Maintaining HIPAA Privacy and Security Rule Compliance

1
Maintaining HIPAA Privacy and Security Rule
Compliance

• Bruce D. Armon, Esquire
• Saul Ewing LLP
• 215-972-7985
• OR
• 1-800-355-7777, ext. 7985
• barmon_at_saul.com
• April 27, 2005

2
HIPAAWhat Is This About?
3
HIPAA Overview

• The Health Insurance Portability and
  Accountability Act of 1996 (P.L. 104-191) (HIPAA)
  became law on August 21, 1996. At the time it
  was commonly referred to as Kennedy-Kassebaum
  (after Senators Ted Kennedy (D-MA) and Nancy
  Kassebaum (R-KS) who were instrumental in its
  passage.)

4
HIPAA Key Provisions

• Insurance reform - improve portability and
  continuity of health insurance for groups and
  individuals.
• Extend fraud and abuse prevention measures to all
  types of insurers (not just Medicare/Medicaid),
  and dedicate additional resources to fraud and
  abuse enforcement.
• Administrative simplification - create a
  framework for the standardization of electronic
  data interchange (EDI) in health care, including
  protections for the privacy and security of
  individually identifiable health information.

5
Administrative Simplification

• Electronic Transactions and Code Sets
• Standards
• Privacy Standards
• Security Standards
• Electronic Signature Standards
• Identifier Standards
• Employer Identifier Standard
• Provider Identifier Standard
• Health Plan Identifier Standard
• Individual Identifier Standard

6
Privacy Standards

• Final Rule published December 28, 2000 (65 FR
  82462 et seq.)
• Effective Date - April 14, 2003

• Final Rule, Version II, published August 14, 2002
  (67 FR 53182 et seq.)

7
Privacy Standards
Health information is any information, whether
oral or recorded in any form or medium, that

• Is created or received by a health care provider,
  health plan, public health authority, employer,
  life insurer, school or university, or health
  care clearinghouse and
• Relates to the past, present, or future physical
  or mental health or condition of an individual,
  the provision of health care to an individual, or
  the past, present, or future payment for the
  provision of health care to an individual.

8
Individually Identifiable Health Information

• Individually Identifiable Health Information
  (IIHI) is health information that identifies an
  individual or there is a reasonable basis to
  believe could be used to identify an individual.

9
Protected Health Information

• The focus of the Privacy Rule is Protected Health
  Information (PHI). PHI is IIHI that is
  transmitted or maintained in electronic or any
  other form or medium.

10
Applicability
Privacy Rule applies to covered entities

• Health Plans
• Health Care Clearinghouses
• Health Care Providers

11
Health Care Providers

• Health care providers include any individual or
  entity that is covered as a provider under
  Medicare or any other person or organization that
  provides medical or other services or who
  furnishes, bills or is paid for health services
  or supplies in the normal course of business.

12
Uses and Disclosures of PHI

• When PHI is to be disclosed for purposes of
• Treatment
• Payment
• Health Care Operations

an individuals consent is not required pursuant
to the Final Rule, Version II
13
Administrative Requirements

• Privacy official
• Contact person for complaints
• Training
• Safeguards
• Complaints
• Sanctions
• Mitigation

14
Administrative Requirements (contd)

• Intimidating or retaliatory acts
• Waiver of Rights
• Policies and procedures
• Documentation

15
Administrative Requirements

• Privacy Official
• Designate someone to develop and implement the
  policies and procedures

16
Administrative Requirements

• Contact Person for Complaints
• Designate someone who is responsible for
  receiving complaints and NPP issues

17
Administrative Requirements

• Training
• Train all members of the workforce to carry out
  their respective functions
• Train new members of the workforce as they are
  hired
• Document the training

18
Administrative Requirements

• Safeguards
• Appropriate administrative, technical and
  physical safeguards to protect PHI

19
Administrative Requirements

• Complaints
• Establish a process for individuals to make
  complaints
• Document complaints, and disposition

20
Administrative Requirements

• Sanctions
• Must have and apply against workforce members who
  do not comply, and document sanctions
• Exception for whistleblowers

21
Administrative Requirements

• Mitigation
• Lessen harmful effect known to Covered Entity of
  impermissible use or disclosure of PHI

22
Administrative Requirements

• Intimidation for Retaliatory Acts
• Covered Entity cannot intimidate, threaten,
  coerce, discriminate or take retaliatory action
  against individuals exercising these rights

23
Administrative Requirements

• Waiver of Rights
• Covered Entity may not require an individual to
  waive rights as a condition of treatment,
  payment, enrollment or eligibility

24
Administrative Requirements

• Policies and Procedures
• Implement policies and procedures
• Change as necessary, including changes in law

25
Administrative Requirements

• Documentation
• Maintain policies and procedures in written or
  electronic form
• Maintain communications required to be in writing
• Retain for six years from date of creation or
  date when last in effect, whichever is later

26
Privacy Rule Compliance Issues

• Notice of Privacy Practices
• Authorization
• Oral Communications
• Accounting for Disclosures
• Deidentified Information
• Business Associates
• Preemption

27
Notice of Privacy Practices

• Plain language
• Uniform header
• Identify uses and disclosures
• Individual rights
• Covered Entitys duties
• Complaints
• Contact Person

28
Notice of Privacy Practices

• Changes to Notice of Privacy Practices
• Written acknowledgment of receipt of Notice of
  Privacy Practices
• Web page availability
• OHCAs

29
Authorization

• Valid authorizations
• Defective authorizations
• Compound authorizations
• Conditioning authorizations
• Revoking authorizations

30
Oral Communications

• Privacy Rule applies to individually identifiable
  health information in all forms, electronic,
  written, and oral.
• If oral communications were not covered, any
  protected health information could be disclosed
  to any person as long as the disclosure was by
  the spoken word.

31
Accounting for Disclosures

• Grants individuals the right to request and
  receive an accounting of disclosures of ones
  protected health information.
• Time frame 6 years prior to the date on which
  the accounting is requested.
• Exceptions to the accounting rules.

32
Deidentified Information

• Deidentified Information is that which does not
  identify an individual or with respect to which
  there is no reasonable basis to believe that the
  information could be used to identify an
  individual.

• 19 data elements must be removed to deidentify
  information

33
Business Associate

• Business Associate means with respect to a
  Covered Entity (other than as a member of the
  workforce) an entity that performs or assists
• In the performance of a function or activity
  involving the use or disclosure of individually
  identifiable health information, including claims
  processing or administration, data analysis,
  process or administration, utilization review,
  quality assurance, billing, benefit management,
  practice management and repricing, or any other
  function covered by these regulations.

34
Business Associate Services for a Covered Entity

• Legal
• Actuarial
• Accounting
• Consulting
• Data aggregation

• Management
• Administrative
• Accreditation
• Financial

35
Disclosure to a Business Associate

• A Covered Entity may disclose protected
  health information to Business Associates and
  may allow Business Associates to create or
  receive protected health information if the
  Covered Entity obtains satisfactory assurances
  that the Business Associate will appropriately
  safeguard the information.

36
Preemption of State Law

• General preemption rule. A requirement or other
  provision of the HHS Privacy Rule that is
  contrary to a provision of state law preempts the
  state law provision unless an exception applies.

37
Who Enforces HIPAA Privacy Regulations

• Enforcement of the privacy regulations has been
  delegated to the Department of Health and Human
  Services, Office of Civil Rights

38
Security Standards

• Final Rule published February 20, 2003 (68 FR
  8334 et seq.)
• Effective Date - April 20, 2005

39
Security Rule Obligations

• Covered entities must
• ensure the confidentiality, integrity, and
  availability of all electronic protected health
  information (ePHI) the covered entity creates,
  receives, maintains, or transmits.
• protect against any reasonably anticipated
  threats or hazards to the security or integrity
  of such information.

40
Covered Entities

• protect against any reasonably anticipated uses
  or disclosures of such information that are not
  permitted or required.
• ensure compliance by its work force.

41
Flexibility in Implementing the Security Rules

• Greatest advantage
• Toughest challenge

42
Flexibility in Implementing the Security Rules

• Covered entities may use any security measures
  that allow the covered entity to reasonably and
  appropriately implement the standards and
  implementation specifications.

43
4 Factors for Covered Entity to Consider

• the size, complexity, and capabilities of the
  covered entity
• the covered entitys technical infrastructure,
  hardware, and software security and capabilities
• the costs of security measures and
• the probability and criticality of potential
  risks to electronic protected health information.

44
Flexibility

• One size does not fit all.
• A small physician practice will take different
  steps than a large hospital system.

45
What is Risk Analysis?

• Conduct an accurate and thorough assessment of
  the potential risks and vulnerabilities to the
  confidentiality, integrity, and availability of
  electronic protected health information held by
  the covered entity.

46
Security Rule and Privacy Rule

• While Security Rule applies only to electronic
  PHI, the Privacy Rule applies to all PHI.

47
What are Standards?

• A standard is a general requirement that must be
  complied with by the covered entity.

48
What is an Implementation Specification?

• A more detailed and specific description of the
  method or approach that a covered entity can use
  to meet a particular standard.
• Not all standards have implementation
  specifications.

49
Required Implementation Specifications

• If an implementation specification is required,
  the covered entity must take action to implement
  the specification.

50
Addressable Implementation Specifications

• Covered entity does not need to take action
• 3-step consideration process

51
Addressable Implementation Specifications 3
Steps

• Assess whether the specification is a reasonable
  and appropriate safeguard for the covered entity
• Implement the specification if reasonable and
  appropriate or
• If implementing the specification would not be
  reasonable and appropriate, document this fact,
  and implement an equivalent alternative measure
  if reasonable and appropriate.

52
Alternative Approaches

• Covered entity may also decide that the
  implementation specification does not apply to it
  and no measure is necessary
• Document the decision-making
• Addressable does not mean optional.

53
HIPAA Security Rule Standards

• 9 Administrative Safeguard Standards
• 12 Required Implementation Specifications
• 11 Addressable Implementation Specifications
• 4 Physical Safeguard Standards
• 4 Required Implementation Specifications
• 6 Addressable Implementation Specifications
• 5 Technical Safeguard Standards
• 4 Required Implementation Specifications
• 5 Addressable Implementation Specifications

54
9 Administrative Safeguard Standards

• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other
  Arrangements

55
12 Required Administrative Specifications

• Risk Analysis
• Risk Management
• Sanction Policy
• Information System Activity Review
• Assigned Security Responsibility
• Isolating Health care Clearinghouse Function
• Security Incident Response and Reporting

• Data Backup Plan
• Disaster Recovery Plan
• Emergency Mode Operation Plan
• Period Evaluation of Security Policies and
  Procedures
• Written Business Associate Contract or Other
  Arrangements

56
11 Addressable Administrative Implementation
Specifications

• Workforce Authorization and/or Supervision
• Workforce Clearance Procedure
• Workforce Termination Procedures
• Access Authorization Management
• Access Establishment and Modification

• Security Reminders
• Protection from Malicious Software
• Log-in Monitoring
• Password Management
• Contingency Plan Testing and Revision Procedure
• Applications and Data Criticality Analysis

57
4 Physical Safeguard Standards

• Facility Access Controls
• Workstation Use
• Workstation Security
• Device and Media Controls

58
4 Required Physical Implementation Specifications

• Workstation Use
• Workstation Security
• Media Disposal
• Media Re-use

59
6 Addressable Physical Implementation
Specifications

• Facility Contingency Operations
• Facility Security Plan
• Facility Access Control and Validation Procedures
• Facility Maintenance Records
• Media Accountability
• Data Backup and Storage

60
5 Technical Safeguard Standards

• Access Control
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security

61
4 Required Technical Implementation Specifications

• Unique User Identification
• Emergency Access Procedure
• Audit Controls
• Person or Entity Authentication

62
5 Addressable Technical Implementation
Specifications

• Automatic Access Logoff
• Access Encryption and Decryption
• Mechanism to Authenticate Electronic Protected
  Health Information
• Transmission Integrity Controls
• Transmission Encryption

63
Who Enforces HIPAA Security?

• CMS unlike the Privacy Rule.

64
Pitfalls to Avoid

• Avoid the urge to solve known security problems
  immediately
• Avoid focusing only on technology
• Avoid letting technology dictate policy
• Dont buy the wrong technology
• Need time/knowledge to understand security

65
HIPAA Funnies

• A Covered Entity - a HIPAA Joint
• A Business Associate - Joined at the HIPAA
• Pledge - HIPAAcratic Oath
• Wants to Protect Own Privacy, But to Hell With
  Others - a HIPAAcrit
• Finds Fault With the Legislation - HIPAAcritical
• Incapacitated by Implementation - A
  HIPAAchondriac
• Been Reading the Rules Way Too Long -
  HIPAAnotized