CCPA Seminar: A HIPAA UPDATE September 11, 2012

Presentation Transcript

  1. CCPA Seminar: A HIPAA UPDATE
  September 11, 2012
  Pamela H. Del Negro, Robinson & Cole LLP

  2. Agenda
  • HIPAA Overview
  • HIPAA Audit Protocols
  • What to include in your HIPAA Policies and Procedures Manual
  • HIPAA Training for Employees and Staff
  • Recent Enforcement Efforts and Upcoming Regulatory Updates


  4. WHAT INFORMATION IS PROTECTED UNDER HIPAA?
  • Protected Health Information (“PHI”) is individually identifiable health information in any form that relates to the health or condition of an individual or the payment for health care
  • Does not include de-identified information or employment records

  5. PERMITTED USES AND DISCLOSURES OF PHI
  • To the individual
  • Treatment, payment & health care operations
  • Pursuant to valid authorization
  • Business associates

  6. DISCLOSURE PERMITTED AFTER OPPORTUNITY TO AGREE OR OBJECT
  • Facility directory (sign-in sheet/hospital log)
    • Disclose limited information (e.g., name, location in facility, general description of condition, religious affiliation)
  • Persons involved in care
    • If patient is present, ask whether disclosure is permitted
    • If patient is not present, use professional judgment and infer from circumstances
    • Limit disclosure to information directly relevant to such person’s involvement

  7. USES AND DISCLOSURES WITHOUT AUTHORIZATION
  Under limited circumstances, the following uses and disclosures do not require authorization or opportunity to object:
  • Public Health Activities
  • Reporting Victims of Abuse, Neglect, or Domestic Violence
  • Health Oversight
  • Judicial or Administrative Proceedings
  • Law Enforcement Purposes
  • Decedent’s Information
  • Organ/Tissue Donation
  • Avert a Serious Threat to Safety
  • Specialized Government Functions
  • Research (if IRB waives requirement)
  • Workers’ Compensation
  CONSULT STATE LAW!

  8. AUTHORIZATION
  • A more specific and detailed form of permission designed to allow other uses or disclosures of PHI
  • Required for all uses and disclosures not specifically permitted by HIPAA, and required for uses or disclosures of certain sensitive information
  • Individual has a right to revoke the authorization
  • Generally cannot condition treatment on the individual providing an authorization
  • Not necessary if special circumstances (e.g., emergency) apply

  9. HOW MUCH PHI CAN I USE OR DISCLOSE?
  • In general, must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary
  • Comply with policies and procedures that limit the amount of information to the minimum necessary to perform your job
  • Your job description may limit your level of information access

  10. HOW MUCH PHI CAN I USE OR DISCLOSE?
  • Special rules:
    • Treatment purposes – no limits
    • Authorized disclosures – limited to the terms of the authorization
    • To the individual – no limits
    • Compliance purposes – no limits
    • Other legally required disclosures – as limited by law

  11. PERSONAL REPRESENTATIVES
  • Person with authority to act on behalf of individual, for example:
    • Parent of a minor
    • Court-appointed guardian/conservator
  • Has all rights of individual with respect to relevant PHI

  12. ABUSE, NEGLECT, AND ENDANGERMENT
  • May choose not to treat an individual as a personal representative if:
    • Not in the individual’s best interest, and
    • The individual is suspected to be a victim of abuse or neglect by the personal representative, or
    • Treating the individual as the personal representative could endanger the individual

  13. VERIFICATION
  • Verify the identity of a person requesting information and determine that the person has the authority to receive the information

  14. PRIVACY OFFICER
  • DUTIES OF THE PRIVACY OFFICER (OR AS DELEGATED)
    • Develop Privacy Policies and Procedures
    • Coordinate with administration to implement privacy requirements
    • Develop administrative, technical, and physical safeguards
    • Maintain documentation and records for required time periods
    • Conduct periodic audits
    • Serve as a privacy consultant
    • Serve as liaison to government oversight agency
    • Receive (as contact person) and respond to individual complaints
    • Attempt to mitigate harm caused by improper disclosures

  15. NOTICE OF PRIVACY PRACTICES
  • Must be provided to all individuals prior to service delivery
  • Identifies the types of uses and disclosures that are permitted and required by you
  • Sets forth description of individual’s rights
  • States your duties to maintain the confidentiality of the PHI
  • Outlines the process for an individual to submit a complaint concerning a suspected privacy violation

  16. ACKNOWLEDGMENT/CONSENT FORM
  • Patient acknowledges receipt of Notice of Privacy Practices
  • Consent to use for treatment, payment and health care operations
  • Not the same as an Authorization

  17. RIGHTS OF INDIVIDUALS
  • Basic rights of individuals under HIPAA:
    • Access
    • Amendment
    • Accounting of disclosures
    • Restrictions on use and disclosures
    • Confidential communications
    • Complaint process

  18. RETALIATION AND WAIVER
  • Retaliation: You may not intimidate, threaten, coerce, discriminate against or take retaliatory action against another person for:
    • Exercising a right provided by HIPAA
    • Filing a complaint with OCR
    • Assisting in a HIPAA-related investigation or hearing
    • Opposing any act unlawful under HIPAA
  • Waiver: You may not require individuals to waive rights to file a complaint under HIPAA as a condition of treatment.

  19. BUSINESS ASSOCIATES
  • Perform functions, activities or services on behalf of covered entities involving the use or disclosure of PHI, including:
    • Functions or Activities
      • Claims processing or administration
      • Data analysis
      • Utilization Review
      • Quality Assurance
      • Billing
      • Benefit Management
      • Practice Management
    • Services
      • Legal
      • Actuarial
      • Accounting
      • Administrative
      • Financial

  20. PENALTIES
  • Civil Penalties
    • Unknowingly – $100/violation
    • Reasonable cause – at least $1,000/violation
    • Willful neglect – HHS will conduct an investigation
      • If willful neglect but corrected, no less than $10,000, not to exceed $50,000
      • If not corrected, $50,000 per violation, not to exceed $1,500,000/year
  • State Attorney General
  • Criminal Penalties (e.g., intent to sell)


  22. Breach Notice Requirement
  • Part of HITECH
  • Notify each individual whose Unsecured PHI has been or is reasonably believed to have been accessed, acquired, used or disclosed as a result of a breach of Unsecured PHI (“Affected Individual”)
  • “Unsecured PHI” is any PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through encryption or destruction

  23. Definition of Breach
  • “Breach” is the unauthorized acquisition, access, use or disclosure of PHI that (i) violates the HIPAA privacy rules and (ii) compromises the security or privacy of such PHI
  • “Compromises the security or privacy of PHI” = poses a significant risk of financial, reputational, or other harm to the Affected Individual

  24. Definition of Breach (cont.)
  • Exclusions to definition of “breach”
    • Unintentional acquisition/access/use of PHI by a workforce member or individual acting under the authority of a covered entity or business associate if:
      • made in good faith
      • within the course and scope of authority
      • does not result in further use or disclosure

  25. Definition of Breach (cont.)
  • Exclusions (cont.)
    • Inadvertent disclosures by an individual authorized to access PHI to another individual authorized to access PHI at the same entity, where such information is not further used or disclosed
    • Disclosure with good faith belief that the unauthorized individual to whom PHI has been disclosed would not reasonably have been able to retain the information
  • Document the reasons why such use or disclosure satisfies the respective exception

  26. Risk Assessment
  • Fact-specific analysis that varies with each impermissible use or disclosure
  • If there is less than a significant risk of harm, then no notice is required
  • Document risk assessments

  27. When a Breach is Considered Discovered
  • As of the first day the breach is known or, by exercising reasonable diligence, would have been known
  • Knowledge of workforce member or agent is imputed

  28. Content of Notice
  Covered entities must provide breach notices that are written in plain language and include:
  • What happened
  • Types of Unsecured PHI involved (e.g., full name, SSN)
  • Steps the Affected Individuals should take to protect themselves from potential harm
  • Covered entity’s actions to investigate the breach, mitigate harm to the Affected Individual, and protect against any further breaches
  • Contact procedures that Affected Individuals can use to ask questions or learn additional information

  29. Delivery of Notice
  • Sent by first-class mail (or by electronic mail if the Affected Individual has specified such preference)
  • “Without unreasonable delay,” but no later than 60 days after the discovery of such breach
  • No current contact information for one or more Affected Individuals: notify through substitute form as soon as reasonably possible
    • Less than 10 Affected Individuals
      • Alternative written means
    • More than 10 Affected Individuals
      • Conspicuous posting for a period of 90 days on home page of Web site or in major print or broadcast media

  30. Notice to HHS and Media Outlets
  • Less than 500 Affected Individuals
    • Maintain a log of breaches
    • Notify HHS of breaches 60 days after end of calendar year in manner specified on HHS website
  • More than 500 Affected Individuals
    • Notify HHS contemporaneously with the notice provided to the Affected Individuals
    • If the Affected Individuals reside in the same state
      • Notify prominent media outlets serving the state
      • Written notice to the Affected Individuals
      • Notify HHS of such breach
  • HHS to specify on its Web site the information that covered entities must submit to HHS and how such information should be submitted to HHS

  31. Business Associate Requirements
  • Notify covered entity upon discovery of breach of Unsecured PHI
    • “Without unreasonable delay” and in no case later than 60 days after discovery of breach
  • Identity of each individual subject to breach
  • Provide other available information that covered entity is required to include in notice to Affected Individual
    • Provide information even if not available until after notifications have been sent to Affected Individuals or after 60-day period has elapsed

  32. Delaying Notice
  • Delay if law enforcement official determines that providing notice would impede a criminal investigation or cause damage to national security
    • If notice of delay is provided in writing and includes length of time that notice must be delayed, delay providing notice for time specified
    • If notice of delay is given orally, document statement and identity of official and delay notification for no longer than 30 days, unless written statement is provided

  33. Step-by-Step Analysis
  • Practical steps when determining whether a breach of Unsecured PHI has occurred:
    Step 1: Determine whether there has been an impermissible use or disclosure of PHI that would violate the HIPAA privacy rules
    Step 2: Perform a risk assessment to determine harm
    Step 3: Determine whether an exception to the definition of “breach” applies
  • If there has been a breach of Unsecured PHI, provide appropriate notice
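The breach analysis on slides 22 through 33 is a decision procedure: the three steps, then the individual-notice deadline, the substitute-notice threshold, the HHS and media thresholds, and the law-enforcement delay. The following Python model is an added example, not code from the presentation, written from an incident-response playbook point of view. The class and function names (`BreachFacts`, `plan_notification`, `sample_plan`) and the sample scenario are constructed for illustration; the numbers are the ones the slides state. The slides do not say what happens at exactly 10 or exactly 500 Affected Individuals, so the code applies the larger-group rule at those boundaries, which is an assumption.

```python
"""Breach notification planner modelled on slides 22-33 (added example).
Thresholds and deadlines are those stated on the slides; the boundary
handling at exactly 10 / 500 individuals is an assumption."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class BreachFacts:
    discovered: date                    # first day known, or should have been known (slide 27)
    affected_count: int
    unsecured: bool                     # PHI not encrypted/destroyed (slide 22)
    impermissible_use: bool             # Step 1: violates the privacy rules
    significant_risk_of_harm: bool      # Step 2: risk assessment outcome
    exception_applies: bool             # Step 3: an exclusion on slides 24-25 applies
    missing_contact_info: int = 0       # Affected Individuals with no current address
    majority_in_one_state: bool = False  # the >500 individuals reside in the same state
    le_delay_written_days: Optional[int] = None  # written law-enforcement delay, days stated
    le_delay_oral: bool = False         # oral law-enforcement delay, no written statement yet


@dataclass
class NotificationPlan:
    notice_required: bool
    reason: str
    individual_notice_deadline: Optional[date] = None
    substitute_notice: Optional[str] = None
    hhs_notice: Optional[str] = None
    media_notice: bool = False
    actions: List[str] = field(default_factory=list)


def is_notifiable_breach(f: BreachFacts) -> Tuple[bool, str]:
    """Steps 1-3 of slide 33 plus the 'Unsecured PHI' precondition of slide 22."""
    if not f.unsecured:
        return False, "PHI was encrypted or destroyed; it is not Unsecured PHI"
    if not f.impermissible_use:
        return False, "no impermissible use or disclosure under the privacy rules"
    if not f.significant_risk_of_harm:
        return False, "risk assessment found less than a significant risk of harm"
    if f.exception_applies:
        return False, "use or disclosure falls within an exclusion from 'breach'"
    return True, "breach of Unsecured PHI"


def plan_notification(f: BreachFacts) -> NotificationPlan:
    required, reason = is_notifiable_breach(f)
    plan = NotificationPlan(notice_required=required, reason=reason)
    plan.actions.append("document the risk assessment and the basis for this outcome")
    if not required:
        return plan

    # Individual notice: without unreasonable delay, no later than 60 days after discovery.
    deadline = f.discovered + timedelta(days=60)
    # Law-enforcement delay (slide 32): written request for a stated period, or oral request
    # capped at 30 days unless a written statement follows.
    if f.le_delay_written_days is not None:
        deadline += timedelta(days=f.le_delay_written_days)
        plan.actions.append("delay notice for the period stated in the written request")
    elif f.le_delay_oral:
        deadline += timedelta(days=30)
        plan.actions.append("document the oral statement and the official's identity; "
                            "delay no more than 30 days unless a written statement is provided")
    plan.individual_notice_deadline = deadline
    plan.actions.append("send first-class mail (or e-mail where the individual chose it) "
                        "with the plain-language content listed on slide 28")

    # Substitute notice when contact information is missing (slide 29).
    if f.missing_contact_info > 0:
        if f.missing_contact_info < 10:
            plan.substitute_notice = "alternative written means"
        else:  # assumption: exactly 10 handled like 'more than 10'
            plan.substitute_notice = ("conspicuous 90-day posting on the Web site home page "
                                      "or in major print or broadcast media")

    # HHS and media notice (slide 30).
    if f.affected_count < 500:
        plan.hhs_notice = ("log the breach; notify HHS 60 days after the end of the calendar "
                           "year in the manner specified on the HHS website")
    else:  # assumption: exactly 500 handled like 'more than 500'
        plan.hhs_notice = "notify HHS contemporaneously with the notice to the Affected Individuals"
        if f.majority_in_one_state:
            plan.media_notice = True
            plan.actions.append("notify prominent media outlets serving the state")
    return plan


def sample_plan() -> NotificationPlan:
    """Constructed scenario: 620 individuals, 12 without a current address, oral delay request."""
    facts = BreachFacts(discovered=date(2012, 9, 11), affected_count=620, unsecured=True,
                        impermissible_use=True, significant_risk_of_harm=True,
                        exception_applies=False, missing_contact_info=12,
                        majority_in_one_state=True, le_delay_oral=True)
    return plan_notification(facts)


if __name__ == "__main__":
    p = sample_plan()
    print(p.notice_required, p.reason, p.individual_notice_deadline)
    for a in p.actions:
        print(" -", a)
```

The value of encoding the procedure this way is that every branch ends in a documented action, which matches the repeated instruction on slides 25 and 26 to document risk assessments and exception reasoning even when no notice turns out to be required.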


  35. HIPAA or State Law?
  • HIPAA is a federal floor of privacy and security protections
  • General rule: State laws contrary to HIPAA are preempted by HIPAA
  • State laws providing greater protection than HIPAA are not preempted by HIPAA


  37. HIPAA Security Rule
  • Protects the confidentiality, integrity and availability of protected health information that is maintained or transmitted electronically (“ePHI”)

  38. HIPAA Security Rule
  • CONFIDENTIALITY – ePHI must not be made available or disclosed to an unauthorized person or process, including employees who do not have a need to use the information
  • INTEGRITY – ePHI must not be altered or destroyed in an unauthorized manner
  • AVAILABILITY – ePHI must be accessible and useable by an authorized person at all times

  39. What Information is Protected Under Security Rule?
  • Electronic transmissions of ePHI within the company, as well as transmissions to outside entities
  • Extends to all members of the workforce, including those who work at home
  • Exceptions:
    • Facsimile
    • Telephone systems (voice or keypad)
    • Copy machines
    • Videoconferencing systems
    • Voicemail

  40. Who Must Comply with Security Rule?
  • Covered entities and business associates are required to comply with the Security Rule
  • The HIPAA Security Rule mandates that certain safeguards be implemented to protect ePHI, including:
    • Administrative safeguards
    • Physical safeguards
    • Technical safeguards
  • Safeguards include:
    • Controls to limit access to ePHI by workforce
    • Audits to determine who accessed ePHI and when ePHI was accessed

  41. Who is Responsible for Implementing Security Safeguards?
  • “Security Officer” is responsible for:
    • Developing and implementing security safeguards to protect ePHI
    • Addressing security concerns
    • Periodically auditing and assessing the security of ePHI
  • The designation of a Security Officer must be documented and may be the same person as the Privacy Officer
  • Security Standards must be addressed
    • Implementation Specifications
      • Required
      • Addressable
        • If not reasonable and appropriate, document reasons

  42. Administrative Safeguards
  • Documented policies and procedures for:
    • Managing day-to-day operations
    • The conduct and access of workforce members to ePHI
    • The selection, development and use of security controls

  43. Administrative Safeguards (cont.)
  • Standard: Security Management Process
    • Risk analysis (required)
    • Risk management (required)
    • Sanction policy (required)
    • Information system activity overview (required)
  • Standard: Security Responsibility
  • Standard: Workforce Security
    • Authorization and/or Supervision (addressable)
    • Workforce Clearance Procedure (addressable)
    • Termination Procedure (addressable)

  44. Administrative Safeguards (cont.)
  • Standard: Information Access Management
    • Access Authorization (addressable)
    • Access Establishment and Modification (addressable)
  • Standard: Security Awareness and Training
    • Security Reminders (addressable)
    • Protection from Malicious Software (addressable)
    • Log-in Monitoring (addressable)
    • Password Management (addressable)
  • Standard: Security Incident Procedures
    • Response and Reporting (required)

  45. Administrative Safeguards (cont.)
  • Standard: Contingency Plan
    • Data Backup Plan (required)
    • Disaster Recovery Plan (required)
    • Emergency Mode Operation Plan (required)
    • Testing and Revision Procedures (addressable)
    • Applications and Data Criticality Analysis (addressable)
  • Standard: Evaluation
  • Standard: Business Associate Contracts and Other Arrangements
    • Written Contract or Other Arrangement (required)
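Several of the administrative specifications on slides 43 and 44 (information system activity review, termination procedure, access authorization, log-in monitoring) and the audit requirement on slide 40 ("who accessed ePHI and when") only mean something if someone actually reads the access logs. The script below is an added example, not code from the presentation, of a periodic activity review run over a few constructed log lines. The log format, the role table (`ROLE_ACTIONS`), the terminated-user roster and the two thresholds are assumptions for illustration; a real review would take them from the access-control system and the workforce records.

```python
"""Information system activity review over constructed access-log lines (added example).
Log format, role table, roster and thresholds are assumptions for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: timestamp followed by key=value fields. All names are fictitious.
SAMPLE_LOG = """\
2012-09-11T08:02:13 user=jdoe role=billing action=LOGIN result=OK
2012-09-11T08:02:30 user=jdoe role=billing action=VIEW record=MRN-1001 result=OK
2012-09-11T08:03:40 user=jdoe role=billing action=EXPORT record=MRN-1002 result=OK
2012-09-11T02:15:09 user=tgone role=clinical action=VIEW record=MRN-1003 result=OK
2012-09-11T09:10:00 user=xlee role=clinical action=LOGIN result=FAIL
2012-09-11T09:10:20 user=xlee role=clinical action=LOGIN result=FAIL
2012-09-11T09:10:41 user=xlee role=clinical action=LOGIN result=FAIL
2012-09-11T09:11:05 user=xlee role=clinical action=LOGIN result=OK
2012-09-11T10:00:00 user=mrook role=clinical action=VIEW record=MRN-1004 result=OK
2012-09-11T10:00:05 user=mrook role=clinical action=VIEW record=MRN-1005 result=OK
2012-09-11T10:00:09 user=mrook role=clinical action=VIEW record=MRN-1006 result=OK
2012-09-11T10:00:14 user=mrook role=clinical action=VIEW record=MRN-1007 result=OK
2012-09-11T10:00:18 user=mrook role=clinical action=VIEW record=MRN-1008 result=OK
2012-09-11T10:00:22 user=mrook role=clinical action=VIEW record=MRN-1009 result=OK
"""

# Assumed role table (Access Authorization): the actions each role is authorised to perform.
ROLE_ACTIONS = {
    "billing": {"LOGIN", "VIEW"},
    "clinical": {"LOGIN", "VIEW", "UPDATE"},
}
# Assumed roster of accounts that the Termination Procedure should already have disabled.
TERMINATED_USERS = {"tgone"}
FAILED_LOGIN_THRESHOLD = 3       # Log-in Monitoring: repeated failures worth a look
DISTINCT_RECORD_THRESHOLD = 5    # broad access in one review period (minimum necessary)

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'timestamp k=v k=v ...' into a dict; raise ValueError on a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed log line: {line!r}")
    fields = {"ts": m.group(1)}
    for tok in m.group(2).split():
        if "=" not in tok:
            raise ValueError(f"malformed token {tok!r} in {line!r}")
        k, v = tok.split("=", 1)
        fields[k] = v
    datetime.fromisoformat(fields["ts"])  # reject lines whose timestamp is not ISO 8601
    return fields


def review_activity(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (finding, user, detail) tuples for events that warrant follow-up."""
    findings: List[Tuple[str, str, str]] = []
    failed_logins: Counter = Counter()
    records_by_user = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, role, action = ev["user"], ev.get("role", ""), ev["action"]
        if user in TERMINATED_USERS:
            findings.append(("terminated-user-access", user, f"{action} at {ev['ts']}"))
        if action not in ROLE_ACTIONS.get(role, set()):
            findings.append(("action-outside-role", user, f"{role} performed {action}"))
        if action == "LOGIN" and ev.get("result") == "FAIL":
            failed_logins[user] += 1
        if "record" in ev and ev.get("result") == "OK":
            records_by_user[user].add(ev["record"])
    for user, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated-failed-logins", user, f"{n} failures"))
    for user, recs in records_by_user.items():
        if len(recs) > DISTINCT_RECORD_THRESHOLD:
            findings.append(("broad-record-access", user, f"{len(recs)} distinct records"))
    return findings


if __name__ == "__main__":
    for finding in review_activity(SAMPLE_LOG):
        print(*finding)
```

On the sample log the review produces four findings: a billing user performing an action outside that role, an account that should have been disabled at termination still viewing records, a burst of failed log-ins, and one user touching more distinct records than the period's threshold. Each maps back to a named specification on the slides, which is how the review output can be filed as the documentation the Security Rule expects.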

  46. Physical Safeguards
  Physical measures and policies and procedures that protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion

  47. Physical Safeguards (cont.)
  • Standard: Facility Access Controls
    • Contingency Operations (addressable)
    • Facility Security Plan (addressable)
    • Access Control and Validation Procedures (addressable)
    • Maintenance Records (addressable)
  • Standard: Workstation Use
  • Standard: Workstation Security
  • Standard: Device and Media Controls
    • Disposal (required)
    • Media Re-use (required)
    • Accountability (addressable)
    • Data Backup and Storage (addressable)

  48. Technical Safeguards
  The technology and the policy and procedures that protect ePHI and control access to it

  49. Technical Safeguards (cont.)
  • Standard: Access Control
    • Unique User Identification (required)
    • Emergency Access Procedure (required)
    • Automatic Logoff (addressable)
    • Encryption and Decryption (addressable)
  • Standard: Audit Controls
  • Standard: Integrity
    • Mechanism to Authenticate ePHI (addressable)

  50. Technical Safeguards (cont.)
  • Standard: Person or Entity Authentication
  • Standard: Transmission Security
    • Integrity Controls (addressable)
    • Encryption (addressable)
  • Standard: Policies and Procedures
  • Standard: Documentation Requirements
    • Time Limit (required)
    • Availability (required)
    • Updates (required)
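Slide 49 lists "Mechanism to Authenticate ePHI" under the Integrity standard, and slide 38 defines integrity as ePHI not being altered or destroyed in an unauthorized manner. One concrete form of that mechanism is a keyed message authentication code stored with each record and checked on every read. The Python below is an added example, not code from the presentation: it seals a record with HMAC-SHA256 over a canonical serialization, verifies it with a constant-time comparison, and shows that an edit made directly in storage (bypassing the application) is detected. The record layout, the `seal`/`verify`/`read_record` names, the demo key and the in-memory store are assumptions; in production the key would come from a secrets store or HSM and the failed check would be written to the audit log.

```python
"""Mechanism to authenticate ePHI: HMAC-SHA256 tag stored with each record (added example).
Record layout, key source and the in-memory store are assumptions for illustration."""
import hashlib
import hmac
import json
import os
from typing import Any, Dict, Tuple

# Assumed: in production the key is fetched from a secrets store/HSM. The fallback value is a
# constructed demo key so the example runs offline; it must never be used for real data.
INTEGRITY_KEY = os.environ.get(
    "EPHI_INTEGRITY_KEY", "constructed-demo-key-not-for-production").encode()


def canonical_bytes(record: Dict[str, Any]) -> bytes:
    """Serialize deterministically (sorted keys, fixed separators) so equal content
    always produces the same tag regardless of dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def seal(record: Dict[str, Any], key: bytes = INTEGRITY_KEY) -> Dict[str, Any]:
    """Return a copy of the record carrying an 'integrity' field with its HMAC tag."""
    body = {k: v for k, v in record.items() if k != "integrity"}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "integrity": tag}


def verify(sealed: Dict[str, Any], key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the stored tag matches the current content under this key.
    compare_digest avoids leaking where the comparison diverged."""
    tag = sealed.get("integrity")
    if not isinstance(tag, str):
        return False
    body = {k: v for k, v in sealed.items() if k != "integrity"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def read_record(store: Dict[str, Dict[str, Any]],
                record_id: str) -> Tuple[bool, Dict[str, Any]]:
    """Fetch a record and report whether its integrity check passed. A caller should treat
    False as a security incident (slide 44: Response and Reporting) rather than display the data."""
    rec = store[record_id]
    return verify(rec), rec


def demo() -> Tuple[bool, bool]:
    """Seal a constructed (fictitious) record, then simulate an out-of-band edit in storage."""
    store = {"MRN-1001": seal({"mrn": "MRN-1001", "name": "Jane Example",
                               "allergy": "penicillin"})}
    ok_before, _ = read_record(store, "MRN-1001")
    store["MRN-1001"]["allergy"] = "none"   # change made without going through seal()
    ok_after, _ = read_record(store, "MRN-1001")
    return ok_before, ok_after               # (True, False)


if __name__ == "__main__":
    print("before tamper:", demo()[0], " after tamper:", demo()[1])
```

The tag is a check on unauthorized alteration, not a substitute for the encryption specifications on slides 49 and 50; it does nothing for confidentiality, and it only holds as long as the key is kept out of reach of whoever can write to the store. Canonical serialization matters: without it, a field reordering that changes nothing would fail verification and train operators to ignore failures.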