HIPAA: Health Insurance Portability and Accountability Act of 1996
Federal Security Rule

HIPAA INTRODUCTION - What is HIPAA?

HIPAA = The Health Insurance Portability and Accountability Act, a federal law created in 1996.
H = Health
I = Insurance
P = Portability
A = Accountability
A = Act
It is considered the most significant healthcare legislation since Medicare in 1965.

HIPAA OVERVIEW

HIPAA has two parts:
- Insurance Reform [Portability]
- Administrative Simplification [Accountability], which covers:
  - Transactions, Code Sets & Identifiers (compliance date: 10/16/2002, or 10/16/2003 for entities that filed for the one-year extension)
  - Privacy (compliance date: 4/14/2003)
  - Security (compliance date: 2005)

Who is covered: providers, hospitals, health plans, laboratories, clearinghouses, billing agencies, pharmacies, etc.

The three security goals:
- Confidentiality: information is only available or disclosed to persons authorized to receive it
- Integrity: information has not been altered or destroyed without proper authorization
- Availability: information is accessible and usable upon demand by authorized personnel

Copyright 2012 - Academy of Dental Learning
WHAT IF WE DO NOT COMPLY?

Non-compliance:
- $100 for each violation
- Maximum of $25,000 per year per specific provision

Unauthorized disclosure or misuse of patient information:
- Penalties up to $250,000
- Prison time up to 10 years

(These are the penalty tiers enacted in 1996. The HITECH Act of 2009 replaced the civil tier with a graduated schedule that reaches $1.5 million per year per provision, so treat the figures above as a floor, not a ceiling.)

PRIVACY vs. SECURITY - What's the Difference?

PRIVACY refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access that information.

SECURITY refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss.

Privacy Rule: applies to protected health information in electronic, oral, and paper media.
Security Rule: applies to electronic protected health information (ePHI) at rest, during transmission, and on receipt.*
*Does not include information sent by fax.

PRIVACY

HIPAA Privacy definitions (just a few):
- Protected Health Information
- Authorization
- Treatment, Payment, Healthcare Operations
- Patient Notice
- Uses & Disclosures
- Minimum Necessary
- Business Associate Agreements

Protected Health Information (PHI)
Individually identifiable health information relating to the past, present or future health condition of the individual. This covers all such information, whether maintained electronically, in paper form, or communicated orally. PHI cannot be released unless authorized by the patient, for treatment, payment, or healthcare operations, or as the Privacy Rule otherwise permits (for example, when required by law).
Authorization
A covered entity may not use or disclose protected health information without a valid written authorization from the individual, except where the Privacy Rule permits the use or disclosure without one (for example, for treatment, payment, and health care operations). An authorization must be specific and, with narrow exceptions, cannot be combined with other documents.

Treatment, Payment & Operations
- Treatment: the provision, coordination or management of health care and related services by one or more health care providers, including consultation or referral.
- Payment: collection of premiums, reimbursement, coverage determinations, risk adjusting, billing, claims management, medical necessity determinations, utilization review, and preauthorization of services.
- Health Care Operations: specified activities by or for a health plan or health care provider that are related to its covered functions, including quality assessment and improvement; peer review, training and credentialing of providers; business planning; and business management.

Patient Notice
A description of the uses and disclosures of protected health information made by the covered entity. Every patient will receive a copy of the Patient Notice and will be asked to sign an Acknowledgement. Patients are told how their protected information will be used and disclosed, and have their rights explained in the Notice of Privacy Practices.

Uses & Disclosures
- Use: employment, application, utilization, examination or analysis of information within the covered entity that holds the information.
- Disclosure: release, transfer, provision of access to, or divulging in any other manner of information outside the covered entity holding the information.

Minimum Necessary
A covered entity must make reasonable efforts to limit uses, disclosures, and requests for protected health information to the minimum necessary to accomplish the intended purpose (except uses and disclosures for treatment purposes). For internal uses of protected health information, workforce members must be classified on a need-to-know basis, with appropriate controls over access to PHI for each class. For routine and recurring disclosures, standard protocols may be used to determine the minimum necessary amount of PHI required. For non-routine disclosures, a covered entity must develop and apply criteria for determining the minimum necessary amount required.
SECURITY OVERVIEW

Purpose: to protect both the system and the information it contains from unauthorized access and misuse.

Encompasses: all safeguards in a covered entity's structure, including:
- Information systems (hardware/software)
- Personnel policies
- Information practice policies
- Disaster preparedness

SECURITY FINAL RULE PUBLISHED - In effect April 2005

- Administrative Procedures: to ensure security plans, policies, procedures, training, and contractual agreements exist
- Physical Safeguards: to provide assigned security responsibility and controls over all media and devices
- Technical Security Services: to provide specific authentication, authorization, access, and audit controls to prevent improper access to electronically stored information
- Technical Security Mechanisms: to establish communications/network controls to avoid the risk of interception and/or alteration during electronic transmission of information

HIPAA SECURITY STANDARDS - What is the Security Rule?

Bottom line: we must assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability. We must protect information commensurate with the level of risk and the magnitude of harm that would result from loss, misuse, unauthorized access, or modification.

Confidentiality: the property that data or information is not made available or disclosed to unauthorized persons or processes. Must protect against unauthorized uses, disclosures, and access.

Integrity: the property that data or information has not been altered or destroyed in an unauthorized manner. Must protect against improper destruction or alteration of data, and must provide appropriate backup in the event of a threat, hazard, or natural disaster.

Availability: the property that data or information is accessible and usable upon demand by an authorized person.

PHI IDENTIFIERS
Health information that carries any of the following is individually identifiable, and therefore PHI; under the Privacy Rule's safe-harbor method, all of them must be removed before information counts as de-identified.
- Name
- Address: street address, city, county, zip code (beyond the first 3 digits) or other geographic codes
- Dates directly related to the patient
- Telephone number
- Fax number
- Email addresses
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or device serial number
- Web URL, Internet Protocol (IP) address
- Finger or voice prints
- Photographic images
- Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)
- Age greater than 89 (because the population aged 90 and over is small enough to be identifying)
Not only is HIPAA required, it's good for business.

Getting started:
- Perform a physical and technical inventory
- Conduct a risk assessment
- Develop policies and procedures

Physical Safeguards:
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Control
HIPAA SECURITY STANDARDS - Administrative Safeguards

- Risk Analysis: conduct an assessment of the potential risks and vulnerabilities to ePHI
- Risk Management: implement security measures sufficient to reduce those risks to a reasonable level
- Assigned Security Responsibility: assign a security official
- Sanction Policy: apply sanctions against workforce members who fail to comply
- Information System Activity Review: implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
- Authorization and Supervision: implement procedures for the authorization and/or supervision of workforce members who access ePHI
- Workforce Clearance Procedure: ensure employees have access appropriate to their job
- Termination Procedures: ensure that terminated employees no longer have access to protected information
- Isolating Health Care Clearinghouse Functions: if a clearinghouse is part of a larger organization, protect its ePHI from unauthorized access by the larger organization
- Access Authorization: implement policies and procedures for granting access to protected health information
- Access Establishment and Modification: create policies that ensure users have only the access they need to do their jobs, and review that access when roles change
- Security Reminders: provide initial training on policies and procedures, as well as periodic security updates
- Protection from Malicious Software: establish procedures for guarding against, detecting, and reporting malicious software
- Log-in Monitoring: procedures for monitoring log-in attempts and reporting discrepancies
- Password Management: develop procedures for creating, changing, and safeguarding passwords
- Response and Reporting: implement policies and procedures to identify and respond to security incidents, mitigate their harmful effects, and document incidents and their outcomes
- Data Backup Plan: establish and implement procedures to create and maintain retrievable exact copies of ePHI
- Disaster Recovery Plan: establish (and implement as needed) procedures to restore any loss of data
- Emergency Mode Operation Plan: establish (and implement as needed) procedures to continue critical business processes after an emergency
- Testing and Revision Procedures: implement procedures for periodic testing and revision of the contingency plans
- Evaluation: perform periodic technical and non-technical evaluation of how well your security policies and procedures meet the requirements of the Security Rule

HIPAA SECURITY STANDARDS - Physical Safeguards

- Workstation Use: create policies and procedures that specify the proper functions to be performed, the manner in which they are performed, and the physical attributes of the surroundings of workstations that access ePHI
- Workstation Security: implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users only

HIPAA SECURITY STANDARDS - Technical Safeguards

- Unique User Identification: assign a unique name and/or number for identifying and tracking user identity
- Emergency Access Procedure: establish (and implement as necessary) procedures for obtaining necessary ePHI during an emergency
- Automatic Logoff: implement electronic procedures that terminate an electronic session after a predetermined period of inactivity
- Encryption and Decryption: implement a mechanism to encrypt and decrypt ePHI
- Person or Entity Authentication: implement procedures to verify that a person or entity seeking access to ePHI is the one claimed
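The Log-in Monitoring, Termination Procedures and Information System Activity Review items above describe reviews without saying how to run them. The following is an added example, not material from this course, showing how those three checks can be automated over an audit log: it flags bursts of failed log-ins, successful log-ins by accounts that should have been removed at termination, and log-ins outside business hours. The log format, user IDs, workstation names, the terminated-user list, the five-failures-in-five-minutes threshold and the 07:00-19:00 business day are all assumptions made for the illustration, and the sample log is constructed, not captured from any real system.

```python
"""Log-in monitoring over a constructed audit log (added example, not course material).

Implements three of the administrative safeguards listed above:
repeated failed log-ins (Log-in Monitoring), successful log-ins by
terminated workforce members (Termination Procedures) and log-ins
outside business hours (Information System Activity Review).
Log format, hostnames, user IDs, thresholds and business hours are
all assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not captured from any real system.
# Assumed format: "<ISO timestamp> <user id> <LOGIN_OK|LOGIN_FAIL> <workstation>"
SAMPLE_LOG = """\
2012-03-05T08:02:11 jdoe LOGIN_OK front-desk-1
2012-03-05T08:05:40 mlee LOGIN_FAIL op-2
2012-03-05T08:05:52 mlee LOGIN_FAIL op-2
2012-03-05T08:06:03 mlee LOGIN_FAIL op-2
2012-03-05T08:06:15 mlee LOGIN_FAIL op-2
2012-03-05T08:06:30 mlee LOGIN_FAIL op-2
2012-03-05T08:07:01 mlee LOGIN_OK op-2
2012-03-05T12:30:00 rgone LOGIN_OK billing-1
2012-03-05T23:15:09 jdoe LOGIN_OK front-desk-1
this line is malformed and must not crash the review
2012-03-06T08:01:00 jdoe LOGIN_OK front-desk-1
"""

# Hypothetical: user IDs whose access should have been removed at termination.
TERMINATED_USERS = {"rgone"}

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL) (\S+)$")


def parse_log(text):
    """Return (timestamp, user, event, workstation) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line is itself worth noting, but must not abort the review
        ts, user, event, host = m.groups()
        events.append((datetime.fromisoformat(ts), user, event, host))
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Map user -> most LOGIN_FAIL events seen inside any one `window`,
    for users who reach `threshold` failures within a window."""
    fails = defaultdict(list)
    for ts, user, event, _ in events:
        if event == "LOGIN_FAIL":
            fails[user].append(ts)
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def terminated_user_logins(events, terminated=TERMINATED_USERS):
    """Successful log-ins by accounts that should no longer exist."""
    return sorted({user for _, user, event, _ in events
                   if event == "LOGIN_OK" and user in terminated})


def after_hours_logins(events, open_hour=7, close_hour=19):
    """Successful log-ins outside the assumed 07:00-19:00 business day."""
    return [(ts.isoformat(), user, host)
            for ts, user, event, host in events
            if event == "LOGIN_OK" and not (open_hour <= ts.hour < close_hour)]


def review(text):
    """Run all three checks over one log and return the discrepancies to report."""
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "terminated_user_logins": terminated_user_logins(events),
        "after_hours_logins": after_hours_logins(events),
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

On the constructed log this reports mlee for five failures in under a minute, rgone for a successful log-in after termination, and jdoe's 23:15 log-in as after hours. The thresholds are the part to tune to your practice: a five-failure burst that is followed by a successful log-in, as in mlee's case, is exactly the pattern a reviewer should look at rather than dismiss as a forgotten password.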
HIPAA SECURITY STANDARDS - Administrative: Passwords

Your user ID and password are critical to ePHI security. Maintain your password in a secure and confidential manner.
- DO NOT keep an unsecured paper record of your passwords.
- DO NOT post your password in open view, e.g. on your monitor.
- DO NOT share your password with anyone.
- DO NOT use the same passwords for work and for your personal accounts.
- DO NOT include passwords in automated logon processes.
- DO NOT use weak passwords.

Password rules:
- Passwords must be changed every 90 days.
- Passwords must be changed immediately whenever there is any question of compromise.
- Strong passwords must be used wherever possible:
  - A minimum of 8 characters in length
  - Must contain characters from at least 3 of the following 4 categories: upper case, lower case, numerals, keyboard symbols
(The 90-day interval is this course's policy rather than a Security Rule requirement; current NIST guidance, SP 800-63B, advises against forced periodic changes and for changing a password whenever compromise is suspected, which the second rule already covers.)

HIPAA SECURITY STANDARDS - Administrative: Malicious Software

Emails with attachments should not be opened if:
- The sender is unknown to you
- You were not expecting the attachment
- The attachment is suspicious in any way
Do not open non-business-related email attachments or suspicious web URLs. Do not open file attachments or URLs sent via instant messaging.

HIPAA SECURITY STANDARDS - Physical: Workstations

- Position workstations so as to avoid viewing by unauthorized personnel.
- Use privacy screens where applicable.
- Use automatic password-protected screen savers.
- Lock, log off, or shut down workstations when not attended.
- Workstation access should be controlled based on job requirements.

FINAL NOTE on PRIVACY & SECURITY