Legal Issues in Information Security Health Insurance Portability and Accountability Act (HIPAA) Week 5 - PowerPoint PPT Presentation

1
Legal Issues in Information Security: Health
Insurance Portability and Accountability Act
(HIPAA) Week 5
  • Gary A Bannister, FCMA, AICPA

2
Learning Objectives
  • Understanding of the privacy provisions and how
    they are related to other privacy provisions in
    other acts.
  • Understand the right of notice
  • Understand who and what is covered.
  • Understand the implications and requirements for
    IT Digital Data.

3
Health Insurance Portability and Accountability
Act (HIPAA)
  • The Health Insurance Portability and
    Accountability Act of 1996 (HIPAA) was designed
    to improve "the efficiency and effectiveness of
    the health care system by encouraging the
    development of a health information system,
    through the establishment of standards and
    requirements for the electronic transmission of
    certain health information"

4
Health Insurance Portability and Accountability
Act (HIPAA)
  • Became law on August 21, 1996.
  • Congress recognized the importance of protecting
    the privacy of health information given the rapid
    evolution of health information systems.

5
HIPAA
  • Primary objectives
  • Ensure that people who are changing or losing
    jobs are not denied health insurance due to
    preexisting medical conditions.
  • Make the provision of health care more efficient
  • Administrative Simplification

6
Who Must Comply With HIPAA Regulations?
  • Any health care provider, health plan, hospital,
    health insurer, and health care clearinghouse
    that electronically maintains or transmits any
    electronic protected health information (EPHI).

7
Covered Transactions
  • Information between two parties to carry out
    financial or administrative activities related to
    health care, including:
  • Health care claims or equivalent encounter
    information.
  • Health care payment and remittance advice.
  • Coordination of benefits.
  • Health care claim status.
  • Enrollment and un-enrollment in a health plan.
  • Eligibility for a health plan.
  • Health-plan premium payments.
  • Referral certification and authorization.

8
HIPAA Privacy Rule
  • Most parties subject to the Privacy Rule must
    implement the Rule's standards and requirements
    by April 14, 2003.
  • The Department of Health and Human Services
    Office of Civil Rights (OCR) has been given the
    authority to implement and enforce it.

9
HIPAA Privacy Rule
  • The HIPAA Privacy Rule (Standards for Privacy of
    Individually Identifiable Health Information)
    provides the first national standards for
    protecting the privacy of health information.
  • The Privacy Rule established minimum Federal
    standards for protecting the privacy of personal
    health information.
  • Regulates the way certain health care groups,
    organizations, or businesses, called covered
    entities under the Rule, handle the individually
    identifiable health information known as
    Protected Health Information (PHI).

10
Information Covered by the Privacy Rule
  • PHI is defined as individually identifiable
    health information transmitted or maintained in
    electronic or any other form or medium (e.g.,
    electronic, paper, or oral), but excludes certain
    educational records and employment records.
  • Individually identifiable health information is
    health information (including demographic
    information) collected from an individual that:
  • Is created or received by a health care provider,
    health plan, employer, or health care
    clearinghouse;
  • Relates to the past, present, or future physical
    or mental health or condition of an individual,
    the provision of health care to an individual, or
    the past, present, or future payment for the
    provision of health care to an individual; and
  • Identifies the individual, or with respect to
    which there is a reasonable basis to believe the
    information can be used to identify the
    individual.

11
HIPAA Privacy Rule Individual Rights
  • The Rule balances an individual's interest in
    keeping his or her health information
    confidential with other social benefits,
    including health care research. Individuals may:
  • Receive access to PHI.
  • Request amendments to PHI
  • Receive adequate notice.
  • Receive an accounting of disclosures
  • Request restrictions on the use of their PHI

12
HIPAA Privacy Rule Provisions
  • Gives patients more control over their health
    information
  • Sets boundaries on the use and release of health
    records
  • Establishes appropriate safeguards that the
    majority of health-care providers and others must
    achieve to protect the privacy of health
    information
  • Holds violators accountable with civil and
    criminal penalties that can be imposed if they
    violate patients' privacy rights
  • Strikes a balance when public health
    responsibilities support disclosure of certain
    forms of data

13
HIPAA Privacy Rule Provisions, cont.
  • Enables patients to make informed choices based
    on how individual health information may be used
  • Enables patients to find out how their
    information may be used and what disclosures of
    their information have been made
  • Limits release of information to the minimum
    reasonably needed for the purpose of the
    disclosure
  • Gives patients the right to obtain a copy of
    their own health records and request corrections
  • Empowers individuals to control certain uses and
    disclosures of their health information.

14
HIPAA Privacy Rule What is Required
  • For covered entities using or disclosing PHI, the
    Privacy Rule requires covered entities to
  • Notify individuals regarding their privacy rights
    and how their PHI is used or disclosed
  • Adopt and implement internal privacy policies and
    procedures
  • Train employees to understand these privacy
    policies and procedures as appropriate for their
    functions within the covered entity

15
HIPAA Privacy Rule What is Required
  • Designate individuals who are responsible for
    implementing privacy policies and procedures, and
    who will receive privacy-related complaints
  • Establish privacy requirements in contracts with
    business associates that perform covered
    functions
  • Have in place appropriate administrative,
    technical, and physical safeguards to protect the
    privacy of health information
  • Meet obligations with respect to health consumers
    exercising their rights under the Privacy Rule.

16
Business Associates Requirements
  • The Privacy Rule allows a covered provider or
    health plan to disclose PHI to a business
    associate (e.g., lawyers, accountants, billing
    companies, and other contractors) if satisfactory
    written assurance is obtained that the business
    associate will use the information only for the
    purposes for which it was engaged, will safeguard
    the information from misuse, and will help the
    covered entity comply with certain of its duties
    under the Privacy Rule.

17
Patient Rights Regarding PHI
  • Right to Notice
  • All individuals have a right to receive notice of
    the uses and disclosures of PHI that may be made
    by any covered entity. Any individual may request
    this notice; no customer or patient relationship
    need exist between the individual and the covered
    entity holding the PHI.

18
HIPAA Privacy Rule Exceptions Required PHI
Disclosures
  • A covered entity is required by the Privacy Rule
    to disclose PHI in only two instances:
  • When an individual has a right to access an
    accounting of his or her PHI
  • When DHHS needs PHI to determine compliance with
    the Privacy Rule.

19
HIPAA Privacy Rule Exceptions
  • Permitted PHI Disclosures Without Authorization
  • Law enforcement
  • Judicial and administrative proceedings
  • Oversight (DHHS / FTC)
  • Worker's compensation

20
HIPAA Privacy Rule Exception Medical Research
  • The Privacy Rule recognizes the legitimate need
    of the research community to use, access and
    disclose individually identifiable health
    information.
  • Certificates of Confidentiality offer
    protection for the privacy of research study
    participants. They allow researchers to refuse to
    disclose information that could identify research
    participants in any civil, criminal, or other
    proceeding.

21
HIPAA Privacy Rule Penalties
  • Health plans, providers and clearinghouses that
    violate the Rule may suffer:
  • Civil penalties of $100 per incident, up to
    $25,000 per person, per year, per standard.
  • Federal criminal penalties for violators that
    knowingly and improperly disclose information or
    obtain information under false pretenses.
  • Penalties would be higher for actions designed to
    generate monetary gain.
  • Criminal penalties are up to $50,000 and one year
    in prison for obtaining or disclosing protected
    health information.
  • Up to $100,000 and up to five years in prison for
    obtaining protected health information under
    "false pretenses."
  • Up to $250,000 and up to 10 years in prison for
    obtaining or disclosing protected health
    information with the intent to sell, transfer or
    use it for commercial advantage, personal gain or
    malicious harm.

22
HIPAA Security Final Rule
  • On February 13, 2003, HHS announced the adoption
    of the HIPAA Security Final Rule.
  • Most covered entities had two full years, until
    April 21, 2005, to comply with the standards.

23
HIPAA Security Final Rule
  • The Security Rule is consistent with the Privacy
    Rule in that it covers "protected health
    information."
  • Limits the scope only to PHI that is in
    electronic form

24
HIPAA Security Rule Provisions
  • Requires covered entities to:
  • Ensure the confidentiality, integrity, and
    availability of all electronic protected health
    information (EPHI) the covered entity creates,
    receives, maintains, or transmits
  • Protect against any reasonably anticipated
    threats or hazards to the security or integrity
    of such information
  • Protect against any reasonably anticipated uses
    or disclosures of such information that are not
    permitted or required by the Privacy Rule
  • Ensure compliance by its workforce

25
Administrative Safeguards
  • The security standards establish baseline
    safeguards and use two types of implementation
    specifications
  • Required
  • Addressable

26
HIPAA Security Rule Addressable Implementation
Specifications
  • Required: must comply as written / specified in
    the law. 13 of the implementation specifications
    are required.
  • Addressable: specifications that represent
    approaches to meeting specific standards, any of
    which may not be relevant to the covered entity's
    environment. The majority of the specifications
    are termed "addressable."

27
HIPAA Security Rule Administrative Safeguards
  • The central focus is security management, which
    is the set of policies and procedures designed to
    prevent, detect, contain, and correct security
    violations.
  • Includes four required implementation
    specifications:
  • Risk analysis
  • Risk management
  • Sanction policy
  • Information system activity review

28
HIPAA Security Rule: Physical Safeguards
  • A single individual must bear the responsibility
    for physical security
  • Requires Physical Safeguards to protect EPHI from
    unauthorized disclosure, modification, or
    destruction. This section includes standards for
  • Facility access controls
  • Access control and validation procedures (staff
    and visitors)
  • The collection of appropriate maintenance records
    for the physical components of a facility that
    are related to security (such as hardware, walls,
    doors, and locks).
  • Standards for proper workstation use and physical
    security of workstations that access EPHI.
  • Standards for device and media controls

29
Security Rule: Technical Safeguards
  • Covered entities must implement:
  • Technical policies and procedures for access
    control on systems that maintain EPHI.
  • These must allow for unique user identification
    and include an emergency access procedure for
    obtaining necessary EPHI during an emergency.
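
As an added illustration, not part of the slide deck, of what a technical safeguard meeting these bullets can look like in code: a Python access gate that refuses any EPHI request lacking a unique user id, grants a logged, reason-bearing emergency ("break-glass") path outside the normal ACL, and produces a summary for the information system activity review required on slide 27. The patient ids, user ids and ACL are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: each EPHI record is keyed by a patient id and lists
# the user ids permitted to read it under normal (non-emergency) access.
EPHI_ACL = {
    "patient-1001": {"dr.alice"},
    "patient-1002": {"dr.bob"},
}


@dataclass
class AccessLog:
    """Audit trail that feeds the 'information system activity review'."""
    entries: list = field(default_factory=list)

    def record(self, user_id, patient_id, outcome, emergency=False, reason=""):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "patient": patient_id, "outcome": outcome,
            "emergency": emergency, "reason": reason,
        })


def access_ephi(log, user_id, patient_id, emergency=False, reason=""):
    """Gate every EPHI read on a unique, non-empty user identity.

    Normal path: the user must be on the record's ACL.
    Emergency path: access is granted regardless of the ACL, but only with
    a stated reason, and the event is logged for later review.
    Returns True when access is granted, False otherwise.
    """
    if not user_id:  # unique user identification is mandatory, even in an emergency
        log.record("<anonymous>", patient_id, "denied-no-identity")
        return False
    if user_id in EPHI_ACL.get(patient_id, set()):
        log.record(user_id, patient_id, "granted")
        return True
    if emergency and reason.strip():
        log.record(user_id, patient_id, "granted-emergency", True, reason)
        return True
    log.record(user_id, patient_id, "denied")
    return False


def activity_review(log):
    """Summarise the events a security officer should examine: every
    break-glass use and every denial, grouped by user id. The per-user
    grouping is what a sanction policy needs to act on."""
    flagged = {}
    for e in log.entries:
        if e["emergency"] or e["outcome"].startswith("denied"):
            flagged.setdefault(e["user"], []).append(e["outcome"])
    return flagged
```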

30
Security Rule Business Associate Contracts
  • Requires a Business Associate agreement, which is
    already required by the Privacy Rule. For
    relationships where a third party is used to
    create, receive, maintain or transmit EPHI on the
    covered entity's behalf, the Security Rule
    requires the business associate to implement
    administrative, physical and technical safeguards
    that reasonably and appropriately protect the
    confidentiality, integrity and availability of
    the covered entity's EPHI.

31
Security Rule: Policies, Procedures and
Documentation
  • Requires covered entities to implement reasonable
    and appropriate policies and procedures to comply
    with the standards, implementation
    specifications, or other requirements of the
    Security Rule.
  • Maintain the documentation for six years from the
    date of its creation or the date when it last was
    in effect, whichever is later
  • Make the documentation available to those persons
    responsible for implementing the procedures to
    which the documentation pertains
  • Review documentation periodically, and update as
    needed, in response to environmental or
    operational changes affecting the security of the
    electronic protected health information.

32
HIPAA Administrative Simplification
  • HIPAA's Administrative Simplification provisions,
    sections 261 through 264 of the statute, were
    designed to improve the efficiency and
    effectiveness of the health care system by
    facilitating the electronic exchange of
    information.
  • Universal standards for the electronic transfer
    of health information
  • Privacy of health information
  • Security of health information
  • Electronic signatures

33
Standards for Electronic Transactions and Code
Sets
  • HIPAA requires the standardization of the
    reporting of medical procedures with industry
    established and maintained codes. These are the
    codes used by health care providers to
    identify what procedures, services and diagnoses
    pertain to an encounter. This will eliminate
    the use of government and commercial proprietary
    medical code sets.

34
Standards for Electronic Transactions and Code
Sets
  • On Oct. 16, 2003, the transactions and code sets
    standards that are part of the Health Insurance
    Portability and Accountability Act of 1996
    (HIPAA) took effect.
  • The intent is to create standard transactions to
    replace the many versions currently being used
    for claim status inquiries, eligibility
    verification, referral authorization and others.
  • After Oct. 16, 2003, Medicare will no longer
    accept paper claims from practices with 10 or
    more full-time equivalent (FTE) staff, and all
    payers will be required by law to accept only
    those electronic claims that use HIPAA-standard
    formats.

35
Standards for Electronic Transactions and Code
Sets
  • The HIPAA Administrative Simplification provisions
    require that payers, physicians and other
    providers use new standard claims formats and
    electronic transmission procedures.
  • Doing so should speed claims processing and
    reduce errors in both claims filings and
    payments.

36
Standards for Electronic Transactions and Code
Sets
  • The Electronic Transactions Standard applies to
    all of the types of business that are performed
    daily to provide proper healthcare:
  • Health claims, payments for care and premiums,
    coordination of benefits and other related
    transactions.
  • All health providers, clearinghouses and plans
    that transmit health related information
    electronically.
  • Clearinghouse transmissions to providers and
    health plans
  • Transmissions which use all types of media
    including Internet, dial-up lines and private
    networks.
  • All health plans for all transactions.
  • Provider transmissions and the reception of
    electronic transmissions.

37
HIPAA Compliance Best Practices
  • Don't rely on your payers or software vendors to
    make you compliant.
  • HIPAA regulations are full of statements like
    'reasonable effort' and 'as permitted'. Adapt the
    terms to your environment.
  • Analyze the number of possible conduits that PHI
    is capable of leaving your custody to an
    unauthorized entity.

38
HIPAA Compliance Best Practices
  • Be diligent about covering all the bases.
  • There has to be a paper trail or 'chain of
    custody' for the information.
  • If you use software for billing, you need to be
    in conversation with the vendor.
  • There are state-governed requirements for
    submitting billing.

39
Questions?