HIPAA PRIVACY & SECURITY (agpersonnel.org/wp-content/uploads/2013/07/HIPAAPRIVACY.pdf)
TRANSCRIPT
HIPAA PRIVACY
& SECURITY
DEMONSTRATING A GOOD FAITH BUSINESS PRACTICE
-ENFORCEMENT
-OVERVIEW OF LAW
-BEST PRACTICE PROCESS
DAVID NIKSSARIAN
NIKSSARIAN INSURANCE SERVICES, INC.
30 YEARS SERVING THE AGRICULTURE INDUSTRY
INSURANCE AGENCY SPECIALIZING IN HEALTH/EMPLOYEE
BENEFIT PROGRAMS; ALSO WORKERS’ COMPENSATION, AND
EMPLOYMENT PRACTICES LIABILITY INSURANCE
MARY JANE EADSON, J.D.
EADSON COMPLIANCE CENTER, LLC
ENTIRE CAREER WORKING IN AGRICULTURAL INDUSTRY
LEGAL COMPLIANCE CONSULTANT TO AGRICULTURAL HR &
BENEFIT DEPARTMENTS, HEALTH AGENTS AND BROKERS, TPAS,
AND CARRIERS
PENALTY ENFORCEMENT
(Scary Stuff!)
STATISTICS
• HHS OFFICE FOR CIVIL RIGHTS HAS RECEIVED 77,190 COMPLAINTS;
  18,559 REQUIRED CORRECTIVE ACTION.
COMMON REASONS
1. IMPERMISSIBLE USE OR DISCLOSURE OF PHI
2. LACK OF SAFEGUARDS OF PHI
3. USE OR DISCLOSURE OF MORE THAN THE MINIMUM NECESSARY PHI
4. LACK OF PATIENT ACCESS TO THEIR PHI
5. LACK OF SAFEGUARDS OF ELECTRONIC PHI
PHI = PROTECTED HEALTH INFORMATION
HEADLINES
3/14/2012 – BLUE CROSS BLUE SHIELD OF TENNESSEE SETTLEMENT
OF $1.5 MILLION
2/22/2011 – HHS IMPOSES $4.3 MILLION PENALTY
ON CIGNET HEALTH
2/14/2011 – MASSACHUSETTS GENERAL SETTLES HIPAA
INVESTIGATION FOR $1 MILLION
CIVIL & CRIMINAL PENALTIES

| VIOLATION | MINIMUM | MAXIMUM |
| --- | --- | --- |
| INDIVIDUAL DID NOT REASONABLY KNOW THAT HE/SHE VIOLATED HIPAA | $100 PER VIOLATION, UP TO $25,000 ANNUALLY | $50,000 PER VIOLATION, WITH AN ANNUAL MAXIMUM OF $1.5 MILLION |
| HIPAA VIOLATION DUE TO REASONABLE CAUSE, NOT WILLFUL NEGLECT | $1,000 PER VIOLATION, UP TO $100,000 ANNUALLY | SAME AS ABOVE |
| HIPAA VIOLATION DUE TO WILLFUL NEGLECT AND NOT CORRECTED* | $50,000 PER VIOLATION, UP TO $1.5 MILLION ANNUALLY | SAME AS ABOVE |

*CRIMINAL PENALTY: + 1 YEAR IMPRISONMENT
OVERVIEW
HIPAA – 3 SPHERES OF LAW
• PORTABILITY
• SECURITY
• PRIVACY
PRIVACY
APPLIES TO COVERED ENTITIES:
•HEALTH PLANS
•HEALTH CARE CLEARINGHOUSES
•HEALTH CARE PROVIDERS
PRIVACY
APPLIES TO BUSINESS ASSOCIATES:
•EMPLOYER WITH GROUP HEALTH PLAN
(PLAN SPONSOR)
•CONSULTANTS
•VENDORS
EXAMPLES
•ENROLLMENT
•BENEFIT QUESTIONS
•CLAIMS QUESTIONS
PRIVACY BASICS
PROTECT USE & DISCLOSURE OF
PROTECTED HEALTH
INFORMATION OF AN INDIVIDUAL
ROLE OF HUMAN RESOURCES
HUMAN RESOURCES SITS BETWEEN THE EMPLOYEE AND THE EMPLOYER-SPONSORED HEALTH PLAN
WHEN MAY I DISCLOSE PHI?
• TREATMENT
• PAYMENT
• HEALTH CARE OPERATIONS
• AUTHORIZATION
HOW MAY I DISCLOSE
PHI?
• IN A REASONABLE MANNER
• FOR THE MINIMUM PHI
NECESSARY FOR PURPOSE
TO WHOM MAY I DISCLOSE PHI?
•THE INDIVIDUAL (HOLDER OF THE PHI)
•HEALTH PLAN
•BUSINESS ASSOCIATE
•OTHER INDIVIDUAL
SECURITY
• APPLIES TO ELECTRONIC PROTECTED HEALTH INFORMATION
• SAFEGUARDS:
  • ADMINISTRATIVE/OPERATIONS: IDENTIFY AND ANALYZE POTENTIAL RISKS TO ELECTRONIC PHI AND IMPLEMENT SECURITY MEASURES
  • PHYSICAL: LIMIT ACCESS TO FACILITIES WHERE ELECTRONIC PHI IS HOUSED
  • TECHNICAL: IMPLEMENT ACCESS, AUDIT, INTEGRITY AND TRANSMISSION CONTROLS ON INFORMATION SYSTEMS HOLDING ELECTRONIC PHI
WAIT…THERE’S MORE!
FINAL RULES
RELEASED JANUARY 17, 2013
• “The most sweeping changes to HIPAA Privacy and Security Rules since they were first implemented”
• “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA Privacy and Security protections …”
Leon Rodriguez, Director, HHS Office for Civil Rights
FINAL RULES
•EXPAND HIPAA PRIVACY AND SECURITY RULES TO BUSINESS ASSOCIATES
•TIERED PENALTIES UP TO THE WILLFUL-NEGLECT MAXIMUM OF $1.5 MILLION PER YEAR
•CERTAIN BREACHES OF UNSECURED PHI MUST BE REPORTED TO HHS
•PATIENT RIGHTS TO PHI EXPANDED
•PATIENT RIGHT TO RESTRICT DISCLOSURE OF PHI TO THEIR HEALTH PLAN (WHERE THE PATIENT HAS PAID FOR THE SERVICE OUT OF POCKET IN FULL)
•PROHIBITS SALE OF AN INDIVIDUAL’S HEALTH INFORMATION W/O PERMISSION
FINAL RULES
•MOST SIGNIFICANT CHANGE IS TO THE DETERMINATION OF A REPORTABLE BREACH TO THE OFFICE FOR CIVIL RIGHTS AND THE AFFECTED PARTY(IES)
•PREVIOUSLY, AN IMPERMISSIBLE USE HAD TO BE REPORTED ONLY IF THE COVERED ENTITY DETERMINED THAT IT POSED A SIGNIFICANT RISK OF FINANCIAL, REPUTATIONAL OR OTHER HARM TO THE AFFECTED INDIVIDUALS
•FINAL RULE: THE COVERED ENTITY/BUSINESS ASSOCIATE MUST REPORT THE BREACH TO OCR AND THE AFFECTED PARTY(IES) UNLESS [THEY] CAN DEMONSTRATE A LOW PROBABILITY THAT THE PHI HAS BEEN COMPROMISED, BASED ON A DOCUMENTED RISK ASSESSMENT OF AT LEAST (45 CFR 164.402): THE NATURE AND EXTENT OF THE PHI; THE UNAUTHORIZED PERSON WHO USED OR RECEIVED IT; WHETHER THE PHI WAS ACTUALLY ACQUIRED OR VIEWED; AND THE EXTENT TO WHICH THE RISK HAS BEEN MITIGATED
•PRESUMPTION THAT ALL IMPERMISSIBLE USE OF PHI IS A BREACH
RELATED PRIVACY RULES (CALIFORNIA STATE LAW)
•SECURITY OF PERSONAL INFORMATION
•SOCIAL SECURITY NUMBER CONFIDENTIALITY
•SOCIAL SECURITY NUMBER TRUNCATION ON PAY STUBS (NO MORE THAN THE LAST FOUR DIGITS)
•CONFIDENTIALITY OF MEDICAL INFORMATION ACT (CMIA)
ORGANIZING
BEST PRACTICES
TARGETING GOOD FAITH BUSINESS PRACTICE
• BEST PRACTICE
• PROCEDURES
• POLICY STANDARDS
• COMMUNICATIONS
• MAINTENANCE
BEST PRACTICES
THE BEST METHOD TO SAFEGUARD PHI IS NOT TO CREATE IT
- DO YOU NEED THE SSN ON THAT REPORT? IF NOT, HAVE IT/PROGRAMMING REMOVE IT FROM THE REPORT
- IF YOU RECEIVE A REPORT WITH AN SSN COLUMN YOU DO NOT NEED, DELETE THE COLUMN BEFORE FILING OR FORWARDING IT
BEST PRACTICES
DATA TRANSMITTAL
- PHI MUST NOT BE TRANSMITTED UNSECURED (UNENCRYPTED)
- ORDINARY E-MAIL IS NOT A SECURED METHOD; ENCRYPT THE FILE OR USE A SECURE TRANSFER CHANNEL INSTEAD
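The slides above ask for three concrete things: drop SSN columns from reports you do not need them on, truncate SSNs to the last four digits where they must appear (the pay-stub rule under related privacy rules), and never send PHI over ordinary e-mail. The Python below is an added example written for this page, not the presenters' code or any tool they name. It detects SSN columns in a CSV export either by header name or by content, drops or truncates them, and scans outgoing free text for SSNs so a message can be held back for a secured channel. The sample report, the column names, the header-name pattern and the "at least half the values" threshold are assumptions made for the example; the structural validity rules (no area 000, 666 or 900-999, no group 00, no serial 0000) are the Social Security Administration's.

```python
"""Added example: data minimisation for HR/benefits reports.

Drops or truncates SSN columns before a report leaves the department,
and scans outgoing text (an e-mail body, say) for SSNs so it is not sent
unsecured. The sample report and column names are constructed for this
example; the SSN validity rules are the SSA's (no area 000, 666 or
900-999, no group 00, no serial 0000).
"""
from __future__ import annotations

import csv
import io
import re

# Dashed form (123-45-6789) or nine bare digits. The \b boundaries stop
# matches inside longer digit runs such as account or phone numbers.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")

# Header names that advertise an SSN column (assumed; adjust to your exports).
SSN_HEADER_RE = re.compile(r"\bssn\b|social", re.IGNORECASE)


def is_valid_ssn(text: str) -> bool:
    """True if text is exactly one structurally valid SSN."""
    m = SSN_RE.fullmatch(text.strip())
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def truncate_ssn(ssn: str) -> str:
    """Keep only the last four digits, the pay-stub truncation form."""
    m = SSN_RE.fullmatch(ssn.strip())
    return f"XXX-XX-{m.group(3)}" if m else ssn


def find_ssn_columns(header: list[str], rows: list[dict[str, str]]) -> list[str]:
    """Columns whose name says SSN, or where at least half of the non-empty
    values are valid SSNs (catches 'Subscriber ID' style columns that some
    carriers historically filled with the SSN)."""
    found = []
    for col in header:
        if SSN_HEADER_RE.search(col):
            found.append(col)
            continue
        values = [r[col] for r in rows if (r.get(col) or "").strip()]
        if values and 2 * sum(is_valid_ssn(v) for v in values) >= len(values):
            found.append(col)
    return found


def minimize_report(csv_text: str, mode: str = "drop") -> str:
    """Return the report with SSN columns dropped (default) or truncated."""
    if mode not in ("drop", "truncate"):
        raise ValueError("mode must be 'drop' or 'truncate'")
    reader = csv.DictReader(io.StringIO(csv_text))
    header = list(reader.fieldnames or [])
    rows = list(reader)
    ssn_cols = find_ssn_columns(header, rows)
    if mode == "drop":
        header = [c for c in header if c not in ssn_cols]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if mode == "truncate":
            for col in ssn_cols:
                row[col] = truncate_ssn(row[col] or "")
        writer.writerow(row)
    return out.getvalue()


def find_ssns(text: str) -> list[str]:
    """Valid SSNs found in free text, e.g. an e-mail body about to be sent.
    A non-empty result means the message needs a secured channel instead."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_valid_ssn(m.group(0))]


# Constructed sample: a benefits report whose 'Subscriber ID' column is
# really the SSN (no header gives it away; the values do).
SAMPLE_REPORT = """Employee,Subscriber ID,Plan,Monthly Premium
Ana Ruiz,123-45-6789,HMO,412.50
Ben Ortiz,587-65-4320,PPO,530.00
Cy Dunn,,PPO,530.00
"""

if __name__ == "__main__":
    print(minimize_report(SAMPLE_REPORT))
    print(minimize_report(SAMPLE_REPORT, mode="truncate"))
    print(find_ssns("Ben's SSN is 587-65-4320; call 831/233-6700 with questions."))
```

Content-based detection is the part worth keeping: a header named "SSN" is the easy case, while the column that quietly carries SSNs under another name is the one that ends up in a forwarded spreadsheet. The word boundaries in the pattern keep ten-digit phone numbers and long account numbers from being flagged, and the structural rules keep obvious non-SSNs (area 666, group 00) out of the results; neither check proves a number is a real, issued SSN, so treat a hit as "review before sending", not as a verdict.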
BEST PRACTICES
RECORD STORAGE:
- CURRENT AND SHORT TERM
- LONG TERM
BEST PRACTICES
HEALTH PLAN BILLING
- SAFEGUARD IF SSN INCLUDED
- PROCESSING BY OTHER DEPARTMENTS
BEST PRACTICES
ENROLLMENT CARDS/FORMS
- WHO IS RESPONSIBLE FOR COLLECTING?
- DATA ENTRY?
- WHERE ARE THEY FILED?
- WHERE ARE THEY STORED LONG-TERM?
BEST PRACTICES
DOUBLE LOCK RULE
- HAVE TWO LOCKS BETWEEN THE OUTSIDE AND PHI
- A SECURITY (BURGLAR) ALARM COUNTS AS ONE
- AN INEXPENSIVE LOCKED CABINET VS. THE COST OF A COMPLAINT
BEST PRACTICES
JANITORIAL SERVICES
- PROCEDURE FOR ACCESS/TIMING
- BUSINESS ASSOCIATE AGREEMENT
BEST PRACTICES
INTERNET
- FIREWALLS
- ANTI-VIRUS SOFTWARE
- AUTOMATIC SCREEN LOCK AFTER A SHORT IDLE TIMEOUT
- ENCRYPTION
MISSING THE MARK
PENALTY
VIOLATION
REACTION
CONFUSION
ERRORS
CONTINUING THE BEST PRACTICE PROCESS
• STRATEGIC ASSESSMENT
• COMPLIANCE PLAN
• IMPLEMENTATION
• TRAINING
• INCIDENT MANAGEMENT
• MONITORING
OUR ROLE PROVIDES TRUST
•TRANSPARENCY – OPENNESS AND CLARITY IN ALL ACTIVITIES CONCERNING THE CAPTURE, COLLECTION, DISSEMINATION AND USE OF PROTECTED HEALTH INFORMATION
•STEWARDSHIP – WE ASSUME RESPONSIBILITY FOR THE HANDLING AND PROTECTION OF EMPLOYEE INFORMATION REGARDLESS OF THE SOURCE OR TYPE OF INFORMATION
“MOST PEOPLE DON’T DO WHAT’S
RIGHT…THEY DO WHAT’S CONVENIENT
AND THEN REPENT.” Bob Dylan
EADSON COMPLIANCE CENTER
www.eadsoncompliance.com
760/468-4082
NIKSSARIAN INSURANCE SERVICES, INC.
www.nikins.com
831/233-6700
THANKS FOR
ATTENDING