Maintaining HIPAA Privacy and Security Rule Compliance
Bruce D. Armon, Esquire; Saul Ewing LLP
215-972-7985 or 1-800-355-7777, ext. 7985
firstname.lastname@example.org
April 27, 2005

HIPAA: What Is This About?

HIPAA Overview
- The Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) (HIPAA) became law on August 21, 1996.
- At the time it was commonly referred to as "Kennedy-Kassebaum," after Senators Ted Kennedy (D-MA) and Nancy Kassebaum (R-KS), who were instrumental in its passage.

HIPAA Key Provisions
- Insurance reform: improve portability and continuity of health insurance for groups and individuals.
- Fraud and abuse: extend fraud and abuse prevention measures to all types of insurers (not just Medicare/Medicaid), and dedicate additional resources to fraud and abuse enforcement.
- Administrative simplification: create a framework for the standardization of electronic data interchange (EDI) in health care, including protections for the privacy and security of individually identifiable health information.

Administrative Simplification
- Electronic Transactions and Code Sets Standards
- Privacy Standards
- Security Standards
- Electronic Signature Standards
- Identifier Standards
  - Employer Identifier Standard
  - Provider Identifier Standard
  - Health Plan Identifier Standard
  - Individual Identifier Standard

Privacy Standards
- Final Rule published December 28, 2000 (65 FR 82462 et seq.)
- Final Rule, Version II (the August 2002 modifications), published August 14, 2002 (67 FR 53182 et seq.)
- Compliance date: April 14, 2003 (April 14, 2004 for small health plans)
Privacy Standards: Health Information
"Health information" is any information, whether oral or recorded in any form or medium, that:
- is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Individually Identifiable Health Information
- Individually Identifiable Health Information (IIHI) is health information that identifies an individual, or for which there is a reasonable basis to believe it could be used to identify an individual.

Protected Health Information
- The focus of the Privacy Rule is Protected Health Information (PHI).
- PHI is IIHI that is transmitted or maintained in electronic or any other form or medium.

Applicability
The Privacy Rule applies to covered entities:
- Health Plans
- Health Care Clearinghouses
- Health Care Providers (those that transmit health information electronically in connection with a HIPAA standard transaction)

Health Care Providers
- Health care providers include any individual or entity that is covered as a provider under Medicare, and any other person or organization that provides medical or other health services, or that furnishes, bills, or is paid for health services or supplies in the normal course of business.

Uses and Disclosures of PHI
- When PHI is used or disclosed for purposes of:
  - Treatment
  - Payment
  - Health Care Operations
  an individual's consent is not required under the Final Rule, Version II.

Administrative Requirements
- Privacy official
- Contact person for complaints
- Training
- Safeguards
- Complaints
- Sanctions
- Mitigation
- Intimidating or retaliatory acts
- Waiver of rights
- Policies and procedures
- Documentation
Administrative Requirements: Privacy Official
- Designate someone to develop and implement the policies and procedures.

Administrative Requirements: Contact Person for Complaints
- Designate someone who is responsible for receiving complaints and for questions about the Notice of Privacy Practices (NPP).

Administrative Requirements: Training
- Train all members of the workforce to carry out their respective functions.
- Train new members of the workforce as they are hired.
- Document the training.

Administrative Requirements: Safeguards
- Maintain appropriate administrative, technical, and physical safeguards to protect PHI.

Administrative Requirements: Complaints
- Establish a process for individuals to make complaints.
- Document complaints and their disposition.

Administrative Requirements: Sanctions
- Must have sanctions, apply them against workforce members who do not comply, and document the sanctions applied.
- Exception for whistleblowers.

Administrative Requirements: Mitigation
- Mitigate, to the extent practicable, any harmful effect known to the Covered Entity of an impermissible use or disclosure of PHI.

Administrative Requirements: Intimidating or Retaliatory Acts
- A Covered Entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising these rights or for filing a complaint.

Administrative Requirements: Waiver of Rights
- A Covered Entity may not require an individual to waive rights as a condition of treatment, payment, enrollment, or eligibility for benefits.

Administrative Requirements: Policies and Procedures
- Implement policies and procedures designed to comply with the rule.
- Change them as necessary, including in response to changes in law.

Administrative Requirements: Documentation
- Maintain policies and procedures in written or electronic form.
- Maintain any communications required to be in writing.
- Retain for six years from the date of creation or the date when last in effect, whichever is later.
Privacy Rule Compliance Issues
- Notice of Privacy Practices
- Authorization
- Oral Communications
- Accounting for Disclosures
- De-identified Information
- Business Associates
- Preemption

Notice of Privacy Practices
- Plain language
- Uniform header
- Identify uses and disclosures
- Individual rights
- Covered Entity's duties
- Complaints
- Contact person

Notice of Privacy Practices (cont'd)
- Changes to the Notice of Privacy Practices
- Written acknowledgment of receipt of the Notice of Privacy Practices (a good-faith effort to obtain it, for providers with a direct treatment relationship)
- Web page availability
- Organized Health Care Arrangements (OHCAs)

Authorization
- Valid authorizations
- Defective authorizations
- Compound authorizations
- Conditioning authorizations
- Revoking authorizations

Oral Communications
- The Privacy Rule applies to individually identifiable health information in all forms: electronic, written, and oral.
- If oral communications were not covered, any protected health information could be disclosed to any person as long as the disclosure was by the spoken word.

Accounting for Disclosures
- Grants individuals the right to request and receive an accounting of disclosures of their protected health information.
- Time frame: the six years prior to the date on which the accounting is requested.
- Exceptions to the accounting rules (for example, disclosures to carry out treatment, payment, and health care operations, and disclosures to the individual).

De-identified Information
- De-identified information is health information that does not identify an individual, and with respect to which there is no reasonable basis to believe the information could be used to identify an individual.
- Under the safe harbor method, 18 categories of identifiers (of the individual and of relatives, employers, or household members) must be removed, and the covered entity must have no actual knowledge that the remaining information could identify the individual. The alternative is a documented determination by a qualified statistical expert that the re-identification risk is very small.
Business Associate
- A Business Associate, with respect to a Covered Entity, is a person or entity (other than a member of the Covered Entity's workforce) that performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by these rules.

Business Associate: Services for a Covered Entity
- Legal
- Actuarial
- Accounting
- Consulting
- Data aggregation
- Management
- Administrative
- Accreditation
- Financial

Disclosure to a Business Associate
- A Covered Entity may disclose protected health information to a Business Associate, and may allow a Business Associate to create or receive protected health information on its behalf, if the Covered Entity obtains satisfactory assurances (documented in a written contract or other arrangement) that the Business Associate will appropriately safeguard the information.

Preemption of State Law
- General preemption rule: a requirement or other provision of the HHS Privacy Rule that is contrary to a provision of state law preempts the state law provision, unless an exception applies (most notably, a state law that is more stringent in protecting privacy is not preempted).

Who Enforces the HIPAA Privacy Regulations?
- Enforcement of the privacy regulations has been delegated to the Department of Health and Human Services, Office for Civil Rights (OCR).

Security Standards
- Final Rule published February 20, 2003 (68 FR 8334 et seq.)
- Compliance date: April 20, 2005 (April 20, 2006 for small health plans)

Security Rule Obligations
Covered entities must:
- ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity creates, receives, maintains, or transmits;
- protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and
- ensure compliance with the Security Rule by its workforce.

Flexibility in Implementing the Security Rule
- Greatest advantage
- Toughest challenge

Flexibility in Implementing the Security Rule (cont'd)
- Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications.

Four Factors for a Covered Entity to Consider
- the size, complexity, and capabilities of the covered entity;
- the covered entity's technical infrastructure, hardware, and software security capabilities;
- the costs of security measures; and
- the probability and criticality of potential risks to electronic protected health information.

Flexibility
- One size does not fit all.
- A small physician practice will take different steps than a large hospital system.

What Is Risk Analysis?
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
- The risk analysis is the basis for every other "reasonable and appropriate" decision under the Rule, including how each addressable implementation specification is handled, so it should be documented and kept current.

Security Rule and Privacy Rule
- While the Security Rule applies only to electronic PHI, the Privacy Rule applies to all PHI (electronic, paper, and oral).

What Are Standards?
- A standard is a general requirement that must be complied with by the covered entity.

What Is an Implementation Specification?
- A more detailed and specific description of the method or approach that a covered entity can use to meet a particular standard.
- Not all standards have implementation specifications; where a standard has none, the standard itself states what must be implemented.
- Each implementation specification is designated either "required" or "addressable."

Required Implementation Specifications
- If an implementation specification is required, the covered entity must take action to implement the specification as written.
Addressable Implementation Specifications
- "Addressable" does not mean the covered entity may ignore the specification; it means the covered entity decides how to address it through a three-step consideration process.

Addressable Implementation Specifications: Three Steps
1. Assess whether the specification is a reasonable and appropriate safeguard for the covered entity, in light of its environment and its risk analysis;
2. Implement the specification if it is reasonable and appropriate; or
3. If implementing the specification would not be reasonable and appropriate, document why, and implement an equivalent alternative measure if that is reasonable and appropriate.

Alternative Approaches
- A covered entity may also decide that the implementation specification does not apply to it and that no measure is necessary (for example, because the risk it addresses is not present in the entity's environment).
- Document the decision-making in every case.
- Addressable does not mean optional.

HIPAA Security Rule Standards (45 CFR Part 164, Subpart C)
- 9 Administrative Safeguard Standards (164.308): 12 required and 11 addressable implementation specifications
- 4 Physical Safeguard Standards (164.310): 4 required and 6 addressable implementation specifications
- 5 Technical Safeguard Standards (164.312): 4 required and 5 addressable implementation specifications

9 Administrative Safeguard Standards
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements

12 Required Administrative Implementation Specifications
- Risk Analysis
- Risk Management
- Sanction Policy
- Information System Activity Review
- Assigned Security Responsibility
- Isolating Health Care Clearinghouse Function
- Security Incident Response and Reporting
- Data Backup Plan
- Disaster Recovery Plan
- Emergency Mode Operation Plan
- Periodic Evaluation of Security Policies and Procedures
- Written Business Associate Contract or Other Arrangements
11 Addressable Administrative Implementation Specifications
- Workforce Authorization and/or Supervision
- Workforce Clearance Procedure
- Workforce Termination Procedures
- Access Authorization
- Access Establishment and Modification
- Security Reminders
- Protection from Malicious Software
- Log-in Monitoring
- Password Management
- Contingency Plan Testing and Revision Procedure
- Applications and Data Criticality Analysis

4 Physical Safeguard Standards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls

4 Required Physical Implementation Specifications
- Workstation Use
- Workstation Security
- Media Disposal
- Media Re-use

6 Addressable Physical Implementation Specifications
- Facility Contingency Operations
- Facility Security Plan
- Facility Access Control and Validation Procedures
- Facility Maintenance Records
- Media Accountability
- Data Backup and Storage (before equipment is moved)

5 Technical Safeguard Standards
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security

4 Required Technical Implementation Specifications
- Unique User Identification
- Emergency Access Procedure
- Audit Controls
- Person or Entity Authentication

5 Addressable Technical Implementation Specifications
- Access Control: Automatic Logoff
- Access Control: Encryption and Decryption (of stored ePHI)
- Integrity: Mechanism to Authenticate Electronic Protected Health Information
- Transmission Security: Integrity Controls
- Transmission Security: Encryption

Who Enforces HIPAA Security?
- CMS (the Centers for Medicare & Medicaid Services), unlike the Privacy Rule, which is enforced by OCR. (This was the position as of this April 2005 presentation; enforcement of the Security Rule was transferred to OCR in July 2009.)

Pitfalls to Avoid
- Avoid the urge to solve known security problems immediately, before the risk analysis is done.
- Avoid focusing only on technology.
- Avoid letting technology dictate policy.
- Don't buy the wrong technology.
- Allow the time, and acquire the knowledge, needed to understand security.
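The Technical Safeguards above name the Integrity standard ("mechanism to authenticate ePHI"), Audit Controls, and Unique User Identification without showing what such mechanisms look like in code. The following Python is an added illustration written for this page; it is not part of the original presentation and is not an official or prescribed implementation. It assumes an HMAC key held in a secrets store separate from the records (INTEGRITY_KEY here is a stand-in), a fictional patient record, and made-up user IDs. Each stored record carries an HMAC-SHA256 tag so silent alteration is detected on read, and every access attempt is written to a hash-chained audit log attributed to an individual user, so the log itself cannot be edited or trimmed without detection.

```python
"""Added example: integrity sealing of ePHI records plus a tamper-evident,
per-user audit trail. All data below is constructed for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: in a real deployment this key comes from a secrets store,
# never from the same database that holds the records it protects.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def _canonical(obj) -> bytes:
    """Deterministic JSON so the same content always produces the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its content."""
    body = {k: v for k, v in record.items() if k != "mac"}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


def verify_record(sealed: dict, key: bytes) -> bool:
    """True only if the record is unaltered and was sealed under this key."""
    if not isinstance(sealed.get("mac"), str):
        return False
    body = {k: v for k, v in sealed.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # constant-time comparison so the tag cannot be guessed byte by byte
    return hmac.compare_digest(expected, sealed["mac"])


class AuditLog:
    """Append-only log; each entry commits to the hash of the previous entry."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, user_id: str, action: str, record_id: str, outcome: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,  # unique user identification, never a shared login
            "action": action,
            "record_id": record_id,
            "outcome": outcome,
            "prev_hash": prev,
        }
        entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash; False if an entry was edited, dropped or reordered."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def read_record(store: dict, log: AuditLog, user_id: str, record_id: str, key: bytes):
    """Access path: check integrity, log the attempt either way, return data or None."""
    sealed = store.get(record_id)
    ok = sealed is not None and verify_record(sealed, key)
    log.record(user_id, "read", record_id, "ok" if ok else "integrity-failure")
    return sealed if ok else None


def demo() -> dict:
    # Constructed ePHI record for a fictional patient.
    store = {"MRN-1001": seal_record(
        {"record_id": "MRN-1001", "name": "Jane Sample", "dx": "E11.9"}, INTEGRITY_KEY)}
    log = AuditLog()
    first = read_record(store, log, "dr.lee", "MRN-1001", INTEGRITY_KEY)

    # A field is changed without re-sealing (bug or attacker): caught on the next read.
    store["MRN-1001"]["dx"] = "Z00.00"
    second = read_record(store, log, "dr.lee", "MRN-1001", INTEGRITY_KEY)
    chain_ok = log.verify_chain()

    # Someone rewrites who performed the first access: the chain no longer verifies.
    log.entries[0]["user_id"] = "someone.else"
    return {"first_read_ok": first is not None,
            "second_read_ok": second is not None,
            "chain_ok_before_tamper": chain_ok,
            "chain_ok_after_tamper": log.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the HMAC tag authenticates the record but does not hide it, so it addresses the Integrity standard, not the Encryption specifications; and the chained audit log only detects tampering after the fact, so the log should also be shipped promptly to a system the record owners cannot write to, which is what makes Audit Controls useful in an incident.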
HIPAA Funnies
- A Covered Entity: a HIPAA Joint
- A Business Associate: Joined at the HIPAA
- Pledge: HIPAAcratic Oath
- Wants to protect own privacy, but to hell with others': a HIPAAcrit
- Finds fault with the legislation: HIPAAcritical
- Incapacitated by implementation: a HIPAAchondriac
- Been reading the rules way too long: HIPAAnotized