What Employers Need to Know About HIPAA and HITECH

Posted on 02-Jan-2022

fisherphillips.com

What Employers Need to Know About HIPAA and HITECH

Lorie Maring

Phone: (404) 240-4225

Email: [email protected]

Chelsea Deppert

Phone: (404) 240-4268

Email: [email protected]

Presented by:

Agenda

• HIPAA Basics and Background

• Use & Disclosure of PHI

• What is a Breach

• OCR Enforcement Efforts & Other Developments

• HIPAA Best Practices


Back to the Basics


HIPAA

• Health Insurance Portability and Accountability Act of 1996

• Title I: Portability and Nondiscrimination

• Title II: “Administrative Simplification”

▪ Includes the Privacy and Security Rules


HITECH and the Omnibus Rule

• The Health Information Technology for Economic and Clinical Health Act of 2009 was passed to create a national network of electronic health records. Among other things, it changed:

▪ Business Associate liability

▪ Breach analysis and notification

▪ Enforcement

• The Omnibus Rule followed


Who must comply?

• Group Health Plans

▪ Includes medical, dental, vision, health FSAs, some EAPs

▪ Does not include work comp, life insurance or disability plans

▪ Excluded if <50 participants, self-funded and self-administered

• Health Care Providers

▪ Who transmit health information in electronic form in connection with specific transactions

• Health Care Clearinghouses

• Does Not Include Employers, Just Their Plans


Benefits Plans subject to HIPAA

• individual plans providing medical care

• major medical plans

• dental and vision plans

• health flexible spending arrangements

• governmental health plans

• church plans

• wellness programs

• employee discount programs that provide discounted medical services

• retiree health plans

• on-site medical clinics (as a provider)


Benefits plans that might have to comply with HIPAA

• supplemental benefits (cancer insurance, hospital indemnity)

• employee assistance plans

• long-term care

• cafeteria plans

• life insurance

* coverage depends upon whether these plans provide medical care and whether they are maintained by an employer.


Who else must comply?

• Business Associates are service providers that perform a function or activity for a Covered Entity

▪ TPA

▪ Attorney

▪ Broker

▪ Actuary

▪ Accountant

▪ Service providers


Business Associate Contracting

(Diagram) Covered Entity → Contract → Business Associate → Contract → Business Associate Subcontractor → Contract → Business Associate Subcontractor. No contract is needed directly between the Covered Entity and the downstream subcontractors.


HIPAA: Digging a Little Deeper


Fully-insured Plans

• Most fully-insured plans will attempt to keep a “hands off” approach

• Summary Health Information

• Enrollment data

• Claims assistance

• FSAs and HRAs


Self-insured Plans

• Self-insured plans generally cannot qualify for “hands-off” status

• Includes the following self-insured arrangements:

▪ FSAs and HRAs (limited exception re excepted benefits)

▪ Employee Assistance Programs (EAPs)

▪ Group health (major medical type) plans

▪ Wellness Programs affiliated with a group health plan


HIPAA Required Notices/Disclosures

• Notice of Privacy Practices (NPP)

▪ The HIPAA Privacy Rule requires covered plans and providers to distribute a notice that provides a clear, user-friendly explanation of individuals’ rights with respect to their personal health information and the privacy practices of health plans and health care providers (model notice available on HHS website)

▪ Must provide to new enrollees at enrollment, a reminder at least every 3 years, and upon request

• Notice of Special Enrollment Rights

▪ Must notify eligible employees on/before the time that the employees are given the opportunity to enroll

▪ Best practice: Include in SPD


Electronic Disclosure

• HIPAA has specific requirements for electronic distribution of the NPP:

▪ Covered entity that maintains a web site that provides information about the covered entity's customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site

▪ Covered entity may provide the NPP by e-mail if the individual agrees to electronic notice and such agreement has not been withdrawn (if the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual)

▪ For covered health care providers with a direct treatment relationship, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual’s first request for service

▪ Participant retains the right to obtain a paper copy of the notice from a covered entity upon request


Acknowledgements & Recordkeeping

• A covered health care provider with a direct treatment relationship with individuals must make a good faith effort to obtain written acknowledgement from patients of receipt of the privacy practices notice

▪ Privacy Rule does not prescribe any particular content for the acknowledgement

▪ Provider must document the reason for any failure to obtain the patient’s written acknowledgement (unless emergency treatment situation)

• Covered entity must document compliance with the notice requirements by retaining copies of the NPP and, if applicable, any written acknowledgments of receipt of the NPP (or documentation of good faith efforts to obtain such written acknowledgment)


Protected Health Information (PHI)

• Individually identifiable health information created or received by a Covered Entity or Business Associate which relates to past, present, or future health care or payment for health care

• Excludes employment records

• Examine source, purpose and use to determine whether a document is an employment record

• ePHI is PHI stored or transmitted electronically


Information that is not PHI

• Summary Health Information (SHI)

▪ Info summarizing claims history, expenses or types of claims from which all identifying information has been removed

▪ SHI may be used only for modifying or terminating a health plan or seeking bids for coverage

• Use this information if feasible


Use / Disclosure of PHI w/o Authorization

• Treatment

• Payment

▪ Activity undertaken to fulfill plan responsibility for provision of benefits or obtain reimbursement for health care. Includes eligibility and coverage determinations, adjudication of benefit claims, coordination of benefits, determining cost-sharing, risk adjusting, billing, premium collection, claims management, medical necessity, cost review and utilization review.

• Healthcare Operations

▪ Activities directly related to treatment or payment. Includes internal quality oversight review, credentialing, legal services, audit functions, general administration, placing reinsurance, underwriting renewal or replacement of a contract of health insurance.

• Other Disclosures

▪ To the individual, Business Associates, or as required by law

• Emergencies

• If not, individual authorization is required


Minimum Necessary Standard

• Covered Entity/Business Associate must limit disclosure of PHI to the minimum necessary

• Only employees with a need to know may have access

• Identify employees who need access to PHI and limit access to those employees and the specific PHI necessary for them to perform job function

• Requests: establish policies and procedures limiting PHI disclosure to amount and type necessary


Security Rule Structure

• Security Rule requirements are called “Standards.”

• Each Standard has a general security requirement and identifies what a Covered Entity/Business Associate must do to meet the Standard (“implementation specifications”)

• Implementation specifications are either required (“R”) or addressable (“A”)

• R = must be implemented as stated in the Security Regulations

• A = addressable: the Covered Entity/Business Associate must assess whether the specification is reasonable and appropriate in its environment and implement it if so; if not, it must document why and implement an equivalent alternative measure where reasonable and appropriate


Security Requirements:

HIPAA Security Officer must regularly conduct reviews to make sure the following HIPAA security requirements are met and update procedures & safeguards accordingly:

1) Security Management Process – your company must have an overall process to prevent, detect, contain, and correct security violations.

2) Assigned Security Responsibility – your company must appoint a Security Official.

3) Workforce Security – your company must ensure all employees have access to ePHI appropriate to their duties and prevent others from obtaining access.


4) Information Access Management – your company must authorize appropriate access to ePHI.

5) Security Awareness and Training – your company must provide security awareness and training programs for workforce members who may handle/access ePHI (incl. mgmt.).

6) Security Incident Procedures – your company must adopt procedures to address attempted or successful unauthorized access, use, disclosure, modification, or destruction of info or interference with system operations in an information system.

7) Contingency Plan – your company must adopt a plan for emergency response (such as fire, vandalism, system failure, and natural disaster) when systems that contain ePHI are damaged.


8) Evaluation – your company must periodically evaluate (both technically and nontechnically) components of security safeguards.

9) Business Associate Contracts – your plan may permit a business associate to create, receive, maintain, or transmit ePHI only if you obtain a satisfactory written contract requiring the BA to comply with HIPAA.

10) Facility Access Controls – your company must limit physical access to electronic information systems or facilities in which they are housed, while ensuring that properly authorized access is allowed.


11) Workstation Use – your company must specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of specific workstations or classes of workstations with access to ePHI.

12) Workstation Security – physical safeguards are required for all workstations that access ePHI in order to restrict access to only authorized users.

13) Device and Media Controls – your company must monitor and control the receipt and removal of hardware and electronic media containing ePHI and their movement into, out of, and within your facility.

14) Access Control – your company must make sure the systems that maintain ePHI allow access only to persons or software programs that have been granted access rights.


15) Audit Controls – your company must record and examine activity in its information systems that store or use ePHI.

16) Integrity – your company must take steps to protect ePHI from improper alteration or destruction.

17) Person or Entity Authentication – your company must verify the identity of persons seeking access to ePHI.

18) Transmission Security – your company must guard against unauthorized access to ePHI that is being transmitted over an electronic communications network (e.g. encryption).


What security measures should you use?

• One Size Does Not Fit All

• Your company has flexibility in selecting among a variety of security measures to achieve compliance.

• Factors to consider:

▪ size, complexity, and capabilities of your company/plan

▪ technical infrastructure, hardware, and software security capabilities

▪ costs of security measures

▪ probability and criticality of potential risks to ePHI


Voluntary Cybersecurity Practices for the Health Industry

• Released by HHS on December 28, 2018 in partnership with industry representatives to raise awareness, provide vetted practices, and foster consistency in mitigating the most pertinent and current cybersecurity threats

• Consists of three documents (a main document and two technical volumes) plus an appendix of resources and templates

• Indicates the 5 main threat vectors & 10 practices to protect against those threats

• Tailored to small, medium, or large organizations based on the size/sophistication of the organization

• NOT standards; just guidance on “basic security hygiene”


Voluntary Cybersecurity Practices for the Health Industry

• Five current threats identified in healthcare:

1) Email Phishing Attacks

2) Ransomware Attacks

3) Loss or Theft of Equipment or Data

4) Internal, Accidental, or Intentional Data Loss

5) Attacks Against Connected Medical Devices that May Affect Patient Safety

• Ten practices to combat these threats:

1) Email Protection Systems

2) Endpoint Protection Systems

3) Access Management

4) Data Protection and Loss Prevention

5) Asset Management

6) Network Management

7) Vulnerability Management

8) Incident Response

9) Medical Device Security

10) Cybersecurity Policies


What is a Breach?

• Unauthorized acquisition, access, use, or disclosure of unsecured PHI in a manner not allowed by the Privacy Rule which compromises the security and privacy of an Individual’s PHI.

• PHI is unsecured if it is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology approved by HHS.


What do most breaches look like?


Breach Analysis After HITECH

The 2013 final rule to the HITECH Act provides that a covered entity or business associate must presume that an acquisition, access, use, or disclosure of PHI in violation of the privacy rule is a breach

This presumption holds unless the covered entity or business associate demonstrates that there is a “low probability” that the PHI has been compromised based on a risk assessment which considers at least the following factors:

• the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

• the unauthorized person who used the PHI or to whom the disclosure was made;

• whether the PHI was actually acquired or viewed; and

• the extent to which the risk to the PHI has been mitigated


Breach Procedures

• All unauthorized acquisition, access, use, or disclosure of PHI must be reported to the Privacy Official immediately.

• Notice to the Individual, Health and Human Services, and the Media may be required.


What are the penalties for failure to comply with HIPAA:

Civil Penalties


Criminal Penalties:

➢Fines up to $50,000 +

➢Imprisonment up to 1 yr

May apply to entity OR to workers

Government has started enforcing!


OCR HIPAA Compliance Efforts

• Since the Privacy Rule’s compliance date in 2003, OCR has received over 199,485 HIPAA complaints and has initiated over 928 compliance reviews

• OCR has settled or imposed a civil money penalty in 62 cases resulting in a total dollar amount of $96,581,582

• Most common types of covered entities required to take corrective action are:

▪ General Hospitals;

▪ Private Practices and Physicians;

▪ Outpatient Facilities;

▪ Pharmacies; and

▪ Health Plans (group health plans and health insurance issuers)

• Most investigated compliance issues:

▪ Impermissible uses and disclosures of PHI;

▪ Lack of safeguards of PHI;

▪ Lack of patient access to their PHI;

▪ Lack of administrative safeguards of ePHI; and

▪ Use or disclosure of more than the minimum necessary PHI


OCR Enforcement Efforts

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action.”

- OCR Director Roger Severino.


2018 HHS Enforcement Actions


Changes may be on the horizon

• In December 2018, HHS released a “Request for Information on Modifying HIPAA Rules To Improve Coordinated Care” soliciting input from the public on how the HIPAA Rules could be modified to further the HHS Secretary’s goal of promoting coordinated, value-based healthcare

• In addition to broad input, the RFI seeks comments on specific areas of the HIPAA Privacy Rule, including:

▪ Encouraging information-sharing for treatment and care coordination

▪ Facilitating parental involvement in care

▪ Addressing the opioid crisis and serious mental illness

▪ Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act

▪ Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the NPP


Don’t Forget State Privacy Laws!

• CA Confidentiality of Medical Information Act

▪ May require additional analysis in the case of a breach, depending on the facts and circumstances

▪ Applies to health plans, healthcare providers and “contractors” (i.e., business associates)

• All 50 states now have state-level breach laws

▪ Clients in other states could be affected

▪ The CA breach law exempts entities that properly follow HIPAA


Privacy / Security Compliance Obligations

• Designate Privacy & Security Officials

• Conduct annual risk assessment

• Maintain Written Policies

• Honor Individual Rights

• Audit both Privacy and Security Practices

• Maintain a Notice of Privacy Practices

• Obtain Individual Authorizations for non-plan functions

• Enter into agreements with Business Associates

• Amend your plan

• Report any breach


The Big Take Away

• Recognize PHI

• Only save PHI you need

• Secure physical PHI under lock and key

• Never keep copies of Employee Health Statements from enrollment applications

• Shred paper documents containing sensitive information once they have been saved in electronic format

• Sensitive employee information, from any source, should never be shared unless for a valid business reason and by a method that keeps it protected


The Big Take Away

• Never include sensitive information in the email subject line

• Secure and transmit ePHI in an encrypted form

• Do not send emails with sensitive information through Salesforce

• Secure phones, laptops and tablets (passwords, remote disabling, and locating software)

• Refer to company handbook for rules to protect the company’s computer systems and electronic information

• If you see something, say something


Thank You

Lorie Maring

Phone: (404) 240-4225

Email: [email protected]

Chelsea Deppert

Phone: (404) 240-4268

Email: [email protected]

Presented by: