Maintaining HIPAA Privacy and Security Rule Compliance


               Maintaining HIPAA Privacy and
               Security Rule Compliance
               Bruce D. Armon, Esquire
               Saul Ewing LLP
               215-972-7985 or 1-800-355-7777, ext. 7985
               barmon@saul.com
               April 27, 2005
               HIPAA
               What Is This About?




Bruce D. Armon, Esq.
               HIPAA Overview

                   The Health Insurance Portability and
                   Accountability Act of 1996 (P.L. 104-191)
                   (HIPAA) became law on August 21, 1996.
                   At the time it was commonly referred to as
                   "Kennedy-Kassebaum," after Senators Ted
                   Kennedy (D-MA) and Nancy Kassebaum (R-KS),
                   who were instrumental in its passage.
               HIPAA Key Provisions
             Insurance reform - improve portability and
              continuity of health insurance for groups and
              individuals.
             Extend fraud and abuse prevention measures to
              all types of insurers (not just Medicare/Medicaid),
              and dedicate additional resources to fraud and
              abuse enforcement.
             Administrative simplification - create a framework
              for the standardization of electronic data
              interchange (EDI) in health care, including
              protections for the privacy and security of
              individually identifiable health information.
               Administrative Simplification
   Electronic Transactions and Code Sets
     Standards
   Privacy Standards
   Security Standards
   Electronic Signature Standards
   Identifier Standards
               Employer Identifier Standard
               Provider Identifier Standard

               Health Plan Identifier Standard

               Individual Identifier Standard
               Privacy Standards

                      Final Rule published December 28, 2000
                       (65 FR 82462 et seq.)
                      Final Rule, Version II (modifications),
                       published August 14, 2002 (67 FR 53182 et seq.)
                      Compliance Date - April 14, 2003
               Privacy Standards
 “Health information” is any information, whether oral
 or recorded in any form or medium, that:
         Is created or received by a health care provider, health
          plan, public health authority, employer, life insurer,
          school or university, or health care clearinghouse; and
         Relates to the past, present, or future physical or mental
          health or condition of an individual, the provision of
          health care to an individual, or the past, present, or
          future payment for the provision of health care to an
          individual.


               Individually Identifiable Health
               Information

                       Individually Identifiable Health
                       Information (IIHI) is health information
                       that identifies an individual or there is a
                       reasonable basis to believe could be
                       used to identify an individual.



               Protected Health Information

   The focus of the Privacy Rule is Protected
   Health Information (PHI). PHI is IIHI that
   is transmitted or maintained in electronic or
   any other form or medium.




               Applicability

     Privacy Rule applies to covered entities:

                      Health Plans
                      Health Care Clearinghouses
                      Health Care Providers



               Health Care Providers

                       Health care providers include any
                       individual or entity that is covered as a
                       provider under Medicare or any other
                       person or organization that provides
                       medical or other services or who
                       furnishes, bills or is paid for health
                       services or supplies in the normal
                       course of business.
               Uses and Disclosures of PHI

      When PHI is to be used or disclosed for purposes of
       Treatment
       Payment
       Health Care Operations

      an individual's consent is not required pursuant to
      the Final Rule, Version II.
        Administrative Requirements
            Privacy official
            Contact person for complaints
            Training
            Safeguards
            Complaints
            Sanctions
            Mitigation
               Administrative Requirements
               (cont’d)
                      Intimidating or retaliatory acts
                      Waiver of Rights
                      Policies and procedures
                      Documentation




          Administrative Requirements

                          Privacy Official
                               Designate someone to develop and
                                implement the policies and
                                procedures




               Administrative Requirements

                          Contact Person for Complaints
                              Designate someone who is
                               responsible for receiving complaints
                               and questions about the Notice of
                               Privacy Practices (NPP)
               Administrative Requirements

                          Training
                               Train all members of the workforce
                                to carry out their respective
                                functions
                               Train new members of the workforce
                                as they are hired
                               Document the training

               Administrative Requirements
                Safeguards
                      Appropriate administrative, technical
                       and physical safeguards to protect PHI




               Administrative Requirements
                Complaints
                      Establish a process for individuals to
                       make complaints
                      Document complaints, and disposition




               Administrative Requirements
              Sanctions
                      Must have and apply against workforce
                       members who do not comply, and
                       document sanctions
                      Exception for whistleblowers




               Administrative Requirements
                 Mitigation
                          Lessen harmful effect known to Covered
                           Entity of impermissible use or disclosure
                           of PHI




               Administrative Requirements
                      Intimidating or Retaliatory Acts
                          Covered Entity cannot intimidate,
                           threaten, coerce, discriminate against
                           or take retaliatory action against
                           individuals exercising these rights
               Administrative Requirements
                      Waiver of Rights
                          Covered Entity may not require an
                           individual to waive rights as a condition
                           of treatment, payment, enrollment or
                           eligibility




               Administrative Requirements
                      Policies and Procedures
                          Implement policies and procedures
                          Change as necessary, including changes
                           in law




               Administrative Requirements
                      Documentation
                          Maintain policies and procedures in
                           written or electronic form
                          Maintain communications required to be
                           in writing
                          Retain for six years from date of
                           creation or date when last in effect,
                           whichever is later

          Privacy Rule Compliance Issues
        Notice of Privacy Practices
        Authorization
        Oral Communications
        Accounting for Disclosures
        Deidentified Information
        Business Associates
        Preemption
               Notice of Privacy Practices
                      Plain language
                      Uniform header
                      Identify uses and disclosures
                      Individual rights
                      Covered Entity’s duties
                      Complaints
                      Contact Person
               Notice of Privacy Practices
                      Changes to Notice of Privacy Practices
                      Written acknowledgment of receipt of
                       Notice of Privacy Practices
                      Web page availability
                      Organized Health Care Arrangements (OHCAs)
                       may use a joint notice
               Authorization
                      Valid authorizations
                      Defective authorizations
                      Compound authorizations
                      Conditioning authorizations
                      Revoking authorizations



               Oral Communications
                      Privacy Rule applies to individually
                       identifiable health information in all
                       forms, electronic, written, and oral.
                      If oral communications were not
                       covered, any protected health
                       information could be disclosed to any
                       person as long as the disclosure was by
                       the spoken word.
               Accounting for Disclosures
                      Grants individuals the right to request
                       and receive an accounting of
                       disclosures of one’s protected health
                       information.
                      Time frame: 6 years prior to the date
                       on which the accounting is requested.
                      Exceptions to the accounting rules.

               Deidentified Information
               Deidentified Information is information that
               does not identify an individual and with
               respect to which there is no reasonable
               basis to believe that the information
               could be used to identify an individual.
          Under the "safe harbor" method, 18 specified
           identifiers of the individual (and of relatives,
           employers and household members) must be removed
           to deidentify information.
       Business Associate
      Business Associate means, with respect to a Covered
      Entity, a person or entity (other than a member of the
      Covered Entity's workforce) that performs or assists in
      the performance of a function or activity involving the
      use or disclosure of individually identifiable health
      information, including claims processing or
      administration, data analysis, processing or
      administration, utilization review, quality assurance,
      billing, benefit management, practice management and
      repricing, or any other function covered by these
      regulations.
      Business Associate Services
      for a Covered Entity
                      Legal
                      Actuarial
                      Accounting
                      Consulting
                      Data aggregation
                      Management
                      Administrative
                      Accreditation
                      Financial
                   Disclosure to a Business
                   Associate
                      A Covered Entity may disclose
                       protected health information to
                       Business Associates and may allow
                       Business Associates to create or
                       receive protected health information if
                       the Covered Entity obtains satisfactory
                       assurances that the Business Associate
                       will appropriately safeguard the
                       information.
               Preemption of State Law
                      General preemption rule. A
                       requirement or other provision of the
                       HHS Privacy Rule that is contrary to a
                       provision of state law preempts the
                       state law provision unless an exception
                       applies.



               Who Enforces HIPAA Privacy
               Regulations
                      Enforcement of the privacy regulations
                       has been delegated to the Department
                       of Health and Human Services, Office
                       for Civil Rights (OCR)
               Security Standards

                      Final Rule published February 20, 2003
                       (68 FR 8334 et seq.)
                      Compliance Date - April 20, 2005
                       (April 20, 2006 for small health plans)
               Security Rule Obligations
                      Covered entities must:
                          ensure the confidentiality, integrity, and
                           availability of all electronic protected health
                           information (ePHI) the covered entity
                           creates, receives, maintains, or transmits;
                          protect against any reasonably anticipated
                           threats or hazards to the security or
                           integrity of such information;
                          protect against any reasonably anticipated
                           uses or disclosures of such information that
                           are not permitted or required; and
                          ensure compliance by its workforce.
               Flexibility in Implementing the
               Security Rules
                      Greatest advantage

                      Toughest challenge




               Flexibility in Implementing the
               Security Rules
                      Covered entities may use any security
                       measures that allow the covered entity
                       to reasonably and appropriately
                       implement the standards and
                       implementation specifications.




               4 Factors for
               Covered Entity to Consider
                      the size, complexity, and capabilities of the
                       covered entity;
                      the covered entity’s technical infrastructure,
                       hardware, and software security and
                       capabilities;
                      the costs of security measures; and
                      the probability and criticality of potential risks
                       to electronic protected health information.

               Flexibility
                      One size does not fit all.
                      A small physician practice will take
                       different steps than a large hospital
                       system.




               What is Risk Analysis?
                      Conduct an accurate and thorough
                       assessment of the potential risks and
                       vulnerabilities to the confidentiality,
                       integrity, and availability of electronic
                       protected health information held by
                       the covered entity.



               Security Rule and Privacy Rule
                      While Security Rule applies only to
                       electronic PHI, the Privacy Rule applies
                       to all PHI.




               What are Standards?
                      A standard is a general requirement
                       that must be complied with by the
                       covered entity.




               What is an
               Implementation Specification?
                      A more detailed and specific description
                       of the method or approach that a
                       covered entity can use to meet a
                       particular standard.
                      Not all standards have implementation
                       specifications.



               Required Implementation
               Specifications
                      If an implementation specification is
                       required, the covered entity must take
                       action to implement the specification.




               Addressable Implementation
               Specifications
                      Covered entity is not automatically
                       required to implement the specification
                       as written
                      3-step consideration process, and the
                       outcome must be documented
               Addressable Implementation
               Specifications – 3 Steps
                      Assess whether the specification is a
                       reasonable and appropriate safeguard for the
                       covered entity;
                      Implement the specification if reasonable and
                       appropriate; or
                      If implementing the specification would not
                       be reasonable and appropriate, document
                       this fact, and implement “an equivalent
                       alternative measure” if reasonable and
                       appropriate.
               Alternative Approaches
                      Covered entity may also decide that the
                       implementation specification does not
                       apply to it and no measure is
                       necessary;
                      Document the decision-making;
                      Addressable does not mean optional.


                HIPAA Security Rule
                Standards
                      9 Administrative Safeguard Standards
                         12 Required Implementation Specifications
                         11 Addressable Implementation Specifications
                      4 Physical Safeguard Standards
                         4 Required Implementation Specifications
                         6 Addressable Implementation Specifications
                      5 Technical Safeguard Standards
                         4 Required Implementation Specifications
                         5 Addressable Implementation Specifications
               9 Administrative Safeguard
               Standards
                      Security Management Process
                      Assigned Security Responsibility
                      Workforce Security
                      Information Access Management
                      Security Awareness and Training
                      Security Incident Procedures
                      Contingency Plan
                      Evaluation
                      Business Associate Contracts and Other
                       Arrangements
                       12 Required Administrative
                       Implementation Specifications
                      Risk Analysis
                      Risk Management
                      Sanction Policy
                      Information System Activity Review
                      Assigned Security Responsibility
                      Isolating Health Care Clearinghouse Functions
                      Security Incident Response and Reporting
                      Data Backup Plan
                      Disaster Recovery Plan
                      Emergency Mode Operation Plan
                      Periodic Evaluation of Security Policies and
                       Procedures
                      Written Business Associate Contract or
                       Other Arrangements
            11 Addressable Administrative
            Implementation Specifications
                      Workforce Authorization and/or Supervision
                      Workforce Clearance Procedure
                      Workforce Termination Procedures
                      Access Authorization
                      Access Establishment and Modification
                      Security Reminders
                      Protection from Malicious Software
                      Log-in Monitoring
                      Password Management
                      Contingency Plan Testing and Revision
                       Procedures
                      Applications and Data Criticality Analysis
               4 Physical Safeguard
               Standards
                      Facility Access Controls
                      Workstation Use
                      Workstation Security
                      Device and Media Controls




                       4 Required Physical
                       Implementation Specifications
                      Workstation Use
                      Workstation Security
                      Media Disposal
                      Media Re-use




               6 Addressable Physical
               Implementation Specifications
                      Facility Contingency Operations
                      Facility Security Plan
                      Facility Access Control and Validation
                       Procedures
                      Facility Maintenance Records
                      Media Accountability
                      Data Backup and Storage
               5 Technical Safeguard
               Standards
                      Access Control
                      Audit Controls
                      Integrity
                      Person or Entity Authentication
                      Transmission Security



        4 Required Technical
        Implementation Specifications
                      Unique User Identification
                      Emergency Access Procedure
                      Audit Controls
                      Person or Entity Authentication




                5 Addressable Technical
                Implementation Specifications
                      Automatic Logoff (Access Control)
                      Encryption and Decryption (Access Control)
                      Mechanism to Authenticate Electronic
                       Protected Health Information (Integrity)
                      Integrity Controls (Transmission Security)
                      Encryption (Transmission Security)
               Who Enforces HIPAA Security?
                      The Centers for Medicare & Medicaid
                       Services (CMS), not the Office for
                       Civil Rights, which enforces the
                       Privacy Rule.
               Pitfalls to Avoid
                      Avoid the urge to solve known security
                       problems immediately
                      Avoid focusing only on technology
                      Avoid letting technology dictate policy
                      Don’t buy the wrong technology
                      Need time/knowledge to understand
                       security

                   HIPAA Funnies
           A Covered Entity - a HIPAA Joint
           A Business Associate - Joined at the HIPAA
           Pledge - HIPAAcratic Oath
           Wants to Protect Own Privacy, But to Hell With
            Others’ - a HIPAAcrit
           Finds Fault With the Legislation - HIPAAcritical
           Incapacitated by Implementation - A
            HIPAAchondriac
           Been Reading the Rules Way Too Long -
            HIPAAnotized