HIPAA: Direct Training For Health Care Workforce

HIPAA: Direct Training for Health Care Workforce
Presented by: Marguerite Ahmann, Briar Andresen and Katie Ilten
June 10, 2020

Overview
- Enforcement landscape
- HIPAA basics
  – Privacy Rule
  – Security Rule
  – Breach Notification Rule
- Common HIPAA issues
- Hypotheticals
- Q&A
2020 Fredrikson & Byron, P.A.

Acronyms
- CE – Covered entity
- BA – Business associate
- BAA – Business associate agreement
- PHI – Protected health information
- NPP – Notice of privacy practices
- OCR – Office for Civil Rights
- CMP – Civil money penalty

What is HIPAA?
- Health Insurance Portability and Accountability Act
- Protects “protected health information” or PHI
- Gives individuals certain rights with regard to PHI
- Privacy, security and breach notification components
- Sets a floor for the protection of health information

Enforcement
- The Office for Civil Rights enforces HIPAA
- There is no private right of action under HIPAA
- State attorneys general can bring a civil action on behalf of state residents for HIPAA violations
- Most OCR enforcement actions arise out of investigations of complaints. OCR may also conduct compliance reviews of CEs and BAs.

Enforcement
- Who can get into trouble?
  – Covered entities
  – Business associates
  – Individuals (egregious, criminal circumstances)
- Potential penalties/enforcement action?
  – Resolution agreement
  – Civil money penalty (i.e., civil fine)
  – Criminal fine and/or imprisonment

Civil Money Penalties (slide content not transcribed)

State Law
- Some state laws are stricter than HIPAA – i.e., state law may prohibit a CE from making disclosures that HIPAA would otherwise permit
- Where the state law is more protective of health information, follow the state law
- Incorporate state law into policies
- Train staff on state law

Privacy Rule Basics
- HIPAA permits these uses and disclosures:
  – Disclosure to the individual/personal representative
  – Treatment, payment and health care operations
  – Required by law
  – Business associates
  – As authorized by the patient
  – Other

Other Permitted Disclosures – HIPAA**
- Disclosure to family/friends
- Public health activities
  – To public health authority
  – To report child abuse/neglect
  – To FDA
- Law enforcement purposes
- Abuse, neglect and domestic violence
- Research
- Workers’ compensation
- Judicial and administrative proceedings
**Remember that state law may be more protective.

Disclosure to Family/Friends
- When individual is present (and has capacity) and:
  – Agrees or has previously agreed; or
  – Has had the opportunity to object and does not; or
  – It can be reasonably inferred from the circumstances that the person does not object.
- When individual is unable to consent in an emergency:
  – When professional determines it is in patient’s best interests; and
  – Only as directly relevant to the person’s involvement in care.
- May use professional judgment to make reasonable inferences about who is permitted to pick up prescriptions, supplies or other similar forms of disclosures of PHI

Incidental Disclosures
- Allowed if a byproduct of another permissible or required use or disclosure
- CE must have “reasonable safeguards” to protect against impermissible uses and disclosures
- CE must also use “minimum necessary” policies and procedures

Incidental Disclosures
- Examples:
  – Health care staff may orally coordinate services at nursing stations
  – Nurses or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider or a family member
  – A physician may discuss a patient’s condition or treatment regimen in the patient’s semi-private room
- All about reasonableness

Minimum Necessary
- Use and disclose only the minimum amount of PHI necessary to accomplish the purpose of the request, use or disclosure
  – Internal uses: use/disclosure should be consistent with job responsibilities

Minimum Necessary
- The minimum necessary standard does not apply to the following:
  – Disclosures to or requests by a health care provider for treatment purposes
  – Uses and disclosures by or to a patient of his or her own PHI
  – Disclosures made under a valid authorization
  – Disclosures to public officials when disclosure is required by law and the official represents that the information requested is the minimum required for the purpose

Business Associates
- CE must have a Business Associate Agreement with every Business Associate
- A Business Associate is a person or entity that creates, receives, maintains or transmits PHI on behalf of the CE (e.g., document storage companies, IT vendors, shredding companies, lawyers, outside coders)

De-identification
- Once information has been de-identified, it is no longer considered PHI
- “De-identified Information” is NOT PHI
  – Doesn’t identify an individual AND
  – No reasonable basis to identify individual
- Two ways to accomplish de-identification
  – Qualified statistical expert OR
  – Safe harbor

De-identification – Safe Harbor
Identifiers that must be removed:
- Name
- Geographic subdivisions – including zip code
- Elements of dates (except year)
- Telephone number
- Fax number
- E-mail
- SSN
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- License plate number
- Device identifiers
- URLs
- IP address
- Biometric identifiers including fingerprints and voice prints
- Full face photographic images
- Any other unique identifying characteristic or code
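The safe harbor list above is mechanical enough to automate, and a release pipeline should both scrub a record and then audit the result before anything leaves the CE. The following is an added example, not code from the presentation or from Fredrikson & Byron: it scrubs a constructed sample record (the field names, the regular-expression formats and the patient data are all assumptions made up for this example) by dropping direct-identifier fields, keeping only the state from the geographic fields, reducing dates to the year, and replacing identifiers embedded in free-text notes. A second function reports any identifier kind still detectable, which is the check you would run before treating the output as de-identified.

```python
"""Safe-harbor de-identification of a structured record plus free-text notes.

Added example (not from the presentation). Field names, regex formats and the
sample patient record are assumptions constructed for this example.
"""
import copy
import re
from datetime import date

# Fields holding a direct identifier from the safe-harbor list; dropped outright.
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "license_plate", "device_id",
    "url", "ip_address", "biometric", "photo",
}
# Geographic subdivisions below the state level are dropped; "state" is kept.
GEO_DROP_FIELDS = {"street", "city", "zip"}
# Date fields keep only the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Patterns for identifiers embedded in free text (assumed US-style formats).
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),  # MM/DD/YYYY -> year only
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def year_only(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year, as safe harbor allows."""
    return date.fromisoformat(iso_date).strftime("%Y")


def scrub_text(text: str) -> str:
    """Replace identifiers found in free text; dates are reduced to their year."""
    text = TEXT_PATTERNS["date"].sub(lambda m: m.group(0)[-4:], text)
    # Order matters: SSN before phone, URL before e-mail, IP before zip.
    for kind in ("ssn", "phone", "url", "email", "ip", "zip"):
        text = TEXT_PATTERNS[kind].sub(f"[{kind.upper()}]", text)
    return text


def scrub_record(record: dict) -> dict:
    """Return a de-identified copy of a structured record per the safe-harbor list."""
    out = copy.deepcopy(record)
    name_tokens = str(out.get("name", "")).split()
    for field in DROP_FIELDS | GEO_DROP_FIELDS:
        out.pop(field, None)
    for field in DATE_FIELDS:
        if field in out:
            out[field] = year_only(out[field])
    if "notes" in out:
        notes = scrub_text(out["notes"])
        # The record's own name tokens are the one name we know to look for;
        # names of other people in the notes need a dictionary or NER pass.
        for token in name_tokens:
            notes = re.sub(rf"\b{re.escape(token)}\b", "[NAME]", notes)
        out["notes"] = notes
    return out


def residual_identifiers(record: dict) -> list:
    """Audit check: list (field, identifier kind) pairs still detectable in string fields."""
    found = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in TEXT_PATTERNS.items():
            if kind == "date":
                continue  # a bare year is permitted under safe harbor
            if pattern.search(value):
                found.append((field, kind))
    return found


SAMPLE_RECORD = {  # constructed sample data, not a real patient
    "name": "Jane Q. Sample",
    "dob": "1984-03-14",
    "admit_date": "2020-06-10",
    "street": "123 Example St",
    "city": "Anytown",
    "state": "MN",
    "zip": "55401",
    "phone": "612-555-0100",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "ip_address": "192.0.2.10",
    "diagnosis": "Type 2 diabetes",
    "notes": ("Jane called from 612-555-0100 on 06/12/2020; follow-up portal "
              "message sent to jane.sample@example.com. Lives in 55401."),
}

if __name__ == "__main__":
    cleaned = scrub_record(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

Run the audit on the scrubbed output, not on the input: an empty residual list is the condition for release, and a non-empty one means a field or a free-text format the scrubber did not anticipate. Two safe-harbor requirements the slide does not spell out still apply to the output: ages over 89 must be aggregated into a single category, and the CE must have no actual knowledge that the remaining data could identify the individual, so a regex pass alone is a necessary but not sufficient check.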

Patient Rights
- Right to access
- Right to request restrictions
- Right to amend
- Right to an accounting of disclosures
- Right to confidential communications

Patient Rights: Access
- A CE has 30 days to provide access
  – One-time 30-day extension
  – If person requests an electronic copy of PHI maintained in a designated record set, must provide access in electronic form/format requested by person, if readily producible, or (if not) in readable electronic format as agreed by CE and individual
- If the EHR has links to images or other data, the images/data must also be included in the electronic copy provided to the individual

Patient Rights: Access
- Can send an unencrypted email if CE advises individual of risk and individual still chooses that method
- Not required to permit the patient to use their own portable external media, but a CE can’t make a patient buy a thumb drive
- You must have a reasonable electronic format: consider encrypted emails, CD-ROMs with PDFs

Patient Rights: Access
- If requested by an individual, a CE must transmit the copy of PHI directly to another person designated by the individual
- Request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of the PHI
- Different from an authorization

Patient Rights: Access
- Charging patients – “reasonable, cost-based fee”
- Permits charging only for the labor costs of copying PHI, supplies, postage and labor to prepare summary/explanation (if agreed to in advance)
- Not OK to charge a retrieval fee
- Not supposed to be a revenue stream
- Consider state laws – but keep in mind what is “reasonable”

Patient Rights: Access
- Three options:
  – Actual costs
  – Average costs
    · Can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests
    · Can add any applicable supply/postage costs
    · Can be calculated/charged as a per-page fee only when in paper form
  – Flat fee for electronic copies maintained electronically
    · $6.50
    · Includes labor, supplies and postage

Patient Rights: Access
- Unencrypted email:
  – Permitted only if the CE advises individual of the risk of no encryption and the individual agrees in writing to receive the unencrypted email
- Reasonable electronic formats:
  – Not required to permit the patient to use their own portable external media
  – A CE cannot make a patient buy a thumb drive
  – Consider patient portals, encrypted emails, or encrypted flash drive with PDF

Patient Rights: Restrictions
- Right to request restrictions to health plan when paying in full
  – Exception when disclosure is required by law
  – If patients don’t pay, CE can bill insurance
  – Can ask patients to pay up front
  – Can require prepayment where precertification would otherwise be required

Other Patient Rights
- Right to Request Confidential Communications
  – Must agree to reasonable requests, can’t ask why
- Right to Amendment
- Right to Accounting of Disclosures
  – Must account for certain disclosures
  – Don’t need to account for:
    · Treatment, payment or health care operations disclosures
    · To individual
    · Incidental/authorized
    · Facility directory
    · National security
    · More than six years prior

Marketing, Fundraising or Sale of PHI
- Use of PHI to make a subsidized marketing communication requires an authorization
- Sale of PHI requires an authorization
- Use of limited PHI for fundraising purposes is okay
- Take away: tread carefully!!

HIPAA Authorization
- Receipt of notice of privacy practices is NOT a substitute for a HIPAA authorization
- Requires certain language –
  – Purpose of use/disclosure
  – Right to revoke
  – When CE may condition treatment, etc.

Security Rule
- Requires covered entities to protect the “confidentiality, integrity, and availability” of electronic PHI
- Administrative, physical and technical safeguards
- A ton of guidance from OCR
  – Still difficult to comply completely
  – Need to be vigilant

Security Rule
- Must perform a security risk assessment and implement protections based on the risk assessment
- Protect against reasonably anticipated threats
- Risk assessment is an ongoing process to determine risks to ePHI, wherever it is

Examples of Threats
- Theft
- Loss
- Malware/hacking/ransomware
- Snooping employee
- Emailing PHI to wrong recipient
- Inadvertent disclosures (exam room PCs)
- Natural disaster

Security Rule
- CE determines who is responsible for developing and implementing Security Rule policies
- Identify which employees need access to ePHI, and what level of access is required
- Provide security awareness and training

Security Rule
- Encryption is not required for every CE, but “reasonable” security measures are required
  – OCR may decide that encryption is reasonable for your organization
  – Safest option: if you *can* encrypt, you should . . .

Security Rule
- Encrypt, encrypt, encrypt:
  – Laptops
  – Phones
  – Flash drives
  – iPads
  – Desktops
- Use passwords as well
- Do periodic Security Rule audits
- If something is NOT encrypted, use extreme caution!

Malware
Anchorage Community Mental Health Services paid $150,000 and adopted a corrective action plan after a breach of unsecured ePHI caused by a malware incident affected 2,743 individuals. The investigation revealed ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

Mobile Devices and HIPAA
- Password protect
- Auto lock/logoff
- Regularly install security patches and updates
- Install or enable encryption, anti-virus/anti-malware software and remote wipe
- Privacy screen
- Don’t use that camera

Mobile Devices and HIPAA
- Use only secure Wi-Fi connections
- Use secure VPN
- Prohibit downloading of third-party apps?
- Delete all PHI before discarding or reusing

Breaches
- What is a breach?
  – An impermissible use or disclosure of “unsecured PHI” is presumed to be a breach unless CE (or BA) can demonstrate that there is a low probability that the PHI has been compromised
- What is “unsecured PHI”?
  – PHI that has not been rendered unusable and unreadable, or encrypted

Not a Breach!
- Unintentional acquisition or access or use of PHI by an employee if made in good faith and in scope of authority AND doesn’t result in further use/disclosure in violation of the rule
- Disclosure made to unauthorized individual who couldn’t reasonably retain the information

Breaches
- Factors to assess the probability that PHI has been compromised:
  – Nature and extent of PHI involved, including identifiers and likelihood of reidentification
  – Unauthorized person who used the PHI or to whom the disclosure was made
  – Whether PHI was actually acquired or viewed
  – Extent to which the risk to the PHI has been mitigated
  – Other factors may be considered “where necessary”

What if there is a breach?
- CE must report:
  – To the individual
  – To the government
    · Annually, in the CE’s breach notification log; and
    · Right away, if the breach involves more than 500 people
  – To the media, if the breach involves more than 500 people
  – May name individuals or BA in notification

Consequences of a Breach
- Potential bad press
- Financial costs of breaches:
  – Attorney and consultant fees
  – Computer forensic analysis
  – Extra staff time
  – Employee discipline and termination/HR costs
  – Potential penalties (breach reporting is where the government gets much of its information on who is noncompliant)

Employee Sanctions
- A CE is required by law to sanction employees who violate the HIPAA Privacy or Security Rule
- Any violations of HIPAA will be handled under CE’s employee discipline policy, similar to other employee discipline issues
- Sanctions for using or disclosing PHI could include termination of employment, depending on the nature of the violation

Hypothetical 1
The patient’s chart, with name clearly displayed, is attached to the outside door of the examining room for passersby to notice. Is this a HIPAA violation? A breach?

Hypothetical 2
Patient brings spouse to every appointment, and spouse sits in the exam room each time. Spouse calls for results of patient’s biopsy. May the CE disclose the results to spouse?

Hypothetical 3
A hospital employee sees his neighbor at the hospital one morning and later posts on the neighbor’s Facebook page, “It was great to see you today!” Is this a HIPAA violation? A breach?

Hypothetical 4
A clinic sends an itemized bill to the wrong mailing address; the bill includes the patient’s name, CPT codes for services received and patient due amounts. Is this a HIPAA violation? A breach?

Hypothetical 5
A clinic sends a group email to patients who may be interested in weight management counseling. The sender fails to “blind copy” the recipients; instead, all of the recipients are visible to each other. Is this a HIPAA violation? A breach?

Hypothetical 6
A fitness app developer asks a primary care clinic for a patient list so that the app developer can provide information about the app to patients who have asked the clinic for fitness resources. May the clinic provide the list to the fitness app developer?

Presenters
Marguerite Ahmann
612.492.7495
mahmann@fredlaw.com

Briar Andresen
612.492.7057
bandresen@fredlaw.com

Katherine Ilten
612.492.7428
kilten@fredlaw.com
