HIPAA COMPLIANCE. for Small & Mid-Size Practices

Transcription

1 HIPAA COMPLIANCE for Small & Mid-Size Practices Golden State Web Solutions GSWS (4797)

2 INTRODUCTION Most individuals reading this are interested in HIPAA, GSWS, or some combination of the two; and the 2 most common questions asked are usually as follows: WHY SHOULD MY PRACTICE START COMPLYING WITH HIPAA? We could say It s the law and leave it at that, but let s take it a little further and look at what it adds to your practice. Other benefits include: Demonstrating to your patients that you care about their privacy. Incoming doctors (potential successor) will expect compliance. Improving operational procedures, efficiency and accuracy. Significantly reduce your exposure to data breaches and/or fines. WHY SHOULD GSWS BE YOUR CHOICE OF AUDITOR? GSWS has been managing medical practice networks and client data for years in a HIPAA compliant manner. We already know the requirements for getting (and staying) compliant. When clients started getting estimates, the quotes were expensive enough to make the process cost-prohibitive. Running in that wall enough times, we decided to start conducting audits ourselves. GSWS recognizes the need for audit assessment services at a cost that s affordable to small and mid-size healthcare practices. We will explain everything, set you up for success, and provide all the documentation you need if an auditor shows up at your door. SOUND GOOD ENOUGH ALREADY? SPEAK WITH US! To speak with someone, contact us at or Otherwise, we hope you find this document helpful and feel free to contact us with any questions you may have. PLEASE NOTE: This document is intended as an informational guide only, and has been greatly condensed. GSWS is not a law firm, and this is not legal advice. If you are seeking legal advice, you should contact an attorney.

3 HIPAA: WHAT IT IS & WHAT TO KNOW In simplest terms, HIPAA is the Health Insurance Portability and Accountability Act that sets the standard for protecting sensitive patient data. HIPAA regulations address the saving, accessing and sharing of medical and personal information of any individual, as well as outline the security standards to protect health data, also known as PHI (Protected Health Information). Any organization that deals with PHI must ensure that all the required physical, network, and process security measures are in place and followed. This includes covered entities (anyone who provides treatment, payment and operations in healthcare), and business associates (anyone with access to patient information and/or provides support in treatment, payment or operations). Subcontractors, or business associates of business associates, must also adhere to these standards and regulations. The word reasonable appears dozens of times in the HIPAA regulations. HIPAA law requires that CEs and BAs take reasonable steps to protect PHI from reasonably anticipated threats. If you are ever investigated for a HIPAA violation, and you acted in good faith and made reasonable efforts to do what HIPAA requires, your liability will be much lower than if you neglected your HIPAA obligations and/ or did not act in good faith.

4 COMMON QUESTIONS It s important to understand what HIPAA means to better protect your organization and the sensitive data that it holds. We gathered some of the most common questions about HIPAA and broke down what every single healthcare company in the U.S. needs to know. WHAT IS HIPAA? HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that protects the privacy and security of health data. Initially passed in 1996, updated by a law called HITECH in 2009 and in 2013, (under the larger Omnibus rule) rolled the requirements of all 3 legislations into 1 act. For the sake of sanity, HIPAA, HITECH, and the Omnibus Rule all refer to the same concept: the HIPAA regulations. While it does include regulations and standards, it also allows some flexibility in how the regulations and standards can be addressed (i.e. data, data criticality, amount of employees, number of locations, etc.). That s where HIPAA gets more complicated, and we recommend you speak to a cybersecurity and compliance expert. WHO REGULATES HIPAA? HIPAA regulations are enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS). WHO DOES HIPAA AFFECT? In short, everyone. Medical practitioners are responsible for managing client data within HIPAA s compliance regulations. Patients are affected with how their PHI/PII is classified and its levels of privacy. WHAT IS PHI/PII? PHI stands for Protected Health Information and PII stands for Personally Identifiable Information. In its most abbreviated description, PHI/ PII is any data unique to the individual/record. Examples include any information relating to an individual s past, present, or future physical or mental health or condition. Outside of medical information, it expands into information such as name, address, birthdate, and Social Security Number. Your only proof of HIPAA compliance is the paperwork and other evidence you create. For overall HIPAA compliance, it certainly helps to do the right things, and avoid those things HIPAA prohibits. If you cannot show evidence of your actions later, whether in court or in an OCR investigation or audit, all your efforts are in vain. HIPAA requires you to retain HIPAA-related documents for a minimum of six (6) years from the date a document was created or was last in effect, whichever is later. This does not refer to clinical, medical records, but to your HIPAA-related documents. HIPAA does not have a retention requirement for actual medical records, but leaves that issue to state laws and other federal laws.

5 WHAT IS REQUIRED TO BE HIPAA COMPLIANT? The HIPAA framework includes 18 standards and a total of 36 implementation specifications that detail the framework for compliance To see a complete list of standards and regulations, please see the 18 HIPAA Identifiers and HIPAA Security Regulations & Standards sections of this document. HOW CAN I MAKE SURE HIPAA REQUIREMENTS ARE MET? The most common way for your medical practice to ensure requirements are met is to hire a consultant (like us) to navigate you through the process. It can be tricky, and the penalties can be expensive, so it s not something to be taken lightly. Upon completion, your practice will have a complete HIPAA reference manual, fully updated with all the information required from an audit. We give you exactly what a potential HHS HIPAA auditor will be looking for. IF I HIRE YOU FOR AN AUDIT, WILL THIS ALL GO AWAY? Nice thought, but no. Compliance with the HIPAA Security Regulation is an ongoing process with periodic reviews and evaluations required. Best practice includes consistent reviews. Reviews can be based on the calendar year (i.e. every 6 or 12 months) or when there is a significant change to the organization (individuals leave, new hires, changes in technology, etc.). Additionally, part of the HIPAA framework adoption process states someone must be identified as the designated HIPAA Security Officer for the practice. This can be an employee within the organization, or by a third party. Part of the overall process will define what makes best sense for the organization. HOW CAN I START MY HIPAA COMPLIANCE PROCESS? Contact us at or First thing we are going to do is simply get together and discuss how the process works. There is no pressure, requirement to sign up nor any cost for an initial consultation. We look forward to speaking with you. PLEASE NOTE: This document is intended as an informational guide only, and has been greatly condensed. GSWS is not a law firm, and this is not legal advice. If you are seeking legal advice, you should contact an attorney.

6 HIPAA VIOLATIONS & PENALTIES What happens if you violate HIPAA? That depends of the severity of the violation. OCR prefers to resolve HIPAA violations using non-punitive measures, such as with voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be imposed. HIPAA VIOLATION PENALTY TIERS First Tier The covered entity did not know and could not reasonably have known of the breach. The four categories used for the penalty structure are Category 1 A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules Category 2 A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules) Category 3 A violation suffered as a direct result of willful neglect of HIPAA Rules, in cases where an attempt has been made to correct the violation Category 4 A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation HIPAA Violation Penalty Structure Each category of violation carries a separate HIPAA penalty. It is up to OCR to determine a financial penalty within the appropriate range. OCR considers a number of factors when determining penalties, such as the length of time a violation was allowed to persist, the number of people affected and the nature of the data exposed. An organization s willingness to assist with an OCR investigation is also taken into account. The general factors that can affect the level of financial penalty also include prior history, the organization s financial condition and the level of harm caused by the violation. Second Tier The covered entity knew, or by exercising reasonable diligence would have known of the violation, though they did not act with willful neglect. Third Tier The covered entity acted with willful neglect and corrected the problem within a 30-day time period. Fourth Tier The covered entity acted with willful neglect and failed to make a timely correction. Category 1: Minimum fine of $100 per violation up to $50,000 Category 2: Minimum fine of $1,000 per violation up to $50,000 Category 3: Minimum fine of $10,000 per violation up to $50,000 Category 4: Minimum fine of $50,000 per violation

7 The fines are issued per violation category, per year that the violation was allowed to persist. The maximum fine per violation category, per year, is $1,500,000. HIPAA Criminal Penalties In addition to civil financial penalties for HIPAA violations, criminal charges can be filed against the individual(s) responsible for a breach of PHI. Criminal penalties for HIPAA violations are divided into three separate tiers, with the term and an accompanying fine decided by a judge based on the facts of each individual case. As with OCR, a number of general factors are considered which will affect the penalty issued. If an individual has profited from the theft, access or disclosure of PHI, it may be necessary for all moneys received to be refunded, in addition to the payment of a fine. The tiers for HIPAA criminal penalties are Tier 1 Reasonable cause or no knowledge of violation. Up to 1 year in jail. Tier 2 Obtaining PHI under false pretenses. Up to 5 years in jail. Tier 3 Obtaining PHI for personal gain or malicious intent. Up to 10 years in jail. If a violation does occur, the investigation that follows will involve research and interviews to determine, among other things, what threats you reasonably anticipated, and what specific steps you took to guard against them. If you did everything right and a violation still happens, your liability is relatively low. If a violation happens and you did not take appropriate steps to guard against reasonably anticipated threats, your liability will be much higher.

8 THE 18 HIPAA IDENTIFIERS The HIPAA privacy rule sets forth policies to protect all individually identifiable health information that is held or transmitted by a covered entity. This information can be used to identify, contact, or locate a single person or can be used with other sources to identify a single individual. When personally identifiable information is used in conjunction with one s physical or mental health or condition, health care, or one s payment for that health care, it becomes Protected Health Information (PHI). These are the 18 HIPAA Identifiers that are considered personally identifiable information: 1. Name 2. Address (all geographic subdivisions smaller than state, including street address, city county, and zip code) 3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89) 4. Telephone numbers 5. Fax number 6. address 7. Social Security Number 8. Medical record number 9. Health plan beneficiary number 10. Account number 11. Certificate or licence number 12. Vehicle identifiers and serial numbers, including license plate numbers 13. Device identifiers and serial numbers 14. Web URL 15. Internet Protocol (IP) Address 16. Biometric identifiers, including finger and voice prints 17. Photographic image (images are not limited to images of the face) 18. Any other characteristic that could uniquely identify the individual DECEDENT RESEARCH Be aware that the HIPAA Privacy rule protects individually identifiable health information of deceased individuals for 50 years following the date of death. If the research will include any identifiers linked to living persons or involves accessing death records maintained by the State Registrar, local registrars, or county recorders, the project must be approved by the IRB in advance. If a communication contains any of these identifiers, or parts of the identifier, such as initials, the data is to be considered identified. To be considered de-identified, ALL of the 18 HIPAA Identifiers must be removed from the data set. This includes all dates, such as surgery dates, all voice recordings, and all photographic images.

9 HIPAA SECURITY REGULATIONS & STANDARDS ADMINISTRATIVE SAFEGUARDS 45 C.F.R Security Management Process a. Risk Analysis (Required) b. Risk Management (Required) c. Sanction Policy (Required) d. Information System Activity Review (Required) 2. Assigned Security Responsibility 3. Workforce Security a. Authorization and/or Supervision Policy (Addressable) b. Workforce Clearance Procedures (Addressable) c. Termination Procedures (Addressable) 4. Information Access Management a. Isolating Healthcare Clearinghouse Function (Required) b. Access Authorization (Addressable) c. Access Establishment and Modification (Addressable) 5. Security Awareness and Training a. Security Reminders (Addressable) b. Protection from Malicious Software (Addressable) c. Log-in Monitoring (Addressable) d. Password Management (Addressable) 6. Security Incident Procedures a. Response and Reporting (Required) 7. Contingency Plan a. Data Backup Plan (Required) b. Disaster Recovery Plan (Required) c. Emergency Mode Operation Plan (Required) d. Testing and Revision Procedures (Addressable) e. Applications and Data Criticality Analysis (Addressable) 8. Evaluation 9. Business Associate Contracts and Other Arrangement a. Written Contracts or Other Arrangement (Required) PREPARE IN ADVANCE! A response plan should be created that defines who does what, in what order, if an audit or investigation happens. Plan for a surprise onsite visit as well as a notifiedin-advance scenario. BE COMPLAINT FRIENDLY Treat each complaint as an opportunity to make someone happy, and build your reputation as a friendly place to do healthcare business. People who file a complaint generally believe a wrong has really occurred, and they want to be treated with dignity and espect. PHYSICAL SAFEGUARDS 45 C.F.R Facility Access Controls a. Contingency Operations (Addressable) a. Facility Security Plan (Addressable) b. Access Control and Validation Procedures (Addressable) c. Maintenance Records (Addressable)

10 11. Workstation Use. 12. Workstation Security. 13. Device and Media Controls. a. Disposal (Required). b. Media Re-use (Required). c. Accountability (Addressable). d. Data Back-up and Storage (Addressable). TECHNICAL SAFEGUARDS 45 C.F.R Access Control. a. Unique User Identification (Required). b. Emergency Access Procedure (Required). c. Automatic Log-Off (Addressable). d. Encryption and Decryption (Addressable). 15. Audit Control. 16. Integrity. a. Mechanism to Authenticate ephi (Addressable). 17. Person or Entity Authentication. 18. Transmission Security. a. Integrity Controls (Addressable). b. Encryption (Addressable). POLICIES, PROCEDURES, AND DOCUMENTATION REQUIREMENTS 45 C.F.R Policies and Procedures 20.Documentation a. Time Limit (Required) b. Availability (Required) c. Updates (Required) ORGANIZATIONAL REQUIREMENTS 45 C.F.R Business Associate Contracts or Other Arrangements a. Business Associate Contracts (Required) b. Other arrangements (Required) c. Business Associate Contracts with Sub-Contractors (Required) SOURCE: AOA HIPAA Security Regulation Compliance Manual

11 ADDITIONAL RESOURCES U.S. Department of Health & Human Services HHS main website: HHS HIPAA information for Professionals: HHS HIPAA information for Individuals: National Institute of Standards & Technology (NIST) An Introductory Resource Guide for Implementing the Health Insurance Portability and Ac countability Act. (HIPAA is based on the NIST Cybersecurity framework). Free downloadable pdf: gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/ nist80066.pdf HIPAA details for Optometric Practitioners: AOA HIPAA details for Dental Practitioners: ADA ics/electronic-health-records/health-systemreform-resources/hipaa-privacy-security HIPAA details for Chiropractors: American Chiropractic Association HIPAA Compliance Best Practices: HIPAA Journal Golden State Web Solutions Free Cybersecurity Awareness Training Online, On-Demand resource for educating employees:

12 CERTIFICATIONS AND ORGANIZATIONS ABOUT GSWS (GSWS) opened in 1994 as a startup internet technology company, offering website design, site maintenance, , hosting and domain name registration. Fast forward to today and providing clients with Cybersecurity solutions has become our primary focus. We still provide Managed IT, Web Development and Hosting services as always, but our core focus is on the security and compliance requirements placed upon our client s business needs. This simply means if you are our client, our primary focus is on what is most critical to you. This can be security centered, compliance related and/or just the overall way your organization is using technology to improve processes. Working together in that capacity, the structure and management of technology will inherently fall in order in a way that overall better supports your organization s needs and business objectives. We are a close-knit team of highly skilled (and personable) individuals who work closely together. Whether we are guiding a client through a security assessment report or presenting a tailored cybersecurity solution, our knowledge, skills, respect, quality service and care provides our clients support of their organization s technology needs and requirements. Everything starts with an initial consultation or vulnerability assessment, so we can speak to you as to what specifically affects your organization. Contact us with any questions you may have at or us directly at. We look forward to speaking with you. For additional information, please visit: