HIPAA RCM Myths, Facts, and Pitfalls

1. HIPAA RCMMyths, Facts, and Pitfalls Presented by: Mark Sammartano Blue Marsh Holdings, LLC www.bluemarshllc.com 866-794-1955

2. Overview • HIPAA Privacy Rule • HITECH – Key Initiatives • Enforcement – The Real Monster • Examples

3. What is PHI? • Protected Health Information • Individually identifiable health information – 18 specific data elements ►account numbers, MR#. • Relates to past present or future physical or mental health or; • The provision of health care to the individual, or; • The past, present, or future payment for the provision of health care to the individual. • ePHI – PHI maintained on electronic media.

4. Privacy Rule Myths or Facts? • Leaving messages on answering machines or with family members about appointments or prescriptions violates the Privacy Rule? • Discussing a medical bill with a spouse or guardian violates the Privacy Rule? • Sign-in logs are prohibited by the Privacy Rule? • Registration must be done in a soundproof environment to ensure incidental disclosure of PHI does not happen? • Patient names can’t be displayed doors? • Credit reporting is prohibited under the Privacy Rule? • The Privacy Rule prohibits sending PHI by FAX? • PHI can’t be sent by email?

5. Privacy Rule Exempt Activities - TPO • Treatment Examples: • Disclosing PHI to an interpreter for purposes of communicating with the patient; • Behavioral Health group therapy. • Payment Activities: • Communication with spouses and guardians; • Communicating with a Business Associate; • Location identification; • Credit Reporting. • Operations • Liability Insurance; • Medical Device Companies – for the treatment of a patient or payment for services; • Legal Counsel; • Fraud and abuse detection

6. Permitted Disclosures • To individuals or their representatives • TPO; • With Opportunity to agree or object; • Required by Law - Public interest and benefit activities; • Limited Data Set for research, public health or health care operations; • Incidental.

7. Incidental Uses and Disclosures “The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 CFR 164.502(a)(1)(iii). An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.” OCR HIPAA Privacy

8. Incidental Disclosures - Examples • Sign-In Logs; • Information on Monitors; • Registration Interviews • Appointment Reminders;

9. Accounting for Incidental Disclosure Incidental disclosures are exempt from accounting requirements as per 45 CFR 164.528(a)(1).

10. Opportunity to Agree or Object • Facility directories – patient must be able to opt-out of disclosure of name, location, condition, and religious affiliation for: • Disclosure to clergy; • Disclosure to persons who request individual by name; • Disclosure of PHI to family, friends, or other identified by individual; • Notification of location, condition, or death to family, personal representatives. • If an individual is not present or incapacitated, disclosures are permissible if in the best interest of the individual

11. Minimum and Necessary • Covered entities must limit unnecessary disclosure of PHI. Disclosure should be limited to what is necessary to accomplish the intended purpose; • The standard does not apply to: • Disclosures to or by a healthcare provider for treatment purposes; • Disclosures to the individual; • Authorized disclosures; • Disclosures for HIPAA compliance; • Disclosures to HHS for enforcement purposes; • Uses and disclosures required by law.

12. Minimum and Necessary Reasonable Reliance “Covered entities may reasonably rely upon requester’s determination as to minimum amount necessary if: • From a public official • From another covered entity • From a Business Associate for provision of professional service • From a researcher with IRB/Privacy Board documentation or other appropriate representations” http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/udmn.pdf

13. Other Privacy Rule Requirements • Notification – Patients must be given notification of their rights and the covered entities policies to comply with HIPAA; • Accounting for Disclosures – Covered entities must maintain and provide the individual with an accounting of certain disclosures.

14. Notification Composition45 CFR 164.520 (b) • How PHI is used and disclosed by the covered entity; • The individuals rights including how the individual can exercise these rights and how a complaint can be filed; • The covered entities legal duties regarding PHI; • How to obtain further information about the covered entities privacy policies.

15. Providing Notification • Must be available to any person who requests a notice; • Must be posted on any website that provides information about customer services or benefits; • Providers must provide notice no later than the first date of service; • Except in an emergency situation providers must make a good faith effort to obtain written acknowledgement. Efforts must be documented;

16. Providing NotificationContinued • Provide notice as soon as possible in an emergency treatment situation; • Make copies of the latest notice available for patients to take with them; • Post the notice in a clear and prominent location.

17. Accounting for Disclosures • TPO activities are excluded if not facilitated through EHR; • Examples of included disclosures: • For public health purposes; • Disclosure to social services or protective services; • Health oversight activities (audits, inspections); • Law enforcement.

18. Accounting for Disclosurescontinued • Coroners, Medical Examiners, or Funeral Directors; • Research without authorization; • Threats to health and safety; • FDA/IRB • Otherwise required or permitted by law; • Unauthorized disclosure (misdirected fax or email)

19. Personal Representatives • Sections 164.502 and 164.510(b) define personal representatives and individuals involved in the patients healthcare. • Personal representatives stand in the shoes of the individual under the privacy rule; • Authority of personal representatives can be limited. Example – living will.

20. Who is a Personal Representative? • Individuals with legal authority to make healthcare decisions; • Parents & Guardians. • Executor in cases of deceased individuals;

21. Personal Representative Exceptions • Parents & Guardians expressly prohibited by state law. Examples include: • State laws that allow adolescents the right to behavioral health without parental consent; • If a court or law authorizes someone other than the parent responsible for treatment decisions; • If the parent agrees to a confidential relationship between the minor and physician. • Abuse, neglect and endangerment situations caused by the personal representative

22. Covered Entity Documentation45 CFR § 164.530(j) • Policies and Procedures • Training provided, Privacy Official, Contact Person • Complaints to Covered Entity and their disposition, if any • Notice of Privacy Practices, Acknowledgement, and Good Faith efforts to obtain Acknowledgments • Authorizations • Business Associate Contracts • IRB (Institution Review Board)/Privacy Board Waivers • Designated record sets that are subject to access by the individual, access contact persons, requests, and responses

23. Documentation Requirementscontinued • Amendment contact persons, requests, denials, disagreements and rebuttals • Information required to be in accounting, accounting contact person, requests, and accountings provided to individual • Restriction Request Agreements • HCC (healthcare component) Designations – Hybrid Organizations • Affiliated Covered Entity Designations – common ownership or control; • Verification documents of public officials, personal representatives, etc. • Any other communication required by Rule to be in writing

24. HITECH • Part of the 2009 American Recovery and Reinvestment Act; • Includes new Business Associate provisions; • Introduced new security and privacy requirements; • Expands accounting requirements to all disclosures from EHR; • Enhanced Enforcement: • Establishes costly notification requirements for breaches of PHI; • Significantly increases fines and penalties (CMP); • Includes provisions for distribution of fines to individuals; • Criminal penalties range from 1 to 10 years imprisonment.

25. Business Associates • HITECH extends enforcement to BA as per 160.102 (b) final rule : “Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.” • HITECH specifies new provisions of the BA agreement. Covered entities should ensure their current BA agreements satisfy the HITECH requirements • HITECH extends notification requirements to breaches caused by BA’s.

26. Business AssociatesContinued • New BA effective 3/26/2013. Must be in place by 9/22/2014 • Bar lowered from significant risk of harm to requiring BA to demonstrate a low probability of PHI breach; • Breach is defined as an acquisition, access, use and/or disclosure of PHI not permitted under the Privacy Rule.

27. New Security and Privacy Requirements • Specifies controls for access to ePHI: • Multiple user accounts specifically prohibited; • Includes requirements for monitoring access to ePHI; • NIST encryption standards for data at rest and data in motion; • Defines 18 data elements of ePHI and de-identification standards;

28. EHR Accounting of Disclosures • HITECH expands accounting requirements to include TPO if facilitated through EHR; • Proposed rule still in comment period.

29. De-Identification of PHI A breach has not occurred if the PHI has been de-identified by either of the following methods: • Statistical Method; • Safe Harbor Method; • Encryption Method

30. De-identification of PHIStatistical Method • 45 CFR 164.514 (b) (1) risk is very small that information could be used, alone or in combination with other available information, to identify an individual; • An expert determines the risk is small using statistical and scientific methods; • Documents the methods and results of the analysis that support the determination.

31. De-identification of PHISafe Harbor Method Requires removing all 18 data elements: • Names; • All geographic subdivisions smaller than state; • All dates except for year directly related to the individual; • Telephone numbers; • FAX numbers; • Electronic Mailing Addresses;

32. Safe Harborcontinued • Social Security Numbers; • Medical Record Numbers; • Health plan beneficiary number; • Account Numbers; • Certificate/License Numbers; • VIN and Serial Numbers including license plate numbers;

33. Safe Harborcontinued • URLS; • IP addresses; • Biometric identifiers, including finger and voice prints; • Full face pictures or comparable images; • Any other unique identifying number, characteristic, or code.

34. Encryption Safe Harbor • Sec 13402 (a) – notification is required if unsecured PHI is breached; • (h) “Subject to subparagraph (B), for purposes of this section, the term ‘‘unsecured protected health information’’ means protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under paragraph (2). • Guidance 74 FR 190006: • NIST publication 800-111 data at rest • NIST publication 800-52 TLS security for data in motion. • NIST publication 800-77 VPNs • NIST publication 800-113 SSL VPNs

35. Encryption Safe Harborcontinued 74 FR 42740 “Therefore, if a covered entity chooses to encrypt protected health information to comply with the Security Rule, does so pursuant to this guidance, and subsequently discovers a breach of that encrypted information, the covered entity will not be required to provide breach notification because the information is not considered “unsecured protected health information” as it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals.”

36. Encryption Safe Harborcontinued 74 FR 42740 “On the other hand, if a covered entity has decided to use a method other than encryption or an encryption algorithm that is not specified in this guidance to safeguard protected health information, then although that covered entity may be in compliance with the Security Rule, following a breach of this information, the covered entity would have to provide breach notification to affected individuals.”

37. Breach Notification Requirements • Less than 500 individuals affected – must be reported to HHS on an annual basis and the individuals affected; • More than 500 individual affected – must report to HHS, major media outlets, and individuals within 60 days.

38. Enhanced Enforcement The Monster Is Here

39. Enforcement Actions • 9/17/2012 Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. settles HIPAA case for $1.5 million for “potential breaches” from an unencrypted stolen laptop; • 6/26/2012 Alaska DHSS settles HIPAA security case for $1,700,000 related to a USB drive stolen from the vehicle of a DHSS employee for “potential breach”.

40. Most Common Enforcement Actions • Impermissible uses and disclosures of protected health information; • Lack of safeguards of protected health information; • Lack of patient access to their protected health information; • Uses or disclosures of more than the minimum necessary protected health information; and • Lack of administrative safeguards of electronic protected health information. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html

41. Violation Categories and PenaltiesSection 1176(a)(1) Criminal penalties can range from 5 to 10 years

42. Criminal Penalties • Certain actions such as knowingly obtaining protected health information in violation of the lawcan subject individuals to criminal penalties; • Criminal penalties can range up to $50,000 and one year in prison for certain offenses; up t $100,000 and up to five years in prison if the offenses are committed under “false pretenses”; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm. http://www.hhs.gov/ocr/privacy/hipaa/news/2003/privacyfactsapril03.pdf

43. Distribution of CMP • SEC 13409 of HITECH calls for a methodology to distribute of a percentage of CMP to harmed individuals within 3 years of enactment of the law; • Possible incentive that will increase the number of complaints filed with OCR? • Predatory litigation?

44. Affirmative Defense Limitations as of 2/18/2009 • The violation is corrected within 30 days of the violation or the date the covered entity should have know of the violation or within the extended period of time allocated by the Secretary; • The covered entity did not have knowledge of, and through reasonable diligence, should not have had knowledge of the violation; • The violation was not caused by willful neglect. • Waiver – The Secretary may waive portions of or all of CMP for violations not caused by willful neglect if CMP is determined excessive. 74 FR 56128

45. Recap - Privacy Rule Myths or Facts? Leaving messages on answering machines or with family members about appointments or prescriptions violates the Privacy Rule. No – incidental disclosure: “the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back. A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).” http://www.hhs.gov/ocr/privacy/hipaa/faq/incidential_uses_and_disclosures/198.html

46. Recap - Privacy Rule Myths or Facts? Discussing a medical bill with a spouse or guardian violates the Privacy Rule. TPO - “The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made. Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. See 45 CFR 164.506(c) and the definition of “payment” at 45 CFR 164.501. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522.” http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures/266.html

47. Recap - Privacy Rule Myths or Facts? Sign-in logs are prohibited by the Privacy Rule. Incidental Disclosure: “Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).” http://www.hhs.gov/ocr/privacy/hipaa/faq/incidential_uses_and_disclosures/199.html

48. Recap - Privacy Rule Myths or Facts? Registration must be done in a soundproof environment to ensure incidental disclosure of PHI does not happen. No. “Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. This standard requires that covered entities make reasonable efforts to prevent uses and disclosures not permitted by the Rule. The Department does not consider facility restructuring to be a requirement under this standard.” http://www.hhs.gov/ocr/privacy/hipaa/faq/safeguards/197.html

49. Recap - Privacy Rule Myths or Facts? Patient names can’t be display doors. No. “The Privacy Rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure—for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called. In this case, disclosure of patient names by posting on the wall is permitted by the Privacy Rule, if the use or disclosure is for treatment (for example, to ensure that patient care is provided to the correct individual) or health care operations purposes (for example, as a service for patients and their families). The disclosure of such information to other persons (such as other visitors) that will likely also occur due to the posting is an incidental disclosure.” http://www.hhs.gov/ocr/privacy/hipaa/faq/safeguards/202.html

50. Credit reporting is prohibited by the Privacy Rule. Recap - Privacy Rule Myths or Facts? No – TPO: • Credit reporting is considered a payment function. HIPAA does not prohibit any aspect of credit reporting; • FCRA does prohibit publishing medical information on a credit report; • Under the FCRA credit bureaus do not list any information that shows the debt is related to Medical Services; • The unintended consequence is that medical credit reporting has become more effective.