Advanced HIPAA /19/2016. Today s Agenda. What is the HIPAA Privacy Rule? Abbie Miller, MCS-P

Transcription

1 Advanced HIPAA 2016 Abbie Miller, MCS-P Today s Agenda A HIPAA eye toward social media and texting Please get your Business Associate agreements in order! Some definitions pertaining to HIPAA Privacy Dispose of patient information correctly New and existing employees must be trained, and it must be documented What is the HIPAA Privacy Rule? Standards that address the use and disclosure of individuals protected health information or PHI by covered entities Standards for individuals' privacy rights to understand and control how their health information is used 1

2 Should You Bother With Compliance? Cardiac Practice Fined for Not Shielding Patient Info Should You Bother With Compliance? Federal government has fined a Phoenix cardiac medical practice $100,000 for posting patient appt. information online Should You Bother With Compliance?..agreed to pay penalty to settle violations of HIPAA 2

3 Should You Bother With Compliance? HHS investigations found no policies and procedures and few safeguards to protect PHI Should You Bother With Compliance? also didn t have documentation of trained employees, no risk analysis conducted, no privacy or security official Some Definitions Covered Entity: any provider who transmits or receives health information in electronic form in connection with a covered electronic transaction. Business Associate (BA): A person or company that acts on behalf of a covered entity performing functions that involve the use or disclosure of PHI. Protected Health Information(PHI): Individually identifiable health information that is maintained or stored in electronic or any other form or medium. It includes demographic and financial information about the patient. Electronic Protected Health Information (ephi): Individually identifiable health information that is transmitted, maintained, or stored in electronic form. 3

4 7 Steps to Achieve Privacy Compliance 1. Install a Privacy Officer 2. Define Minimum Necessary for Your Office 3. Write HIPAA Privacy Policies and Procedures 4. Customize Your NPP (Notice of Privacy Practices) 5. Train Your Team Members 6. Monitor Your Active Privacy Program 7. Business Associate Agreements In Place Monitor Your Active Privacy Program Conduct Initial Program Audit Conduct Regular Self- Audits Privacy Program Audits NPP Acknowledgement Audits 1. Install a Privacy Officer Be careful to choose someone who: can understand the rules and guidelines that govern HIPAA can acquire all new HIPAA rules and regulations and stay updated on any changes can comfortably work alongside practice leadership personnel 4

5 1. Install a Privacy Officer Privacy Officer Role Develop, implement, maintain and assure adherence to the Privacy Policies and Procedures for your practice Privacy Officer Purpose Oversee the protection of PHI 1. Install a Privacy Officer 2. Minimum Necessary Standard The minimum necessary standard requires you to evaluate your practices and enhance any safeguards as needed to avoid and limit unnecessary or inappropriate access to and disclosure of PHI. 5

6 2. Minimum Necessary Standard The Privacy Rule requires you to take reasonable action to limit the use or disclosure of, as well as requests for, PHI to the minimum necessary to accomplish your intended purpose. 2. Minimum Necessary Standard Determine your own set of standards in P&P Entire medical record may be appropriate in certain circumstances Identify who needs access to PHI to carry out duties Identify specific categories of PHI for each group Does not apply to: Health care providers for treatment purposes The individual in question Those under authorization Disclosures to HHS Required by law Prior to 4/14/03 Common Uses and Disclosures: TPO Does not require signed authorization Must list on the NPP Treatment: Doctors can share information freely with each other Payment: billing and collections activities; determination of eligibility Healthcare Operations: Quality assurance, scheduling, auditing, and employee review 6

7 3. Write HIPAA Policies & Procedures You are required to have written HIPAA Policies and Procedures in place for a valid HIPAA Compliance Program in your office. 3. Write HIPAA Policies & Procedures Patient s Right to Restrict Disclosure Can request restriction of info to carry out payment or HCO Can restrict information given to a family member Not required to agree to the restriction. Special form should be used for documentation 7

8 3. Write HIPAA Policies & Procedures Authorizations: Non-TPO Selling a patient mailing list Employer disclosures Life insurance eligibility questionnaires Marketing and testimonials Must stipulate the approved use Have an expiration date 8

9 3. Write HIPAA Policies & Procedures Incidental Uses and Disclosures Unintentional Overhead phone conversations when answered at the front desk. A patient passing by another room where treatment is taking place Everyday operations 3. Write HIPAA Policies & Procedures Accidental Disclosures Faxing or ing PHI to the wrong destination Disclosing PHI to an unauthorized person If harmful, must be disclosed to the patient. Always included on non-tpo disclosure log 9

10 3. Write HIPAA Policies & Procedures Disclosure Logs and Accounting Patient may request accounting of all non- TPO disclosures All but incidental disclosures should be logged Not required for those with authorization, reporting neglect or abuse, law enforcement, or prior to 4/14/03 10

11 3. Write HIPAA Policies & Procedures Use of Photographs Permitted but must be out of public view As part of a testimonial or other marketing effort, you must have authorization Can include in electronic or paper form 3. Write HIPAA Policies & Procedures Faxes PRIVILEGED AND CONFIDENTIAL: This document and the information contained herein are confidential and protected from disclosure pursuant to federal law. This message is intended only for the use of the Addressee(s) and may contain information that is PRIVILEGED AND CONFIDENTIAL. If you are not the intended recipient, you are hereby notified that the use, dissemination, or copying of the information is strictly prohibited. If you have received this communication in error, please erase all copies of the message and its attachments and notify the sender immediately. 3. Write HIPAA Policies & Procedures s This , including any attachments, may include PRIVILEGED AND CONFIDENTIAL information and may be used only by the person or entity to which it is addressed. If the reader of this is not the intended recipient, or his or her authorized agent, the reader is hereby notified that any dissemination, distribution, or copying of this is prohibited. If you have received this in error, please notify the sender by replying to this message, and delete this immediately. 11

12 3. Write HIPAA Policies & Procedures Debt Collection Permitted use of debt collection services Falls under payment Even skip tracing has been approved by HHS as routine 3. Write HIPAA Policies & Procedures Safeguards: Common Sense 3. Write HIPAA Policies & Procedures What s OK? Sign in sheets: minimal information name, time, etc. Verification of Callers: PHI over phone-- Password, SSN, DOB, Zip, Maiden Name Social Security Number: use sparingly, or last four digits only 12

13 3. Write HIPAA Policies & Procedures Phone Messages/ Appt. Reminders Reminders are good Postcards are ok Answering machines are ok Do not leave PHI on the call, or results of test OK to say that you are reminding of an appointment and date/time Should include that information in the NPP 3. Write HIPAA Policies & Procedures More Common Sense Not required: Private rooms Soundproof rooms Wireless encryption Encrypted telephones A good idea: Have patients wait a few steps back from counter Curtains or screens Speaking quietly Files turned backward Folders marked confidential All faxes/ that contain PHI marked confidential Fax machines secure locations 3. Write HIPAA Policies & Procedures EOB s and COB s When coordinating benefits, blacken any other patient s PHI on EOB Clear out anything that does not apply to the claim Otherwise is a violation of HIPAA law. 13

14 3. Write HIPAA Policies & Procedures Oral Communication Overheard conversations are unavoidable Phone conversations are ok Training situations Calling out patient s name is not a violation 3. Write HIPAA Policies & Procedures Patient s Right to Access Information Patient will request in writing Must act upon this within 30 days if onsite, 60 if written notice Can be in summary form if agreed to May charge a reasonable fee 3. Write HIPAA Policies & Procedures Destruction of Medical Records You are responsible for wrongful disclosures due to improper disposal of PHI. Shred, get receipt Erase Proper disposal 14

15 3. Write HIPAA Policies. & Procedures Copying Fees Most state laws provide a maximum that can be charged for copying medical records. NPP says first request in 12 months is free 3. Write HIPAA Policies & Procedures Other Patient Rights Can submit amendment to record, not a change Must consider amendment, don t have to accept Can designate a personal rep Deceased-legal rep Parent usually for minor 3. Write HIPAA Policies & Procedures Disclosures to Law Enforcement CAN NOT disclose DNA information to law enforcement trying to locate an individual May use your own policies for the good of the patient Victims of domestic violence/abuse Privacy Rule does not interfere with federal or state laws 15

16 3. Write HIPAA Policies & Procedures Privacy Complaints Handled by your office Privacy Compliance Officer Patients may not be forced to waive their right to complaints as a condition of treatment Step 1: PCO formally files complaint within their office-complaint form Step 2: PCO tries to resolve complaint within their office Step 3: If patient persists, instruct to file with Office for Civil Rights 3. Write HIPAA Policies & Procedures 3. Write HIPAA Policies & Procedures Have a policy & procedure for every area of PHI risk as well as for patient rights Include: Faxes & s Phone calls Neglect/abuse Etc. 16

17 4. Customize Your NPP (Notice of Privacy Practices) HIPAA gives your patients a right to be informed of the privacy practices of your office HIPAA gives patients the ability to be informed of their rights concerning HIPAA privacy 4. Customize Your NPP (Notice of Privacy Practices) A statement from the provider to the patient on how the patient s PHI will be handled and protected by the office. Must be provided on or before the first delivery of service, except in an emergency. 17

18 4. Customize Your NPP (Notice of Privacy Practices) Must make a good faith attempt to obtain a written acknowledgement that they have received a copy of your NPP. 5. Train Your Team Members Ongoing training required, updates Access PHI on need to know basis Keep employment records separate from treatment records Fully explain sanctions for failure to comply. 18

19 19

20 6. Monitor Your Active Privacy Program Conduct Initial Program Audit Conduct Regular Self- Audits Privacy Program Audits NPP Acknowledgement Audits Audit Your Privacy Program 20

21 Audit Privacy Safeguards Audit Privacy in Patient Charts - NPP 7. Business Associate Agreements Must comply directly with HIPAA Privacy A person or entity that provides certain functions on behalf of the covered entity Not a member of the provider s work force A CE who discloses PHI to providers for TX are NOT business associates 21

22 Who are Business Associates? Vendors or other external entities that are considered business associates must also be considered part of a healthcare organization's security plan. All linked organizations should be properly identified and have signed a business associate agreement. This will ensure all involved parties are aware of what is mandated by HIPAA. Internal policies such as privacy notices and breach notifications should not be overlooked because they are as critical as the technology aspect. 7. Business Associate Agreements The Privacy Rule requires that you obtain satisfactory assurances from your business associate that they will appropriately safeguard the PHI it receives or creates on behalf of your office. The satisfactory assurances must be in writing in the form of a contract or other agreement between yourself and the business associate. 7. Business Associate Agreements Examples are billing companies, consultants, auditors, clearing house, attorney, collection agency, document shredders, answering service, contractors, software vendor, offsite record storage. 22

23 HIPAA Omnibus Rule - BAA You no longer have to report failures of your BAs BAs are DIRECTLY liable for these violations BAs are responsible for their subcontractors BAs MUST comply with Security and Breach Notification rules YOU ARE RESPONSIBLE FOR THE AGREEMENT!! HIPAA Omnibus Rule - BAA You had until Sept 23, 2014 to bring all BAA up to date and in conformance with new rules. Agreements in place prior to March 26, 2013 remain compliant until renewed or modified or Sept 23, /2014--HIPAA Omnibus Rule - BAA You MUST review your relationships and determine if a BAA is needed Does your associate create, receive, maintain, store, or transmit PHI on your behalf? 23

24 Epic Fail 24

25 Purpose of HIPAA Security Protect ephi Electronic Protected Health Information Confidentiality Integrity Availability 7 Steps to Achieve Security Compliance 1. Install a Security Officer 2. Understand the rules 3. Make a list of ephi 4. Conduct a Risk Analysis 5. Implement policies & procedures 6. Deliver security awareness training 7. Monitor ongoing security processes Step 1: Install a Security Officer Be careful to choose someone who: can understand the rules and guidelines that govern HIPAA can acquire all new HIPAA rules and regulations and stay updated on any changes 25

26 Step 1: Install a Security Officer Be careful to choose someone who: will be able to comfortably work alongside practice leadership personnel is technologically savvy Step 1: Install a Security Officer Step 2: Understanding the Rules: Who Must Comply & How any provider who sends or receives ephi electronically covered entities must adopt measures to safeguard ephi 26

27 Step 2: Understanding the Rules: Types of Safeguards Administrative Safeguards Physical Safeguards Technical Safeguards Step 2: Understanding the Rules: Security Controls Administrative Controls Physical Controls Technical Controls Step 2: Understanding the Rules: Security Principles Comprehensiveness Scalability Technology Neutrality 27

28 Step 3: List ephi: Your Information Systems Step 4: Perform a Risk Analysis Standard #2 Security Management Process Risk Analysis is an Implementation Specification Required 6 Steps to Risk Analysis Understand your information systems Identify threats in your environment Identify vulnerabilities that threats could attack 28

29 6 Steps to Risk Analysis Identify probability that a threat could attack, analyze the criticality of impact, and summarize risk Implement applicable measure Document your process and results Your Risk Analysis Step 5: Policies & Procedures: HIPAA relies on standard business practices for policy development Procedures are step-by-step instructions that implement the policies 29

30 Step 5: Policies & Procedures: Workforce Security You must provide only the minimum necessary access to ephi that is necessary for a team member to do his/her job. Step 5: Policies & Procedures: Workforce Security Step 5: Policies & Procedures: Workforce Security 30

31 Step 5: Policies & Procedures: Contingency Plan A Contingency Plan is needed to implement strategies for recovering ephi should an office have an emergency or occurrence that disrupts critical business operations. ephi must be available when needed, and your contingency planning determines what is necessary in the event of a power outage or other occurrence. Step 5: Policies & Procedures: Contingency Plan You must establish and implement, as needed, policies and procedures for responding to emergencies ( Your Contingency Plan must include Disaster Recovery Plan and Emergency Mode Operations Plan Step 5: Policies & Procedures: Contingency Plan 31

32 Step 6: Policies & Procedures: Train Your Team Members Step 7: Monitoring Ongoing Security Processes Ensure your security plans, policies and procedures continue to adequately protect your ephi Implement an ongoing monitoring and evaluation plan A technical and nontechnical evaluation of your security controls and processes must be done to document any needs for change 32

33 Step 7: Monitoring Ongoing Security Processes All appropriate areas and employees must be included in the evaluation. When an environmental or operational change has occurred that could significantly affect your ephi, you must conduct an evaluation. Step 7: Monitoring Ongoing Security Processes: Breach Notification Step 7: Monitoring Ongoing Security Processes: Self Audits 33

34 Are you in HIPAA Denial? HIPAA is something I can get to when I m not busy I did my HIPAA-thing in 2003, I m all set. No one is REALLY going to check my program I m a small provider HIPAA is too complicated, they don t expect me to do this Time to Act! Time to Act! 34

35 Timeline HIPAA HITECH OMNIBUS HITECH Expansion Reach obefore: Covered Entities: healthcare organizations oafter: Covered Entities: expanded to business associates Economics HITECH Expansion obefore: ,000 cases reported, no one fined; in 2009, CVS fined $2.25 M- Daily fine: $100/day oafter: Fines up to $1.5 M / year; regulators at HHS now benefit directly from fines levied (significant uptick in fines) Daily fine: $50,000/day 35

36 HITECH Act Further expanded the businesses covered by HIPAA Privacy and Security Rules by beefing up BA agreements Required all to comply with redefined security breach notification rules Enhanced penalties that can be handed down, and increases enforcement Widened the scope of Privacy and Security protections available under HIPAA; Increased potential legal liability for noncompliance; Provided more enforcement of HIPAA rules. HITECH Act Omnibus Final Rule March 26, 2013 September 23,

37 Know Your State Laws If your state privacy and confidentiality laws are more stringent then HIPAA laws, you must comply to which has the highest level of protection. Omnibus: Three Main Focuses Privacy, Security, and Breach Notification policies and procedures Notice of Privacy Practices Business Associate Agreements HIPAA Omnibus Rule - Breach Redefines Breach Harder to avoid reporting a breach Redefines: significant risk of financial, reputational, or other harm 37

38 HIPAA Omnibus Rule - Breach Breaches presumed reportable unless after performing a risk assessment (applying four factors) it is determined there is a low probability of PHI compromise HIPAA Omnibus Rule - Breach 1) Nature and extent of the PHI involved consider: Sensitivity of the information from a financial or clinical prospective Likelihood the information can be reidentified HIPAA Omnibus Rule - Breach 2) The person who obtained the unauthorized access consider: Does this person have an independent obligation to protect the confidentiality of the information 38

39 HIPAA Omnibus Rule - Breach 3) Whether the PHI was actually acquired or accessed consider: Was the exposed PHI actually accessed by anyone who may have had the ability to access or acquire HIPAA Omnibus Rule - Breach 4) The extent to which the risk has been mitigated consider: Getting a signed confidentiality agreement from the recipient HIPAA Omnibus Rule - Breach No need for independent entity to conduct risk assessment No need to conduct assessment if notification is made Take steps to reduce risks in future Must still adhere to requirements for individual notification, HHS notification, and media posting where applicable 39

40 HIPAA Omnibus Rule - Disclosures At the patients request, you may NOT disclose information to a patient s health plan if they have paid out of pocket for their care. HIPAA Omnibus Rule - Disclosures 40

41 HIPAA Omnibus Rule - Marketing New rules limit circumstances when you can provide marketing communication to your patients WITHOUT written authorization HIPAA Omnibus Rule - Marketing 1) the physician receives no compensation for the communication; 2) the communication is face-to-face; 3) the communication involves a drug or biologic the patient is currently being prescribed and the payment is limited to reasonable reimbursement of the costs of the communication (no profit); HIPAA Omnibus Rule - Marketing 4) the communication involves general health promotion, rather than the promotion of a specific product or service; or 5) the communication involves government or government-sponsored programs. Physicians are still permitted to give patients promotional gifts of nominal value. 41

42 HIPAA Omnibus Rule - Copies Changes to timeframes and fees for patient s written requests of PHI You have 30 days (with ONE 30 day extension) HIPAA Omnibus Rule - Copies Must provide access to EHR and other electronic records in electronic form of patient requests readily reproducible Otherwise, must be in another mutually agreed upon electronic format Hard copies only ok when individual refuses all e- formats HIPAA Omnibus Rule - Copies You must consider transmission security when ing PHI You can send in unencrypted if the patient is made aware of risks and still requests 42

43 HIPAA Omnibus Rule - Copies New rule modified the costs that may be charged to the patient for copies include labor costs supply costs if the patient requests a paper copy if electronic, the cost of any portable media (such as a USB memory stick or a CD) Must follow state law if a lower reimbursement rate is set. HIPAA Omnibus Rule - NPP NPP must be update NPP Include: New breach notification guidelines Updated patient rights concerning disclosures to health plans Marketing using PHI HIPAA Omnibus Rule - NPP Post revised NPP Make copies available All new patients Anyone who requests Post new NPP to website 43

44 Acknowledgement (Notice of Privacy Practices) Must make a good faith attempt to obtain a written acknowledgement that they have received a copy of your NPP. 44

45 New Rules Game Changer?! This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented, said HHS Office for Civil Rights Director Leon Rodriguez. These changes not only greatly enhance a patient s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates. HIPAA Omnibus Rule - Vigorous Enforcement Unaware of violation - $100 to $50,000 Reasonable cause violation - $1,000 to $50,000 Willful neglect - $10,000 to $50,000 Willful neglect - $50,000 to $1.5 million Multiple HIPAA violations - surpass $1.5 million. 45

46 Does Enforcement Happen? Massachusetts provider settles HIPAA case for $1.5 million Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as MEEI ) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules. MEEI has also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of their patients protected health information and retain an independent monitor to report on MEEI s compliance efforts. OCR s investigation followed a breach report submitted by MEEI, as required by the HIPAA Breach Notification Rule, reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ephi) of MEEI patients and research subjects. The information contained on the laptop included patient prescriptions and clinical information. OCR s investigation indicated that while MEEI s management was aware of the Security Rule, MEEI failed to take necessary steps to comply with the requirements of the Rule, such as such as conducting a thorough analysis of the risk to the confidentiality of ephi maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ephi that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ephi to authorized users of portable devices, and adopting and implementing policies and procedures to address security incident identification, reporting, and response. Does Enforcement Happen? HHS Settles with Health Plan in Photocopier Breach Case Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored in copier s hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents. HIPAA Social Media and Texting Woes In today s world of Social Media dominance, it s easy to forget that HIPAA violations are a real concern Texting is also considered electronic means 46

47 Scenario #1 Associate doctor leaves to open new clinic Calls his buddy the CA and asks her to take pictures of a patient s x-rays and text them because he doesn t have time to wait for them to send them through the mail Scenario #2 CA posts on Facebook Just met (name of famous football player) he is such a nice guy Friend replies, How did you meet? CA replies, Came in to get adjusted for low back problem Profile reveals CA works at ABC Chiropractic General Rules of Thumb Don t talk about patients, even in general terms. It s too easy to identify patients by geography, circumstances, etc. A simple slip up can have far-reaching effects 47

48 General Rules of Thumb When providing educational content on your site, blog or Facebook page, avoid specifics OK to be general like, Low back concerns of XYZ nature often present with these symptoms Never point out a specific case with any particulars that could be traced back to a patient If you wouldn t say it in the elevator, don t put it online. You can try speaking your post out loud before hitting the enter key. You are always representing your office and your profession General Rules of Thumb General Rules of Thumb Don t mix your personal and professional lives. Use separate accounts for your personal and professional lives Don t friend patients on Facebook Check privacy settings often and assume that anything you put online could become public If you want to have a professional presence on Facebook, create a page apart from your personal account 48

49 General Rules of Thumb Only use your cell phone for business texts if PW protected Don t use for appointment scheduling or for having a whole conversation about a condition This becomes part of the medical record Need to be able to track and document Record Retention HIPAA related documents are retained for 6 years Applies to authorizations, audit records, CA agreements, and contracts Destruction of Medical Records You are responsible for wrongful disclosures due to improper disposal of PHI. Shred, get receipt Erase Proper disposal not sitting around in office 49

50 Know What Happens if you Sell Your Practice HIPAA allows for the exchange of PHI without a written release between current and prior, or contemporaneously treating Does not permit the handover of PHI from one doctor to another, without the patient s written permission, when a practice is being sold Dr. A does not know if all of his/her former patients are going to treat with Doctor B. For this reason, Dr. A cannot just hand over patients confidential records to Dr. B Just handing the records over to the purchasing practitioner or corporate entity may seem expedient, but it is a HIPAA violation Possible Solutions Patients may not stay with new provider May make sense for the purchasing practitioner to agree to retain the records on site, essentially providing storage services for the selling practitioner s records Seller and purchaser enter into a contractual agreement that the purchaser will provide the seller with access to the physical record upon reasonable notice (such as two business days), and that the purchaser will not release or dispose of any original records without the seller s written permission As a part of this process, it will be necessary for seller and purchaser to execute a BAA, which helps ensure compliance with HIPAA s requirements Authorization is Required Patients who elect to stay with new provider can sign authorization New provider can then legally access the stored records Authorization is kept on file 50

51 HIPAA is a Process Not an Event Implementation requires commitment Don t try to do it alone Realize, that like OIG Compliance it s a process that will be ongoing, evergreen Take the first step to update what you have in place with these new forms and procedures Have fun! Helping Increase Paperwork Across America! Need Help? info@kmcuniversity.com 51