as necessary, including changes in law

25
Administrative Requirements

Documentation
Maintain policies and procedures in written or
electronic form
Maintain communications required to be in writing
Retain for six years from date of creation or
date when last in effect, whichever is later

26
Privacy Rule Compliance Issues

Notice of Privacy Practices
Authorization
Oral Communications
Accounting for Disclosures
Deidentified Information
Business Associates
Preemption

27
Notice of Privacy Practices

Plain language
Uniform header
Identify uses and disclosures
Individual rights
Covered Entitys duties
Complaints
Contact Person

28
Notice of Privacy Practices

Changes to Notice of Privacy Practices
Written acknowledgment of receipt of Notice of
Privacy Practices
Web page availability
OHCAs

29
Authorization

Valid authorizations
Defective authorizations
Compound authorizations
Conditioning authorizations
Revoking authorizations

30
Oral Communications

Privacy Rule applies to individually identifiable
health information in all forms, electronic,
written, and oral.
If oral communications were not covered, any
protected health information could be disclosed
to any person as long as the disclosure was by
the spoken word.

31
Accounting for Disclosures

Grants individuals the right to request and
receive an accounting of disclosures of ones
protected health information.
Time frame 6 years prior to the date on which
the accounting is requested.
Exceptions to the accounting rules.

32
Deidentified Information

Deidentified Information is that which does not
identify an individual or with respect to which
there is no reasonable basis to believe that the
information could be used to identify an
individual.

19 data elements must be removed to deidentify
information

33
Business Associate

Business Associate means with respect to a
Covered Entity (other than as a member of the
workforce) an entity that performs or assists
In the performance of a function or activity
involving the use or disclosure of individually
identifiable health information, including claims
processing or administration, data analysis,
process or administration, utilization review,
quality assurance, billing, benefit management,
practice management and repricing, or any other
function covered by these regulations.

34
Business Associate Services for a Covered Entity

Legal
Actuarial
Accounting
Consulting
Data aggregation

Management
Administrative
Accreditation
Financial

35
Disclosure to a Business Associate

A Covered Entity may disclose protected
health information to Business Associates and
may allow Business Associates to create or
receive protected health information if the
Covered Entity obtains satisfactory assurances
that the Business Associate will appropriately
safeguard the information.

36
Preemption of State Law

General preemption rule. A requirement or other
provision of the HHS Privacy Rule that is
contrary to a provision of state law preempts the
state law provision unless an exception applies.

37
Who Enforces HIPAA Privacy Regulations

Enforcement of the privacy regulations has been
delegated to the Department of Health and Human
Services, Office of Civil Rights

38
Security Standards

Final Rule published February 20, 2003 (68 FR
8334 et seq.)
Effective Date - April 20, 2005

39
Security Rule Obligations

Covered entities must
ensure the confidentiality, integrity, and
availability of all electronic protected health
information (ePHI) the covered entity creates,
receives, maintains, or transmits.
protect against any reasonably anticipated
threats or hazards to the security or integrity
of such information.

40
Covered Entities

protect against any reasonably anticipated uses
or disclosures of such information that are not
permitted or required.
ensure compliance by its work force.

41
Flexibility in Implementing the Security Rules

Greatest advantage
Toughest challenge

42
Flexibility in Implementing the Security Rules

Covered entities may use any security measures
that allow the covered entity to reasonably and
appropriately implement the standards and
implementation specifications.

43
4 Factors for Covered Entity to Consider

the size, complexity, and capabilities of the
covered entity
the covered entitys technical infrastructure,
hardware, and software security and capabilities
the costs of security measures and
the probability and criticality of potential
risks to electronic protected health information.

44
Flexibility

One size does not fit all.
A small physician practice will take different
steps than a large hospital system.

45
What is Risk Analysis?

Conduct an accurate and thorough assessment of
the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of
electronic protected health information held by
the covered entity.

46
Security Rule and Privacy Rule

While Security Rule applies only to electronic
PHI, the Privacy Rule applies to all PHI.

47
What are Standards?

A standard is a general requirement that must be
complied with by the covered entity.

48
What is an Implementation Specification?

A more detailed and specific description of the
method or approach that a covered entity can use
to meet a particular standard.
Not all standards have implementation
specifications.

49
Required Implementation Specifications

If an implementation specification is required,
the covered entity must take action to implement
the specification.

50
Addressable Implementation Specifications

Covered entity does not need to take action
3-step consideration process

51
Addressable Implementation Specifications 3
Steps

Assess whether the specification is a reasonable
and appropriate safeguard for the covered entity
Implement the specification if reasonable and
appropriate or
If implementing the specification would not be
reasonable and appropriate, document this fact,
and implement an equivalent alternative measure
if reasonable and appropriate.

52
Alternative Approaches

Covered entity may also decide that the
implementation specification does not apply to it
and no measure is necessary
Document the decision-making
Addressable does not mean optional.

53
HIPAA Security Rule Standards