Posted on 16-Sep-2020
CONFIDENTIALITY NOTICE: This document contains confidential information intended solely for the
recipient(s) named herein. The information set forth in this document may not be reproduced
or disclosed by the recipient(s) without the prior written consent of the author.
HIPAA/HITECH Compliance
Presented by: Victor Hair, Certified HIPAA Professional (CHP)
2015
What is HIPAA?
HIPAA/HITECH COMPLIANCE
The Health Insurance Portability and Accountability Act of 1996 is a federal law whose
implementing regulations establish national standards for the protection of health
information as it is used, stored and transmitted by covered entities and their business
associates.
Administrative Simplification - Title II, Subtitle F, of HIPAA, which authorizes HHS to:
(1) adopt standards for transactions and code sets that are used to exchange health data;
(2) adopt standard identifiers for health plans, healthcare providers, employers, and
individuals for use on standard transactions; and (3) adopt standards to protect the
security and privacy of individually identifiable health information.
Terms
Business Associate – A person or company that performs or assists in the performance of a
function or activity on behalf of a covered entity (for example, a healthcare provider)
involving the use or disclosure of protected health information (PHI).
Common Rule – The federal policy for the protection of human research subjects (45 CFR
Part 46), which requires informed consent from research participants. It is separate from
HIPAA, but both apply when research uses PHI.
Chain of Trust Agreement – Referred to in the HIPAA rules, this is a contract needed to
extend the responsibility to protect healthcare data across a series of sub-contractual
relationships.
Covered Entities – Health Plans, Healthcare Clearinghouses, and Healthcare Providers who
must comply with HIPAA regulations and standards because they transmit health information
in electronic form in connection with HIPAA-covered transactions.
Deidentified Information – Patient identifiable information with the identifying details
removed so that it can no longer be linked to any specific person. The Privacy Rule
recognizes two methods: removal of the 18 listed identifiers (the "safe harbor" method)
or a documented expert determination that the risk of re-identification is very small.
Terms (cont.)
Disclosing PHI – Transmitting Protected Health Information (PHI) outside the covered
entity. Some disclosures are permitted by the Privacy Rule, some are not.
PHI – Protected Health Information: individually identifiable health information held or
transmitted by a covered entity or business associate in any form or medium.
PII – Patient Identifiable Information (more generally, personally identifiable
information) such as name, address, phone number, social security number, etc., which can
isolate exactly which individual has received or been billed for healthcare treatment.
Routine Disclosure – Using Protected Health Information (PHI) for the acceptable purposes
outlined in the Privacy Rule.
Privacy Rule – The HHS regulation (45 CFR Part 160 and Subparts A and E of Part 164) that
sets national standards for the protection of individually identifiable health
information in any form.
Security Rule – The HHS regulation (45 CFR Part 164, Subpart C) that sets national
standards for safeguarding health information that is held or transmitted electronically
(ePHI).
HITECH Act Regulations for Business Associates
The HITECH Act was passed in 2009 (as part of the American Recovery and Reinvestment Act)
and most of its privacy and security provisions took effect in 2010. It extends the
original HIPAA Act of 1996 in several ways:
BAs are directly subject to the HIPAA rules and to fines and penalties for violations.
BAs are directly subject to the security breach notification requirements.
BAs are prohibited from selling PHI (or ePHI) and from accepting payment from outside
companies for marketing communications using PHI without the individual's authorization.
What HIPAA Regulations Require From BAs
Adopting clear privacy procedures for its business operations.
Training employees so that they understand the privacy procedures.
Designating an individual to be responsible for seeing that the privacy procedures are
adopted and followed.
Securing patient records that contain individually identifiable health information so
that they are not readily available to those who do not need them.
Business Associate Agreement
HIPAA requires that the covered entity have “satisfactory assurances” that the business
associate will appropriately safeguard the PHI it receives from the covered entity.
“Satisfactory assurances” means that there is a written contract between the covered
entity and the business associate which contains specific provisions identified in HIPAA.
Checklist for Business Associate Agreement:
Specify permitted uses and disclosures of PHI by Business Associate
No disclosure of PHI that would violate HIPAA
No disclosure of PHI other than as allowed for by the BAA
Safeguards for PHI
Report any unauthorized disclosure of PHI
Provide an accounting of disclosures
Agents and subcontractors of Business Associate agree to same provisions
Return or destroy PHI at end of contract
Authorize the Covered Entity to terminate the BAA for material breach
What ensures that BA is HIPAA compliant:
Appoint a Privacy/Security Officer to implement policies and monitor compliance.
Develop privacy policies and procedures for permitted uses and disclosures of
protected health information.
Reorganize your company’s structure to eliminate unnecessary uses or disclosures
of protected health information.
Establish a policy to ensure that employees are only disclosing the minimum amount
of protected health information necessary for each particular purpose.
What ensures that BA is HIPAA compliant: (cont.)
Develop a policy regarding oral disclosures of protected health information.
Develop a policy on when Authorizations are needed for disclosures by the company
and draft an Authorization to be used for such disclosures.
Develop a complaint procedure and appoint a contact person to receive complaints.
Develop a training program and provide training to all employees that will handle or
have access to protected health information.
Establish sanctions for violations of the Business Associate’s privacy practices.
Minimum Necessary Rule
A central aspect of the Privacy Rule is the principle of “minimum necessary” use and
disclosure. A covered entity must make reasonable efforts to use, disclose, and request
only the minimum amount of protected health information needed to accomplish the
intended purpose of the use, disclosure, or request.*
*The HIPAA Academy Quick Reference Card
HITECH notification requirements for each privacy or security breach
Affected individuals must be notified in the circumstances the rule specifies, without
unreasonable delay and no later than 60 calendar days after discovery of the breach.
Upon discovery of a breach of unsecured PHI under its control, a business associate is
required to notify the covered entity (likewise without unreasonable delay and within 60
days), which then must notify the impacted individuals.
Notice must also be given to HHS: at the same time as the individual notices when 500 or
more individuals are affected, or through an annual log submitted within 60 days after the
end of the calendar year for smaller breaches. Prominent media outlets serving a state or
jurisdiction must be notified when more than 500 residents of that state or jurisdiction
are affected.
HHS website listing breaches affecting 500 or more individuals:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html
Sources of health data breaches in 2014
Of the 169 breaches of 500 or more records
posted on the HHS Wall of Shame for 2014,
Business Associates were involved in 36 of
them. However, these breaches represented
7,163,530 records of the total of 9,042,851
breached, or 79%!
Theft was still the leading reason for all
HITECH Act breaches, totaling 5.4 million of
the 9 million records breached. Hacking only
represented less than 250,000 of the breached
records — but this trend has reversed in 2015
dramatically with hacking certain to be the
largest cause of healthcare breaches in 2015!
Breaches by Location
# of Breaches   Location                            # of Individuals affected
32              Laptop                              2,821,984
41              Paper                               374,001
15              Desktop                             2,175,468
22              Other Portable Electronic Devices   2,233,616
59              Other                               1,437,782
169             Total                               9,042,851

Breaches by Reason
# of Breaches   Reason                # of Individuals affected
72              Theft                 5,409,197
16              Loss                  159,804
19              Hacking               242,139
9               Improper Disposal     91,549
36              Unauthorized Access   2,817,597
17              Other                 322,565
169             Total                 9,042,851
Top 10 breaches of health data for 2014
Organization                                                  # Individuals affected
Community Health Systems Professional Services Corporation    4,500,000
Xerox State Healthcare, LLC                                   2,000,000
Sutherland Healthcare Solutions, Inc.                         342,197
Touchstone Medical Imaging, LLC                               307,528
Indian Health Service                                         214,000
Walgreen Co.                                                  160,000
NRAD Medical Associates, P.C.                                 97,000
Visionworks, Inc.                                             73,994
St. Vincent Hospital and Health Care Center, Inc.             63,325
Onsite Health Diagnostics                                     60,582
Far more health breach victims in 2014
2014 was a landmark year for the healthcare industry, unfortunately for the wrong reasons.
It saw some of the largest HIPAA data breaches ever recorded, exposing the protected health
data of millions of patients and costing the industry as a whole many tens of millions of
dollars in fines and settlements.
The healthcare industry accounted for 42.3% of all data breaches recorded this year.
Healthcare providers have exposed the PHI of over 8 million in 322 recorded breaches.
2014’s biggest HIPAA data breaches were significantly larger than 2013’s.*
There were 169 total HIPAA-related data breaches in 2014 compared to 140 in 2013
that affected 500 or more people.
* According to the Identity Theft Resource Center Report for 2014
Far more health breach victims in 2014 (cont.)
The year had only just begun when the FBI released a stern warning to the healthcare
industry that cybercriminals were likely to target the healthcare sector in the coming months,
and that medical devices and hospital networks were under an elevated risk of a targeted
attack. The FBI attributed the increased threat to the “mandatory transition from paper to
electronic health records, lax cybersecurity standards, and a higher financial payout for
medical records in the black market.”
Private healthcare providers were not the only healthcare entities to record major data
breaches this year:
The Montana State Department of Public Health and Human Services was targeted by
cybercriminals, who stole the health data of 1.3 million individuals.
The Indian Health Service also suffered a major breach involving the exposure of
214,000 patient records.
Leading cause of PHI breaches in 2014
Loss and theft of laptop computers and mobile devices was a major problem throughout the
year and potentially exposed the data of many millions of Americans. Whether they were
opportunistic thefts or targeted attacks on the data the devices held, none of these
incidents would have been reportable breaches had the data on the devices been encrypted
in line with HHS guidance: PHI encrypted that way is "secured" PHI, and its loss falls
outside the breach notification rule. Encryption is an addressable (not strictly mandatory)
implementation specification under the Security Rule, but for portable devices it is the
only safeguard that still holds once the device leaves the building, so an entity that
chooses not to encrypt must document why and what equivalent protection it put in place.
Government response
The Department of Health and Human Services’ Office for Civil Rights is charged with
policing HIPAA and it has been particularly active this year, investigating more incidents
involving data breaches and issuing increased fines for data breaches resulting from lax
security standards.
New York-Presbyterian Hospital and Columbia University were the hardest hit, receiving
a joint $4.8 million fine for HIPAA violations with the combined total being the highest ever
settlement collected by the OCR.
Concentra Health Services was required to pay $1,725,220 in another major 2014 OCR
HIPAA settlement.
Cost of PHI breaches continues to climb
The Ponemon Institute released data in 2014 on the true cost of data breaches, clearly
showing the total cost to be far in excess of the fines issued by the Office for Civil Rights
for non-compliance.
In its report, 2014 Cost of Data Breach Study: Global Analysis, data breaches were
estimated to cost an average of $3.5 million, while the total annual cost to the healthcare
industry as a whole was estimated at $5.6 billion, not including the cost to the reputations
of the organizations that have failed to protect patient data.
Penalties
Civil monetary penalties: HITECH sets mandatory, tiered fines for HIPAA violations.
Category                                                   Penalty per violation   Calendar-year cap for identical violations
Did not know (and could not reasonably have known)         $100 - $50,000          $1.5 million
Reasonable cause, not willful neglect                      $1,000 - $50,000        $1.5 million
Willful neglect, corrected within the required 30 days     $10,000 - $50,000       $1.5 million
Willful neglect, not corrected                             $50,000 or more         $1.5 million
Penalties and monetary settlements
Examples of penalties assessed by HHS in 2014:
Organization                                             Amount assessed
New York-Presbyterian Hospital and Columbia University   $4.8 million
Concentra Health Services                                $1,725,220
Parkview Health System                                   $800,000
QCA Health Plan                                          $250,000
Under HITECH, individuals are subject to civil monetary penalties
The Office for Civil Rights may investigate and impose civil monetary penalties on an
individual for a violation of the Privacy and Security Rules that would also be a criminal
offense, even if the Justice Department declines to prosecute that individual.
State Attorneys General are also authorized to bring civil actions in federal district
court against persons who violate HIPAA, to enjoin further violations or to obtain damages
on behalf of state residents.
Penalties
Criminal Penalties:
A fine of up to $50,000 and up to one year in prison for a person who knowingly
obtains or discloses individually identifiable health information in violation of HIPAA.
A fine of up to $100,000 and up to five years in prison if the wrongful conduct
involves false pretenses.
A fine of up to $250,000 and up to ten years in prison if the wrongful conduct
involves the intent to sell, transfer, or use individually identifiable health information
for commercial advantage, personal gain, or malicious harm.
The HIPAA Academy Quick Reference Card
Data breach costs continue to rise (costs other than penalties and lawsuits)
Average organizational cost increased to $3.5 million*
- 15% increase over the previous year
Total annual cost to the Healthcare Industry in 2014: $5.6 billion*
The recently announced hacking of Anthem Healthcare’s member records, exposing the
private information of more than 80 million members, is expected to cost Anthem well in
excess of $100 million. This incident represents a significant increase in the impact of
healthcare breaches both from the total number of individuals impacted and the total
cost of healthcare breaches.
*Source: Ponemon Institute - 2014 Cost of Data Breach Study: Global Analysis
What if State Laws Conflict?
Conflicts between this federal law and state laws are addressed in the HIPAA legislation
and its regulations (45 CFR 160.203). The general rule is that HIPAA supersedes (preempts)
any contrary state law, except in the following circumstances:
The Secretary of HHS determines that the state law is necessary for a purpose listed in
the statute (preventing healthcare fraud and abuse, regulating insurance and health plans,
state reporting on healthcare delivery or costs, or a compelling public health, safety or
welfare need).
State laws that the Secretary determines address controlled substances.
State laws regarding the privacy of individually identifiable health information that are
contrary to and more stringent than the federal requirements.
When state and federal HIPAA requirements conflict, the practical rule is to follow the
stricter of the two.
The HIPAA Academy Quick Reference Card
Examples of state privacy laws more strict than HIPAA:
California: Requires reporting of any size breach to the state health department and
notification to affected individuals within 5 business days of discovery.
Connecticut: The state Insurance Department requires reporting of any “information
security incident” within 5 calendar days of discovery.
HIPAA itself requires notification without unreasonable delay and no later than 60 days
after discovery; breaches affecting 500 or more individuals must be reported to HHS at the
same time, and local media must be notified when more than 500 residents of a single state
or jurisdiction are affected. Smaller breaches are logged and reported to HHS annually.
The HIPAA Academy Quick Reference Card
HITECH Security rule applies to Covered Entities and Business Associates
The HITECH Act obligates business associates to comply with all of the security
requirements that only covered entities were previously required to follow.
Civil and criminal penalties for violating those standards now apply directly to business
associates as well as covered entities.
Physical and Electronic Security Safeguards
Physical Security:
Maintain locks and restricted access to areas where PHI is kept.
Implement the use of shredders and/or locked recycling containers.
Secure the locations and placement of individual records.
Electronic Security:
Configure computers with passwords, automatic logouts, virus protection, and encryption
mechanisms.
Minimize exposure of computer screens displaying protected health information by placing
privacy screens on monitors.
Prevent unnecessary copying or faxing of health information and the release of such
information.
Mitigation, Complaints and Retaliation
Mitigation – A covered entity must mitigate, to the extent practicable, any harmful
effect it learns was caused by use or disclosure of protected health information by its
workforce or its business associates in violation of its privacy policies and procedures
or the Privacy Rule.
Complaints – Consumers have up to 180 days to file a complaint from the time they
are aware of the violation or perceived violation. A covered entity must have procedures
for individuals to complain about its compliance with its privacy policies and procedures
and the Privacy Rule.
Retaliation – A covered entity may not retaliate against a person for exercising rights
provided by the Privacy Rule, for assisting in an investigation by HHS or another
appropriate authority, or for opposing an act or practice that the person believes
in good faith violates the Privacy Rule.
Documentation and Record Retention
A covered entity must maintain, until six years after the later of the date of their creation
or last effective date, its privacy policies and procedures, its privacy practices notices,
disposition of complaints, and other actions, activities, and designations that the Privacy
Rule requires be documented.
HITECH Accounting of electronic disclosures
Individuals have the right to request an accounting of all disclosures of their electronic
PHI made through an electronic health record, including disclosures made for treatment,
payment and healthcare operations (TPO), for the previous three years. (Under the original
Privacy Rule, TPO disclosures were exempt from accounting; HITECH removes that exemption
for EHRs.)
For each electronic health record, access logs must include:
the name and address of the person accessing the record
a brief description of the type of health information disclosed
the date and time of the access
changes to the record, including modifications
Effective dates for compliance set by the statute:
For records acquired before 1/1/2009, record TPO disclosures made on or after
January 1, 2014. For records acquired after 1/1/2009, record TPO disclosures made
on or after January 1, 2011.
Note that HHS has so far issued only a proposed rule (May 2011) implementing this
provision; until a final rule is published, the accounting of TPO disclosures is not an
enforceable requirement, but the logging capability has to exist before it can be met.
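The log content the statute describes, as an added Python example that is not part of the presentation: an append-only disclosure log whose entries carry the fields listed above (who accessed the record and from what address, what was disclosed, when, and what changed), plus the accounting query an individual is entitled to, covering the previous three years with TPO disclosures included. The class and field names, the JSON serialization, the hypothetical patient identifiers and the sample entries are assumptions constructed for the example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Added example, not the presentation's own code. Field names are assumptions;
# HITECH lists what an EHR access log must capture, not a record format.


@dataclass(frozen=True)
class DisclosureEntry:
    patient_id: str        # constructed identifier of the record's subject
    accessed_by: str       # name of the person accessing the record
    accessor_address: str  # address of that person or their organization
    purpose: str           # "treatment", "payment", "operations" or "other"
    description: str       # brief description of the PHI disclosed
    accessed_at: datetime  # timezone-aware date and time of the access
    changes: str           # modifications made; "" for a read-only access

    def to_json(self) -> str:
        """Serialize one entry; the timestamp is written as ISO 8601."""
        record = asdict(self)
        record["accessed_at"] = self.accessed_at.isoformat()
        return json.dumps(record, sort_keys=True)


def years_before(when: datetime, years: int) -> datetime:
    """`when` moved back `years` calendar years; 29 Feb maps to 28 Feb."""
    try:
        return when.replace(year=when.year - years)
    except ValueError:
        return when.replace(year=when.year - years, day=28)


class DisclosureLog:
    """Append-only log of EHR accesses: entries are added, never edited."""

    def __init__(self) -> None:
        self._entries: list[DisclosureEntry] = []

    def record(self, entry: DisclosureEntry) -> None:
        if entry.accessed_at.tzinfo is None:
            raise ValueError("accessed_at must be timezone-aware")
        self._entries.append(entry)

    def accounting(self, patient_id: str, requested_at: datetime,
                   years: int = 3) -> list[DisclosureEntry]:
        """Every disclosure of one patient's ePHI in the `years` before the
        request, TPO disclosures included, oldest first."""
        start = years_before(requested_at, years)
        hits = [e for e in self._entries
                if e.patient_id == patient_id
                and start <= e.accessed_at <= requested_at]
        return sorted(hits, key=lambda e: e.accessed_at)


def build_sample_log() -> DisclosureLog:
    """Constructed sample entries for two hypothetical patients."""
    utc = timezone.utc
    log = DisclosureLog()
    log.record(DisclosureEntry("P-1001", "Dr. A. Example",
                               "1 Clinic Way, Springfield", "treatment",
                               "Progress note read",
                               datetime(2014, 3, 2, 9, 15, tzinfo=utc), ""))
    log.record(DisclosureEntry("P-1001", "Claims Processor 7",
                               "Example Health Plan, PO Box 1", "payment",
                               "Claim procedure codes disclosed to payer",
                               datetime(2012, 6, 15, 14, 0, tzinfo=utc), ""))
    log.record(DisclosureEntry("P-1001", "Quality Analyst",
                               "Example Hospital, 2 Main St", "operations",
                               "Chart reviewed for quality audit",
                               datetime(2011, 8, 1, 11, 30, tzinfo=utc),
                               "Allergy list corrected"))
    log.record(DisclosureEntry("P-2002", "Dr. B. Example",
                               "1 Clinic Way, Springfield", "treatment",
                               "Lab results read",
                               datetime(2014, 9, 9, 8, 0, tzinfo=utc), ""))
    return log


def demo_accounting() -> list[DisclosureEntry]:
    """P-1001 asks on 1 May 2015 for the previous three years: the 2011
    operations access falls outside the window and P-2002 is another patient,
    so only the 2012 payment and 2014 treatment disclosures are returned."""
    log = build_sample_log()
    return log.accounting("P-1001", datetime(2015, 5, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for entry in demo_accounting():
        print(entry.to_json())
```

The window is computed in calendar years from the request date rather than as 3 x 365 days, because the statute counts years; the log rejects naive timestamps so that accesses recorded by systems in different time zones sort correctly.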
HITECH Marketing Restrictions
Marketing communications based on or containing PHI are not allowed if the covered entity
(or business associate) receives direct or indirect payment for making the communication,
unless the individual has given written authorization, and that authorization must state
that payment is involved.
OCR HIPAA compliance audits
The HITECH law requires The Office for Civil Rights (OCR) to conduct audits of
organizations subject to HIPAA regulations.
Organizations to be audited will receive a notification with request for documentation
of the organization’s HIPAA policies and procedures, latest risk assessment, security
incident response plan, breach notification plan and employee training plan.
Auditors will also conduct site visits.
Fines and/or penalties may be imposed depending on the results of the audits.
Thank you!