What is HIPAA?
• The Health Insurance Portability and
y Act of 1996
Accountability
BASIC QUESTIONS AND
ANSWERS
What Does HIPAA do?
• Creates national standards to protect
individuals' medical records and other
personal health information (PHI).
• PHI is more than records!! It includes:
– Return to Work Notes
– Patient
P i
Lists
Li
– EOBs
To Whom Does HIPAA Apply?
• Any physician or practice that submits
y, and/or anyy
claims electronically,
Medicare participating practice with
p y
more than ten full-time employees.
TRANSACTION SETS
UPDATE
• failure to abide by the standard code set
your p
practice may
y not gget
rules means y
paid on any of its electronic claims to
y third p
partyy p
payor.
y
Medicare or any
Transaction Code Update
• universal language for the electronic
submission of health care information,,
and use established standard code sets
such as ICD-9 and HCPCS
• a letter of HIPAA compliance should be
sought from clearinghouses and software
manufacturers;
Privacy Rule
What Must a Physician Do to
Comply?
• Provide information to patients concerning their
privacy rights.
• Adopt clear, written privacy standards for the
practice.
• Train employees.
employees
• Designate a compliance officer
• Secure patient records.
records
Standard: Disclosures of PHI
must be the minimum necessary
to accomplish the intended
purpose.
purpose
Standard: Physicians must
include standards on oral
communications in their Policies
and Procedures
Procedures.
obtain assurances that business
associates (e.g.,
(e g billing agencies)
will use PHI only for the
purposes for which they were
engaged by the practice
practice. They
also must abide by HIPAA,
report and mitigate unauthorized
disclosures.
disclosures
HITECH
BAs must now disclose
disclose, mitigate
mitigate,
and otherwise abide byy HIPAA
Privacy and Security regulations
P lti ffor All Vi
Penalties
Violations
l ti
Increased to $10,000
$ ,
Inspectors Increased
Standard: Only the parent or
legal guardian of child has right
to access records.
records
Standard: Any use of PHI for
fundraising or marketing must be
specifically authorized by patient.
Standard: Use of PHI for
research is allowed so long as
identifiable
d
f bl health
h l h information
f
is
redacted.
redacted
Standard: Medicare and
Medicaid must comply with the
new requirements.
requirements
Standard: Physicians may use
PHI for payment purposes, but
patient may withhold
hh ld permission
to release information for which
patient paid in full.
$$$
HIPAA SECURITY RULE
Basic Elements
• “Reasonable” is key word
• Privacy Officer Can be Security Officer
18 standards
• Most are similar to Privacy Rule
Administrative Safeguards
• Security Management Process Standard:
– risk analysis
– risk management
– a sanction policy,
– information
i f
ti system
t review.
i
– For small offices, these steps may be taken internally, and
do not require the engagement of so-called HIPAA
experts.
Administrative Safeguards
• Assigned Security Responsibility Standard: A
HIPAA Security Officer must be named, who may
be the same person as the HIPAA Privacy Officer.
Officer
• Workforce Security Standard: The practice
must determine who should have access to PHI and
under what circumstances, and must ensure that
such access is terminated upon termination of an
employment Only those staff members with a need
employment.
to have access to PHI for a specific purpose will be
allowed access to PHI.
Administrative Safeguards
• Information Access Management Standard:
Likewise, offices must have policies and procedures
as to how authorized persons may access
information, such as passwords for electronic
information.
• Security Awareness and Training Standard:
All staff must be trained in the new security
standard.
standard
Administrative Safeguards
• Security Incident Procedures Standard:The
office must have policies and procedures to deal
with unauthorized disclosures; must require
identification and response to unauthorized
disclosures, mitigation of harmful effects, and
document the incidents and their outcomes.
• Contingency Plan Standard: Likewise, the office
must have policies to deal with the sudden loss of
PHI through data backup, an emergency plan, and
testing and revision procedures.
Administrative Safeguards
• Evaluation Standard:
Periodic evaluation to
determine if Practice is in compliance with the
Security Regulations.
• Business Associates Standard: As in the Privacy
Rule, Business Associates must guarantee that they
will provide security for PHI. The Business
Associate Letter incorporated into this Manual is
designed to meet this requirement.
Physical Safeguards
• Facility Access Controls Standard:
The
covered entity must have policies and procedures to
control access to PHI and the facility itself.
• Workstation Use Standard:
Covered entities
must have policies and procedures detailing what
may or may not be done at a workstation. For
instance, a ban on using the internet for personal use
may be appropriate.
Physical Safeguards
• Workstation Security Standard: Policies and
procedures must be developed and implemented to
ensure that only authorized employees have access
y
barriers ((such as doors and
to workstations. Physical
locks) and passwords are tools to comply with this
requirement.
Physical Safeguards
• Device and Media Controls Standard: Offices
must have policies to ensure that hardware,
software, and media storage (e.g., floppy disks) are
p
, reused or leavingg the
erased before beingg disposed,
building. This Practice will not dispose of any media
storage vehicle without first erasing all data from the
vehicle.
vehicle
Technical Safeguards
• Access Control Standard: Access to electronic
PHI must be restricted by office policies, which
include unique user identification and emergency
access procedures.
• Audit Controls Standard: The actual systems
y
that
house PHI must be audited/inspected periodically to
ensure the integrity of electronic PHI.
Technical Safeguards
• Integrity Standard:
Policies and Procedures
must be in place to ensure that electronic PHI cannot
be inappropriately altered or destroyed.
destroyed
• Person or Entity Authentication Standard:
A
mechanism must be in pplace to authenticate the
identity of those who gain access to electronic PHI.
Passwords are a typical form of authentication.
Technical Safeguards
• Transmission Security Safeguard:
p to
Covered entities must take steps
minimize the chance of unauthorized access
to electronic transmissions of PHI. Business
Associate Agreements and routine audits
p
this ggoal.
are to be used to accomplish
Unique Provider Identification
Number (NPI)
• Now Available from CMS.
• Information Publicly Available
2013 CHANGESIMPLEMENTATION
REQUIRED BY SEPTEMBER
22, 2013
• FINES INCREASED TO UP TO
$1,500,000
GOT YOUR ATTENTION?
• Business Associates are directly
p
for complying
p y g with Privacy
y
responsible
and Security Regulations
• Patients may request their records
electronically
• P
Patients
ti t may withhold
ithh ld permission
i i to
t send
d
PHI to insurers if patients paid in full
th
themselves.
l
REPORTING
• COVERED ENTITIES MUST NOW
REPORT ALL BREACHES BY END
OF CALENDAR YEAR IN WHICH
THEY OCCUR.