Patient Privacy Check Up: How to Keep Your Practice Out Of HIPAA Hot Water

Provided by: slk50

Transcript and Presenter's Notes

1
Patient Privacy Check Up: How to Keep Your
Practice Out Of HIPAA Hot Water
  • Erin Smith Aebel, Board Certified Health Lawyer,
    and
  • Kelly Ann Thompson, Esq.
  • Shumaker, Loop & Kendrick, LLP
  • eaebel@slk-law.com 813.227.2357
  • kthompson@slk-law.com 813.676.7281

2
Roadmap for Today's Presentation
  1. An overview of the HIPAA Privacy and Security
    Rule.
  2. A discussion of breach notification requirements
    under the Privacy and Security Rule, as well as
    under Florida law.
  3. An overview of HIPAA enforcement agencies and
    penalties, and a discussion of recent cases
    involving physicians.

3
What is HIPAA?
  • The Health Insurance Portability and
    Accountability Act (HIPAA) of 1996.
  • Created by Congress to improve many aspects of
    the delivery of health care in the U.S.
  • Stated Goals:
    • To improve the portability and continuity of
      health insurance
    • Combat waste, fraud, and abuse in health care
      insurance and delivery
    • Protect the privacy of consumers' health
      information, and
    • Simplify the administration of health insurance.
  • In January 2013, HIPAA was updated via the Final
    Omnibus Rule.

4
HIPAA Enforcement
  • HIPAA was created by the U.S. Department of
    Health and Human Services (HHS)
  • HIPAA is enforced by the Office for Civil Rights
    (OCR)
  • http://www.hhs.gov/ocr/office/
  • This link provides educational materials, FAQs,
    training materials, and complaint forms.

5
Two Areas of Most Concern
  • There are two areas of HIPAA that health care
    providers are most concerned with:
    • Security Regulations: concern the security of
      protected health information in electronic form.
    • Privacy Regulations: concern the security of all
      protected health information, in any form.

6
Who Must Comply with HIPAA
  • Covered Entities (CE) must comply with HIPAA.
  • Covered entities include:
    • Health care providers (any provider who transmits
      any information in electronic form in connection
      with a covered transaction)
    • Health plans (e.g., HMOs, Medicare, Medicaid)
    • Health care clearinghouses (e.g., billing
      services)
  • Business Associates (BA) must also comply.

7
Business Associates
  • Business associates are persons or entities who
    create, receive, maintain, or transmit PHI for a
    function or activity covered by HIPAA, including
    claims processing or administration, data
    analysis, processing or administration,
    utilization review, quality assurance, patient
    safety activities, billing, benefit management,
    practice management or re-pricing.
  • EX: Collection agencies, outside accountants or
    attorneys, etc.
  • Covered entities are required to enter into
    written agreements with their BAs providing that
    they will appropriately safeguard and limit their
    use and disclosure of PHI.
  • BA agreements should already have been revised for
    compliance with the Omnibus Rule requirements.
    If your BA agreements have not recently been
    revised, it is important to review/revise them to
    ensure the updated language is included.
  • Practice Tip: When in doubt, get a BA
    agreement.

8
Business Associates Continued
  • The Omnibus Rule extended provisions of HIPAA
    directly to business associates. Now, aside from
    contractual obligations under a BA agreement,
    business associates also have obligations under
    HIPAA to comply, and are subject to fines and
    penalties for failure to comply.
  • The Omnibus Rule made it clear that
    subcontractors of Business Associates are also
    considered business associates.
  • As such, providers should make sure their BA
    agreements include provisions requiring the BA to
    obtain written assurances from their own
    subcontractors providing that they will comply
    with the same restrictions agreed to between the
    provider and their BA.
  • Practice Tip: Providers may want to include
    audit provisions allowing them to verify that
    their BA has secured downstream agreements.

9
What do the Privacy Regulations Protect?
  • Protected Health Information (PHI) in ANY
    form: oral, written, or electronic.
  • PHI is any individually identifiable health
    information that relates to the physical or
    mental health of an individual or that can be
    used to identify the individual.
  • What is considered identifiable information?
    • Name, address, DOB, SSN, date of death, telephone
      or fax number, health plan or account number,
      license or vehicle ID number, biometric
      identifiers (fingerprints)
  • Health information that has been properly
    de-identified is NOT protected by the Privacy
    Rule.
  • The Privacy Rule affects where and how you speak
    about a patient's health information.

10
How do Privacy Regulations Protect PHI?
  • Certain restrictions are placed on the use and
    disclosure of PHI.
  • There are 3 basic categories of restrictions on
    PHI:
    • Certain uses and disclosures of PHI are permitted
      without a patient's written authorization
    • Other uses and disclosures require a patient's
      written authorization
    • PHI can be disclosed to another person if you
      notify the patient in advance and give them the
      opportunity to object

11
Uses and Disclosures of PHI that do not require a
Patient's Authorization
  • Disclosures for treatment purposes
    • Disclosure to health care providers outside of
      your practice, for treatment purposes
  • Disclosures for payment purposes
  • Disclosures for health care operations (e.g.,
    coordination of care, advice about treatment
    options, business management, general
    administrative activities)

12
Disclosures Required by Law
  • Certain uses and disclosures of PHI are required
    by law.
  • For example:
    • To law enforcement
    • For certain public health activities such as
      preventing or controlling disease (e.g., recent
      Ebola concerns)
    • To report child abuse or domestic violence
    • For judicial or administrative proceedings
    • Upon receipt of the written consent of the
      patient
    • Upon a court order
    • In response to a subpoena, discovery request, or
      other lawful process if the provider has received
      satisfactory assurances from the party seeking
      the information that:
      • Reasonable efforts have been made to ensure the
        individual has been given notice of the request,
        or
      • Reasonable efforts have been made to secure a
        protective order.
    • For workers' compensation

13
Disclosures Requiring Patient's Written
Authorization
  • When an employee tries to seek or use a patient's
    PHI for purposes other than treatment, payment or
    health care operations, or disclosures required
    by law, the employee must first obtain the
    patient's authorization.
    • EX: marketing purposes
  • The patient should sign an authorization form
    which is kept in the patient's file, and a copy
    should be given to the patient.
  • Only use or disclose the PHI as permitted by the
    authorization.
  • The authorization must be maintained in the
    patient file as long as it is valid and for at
    least 6 years thereafter.
  • TIP: When in doubt, the best policy is to obtain
    the patient's written authorization PRIOR to a
    use or disclosure.

14
Disclosures to Family Members
  • Situations arise where a patient comes for
    treatment with a friend or family member.
  • You may disclose PHI in the presence of the
    friend or family member with the patient's
    permission.
  • You may, but are not required to, obtain an
    authorization for this type of disclosure.
    However, you should note the patient's permission
    on the patient's chart either way.
  • Generally you do not need authorization or
    permission from a child to discuss their PHI with
    a legal guardian.
  • You may send appointment reminders to patients,
    leave voicemails, or send correspondence to
    patients regarding treatment options UNLESS the
    patient has requested in writing that you do not
    do so.

15
Patients' Rights
  • Right to request that certain restrictions be
    placed upon the use and/or disclosure of their
    PHI
    • Practices also need to comply with the provisions
      in their Notice of Privacy Practices which
      specify how the practice will process
      restrictions.
    • Practice Tip: Make sure the staff marks
      restrictions on patient charts clearly to ensure
      they are complied with.
  • Right to request that PHI be communicated by an
    alternate means or at an alternate location
  • Right to access his or her PHI
  • Right to request an amendment to his or her PHI
  • Right to request an accounting of disclosures of
    his or her PHI
  • All staff should be aware of these rights. They
    should be a part of your compliance plan and
    training. Additionally, you should have
    procedures for dealing with patients who exercise
    these rights, consistent with the privacy
    regulations.

16
Reasonable Measures to Safeguard PHI
  • Employees must only access or disclose the
    minimum PHI necessary for their functions.
  • Employees are also required to employ reasonable
    measures to safeguard a patient's PHI. For
    example, do not leave a patient's PHI in plain
    view of others.
  • Practice Tips:
    • Cover or turn over a patient's chart when it
      could be seen by other people.
    • Limit persons with access to patient charts, lock
      file cabinets or file rooms as appropriate,
      and/or block access with signage.
    • Ensure employees, including receptionists, are
      mindful of protecting PHI in their oral
      communications.
    • Use passwords to protect computerized patient
      information.
    • Only allow system access settings that are
      tailored to an employee's job duties.

17
Notice of Privacy Practices
  • A CE must create and provide to patients a Notice
    of Privacy Practices regarding its use and
    disclosure of a patient's PHI and the patient's
    rights with respect to this information.
  • The Notice should be posted in your practice in a
    clear location where patients can read it.
  • It should also be posted on any website
    associated with your practice.
  • Attempt to obtain an acknowledgement that each
    patient has received the Notice.
  • Additionally, with limited exceptions, HIPAA
    requires an individual's written authorization
    before a use or disclosure of his or her PHI can
    be made for marketing.
  • The OCR has a model Notice of Privacy Practices
    for providers located at
    http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.
    However, each notice should be tailored for your
    practice.

18
Notice of Privacy Practices Continued
  • If a patient files a complaint with the OCR, the
    letter from the OCR will likely request a copy of
    the provider's Notice of Privacy Practices, along
    with a copy of the signed acknowledgement form.
  • Practice Tip: Require staff to review the Notice
    of Privacy Practices form from time to time.
  • Staff should be familiar with what the Notice of
    Privacy Practices form says, and they are
    expected to follow it when speaking with
    patients and working with PHI.

19
Notice of Privacy Practices Requirements
  • Description of the types of uses and disclosures
    that require authorization
  • Statement regarding individuals' rights with
    respect to PHI
  • Statement of the CE's legal duties, including the
    duty to notify of a breach
  • Statement regarding the ability to make complaints
  • Effective date and contact information
  • In an investigation of an alleged breach of the
    Privacy Rule and Security Rule, the government
    will ask for all of your written privacy and
    security policies and forms. It is important to
    have those compliant and in good form.
  • Practice Tip: Review policies and procedures at
    least annually and indicate that you have done so
    in your records (for audit purposes). The second
    round of OCR audits begins this year and the OCR
    will look for revisions for compliance with the
    Omnibus Rule updates. They strongly dislike
    policies that haven't been dusted off in a while
    (e.g., policies last revised in 2003).

20
Important Changes that Require Updates to Notice
of Privacy Practices
  • The Omnibus Rule now requires providers to
    include a patient's right to receive an
    electronic copy of their designated record set,
    as well as a patient's right to direct covered
    entities to transmit a copy of PHI to another
    person.
  • This request must be in writing, signed by the
    individual, and clearly identify the designated
    person, as well as where to send the copy of the
    PHI.
  • Providers must honor a patient's request to
    restrict communication to a health plan where the
    disclosure is for the purpose of payment or
    health care operations, and the PHI pertains
    solely to a health care item or service for which
    the health care provider involved has been paid
    out of pocket.

21
Security Rule
  • The Security Rule is designed to complement the
    HIPAA Privacy Rule.
  • The Privacy Rule covers health information in any
    form.
  • The Security Rule protects a subset of the
    information covered by the Privacy Rule, namely
    all individually identifiable health information
    a covered entity creates, receives, maintains or
    transmits in electronic format (e-PHI).
  • The Security Rule is flexible to allow covered
    entities to analyze their own needs and implement
    solutions appropriate for their practice size.
    The covered entity will need to consider:
    • Its size, complexity, and capabilities
    • Its technical, hardware, and software
      infrastructure
    • The costs of security measures, and
    • The likelihood and possible impact of potential
      risks to e-PHI

22
Security Rule Implementations
  • Covered Entities must:
    • Perform a risk analysis. This is the single most
      important part of HIPAA Security Rule compliance,
      and the first thing the OCR looks at when
      investigating a security breach and an alleged
      HIPAA violation.
    • Evaluate the likelihood and impact of potential
      risks to e-PHI
    • Implement appropriate security measures to
      address the risks identified in the risk
      analysis
    • Document the chosen security measures and the
      rationale for these measures
    • Maintain continuous, reasonable, and appropriate
      security protections
  • The OCR has a risk assessment tool available
    online for small practices that do not have the
    resources to hire a third party:
    http://www.hhs.gov/news/press/2014pres/03/20140328a.html
  • Practice Tip: It is recommended to perform an
    annual risk assessment.

23
Security Rule Implementations Continued
  • Covered Entities must also:
    • Ensure the confidentiality, integrity, and
      availability of all e-PHI they create, receive,
      maintain, or transmit
    • Identify and protect against reasonably
      anticipated threats to the security or integrity
      of the information
    • Protect against reasonably anticipated
      impermissible uses or disclosures, and
    • Ensure compliance by the workforce.
  • Practice Tip: Designate a Security Official
    and a Privacy Officer, regardless of practice
    size, to ensure compliance with HIPAA requirements.

24
What if a Breach of PHI Occurs?
  • First, determine if a breach occurred under
    HIPAA.
  • Complete a risk assessment to determine the
    probability of PHI being compromised as a result
    of the improper use or disclosure of PHI.
  • If a breach occurred, what are your notification
    requirements?

25
What is a Breach Under HIPAA?
  • A breach is an impermissible use or disclosure
    that compromises the security or privacy of the
    PHI. An impermissible use or disclosure of PHI
    is presumed to be a breach unless the covered
    entity or BA demonstrates there is a low
    probability that the PHI has been compromised.
  • A breach excludes:
    • Unintentional acts by CEs or BAs if the breach
      occurred in good faith and within the scope of
      authority.
    • An inadvertent disclosure among workforce members
      without further use or disclosure.
    • Disclosure with the good faith belief that the
      information would not be able to be retained.

26
Breach Risk Assessment
  • There is a presumption of a breach unless the CE
    or BA can demonstrate a low probability of PHI
    being compromised based on a risk assessment of:
    • The nature and extent of the information
      involved, including types of identifiers and
      likelihood of re-identification
    • The unauthorized person who used the PHI or to
      whom the disclosure was made
    • Whether the PHI was actually acquired or viewed
    • The extent to which the risk has been mitigated.
  • A breach can only occur if the PHI is unsecured.
  • Unsecured PHI is PHI that has not been rendered
    unusable, unreadable, or indecipherable to
    unauthorized individuals through the use of a
    technology or methodology specified by the
    Secretary of Health and Human Services (e.g.,
    encryption).

27
Breach Notification Requirements under HIPAA
  • Covered entities must notify individuals of a
    breach without unreasonable delay and in no case
    later than 60 calendar days after discovery of the
    breach.
  • Remember, notification to affected individuals is
    only required if the breach involved unsecured
    PHI, and the PHI is likely to have been
    compromised based on your risk assessment.
  • Use first class mail to the individual, or
    electronic notice if the individual has consented.
  • Substitute notice is required if contact
    information is insufficient:
    • Telephone or alternate written notice if under 10
      individuals.
    • Conspicuous posting for 90 days on the web, or
      notice to the media, if 10 or more individuals.
  • Notify the OCR within 60 days if 500 or more
    individuals are affected, or at year end for fewer
    than 500 individuals.
  • OCR filings are done online and are relatively
    painless.

28
Civil Monetary Penalties
  • Penalties can range from $100 to $50,000 per
    violation.
  • Breaches from reasonable cause result in $1,000
    to $50,000 per violation.
  • Breaches caused by willful neglect range from
    $10,000 to $50,000 per violation.
  • In all cases, the penalty will not exceed $1.5
    million for identical violations within a
    calendar year.
  • No penalties if there was no willful neglect, and
    the breach was corrected within 30 days of the
    violation.

29
Reasonable Cause vs. Willful Neglect
  • Reasonable cause: the covered entity or business
    associate knew, or by exercising reasonable
    diligence would have known, that the act or
    omission violated an administrative
    simplification provision.
  • Willful neglect: conscious, intentional failure,
    or reckless indifference.
  • For example: You don't have any privacy
    protection rules or required forms in place, you
    failed to document a risk assessment, or you
    ignored or failed to cooperate with the OCR
    investigation.

30
Assessing Penalties
  • Nature and extent of the violation
  • Number of individuals affected
  • Time period during which the violation occurred
  • Nature and extent of harm
    • Physical, financial, reputational harm
    • Effect on ability to obtain health care
  • Prior compliance

31
Florida Information Protection Act 2014 (FIPA)
  • FIPA applies to entities that acquire, maintain,
    store, or use personal information (more than
    just health care providers).
  • Personal information includes a person's first
    name or first initial and last name in
    combination with any of the following elements:
    • Email addresses or account numbers with passwords
    • First and last names with health or medical
      information
    • Social security or driver's license numbers
    • Online account credentials
  • Personal information also includes a health
    insurance policy number or subscriber
    identification number and any unique identifier
    used by a health insurer to identify the
    individual.
  • Covered entities must take reasonable measures to
    protect and secure data in electronic form, such
    as encrypting data or removing personally
    identifiable information from data.

32
FIPA Requirements
  • After a covered entity discovers a breach,
    which includes unauthorized access to personal
    information, the covered entity has 30 days to
    notify the affected individuals. For breaches
    affecting under 500 people, FIPA requires notice
    to each affected person residing in Florida. If
    the breach affects 500 or more people, in
    addition to the individuals, notice must also be
    provided to the Florida Dept. of Legal Affairs.
    If the breach affects more than 1,000 people,
    notice must also be given to consumer credit
    reporting agencies.
  • Third party vendors (business associates) have 10
    days to notify a covered entity of a breach (as
    opposed to 60 days under HIPAA).
  • Practice Tip: Require business associates to
    notify the CE without unreasonable delay and in
    no case later than 5 days, to ensure the CE has
    time to comply with its own notification
    requirements.
  • Covered entities must, within 30 days, notify in
    writing all individuals located in Florida whose
    personal information was accessed as a result of
    a breach, UNLESS, after appropriate investigation
    and consultation with law enforcement, the
    covered entity determines and documents in
    writing that the breach will not likely result in
    identity theft or financial harm to those
    affected.
  • Failure to comply with FIPA results in a fine of
    $1,000 per day for the first 30 days and $50,000
    for each subsequent 30-day period, up to a
    maximum of $500,000.
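The breach-determination steps (slides 25 and 26) and the HIPAA and FIPA notification thresholds (slides 27 and 32) chain together into one decision that an incident responder has to make under a deadline. The following Python is an added worked example, not code from the presenters or their firm; it encodes only the rules and numbers stated on the slides. The four-factor risk assessment outcome and the Florida resident count are plain inputs (the slides give no scoring formula), the substitute-notice deadline is assumed to track the 60-day individual notice, and a partial 30-day period is assumed to count as a full one for the FIPA fine. The `IncidentFacts` dataclass and all function names are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class IncidentFacts:
    """Facts gathered during the breach risk assessment (constructed example)."""
    impermissible_use_or_disclosure: bool
    phi_secured: bool                    # rendered unusable per HHS guidance, e.g. encrypted
    low_probability_of_compromise: bool  # outcome of the four-factor risk assessment
    individuals_affected: int
    contact_info_sufficient: bool
    florida_residents_affected: int = 0
    documented_no_harm_to_floridians: bool = False  # FIPA exception, documented in writing


def hipaa_breach_occurred(facts: IncidentFacts) -> bool:
    """An impermissible use or disclosure of UNSECURED PHI is presumed a breach
    unless the CE/BA demonstrates a low probability of compromise."""
    if not facts.impermissible_use_or_disclosure:
        return False
    if facts.phi_secured:  # a breach can only occur if the PHI is unsecured
        return False
    return not facts.low_probability_of_compromise


def hipaa_notifications(facts: IncidentFacts) -> list[tuple[str, str, str]]:
    """(recipient, channel, deadline) tuples required under the HIPAA breach rule."""
    if not hipaa_breach_occurred(facts):
        return []
    notices = [("affected individuals",
                "first class mail, or electronic notice if the individual consented",
                "without unreasonable delay, no later than 60 calendar days after discovery")]
    if not facts.contact_info_sufficient:
        # Substitute notice; its deadline is not stated on the slides and is
        # assumed here to fall within the same 60-day window.
        if facts.individuals_affected < 10:
            channel = "telephone or alternate written notice"
        else:
            channel = "conspicuous web posting for 90 days, or notice to the media"
        notices.append(("substitute notice", channel, "within the 60-day window (assumption)"))
    if facts.individuals_affected >= 500:
        notices.append(("OCR", "online filing", "within 60 days of discovery"))
    else:
        notices.append(("OCR", "online filing", "at year end"))
    return notices


def fipa_notifications(facts: IncidentFacts) -> list[tuple[str, str, str]]:
    """Notices under the Florida Information Protection Act as summarised on the slides.
    Assumes FIPA is only in play when at least one Florida resident is affected."""
    if facts.florida_residents_affected == 0:
        return []
    notices = []
    if not facts.documented_no_harm_to_floridians:
        notices.append(("affected Florida residents", "written notice", "within 30 days"))
    if facts.individuals_affected >= 500:
        notices.append(("Florida Dept. of Legal Affairs", "notice", "500 or more affected"))
    if facts.individuals_affected > 1000:
        notices.append(("consumer credit reporting agencies", "notice", "more than 1,000 affected"))
    return notices


def fipa_penalty_exposure(days_out_of_compliance: int) -> int:
    """Dollar exposure for a FIPA notification failure: $1,000 per day for the first
    30 days, then $50,000 per subsequent 30-day period (a started period counts in
    full, an assumption), capped at $500,000."""
    if days_out_of_compliance <= 0:
        return 0
    first_30 = min(days_out_of_compliance, 30) * 1_000
    remaining_days = max(days_out_of_compliance - 30, 0)
    later_periods = -(-remaining_days // 30)  # ceiling division
    return min(first_30 + later_periods * 50_000, 500_000)


def notification_plan(facts: IncidentFacts) -> dict:
    """Combined HIPAA + FIPA obligations for one incident."""
    return {"hipaa_breach": hipaa_breach_occurred(facts),
            "hipaa": hipaa_notifications(facts),
            "fipa": fipa_notifications(facts)}


if __name__ == "__main__":
    # Constructed scenario: unencrypted laptop lost, 1,200 patients, 300 of them
    # Florida residents, mailing addresses incomplete for some.
    sample = IncidentFacts(True, False, False, 1200, False, 300)
    for key, value in notification_plan(sample).items():
        print(key, value)
    print("FIPA exposure if 45 days late:", fipa_penalty_exposure(45))
```

The value of writing the rules out this way is that the inputs the responder must establish first (was the PHI encrypted, what did the four-factor assessment conclude, how many people and where) are explicit, and the deadlines fall out mechanically once they are known.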

33
Recent HIPAA News
  • HIPAA data breaches have climbed 138% since 2012.
  • The Office for Civil Rights (OCR), which handles
    HIPAA privacy and security violations, has warned
    that enforcement will get aggressive.
  • The Federal Trade Commission has begun to use
    consumer protection laws to go after health care
    entities that don't adequately protect patients'
    health information.
  • Recent examples:
    • Anthem Breach
    • Medical Records Dumping
    • Data Breach
    • Security Rule Violation

34
Anthem Breach
  • Health insurer Anthem reported to the FBI this
    month that 80 million of its customers may have
    been exposed to a data breach.
  • Anthem allegedly failed to encrypt its data. The
    stolen data includes information such as names,
    DOB, home addresses, email addresses, and income
    data.
  • Morgan & Morgan has already filed a proposed
    class action suit against Anthem.

35
Medical Records Dumping Case
  • A covered entity left 71 cardboard boxes of
    medical records unattended and accessible to
    unauthorized persons during a transition of
    patients to new providers following the
    retirement of one of its physicians.
  • Resulted in an $800,000 HIPAA settlement.

36
Data Breach
  • A breach occurred when a physician attempted to
    deactivate a personally owned computer server on
    the covered entity's network containing patient
    PHI.
  • During the deactivation, a lack of technical
    safeguards resulted in PHI being accessible on
    internet search engines.
  • Resulted in $4.8 million in HIPAA settlements.

37
Security Rule Violation
  • A security breach occurred from malware that
    compromised the system's security, resulting in
    a breach of unsecured PHI.
  • The OCR investigation revealed the covered entity
    failed to conduct an accurate and thorough
    assessment of the potential risks and
    vulnerabilities of its electronically stored
    medical records.
  • $150,000 settlement.

38
A Few Final Thoughts
  • Ensure your Notice of Privacy Practices is
    updated and covers all the required information.
  • Establish policies to control employees' use of
    social media on the job.
  • Encrypt anything that can move (phones, flash
    drives, disks, laptops), and look at encryption
    solutions for data in motion, particularly if you
    are texting.

39
QUESTIONS?
  • Erin Smith Aebel, Esq.
  • Board Certified Health Lawyer
  • eaebel@slk-law.com
  • 813.227.2357