Title: Legal Issues in Information Security Health Insurance Portability and Accountability Act (HIPAA) Week 5
1. Legal Issues in Information Security: Health Insurance Portability and Accountability Act (HIPAA), Week 5
- Gary A Bannister, FCMA, AICPA
2. Learning Objectives
- Understand the privacy provisions and how they relate to the privacy provisions of other acts.
- Understand the right of notice.
- Understand who and what is covered.
- Understand the implications and requirements for IT digital data.
3. Health Insurance Portability and Accountability Act (HIPAA)
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to improve "the efficiency and effectiveness of the health care system by encouraging the development of a health information system, through the establishment of standards and requirements for the electronic transmission of certain health information".
4. Health Insurance Portability and Accountability Act (HIPAA)
- Became law on August 21, 1996.
- Congress recognized the importance of protecting the privacy of health information given the rapid evolution of health information systems.
5. HIPAA
- Primary objectives:
  - Ensure that people who are changing or losing jobs are not denied health insurance due to preexisting medical conditions.
  - Make the provision of health care more efficient.
  - Administrative Simplification.
6. Who Must Comply With HIPAA Regulations?
- Any health care provider, health plan, hospital, health insurer, and health care clearinghouse that electronically maintains or transmits any electronic protected health information (EPHI).
7. Covered Transactions
- Information exchanged between two parties to carry out financial or administrative activities related to health care, including:
  - Health care claims or equivalent encounter information.
  - Health care payment and remittance advice.
  - Coordination of benefits.
  - Health care claim status.
  - Enrollment and un-enrollment in a health plan.
  - Eligibility for a health plan.
  - Health-plan premium payments.
  - Referral certification and authorization.
8. HIPAA Privacy Rule
- Most parties subject to the Privacy Rule had to implement the Rule's standards and requirements by April 14, 2003.
- The Department of Health and Human Services Office for Civil Rights (OCR) has been given the authority to implement and enforce it.
9. HIPAA Privacy Rule
- The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) provides the first national standards for protecting the privacy of health information.
- The Privacy Rule established minimum Federal standards for protecting the privacy of personal health information.
- It regulates the way certain health care groups, organizations, or businesses, called covered entities under the Rule, handle the individually identifiable health information known as Protected Health Information (PHI).
10. Information Covered by the Privacy Rule
- PHI is defined as individually identifiable health information transmitted or maintained in electronic or any other form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records.
- Individually identifiable health information is health information (including demographic information) collected from an individual that:
  - Is created or received by a health care provider, health plan, employer, or health care clearinghouse.
  - Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
  - Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
11. HIPAA Privacy Rule: Individual Rights
- The Rule balances an individual's interest in keeping his or her health information confidential with other social benefits, including health care research.
- Individuals have the right to:
  - Receive access to their PHI.
  - Request amendments to their PHI.
  - Receive adequate notice.
  - Receive an accounting of disclosures.
  - Request restrictions on the use of their PHI.
12. HIPAA Privacy Rule Provisions
- Gives patients more control over their health information.
- Sets boundaries on the use and release of health records.
- Establishes appropriate safeguards that the majority of health-care providers and others must achieve to protect the privacy of health information.
- Holds violators accountable with civil and criminal penalties that can be imposed if they violate patients' privacy rights.
- Strikes a balance when public health responsibilities support disclosure of certain forms of data.
13. HIPAA Privacy Rule Provisions, cont.
- Enables patients to make informed choices based on how individual health information may be used.
- Enables patients to find out how their information may be used and what disclosures of their information have been made.
- Limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- Gives patients the right to obtain a copy of their own health records and request corrections.
- Empowers individuals to control certain uses and disclosures of their health information.
14. HIPAA Privacy Rule: What is Required
- For covered entities using or disclosing PHI, the Privacy Rule requires them to:
  - Notify individuals regarding their privacy rights and how their PHI is used or disclosed.
  - Adopt and implement internal privacy policies and procedures.
  - Train employees to understand these privacy policies and procedures as appropriate for their functions within the covered entity.
15. HIPAA Privacy Rule: What is Required, cont.
  - Designate individuals who are responsible for implementing privacy policies and procedures, and who will receive privacy-related complaints.
  - Establish privacy requirements in contracts with business associates that perform covered functions.
  - Have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information.
  - Meet obligations with respect to health consumers exercising their rights under the Privacy Rule.
16. Business Associates Requirements
- The Privacy Rule allows a covered provider or health plan to disclose PHI to a business associate (e.g., lawyers, accountants, billing companies, and other contractors) if satisfactory written assurance is obtained that the business associate will use the information only for the purposes for which it was engaged, will safeguard the information from misuse, and will help the covered entity comply with certain of its duties under the Privacy Rule.
17. Patient Rights Regarding PHI
- Right to Notice
  - All individuals have a right to receive notice of the uses and disclosures of PHI that may be made by any covered entity. Any individual may request this notice; no customer or patient relationship need exist between the individual and the covered entity holding the PHI.
18. HIPAA Privacy Rule Exceptions: Required PHI Disclosures
- A covered entity is required by the Privacy Rule to disclose PHI in only two instances:
  - When an individual has a right to access an accounting of his or her PHI.
  - When DHHS needs PHI to determine compliance with the Privacy Rule.
19. HIPAA Privacy Rule Exceptions
- Permitted PHI disclosures without authorization:
  - Law enforcement
  - Judicial and administrative proceedings
  - Oversight (DHHS / FTC)
  - Workers' compensation
20. HIPAA Privacy Rule Exception: Medical Research
- The Privacy Rule recognizes the legitimate need of the research community to use, access and disclose individually identifiable health information.
- Certificates of Confidentiality offer protection for the privacy of research study participants. They allow researchers to refuse to disclose information that could identify research participants in any civil, criminal, or other proceeding.
21. HIPAA Privacy Rule Penalties
- Health plans, providers and clearinghouses that violate the Rule may suffer:
  - Civil penalties of $100 per incident, up to $25,000 per person, per year, per standard.
  - Federal criminal penalties for violators that knowingly and improperly disclose information or obtain information under false pretenses.
  - Penalties would be higher for actions designed to generate monetary gain.
  - Criminal penalties of up to $50,000 and one year in prison for obtaining or disclosing protected health information.
  - Up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses".
  - Up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
22. HIPAA Security Final Rule
- On February 13, 2003, HHS announced the adoption of the HIPAA Security Final Rule.
- Most covered entities had two full years, until April 21, 2005, to comply with the standards.
23. HIPAA Security Final Rule
- The Security Rule is consistent with the Privacy Rule in that it covers "protected health information".
- It limits its scope to PHI that is in electronic form only.
24. HIPAA Security Rule Provisions
- Requires covered entities to:
  - Ensure the confidentiality, integrity, and availability of all electronic protected health information (EPHI) the covered entity creates, receives, maintains, or transmits.
  - Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  - Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule.
  - Ensure compliance by its workforce.
25. Administrative Safeguards
- The security standards establish baseline safeguards and use two types of implementation specifications:
  - Required
  - Addressable
26. HIPAA Security Rule: Addressable Implementation Specifications
- Required: must be complied with as written / specified in the law. 13 of the implementation specifications are required.
- Addressable: specifications that represent approaches to meeting specific standards, any of which may not be relevant to the covered entity's environment. The majority of the specifications are termed "addressable".
27. HIPAA Security Rule: Administrative Safeguards
- The central focus is security management: the policies and procedures designed to prevent, detect, contain, and correct security violations.
- Includes four required implementation specifications:
  - Risk analysis
  - Risk management
  - Sanction policy
  - Information system activity review
28. HIPAA Security Rule: Physical Safeguards
- A single individual must bear the responsibility for physical security.
- Requires physical safeguards to protect EPHI from unauthorized disclosure, modification, or destruction. This section includes standards for:
  - Facility access controls.
  - Access control and validation procedures (staff and visitors).
  - The collection of appropriate maintenance records for the physical components of a facility that are related to security (such as hardware, walls, doors, and locks).
  - Proper workstation use and physical security of workstations that access EPHI.
  - Device and media controls.
29. Security Rule: Technical Safeguards
- Covered entities must implement:
  - Technical policies and procedures for access control on systems that maintain EPHI.
  - These must allow for unique user identification and include an emergency access procedure for obtaining necessary EPHI during an emergency.
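The access-control requirements on this slide (unique user identification plus an emergency access procedure), the "minimum necessary" limit from slide 13, and the information system activity review from slide 27 fit together in one small control layer. The following is an added illustration written for these notes, not code from the slides or from any HIPAA implementation; the roles, user ids, patient id, field names and the EPHI record are all constructed placeholders, and the emergency path is a generic "break-glass" pattern rather than any regulator-mandated design.

```python
"""Added example (not from the slides): a toy EPHI access layer that enforces
unique user identification, a per-role minimum-necessary field list, an
emergency (break-glass) access procedure that is always logged, and an
information-system activity review over the resulting audit log.
All users, roles, records and field names below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample EPHI record keyed by a hypothetical patient id.
EPHI = {
    "P-1001": {"name": "Sample Patient", "dob": "1970-01-01",
               "diagnosis": "[constructed]", "billing_code": "[constructed]"},
}

# Minimum-necessary field lists per role (hypothetical roles).
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis"},
    "billing":   {"name", "billing_code"},
}


@dataclass
class AuditEvent:
    when: str
    user_id: str            # unique user identification: never a shared account
    patient_id: str
    action: str             # "read", "denied" or "emergency-read"
    fields: tuple
    reason: Optional[str] = None


@dataclass
class EphiStore:
    users: dict = field(default_factory=dict)   # user_id -> role
    log: list = field(default_factory=list)     # append-only audit trail

    def _record(self, user_id, patient_id, action, fields=(), reason=None):
        self.log.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                   user_id, patient_id, action,
                                   tuple(sorted(fields)), reason))

    def read(self, user_id, patient_id):
        """Normal access: requires a known, unique user and returns only the
        fields its role needs (minimum necessary). Unknown users are denied."""
        role = self.users.get(user_id)
        record = EPHI.get(patient_id)
        if role is None or record is None or role not in ROLE_FIELDS:
            self._record(user_id, patient_id, "denied")
            return None
        allowed = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
        self._record(user_id, patient_id, "read", allowed.keys())
        return allowed

    def emergency_read(self, user_id, patient_id, reason):
        """Break-glass access: returns the full record, but only to a known
        user who states a reason, and every such access is logged for review."""
        if user_id not in self.users or not reason.strip() or patient_id not in EPHI:
            self._record(user_id, patient_id, "denied", reason=reason)
            return None
        record = dict(EPHI[patient_id])
        self._record(user_id, patient_id, "emergency-read", record.keys(), reason)
        return record


def activity_review(store):
    """Information system activity review: summarise denied attempts and
    emergency accesses so a reviewer can follow up on each break-glass use."""
    denied = [e for e in store.log if e.action == "denied"]
    emergency = [e for e in store.log if e.action == "emergency-read"]
    return {"denied": len(denied), "emergency": len(emergency),
            "emergency_users": sorted({e.user_id for e in emergency})}


if __name__ == "__main__":
    store = EphiStore(users={"u-alice": "clinician", "u-bob": "billing"})
    print(store.read("u-alice", "P-1001"))          # clinical fields only
    print(store.read("shared-desk", "P-1001"))      # None: no unique identity
    print(store.emergency_read("u-bob", "P-1001", "ER trauma, clinician unreachable"))
    print(activity_review(store))
```

The point of the design is that the emergency path is never a silent bypass: it still requires an individual identity and a stated reason, and the review function exists so someone is obliged to look at each break-glass event afterwards.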
30. Security Rule: Business Associate Contracts
- Requires a Business Associate agreement, which is already required by the Privacy Rule. For relationships where a third party is used to create, receive, maintain or transmit EPHI on the covered entity's behalf, the Security Rule requires the business associate to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the covered entity's EPHI.
31. Security Rule: Policies, Procedures and Documentation
- Requires covered entities to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.
- Maintain the documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.
- Make the documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
- Review documentation periodically, and update it as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
32. HIPAA Administrative Simplification
- HIPAA's Administrative Simplification provisions, sections 261 through 264 of the statute, were designed to improve the efficiency and effectiveness of the health care system by facilitating the electronic exchange of information:
  - Universal standards for the electronic transfer of health information
  - Privacy of health information
  - Security of health information
  - Electronic signatures
33. Standards for Electronic Transactions and Code Sets
- HIPAA requires the standardization of the reporting of medical procedures with industry-established and -maintained codes. These are the codes used by health care providers to identify what procedures, services and diagnoses pertain to an encounter. This will eliminate the use of government and commercial proprietary medical code sets.
34. Standards for Electronic Transactions and Code Sets
- On Oct. 16, 2003, the transactions and code sets standards that are part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) took effect.
- The intent is to create standard transactions to replace the many versions currently being used for claim status inquiries, eligibility verification, referral authorization and others.
- After Oct. 16, 2003, Medicare will no longer accept paper claims from practices with 10 or more full-time equivalent (FTE) staff, and all payers will be required by law to accept only those electronic claims that use HIPAA-standard formats.
35. Standards for Electronic Transactions and Code Sets
- The HIPAA administrative simplification provision requires that payers, physicians and other providers use new standard claims formats and electronic transmission procedures.
- Doing so should speed claims processing and reduce errors in both claims filings and payments.
36. Standards for Electronic Transactions and Code Sets
- The Electronic Transactions Standard applies to all of the types of business that are performed daily to provide proper healthcare:
  - Health claims, payments for care and premiums, coordination of benefits and other related transactions.
  - All health providers, clearinghouses and plans that transmit health-related information electronically.
  - Clearinghouse transmissions to providers and health plans.
  - Transmissions which use all types of media, including Internet, dial-up lines and private networks.
  - All health plans for all transactions.
  - Provider transmissions and the reception of electronic transmissions.
37. HIPAA Compliance Best Practices
- Don't rely on your payers or software vendors to make you compliant.
- HIPAA regulations are full of statements like 'reasonable effort' and 'as permitted'. Adapt the terms to your environment.
- Analyze the possible conduits through which PHI could leave your custody and reach an unauthorized entity.
38. HIPAA Compliance Best Practices
- Be diligent about covering all the bases.
- There has to be a paper trail or 'chain of custody' for the information.
- If you use software for billing, you need to be in conversation with the vendor.
- There are state-governed requirements for submitting billing.
39. Questions?