hipaa and hitech : what you need to know

HIPAA and HITECH What You Need to Know

Upload: shred-it

Post on 29-Nov-2014


DESCRIPTION

This presentation discusses how to comply with HIPAA and HITECH privacy laws. Learn key terms such as Protected Health Information, the Privacy Rule and the Security Rule as well as major changes brought by HIPAA and HITECH.

TRANSCRIPT

Page 1: HIPAA and HITECH : What you need to know

HIPAA and HITECH

What You Need to Know

Page 2: HIPAA and HITECH : What you need to know

Today's Presenters


Andrew Lenardon, Director of National Accounts Indirect Solutions for North America at Shred-it. Andrew Lenardon is the Director of National Accounts Indirect Solutions for North America at Shred-it International, Inc., where he brings over 15 years of sales and leadership experience. In his role, Lenardon leads a team of professionals in helping Healthcare and Enterprise clients improve the security of how they handle confidential records and identify wasteful spending that can be shifted to priorities such as information security, compliance efforts and business efficiency. Lenardon has worked at Shred-it since 2006. A graduate of McMaster University, Lenardon holds a B.Sc. in Biochemistry and currently resides in Toronto, Canada.

Chris Sheehan, Compliance Agent, Providence, Rhode Island. Chris has a combined 17 years of experience in the Records Management and Information Security industries. In the past he has served on the Board of Directors and as Vice President of ARMA (Association of Records Managers & Administrators). For the last five years Chris has worked with Federal and State governments on implementing policies to assist with the prevention of fraud and the protection of identity. Certified in Massachusetts law with regard to Mass Reg 201 CMR 17:00, Chris conducts compliance training for clients and assists with developing their Written Information Security Plan (WISP). Chris also conducts information sessions for a number of colleges and universities to further educate administrators, faculty and students on information security and on sustainability for the environment.

David Pinter, National Accounts Executive. David began his career at Shred-it over 12 years ago. He has been assisting healthcare organizations with their compliance and document security efforts since 2003, when HIPAA was first launched. David is a member of Shred-it’s National Accounts Healthcare Team, where he provides new business development support and consulting for customers in the Healthcare and Group Purchasing Organization spaces.

Page 3: HIPAA and HITECH : What you need to know

Protecting Patient Privacy – how important is it?


Page 4: HIPAA and HITECH : What you need to know

What is HIPAA?

• Health Insurance Portability and Accountability Act (HIPAA)

• HIPAA requires health care organizations to have and maintain safeguards to prevent intentional or unintentional use or disclosure of protected health information.

• It is the Federal law that requires health care organizations to “maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.”

• Specifically, the management of private information is detailed through the Privacy Rule and the Security Rule. Both rules are designed to protect an individual’s private and confidential information by standardizing how it may be used, handled, stored, etc.

Page 5: HIPAA and HITECH : What you need to know

What is HITECH?

• The Health Information Technology for Economic and Clinical Health (HITECH) Act includes rules that impact organizations that operate within HIPAA legislation.

• It is in direct relation to HIPAA because it imposes standards on medical and healthcare organizations (business associates) in addition to those that are imposed by HIPAA (CE’s). It was part of the Reinvestment Act of 2009.

• This act requires that all organizations in the medical field apply “meaningful use” of technology that demonstrates security efforts. This ensures that the confidentiality, integrity and availability of protected data is not compromised.

Page 6: HIPAA and HITECH : What you need to know

Major Changes Brought on by HITECH Since 2009

• Enforcement has become more proactive: penalties are now levied for smaller breaches and against more parties.

• The data that falls under the scope of protection has grown to include other personal information beyond EPHI.

• Stricter audits are now in practice.

• Every consumer now has the right to obtain a copy of their PHI without paying a fee.

• Business Associates, not just Covered Entities, are now required to comply with this act.

• There are now more restrictions on the use of protected health information for marketing purposes.

Page 7: HIPAA and HITECH : What you need to know

Key Terms

• PHI and EPHI

• Covered Entity and Business Associate

• Security Rule and Privacy Rule

• Common Control

• Willful Neglect

Page 8: HIPAA and HITECH : What you need to know

PHI and EPHI

PHI: Protected Health Information

EPHI: PHI that has been converted to, or is stored or transmitted on, electronic media

Page 9: HIPAA and HITECH : What you need to know

What is Considered PHI?

• Medical records

• Diagnosis of a certain condition

• Procedure codes on claim forms

• Claims data or information

• Explanation of Benefits (EOB)

• Pre-authorization forms

• Crime reports

• Coordination of benefit forms

• Enrolment information and forms

• Election forms

• Reimbursement request forms

• Records indicating payment

• Claims denial and appeal information

Page 10: HIPAA and HITECH : What you need to know

Covered Entity and Business Associate

Covered Entities (CE’s) include health care providers, health care clearinghouses, and health plans that electronically store, process or transmit electronic protected health information (EPHI).

Business Associates (BA’s) include any person or organization that provides services to, or performs functions on behalf of, a covered entity.

Page 11: HIPAA and HITECH : What you need to know

Privacy Rule & Security Rule

• The Privacy Rule

  • Establishes national standards to protect individuals’ medical records and other personal health information

  • Applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically

  • Requires appropriate safeguards to protect the privacy of personal health information

  • Sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization

  • Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections

• The Security Rule

  • Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity

  • Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information

Page 12: HIPAA and HITECH : What you need to know

What is Common Control?

• A situation where a covered entity has direct or indirect power or influence over another entity’s actions or policies.

• It places the onus on the CE to ensure that the outside BA it contracted is taking the necessary safeguards and actions to protect the PHI of individuals.

Page 13: HIPAA and HITECH : What you need to know

What is Willful Neglect?

• Defined as “a tendency to be negligent and uncaring”

• In the context of HIPAA and HITECH, the meaning of the term differs from case to case.

• With regard to the health care industry, willful neglect is a failure to comply or to perform certain necessary tasks that is either intentional or conscious.

• HITECH brought in harsher penalties for willful neglect.

Page 14: HIPAA and HITECH : What you need to know

How do organizations and individuals comply?

• Companies should explore the requirements of HIPAA Privacy and Security Rules.

• Health care organizations must implement policies and procedures related to accessing information.

• Business associates must adopt HIPAA-compliant practices.


Page 15: HIPAA and HITECH : What you need to know

Why is compliance important?

Patient privacy is very important, and people expect health care organizations to keep their information secure and private. They expect that their information will be safe from breaches. Compliance matters not only for the patient’s sake but for the company’s own interests as well. Beyond the damage to your reputation, cases of willful neglect under HITECH can attract a penalty of AT LEAST $50,000.00 per violation, up to a total of $1.5 million in a calendar year. Compliance is important on many levels regardless of the circumstances.

Page 16: HIPAA and HITECH : What you need to know

What happens if you don’t comply?

There are different penalties put into place by HIPAA and HITECH depending on the circumstances and situation.

Since HITECH came into the picture in 2009, the penalties have become harsher and less forgiving.


Page 17: HIPAA and HITECH : What you need to know

Security Breach

A major health insurer in Tennessee suffered a massive breach in 2009 which affected over 1 million people. As of this year they had settled in court for $1.5 million.

• The breach involved the theft of 57 unencrypted computer hard drives. On those hard drives were:

  • Members’ names

  • Social Security Numbers

  • Diagnosis codes

  • Dates of birth

  • Health plan ID numbers

• The investigation showed a lack of, and a failure to implement, appropriate safeguards for information. HIPAA/HITECH require not only digital but also physical safeguards, and both were missing in this situation.

• The company spent almost $17 million attempting to rectify the situation.

Page 18: HIPAA and HITECH : What you need to know

What are the Penalties?


Page 19: HIPAA and HITECH : What you need to know

If a person…                                                                                      They will be fined…      Or face imprisonment of…

Causes, uses or obtains individually identifiable health information                              Up to $50,000.00         1 year

Commits an offense under false pretences                                                          Up to $100,000.00        5 years

Commits an offense with intent to sell, transfer, or use individually identifiable health         Up to $250,000.00        10 years
information for commercial advantage, personal gain, or malicious harm

Page 20: HIPAA and HITECH : What you need to know

What are some ways that you can avoid a violation or a breach?

Here are Some Tips for Best Practice…


Page 21: HIPAA and HITECH : What you need to know

Best Practices

Stay informed

Learn about HIPAA and HITECH and other privacy laws that impact your organization, and how to stay compliant.

Establish a security plan

Document the flow of confidential information in your workplace, and make sure that you have formal security policies in place.

Educate and enforce

Train your employees to understand and follow your information security policies. Update staff on a regular basis and post your policy and guidelines as frequent reminders.

Page 22: HIPAA and HITECH : What you need to know

Best Practices

Limit access

Only authorized personnel should handle confidential documents.

Create a retention policy

Determine which documents you must keep and for how long. Clearly mark a destruction date on all records in storage.

Eliminate risk

Introduce a Shred-All policy for all documents that are no longer needed, so that your employees do not have to decide what is – or isn’t – confidential.

Secure destruction

Partner with a knowledgeable industry leader that specializes in secure information destruction.

Page 23: HIPAA and HITECH : What you need to know

Who is Shred-it?

• Shred-it specializes in providing a tailored information destruction service that allows businesses to comply with legislation and ensure that client, employee and confidential business information is kept secure at all times.

• Through our strict chain-of-custody processes, reliable on-time service and a global network of local service centers, Shred-it provides the most secure and efficient confidential information destruction service in the industry.

Page 24: HIPAA and HITECH : What you need to know

QUESTIONS?
