The Privacy Rule

Health Insurance Portability & Accountability Act
Enacted on August 21, 1996 to amend the Internal Revenue Code of 1986, in order:
- To improve portability and continuity of health insurance coverage in the group and individual markets
- To combat waste, fraud and abuse in health insurance and health care delivery
- To promote the use of medical savings accounts
- To improve access to long-term care services and coverage
- To simplify the administration of health insurance

Administrative Simplification
HIPAA sections 261 through 264 required the Secretary of the US Department of Health and Human Services (HHS) to publicize standards for the electronic exchange, privacy, and security of health information. Collectively these standards are known as the Administrative Simplification provisions. These include:
- Privacy Rule
- Security Rule
- Code Sets
- Electronic Transactions
- Identifiers

Timeline:
- HIPAA, 1996
- HIPAA Privacy Rule, 2003
- Security Rule, 2005
- HITECH Act, 2009
- Data Breach Rule, 2009
- HIPAA Omnibus Rule, 2013 (compliance deadline September 23, 2013)

Covered Entities
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rule's requirements to protect the privacy and security of health information, and must provide individuals with certain rights with respect to their health information. All of the Administrative Simplification rules apply to covered entities:
- Healthcare providers
- Health plans (payers)
- Healthcare clearinghouses
- Anyone who transmits health information in electronic form

Business associates (not covered entities, but they do come in contact with PHI and ePHI):
- Shredding companies, paper records storage
- IT companies, EHR vendors, copier vendors
- Lawyers, accountants, collection agencies
- Data centers, online backup companies, cloud vendors
Business associates:
- Must sign a Business Associate Agreement (BAA)
- Must comply with HIPAA
- Are directly responsible for breaches
- Are responsible for their subcontractors

Protected Health Information
The Privacy Rule protects all individually identifiable health information, calling this information protected health information (PHI).
- Protected Health Information (PHI): identifiable information plus treatment and/or diagnostic information
- Electronic Protected Health Information (ePHI): PHI in electronic form (words, images, voice files) on any media

Required Disclosures / Permitted Uses and Disclosures
Covered entities may not use or disclose PHI, except as permitted or required by the Privacy Rule.
Required disclosures:
- To the individual, specifically when they request access to or an accounting of disclosures of their protected health information
- To HHS, to investigate or determine compliance with the Privacy Rule

Permitted uses and disclosures:
- To the individual
- Treatment, Payment, Health Care Operations (TPO)
- Opportunity to agree or object
- Public policy uses
- Incident to
- Limited data sets

Workforce access practices:
- Limit network and EHR access by job role
- No viewing unless needed for your job duties
- No viewing of family, friends, neighbors, or celebrities
- Educate the workforce
- EHR system access audits

HITECH Act
The Health Information Technology for Economic and Clinical Health Act of 2009 made significant changes to the HIPAA Privacy and Security Rules:
- Patients have the right to request an accounting of disclosures for TPO for the previous 3 years
- Patients may limit disclosure of PHI pertaining to services they paid for on their own
- Less flexibility for covered entities to use PHI in marketing and fundraising, which now require signed authorization

Omnibus Rule, effective September 23, 2013:
- Changed data breach law
- Changed patient access to data requirements
- Changed fees for patient records requests
- Blocked insurers from patient records if the patient paid out of pocket
- Updated the Business Associate Agreement

Violation Enforcement
The HITECH Act provides a tiered system for each HIPAA privacy violation and its penalty:
- Tier A: $100 fine per violation, $25,000 max per year
- Tier B: $1,000 fine per violation, $100,000 max per year
- Tier C: $10,000 fine per violation, $250,000 max per year
- Tier D: $50,000 fine per violation, $1,500,000 max per year

Definitions:
- Networks: local area networks, wide area networks, virtual private networks
- Servers and clients
- Viruses, Trojan horses and worms

Protection
- Access controls
- Individual user authentication
- Monitoring of access
- Physical security
- Disaster recovery
- Protection of remote access points
- Software and system maintenance

Data Breach Law
- Breaches < 500 records
- Breaches > 500 records
- No longer a harm exemption
- All losses presumed to be a breach
- Encrypted devices exempt from reporting

47 states plus DC and Puerto Rico protect:
- Social Security number
- Driver's license number
- Account number, credit or debit card
- 3 states trigger by access, not acquisition
- 41 states have a harm exemption
- 7 states have < 60-day reporting periods
- 8 states also protect medical information

Email and texting
- Email: is it secure?
- Texting: should you?
Technology tips
Where are we headed?
Tiffany Morgan, CPC, CPCO, CPMA, CEMC
tiffanymorgankc@gmail.com