FCSRMC 2017 HIPAA PRESENTATION

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.
What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act.
* August 1996: Federal law enacted
* April 2001: Privacy Rule
* February 2010: HITECH Act
* March 2013: HIPAA Omnibus (Final) Rule
HIPAA's Privacy Rule

The HIPAA Privacy Rule:
* Addresses the use and disclosure of an individual's health information regardless of how it is communicated (electronically, verbally, or in writing).
* Establishes standards for an individual to understand and control how their health information is used.
* Assures that health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being.
Covered Entity (CE)

A Covered Entity includes a health plan or payor, a healthcare clearinghouse, and all healthcare providers who transmit any healthcare information in electronic form (including by telephone, fax machine or computer).

Examples:
* Physician Practices
* Dentists
* Hospitals
* Diagnostic Services (lab, radiology)
* Nursing Homes
* Pharmacies
* Home Health Agencies
* Health Plans
Covered Entity (CE)

FCSRMC is considered a Covered Entity and its member colleges act as the plan sponsor. A covered health plan includes a group health plan, which is defined as an employee welfare benefit plan under ERISA. This may include:
* hospital and medical benefit plans
* dental plans
* vision plans
* health flexible spending accounts
* employee assistance plans
Business Associate

A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of Protected Health Information (PHI) on behalf of, or provides services to, a Covered Entity. Examples include vendors, contractors and subcontractors such as:
* Billing Company
* Transcription Service
* Practice Management System
* Document Storage Company
* Collection Agency
* Attorney
* Accountant
* Consultant
* EMR/EHR System
* I.T. Vendor

Business Associates are accountable for protecting the privacy/security of PHI and are directly liable for criminal and civil penalties for violations.
Protected Health Information (PHI)

Protected Health Information (PHI) is:
* individually identifiable health information that has been transmitted or maintained in any medium (paper, verbal, electronic).
* created or received by the organization, relates to the health of an individual or payment for health services, and identifies the individual.

Identifiers that make health information individually identifiable include:
* Employee Name
* Medical Record Number
* Complete Address
* Certificate/License Number
* All Elements of Dates
* Vehicle Identifiers (License Plate Number)
* Telephone Numbers
* IP Address
* Fax Numbers
* Biometric Identifiers (voice and fingerprint)
* E-Mail Address
* Full Face Photographic Images
* Social Security Number
* Any Other Unique Identifying Number/Code
* Health Plan Beneficiary Number
* Account Numbers
De-Identified Health Information

De-identified health information refers to patient information that cannot be used to identify an individual. Examples of identifying elements:
* City, state, zip code of the patient's address
* Patient's date of birth
* Patient's date of death

Uses:
* Research (market analysis)
* Public Health purposes
* Quality Improvement activities
* Health care operations within a pharmacy or clinic practice
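As an added illustration of the two slides above (not part of the original presentation), the following Python script removes the listed identifiers from a constructed sample record and scrubs identifiers that leak into free-text notes. Field names, the sample record and the regular expressions are assumptions made for the example; keeping only the year of a date follows the Safe Harbor method in 45 CFR 164.514(b), which the slides do not spell out.

```python
import re

# Constructed sample record (not real patient data); its keys mirror the
# identifier list on the PHI slide plus the clinical content to retain.
SAMPLE_RECORD = {
    "employee_name": "Jane Q. Sample",
    "medical_record_number": "MRN-0048213",
    "address": "12 Elm St, Jacksonville, FL 32202",
    "date_of_birth": "1979-03-14",
    "date_of_death": None,
    "telephone": "904-555-0142",
    "email": "jane.sample@example.edu",
    "ssn": "123-45-6789",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt called 904-555-0142 on 2017-02-03 from IP 10.1.2.3; "
            "email jane.sample@example.edu re: A1c result 7.1%.",
}

# Direct identifiers from the slide: dropped outright.
DIRECT_IDENTIFIERS = {"employee_name", "medical_record_number", "address",
                      "telephone", "email", "ssn"}
# Date fields: only the year is retained (Safe Harbor assumption, see lead-in).
DATE_FIELDS = {"date_of_birth", "date_of_death"}

# Identifier shapes that commonly leak into free text (assumed formats).
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "DATE": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def scrub_text(text):
    """Replace free-text identifiers with [TYPE] tokens; return (text, counts)."""
    counts = {}
    for label, pattern in PATTERNS.items():
        text, hits = pattern.subn(f"[{label}]", text)
        if hits:
            counts[label] = hits
    return text, counts


def deidentify(record):
    """Return a copy of record with the slide's identifiers removed or reduced."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop the field entirely
        if key in DATE_FIELDS:
            out[key + "_year"] = value[:4] if value else None
        elif isinstance(value, str):
            out[key] = scrub_text(value)[0]   # clean free text
        else:
            out[key] = value
    return out
```

A record that still matches any of these patterns after scrubbing should be treated as PHI and handled under the Minimum Necessary rules, not released as de-identified data.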
Privacy Notice

A summary of the Privacy Notice that is brief and written in plain language will be provided to the employee. It will:
* State how PHI will be used and disclosed
* Include the individual's privacy rights, the date, and their signature or the signature of their representative
* Refer the individual to the organization's Notice of Privacy Practices

The Privacy Notice should be provided by the Group Health Plan's TPA (Florida Blue) to the Group Health Plan participants (FCSRMC).
Consent and Authorization

Covered Entities cannot share PHI without the individual's awareness of their privacy rights. To use and disclose PHI for purposes other than treatment, payment and health care operations, Covered Entities must obtain a standard consent or authorization, with a few exceptions. Consent can be revoked by an employee/individual (patient) in writing.

It is the policy of FCSRMC and its member colleges that individuals have a right to request that no disclosure be made of PHI. FCSRMC and its member colleges are not obligated to grant the request.
When Consent and Authorization is NOT Required

Permitted PHI disclosures without an authorization:
* Treatment: disclosures between Covered Entities (such as other healthcare providers) involved in the patient's care; information to/from a pharmacy or diagnostic center
* Payment: disclosure regarding balance to the patient, all information needed by the health plan, information to collection agencies
* Health Operations: fraud/abuse detection, compliance programs, government inspections, training new employees, competency assessments, business management activities, quality improvement activities
* Public health activities
* Victims of abuse, neglect or domestic violence
* Law enforcement purposes
* To comply with Workers' Compensation
* To avoid a serious threat to health or safety
When Consent and Authorization IS Required

An authorization is required for:
* Use and disclosure of PHI for purposes other than treatment, payment and health care operations
* Releasing psychotherapy notes
* Marketing, research, sale of PHI, and fundraising
* Releasing PHI to the patient's employer

An authorization must include:
* Description of the information to be disclosed
* Names of persons to whom the information is to be given
* Purpose of the disclosure
* An expiration date for the use of the information
Court Orders and Subpoenas

A covered health care provider or health plan may disclose PHI required by a court order, including the order of an administrative tribunal. However, the provider or plan may only disclose the information specifically described in the order.

A subpoena issued by someone other than a judge, such as a court clerk or an attorney in a case, is different from a court order. A covered provider or plan may disclose information to a party issuing a subpoena if the employee has signed a HIPAA authorization form specifically releasing the information, or if the provider or plan receives evidence that reasonable efforts were made to either:
* notify the person who is the subject of the information about the request, so the person has a chance to object to the disclosure; or
* seek a qualified protective order for the information from the court.
Individual's Rights

* Right to Restrict Disclosures
* Right of Access
* Right to Amendment
* Right to an Accounting of Disclosures

Requests for the above should be directed to, and processed by, the Group Health Plan's TPA.
Individual's Rights

Staff can file a written complaint if they believe their privacy has been violated. Complaints should be directed to the college's privacy contact, and any intimidating or retaliatory acts are prohibited. It is important for staff to know that their PHI is safeguarded against any intentional or unintentional use or disclosure that would violate the HIPAA Privacy Rule.
Minimum Necessary

Minimum Necessary means limiting the amount of PHI that is used (within the facility) or disclosed (outside the facility) to the least amount of information needed to accomplish the intended purpose.

Your facility should evaluate who should be accessing PHI (documented in job descriptions). Only staff who need access to PHI to perform their job duties should be granted access (a unique sign-on and password, access to paper files, etc.).

Minimum Necessary does not apply to requests/disclosures to staff or another healthcare provider for treatment purposes.
Medical Information and Personnel Records

In accordance with Section 112.0455, Florida Statutes (Drug-Free Workplace Act), drug screen results are confidential and exempt from disclosure under the public records law.

The Americans with Disabilities Act (ADA) and HIPAA require that all medical documents be filed separately from personnel records. Medical information should be kept confidential and away from personnel records even if the company does not fall under ADA or HIPAA regulations. Medical paperwork that should be filed separately includes the following:
* Reports from pre-employment physicals
* Drug and alcohol testing results
* Workers' compensation paperwork
* Medical leave of absence forms
* Disability paperwork
* Insurance applications that reveal pre-existing conditions
* Anything that identifies a medical issue
HIPAA Privacy vs. Security Rules

Privacy Rule:
* Sets standards for who needs access to PHI
* Applies to all forms of PHI (electronic, written, oral)

Security Rule:
* Ensures access is only given to those who need it to perform their job
* Only applies to electronic forms of PHI
HIPAA Security Rule

Security encompasses the measures organizations must take to protect information within their possession from internal and external threats.
Administrative Safeguards

* Establish HIPAA policies/procedures
* Provide security awareness training and reminders to staff
* Perform a risk analysis to determine where you might be vulnerable to a breach
* Have a Disaster Recovery Plan in case of emergency
* Implement sanctions and terminations for staff who breach PHI
* Manage passwords, including disabling access upon termination
* Appoint a Privacy/Compliance Officer and Security Official
* Implement Business Associate Agreements for all vendors who access PHI
Physical Safeguards

* Design a contingency operations plan for when data is temporarily unavailable
* Implement a security plan for the facility (door locks, electronic access controls, video monitoring)
* Install password protection on monitors
* Ensure monitors are not facing public areas
* Password protect thumb drives and documents containing PHI (Word, Excel, etc.)
* Properly dispose of devices (hard drives, copiers, fax machines, scanners)
Technical Safeguards

* Only use certified software systems
* Use data encryption/decryption on all devices (laptops, cell phones)
* Install firewalls and antivirus software
* Assign unique sign-ons and passwords to software containing PHI
* Utilize integrity controls to ensure PHI has not been tampered with or destroyed
* Implement automatic log-off after the system has been idle
* Back up data daily
* Continually monitor and audit systems to ensure they have not been hacked or compromised
Tips for Cybersecurity

* Protect mobile devices with passwords
* Maintain good computer habits: unique sign-ons and passwords, automatic log-off while idle, encryption, screen protectors
* Use a firewall and install anti-virus software
* Control access to PHI: only give access to those who need it to perform their job duties
* Use strong passwords and change them regularly
* Emails containing PHI should be sent as an encrypted file
* Control physical access (buildings, offices, servers, computers, fax machines)
Malware

Malware is malicious software that is specifically designed to gain access to or damage a computer without the knowledge of the owner. Malware includes:
* Adware: profit through forced advertising
* Spyware: stealing sensitive information
* Spam: unsolicited bulk messages sent through email with commercial, fraudulent or malicious intent
* Ransomware: extorting money by locking down the computer until a ransom is paid

The best protection from malware is to be careful when opening email attachments, to be cautious when visiting sites on the internet, and to install and maintain an updated, quality antivirus program.
Staff Training

Employers are required to provide privacy and security training to staff and to provide periodic security reminders. Security reminders include:
* How to maintain security, including the need for strong passwords
* Specific threats to PHI that have been identified, such as viruses
* PHI access restrictions
* Changes in policies/procedures concerning HIPAA regulations
* Procedures to follow for modifying access to PHI
* How to report security breaches and to whom
Enforcement of HIPAA Compliance

The Office for Civil Rights (OCR) has been assigned the authority to enforce the Privacy Rule. The OCR has several responsibilities:
* Investigating complaints it receives from individuals who believe that a Covered Entity is not complying with HIPAA privacy requirements
* Providing Covered Entities with assistance in order to achieve compliance
* Making determinations regarding exceptions to state law preemption

Any person or organization can file a complaint with OCR, but complaints typically must be filed within 180 days of the occurrence of an action in violation of the Privacy Rule.
Threats to Your PHI and Your Organization

* Employees
* Loss/Theft of Unsecured Devices
* Visitors
* Improper Use or Disposal
* Business Associates
* Hackers, Criminals
Breach of PHI

A breach is:
* The acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI.
* Any unauthorized use or disclosure of unsecured PHI, unless there is a low probability that the PHI has been compromised.

* More than 171 million people have been affected by HIPAA security breaches
* 144,622 patient complaints have been filed with the Office for Civil Rights (OCR)
* 35,741 cases have been investigated by the OCR; 69% required action by the Covered Entity
Breach of PHI by Entity (chart)

* Health Plan: 64%
* Healthcare Provider: 19%
* Business Associate: 17%

Breach of PHI by Type (chart)

Categories shown: Hacking/IT, Improper Disposal, Loss, Other, Theft, Unauthorized Access/Disclosure. Percentages shown: 75%, 14%, 1%, 5%, 2%, 4% (the pairing of label to value is not recoverable from the extracted slide).

Breach of PHI by Source (chart)

* Network Server: 76%
* Other: 7%
* Desktop Computer: 6%
* Laptop: 4%
* Electronic Medical Record: 4%
* Paper/Films: 2%
* Portable Electronic Device: 1%
* Email: 1%
Penalties under HIPAA

* $100 - $50,000 per violation: CE or BA did not know they had violated the law
* $1,000 - $50,000 per violation: violation due to reasonable cause and not willful neglect
* $10,000 - $50,000 per violation and up to 5 years imprisonment: violation due to willful neglect but was corrected
* $50,000 per violation and up to 10 years imprisonment: violation due to willful neglect and was not corrected
HIPAA Breaches

* Cignet Health, $4,300,000 fine: violated patients' rights by denying them access to their medical records when they requested them
* CVS Pharmacy, $2,250,000 fine: disposal of Protected Health Information in dumpsters
* Stanford Hospitals & Clinics, $4,000,000 fine: data from 20,000 patient records were found posted online
* University of Washington, $750,000 fine: PHI of 90,000 people was accessed after an employee downloaded an email attachment containing malware
* New York and Presbyterian Hospital, $3,300,000 fine: disclosure of 6,800 individual records on an unsecured server
* Affinity Health Plan, $1,215,780 fine: returned leased copiers without first erasing data contained on the hard drives
* Concentra Health Services, $1,725,000 fine: one unencrypted laptop was stolen
* Wellpoint, $1,700,000 fine: technical safeguards were not in place to verify the entities accessing its database containing PHI
Sanctions Policy

All workforce members must protect the confidentiality, integrity, and availability of sensitive information at all times. FCSRMC will take appropriate disciplinary action against employees, contractors, or any individuals who violate the information security and privacy policies or state or federal confidentiality laws or regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA). FCSRMC will impose sanctions on any individual who accesses, uses, or discloses sensitive information without proper authorization. Sanctions may include:
* policy changes
* personnel changes
* transfer to another department
* retraining
* written reprimands
* suspension
* termination
Document Retention

Maintain the following documentation for six years, unless a longer period applies:
* All policies and procedures
* Business Associate Agreements
* Signed Acknowledgement of Privacy Policies
* Authorization forms
* Notices and amended notices
* Training of employees
* Patient/employee complaints and their disposition (this must be documented on the complaint form and forwarded to FCSRMC)
Key Points

* Provide initial training at hire and annually thereafter. Use the group attendance log as documentation.
* Maintain a separate employee health file.
* Keep all protected information in a limited access area and under lock and key.
Key Points

* Ensure staff know who the Privacy Contact and Security Officer is for their location
* Identify systems/areas that have covered data (paper and electronic)
* Secure your PHI (paper and electronic)
* Ensure your HIPAA policies and procedures are updated and that their location is known by all applicable staff
* Assign internal roles and responsibilities
* Encrypt data at rest and/or in transit, including attachments to emails
* Install and update (when necessary) appropriate anti-malware and antivirus software
* Contact the Security Official prior to downloading software
How Can Staff Help?

* Do not write your password where others can see it and do not share it with anyone
* Use workstations properly: position computers so others cannot see the screen
* Know FCSRMC's policies and procedures, including the Sanctions policy
* Don't leave information open and unattended
* Don't discuss confidential employee information with unauthorized individuals
* Lock your computer, desk and file cabinets when you leave
* Use the shredder when destroying information
* Prevent malware infection on your computer by not downloading and installing anything you do not understand or trust, no matter how tempting (this includes other websites, emails, physical media, pop-up windows, other software, file-sharing)
* Report problems to the Privacy Contact at your facility
Questions?

Carol Crews, CMPE, CPMA, OHCC
Sr. Manager, Healthcare Advisory
BDO USA
(904) 224-9787
ccrews@bdo.com
References

More detailed information can be found at the following resources:
* U.S. Department of Health and Human Services. 45 CFR Parts 160 and 164. Federal Register. www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
* U.S. Department of Health and Human Services, Office for Civil Rights. www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf
* Centers for Medicare & Medicaid Services, Office of E-Health Standards and Services. www.hhs.gov/ocr/privacy/hipaa/enforcement/cmscompliancerev08.pdf
* U.S. Department of Health and Human Services. www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule