2024 HIPAA Regulations and Strategies for Compliance Officers

1
HIPAA Training for the Compliance Officer
Brian L. Tuttle, CPHIT, CHA, CHP, CBRA, CISSP,
CCNA, Net
2

• The Health Insurance Portability Act of 1996
  (HIPAA)
• Enacted by the United States Congress and signed
  by President
• Clinton in 1996.

3

• Bi-partisan bill also known as the
  Kennedy-Kassebaum Act named after two of its
  major sponsors
• Senator Ted Kennedy (D) Massachusetts
• Senator Nancy Kassebaum (R) Kansas

4
The Bush Years

• Technical corrections to the law
• Mandates that OCR enforce HIPAA.
• HHS allowed the public to make comments on what
  modifications, if any, should be made to the
  Privacy Rule
• 2003, the Privacy Rule was finalized and covered
  entity compliance was required by April 14 of
  2003.

5
The Obama Years
In 2009, President Obama signed the Health
Information Technology for Economic and Clinical
Health Act HITECH Act. Introduced as part of
the the American Recovery and Reinvestment Act,
or ARRA. The HITECH Act introduced incentives to
improve technology infrastructure and to
encourage providers to switch to electronic
health record (EHR) platforms. Breach
Notification Rule introduced, requires covered
entities and business associates to report data
breaches to OCR, and to provide notice of a
breach to individuals affected by the
breach. Enforcement Rule introduced, providing
for a tiered financial penalty system.
6
Privacy Rule

• In general, the Privacy Rule covers protected
  health information (PHI) in all forms.
• The Privacy Rule sets the standards spelling out
  how you should control PHI
• More analytical based on dos and dont.s

7
Security Rule
The Security Rule only covers PHI in electronic
form. The Security Rule defines the standards
that you must implement to provide basic
safeguards to protect EPHI More abstract and
based on risk
8
Again, the HIPAA Privacy Rule vs. HIPAA Security
Rule
whats the difference?

• HIPAA Privacy Rule - defined as the right of an
  individual to keep his/her individual health
  information from being disclosed. Privacy
  encompasses controlling who is authorized to
  access patient information and under what
  conditions patient information may be accessed,
  used and/or disclosed to a third party. The HIPAA
  Privacy Rule applies to ALL protected health
  information.
• HIPAA Security Rule - mechanisms in place to
  protect the privacy of electronic health
  information - includes the ability to control
  access to patient information, as well as to
  safeguard patient information from unauthorized
  disclosure, alteration, loss or destruction.
  Security is typically accomplished through
  operational and technical controls. Since so much
  PHI is now stored and/or transmitted by computer
  systems, the HIPAA Security Rule was created to
  specifically address ELECTRONIC protected health
  information.

9
Business Associate (Definition)

• 2024 will show increased enforcement on BAs
• Business Associates (BAs) are individuals or
  entities who create, receive, maintain, or store
  private health information on behalf of a covered
  entity.
• Example Answering Services, Medical
  Transcription, IT groups, Billing companies,
  shredding services are clearly under the auspices
  of Business Associate

10
Risks of Telemedicine (Telecommuting)

• Telecommuting Policy Should be in Place
• Ideally a good telecommuting program includes
  working a paperless work environment (less risks)
• Under no circumstances should practice business
  information or participant information be
  disclosed in any way to individuals who are not
  privy to such information.

11
Telecommuting

• Telecommuting does not replace the need for child
  or dependent care.
• All staff members should be expected to make
  arrangements for children or dependents that
  require care to ensure that they do not interfere
  with your performance expectations and/or be
  privy to any confidential patient interactions.
• Acceptable arrangements include an off-site day
  care or another primary caregiver in your home.
• No one other than the employee should be allowed
  to use the practice owned computer or personally
  owned computers (if used to access, transmit, or
  store PHI)

12
HIPAA PRIVACY RULE CHANGES TO TAKE AFFECT IN 2024

1. Changes to Right of Access
2. Changes relating to Care Coordination and
   Information Sharing
3. Necessity to update the Notice of Privacy
   Practices

13
Right of Access

• Allows patients right to take notes and use
  personal resources
• such as a smartphone to take pics of their PHI
• Changes in Response Time for Requests timeframe
  for requests change from 30 days with optional 30
  day extension to 15 days with an optional 15 day
  extension
• Rights to PHI in Form and Format Requested by
  Patient readily
• producible copies of PHI (to include EPHI) must
  be provided through secure application program
  interfaces (APIs) via applications chosen by the
  individual
• Requirement to deliver copies of PHI in any form
  and format
• required by applicable state or other laws

• Eased Identity Verification prohibits covered
  entities from imposing unreasonable verification
  measures such as notarized signatures or proof of
  identification in person (when other credible,
  more convenient methods are available)

14
Mitigating Steps for Theft

• HARDWARE ENCRYPTION
• Remote Tracking GPS tracking ability, this is
  now standard on iPHones using Find my iPhone
  function
• Remote Disabling secondary layer of protection
  but
• will not protect if SIM card was stolen first.
• Remote Memory Wipe must be installed prior via
  app or function (last resort)

15
2024 Mobile Devices

• HHS issued guidance addressing the extent to
  which PHI is protected on mobile devices.
  Although the HIPAA Privacy Rule and Security Rule
  (protecting PHI when maintained or transmitted
  electronically) provide protections for the use
  and disclosure of PHI held or maintained by
  covered entities and their business associates,
  they do not address PHI accessed through or
  stored on personal devices owned by individual
  patients.
• Example although PHI maintained on electronic
  devices owned by a covered entity would be
  protected from disclosure by HIPAA, once a
  patient downloads that information to a personal
  device, HIPAA would no longer protect it.

16
TEXTING Positives in Healthcare

• Texting CAN provide great advantages in health
  care
• Appointment Reminders (2024 - MUST OPT IN FOR
  MENTAL HEALTH AND SUBSTANCE ABUSE)
• Fast
• Easy
• Loud background noise problems are mitigated
• Bad signal issues mitigated
• Device neutral

17
TEXTING Negatives in Healthcare

• Reside on device and not deleted
• Very easily accessed
• Not typically centrally monitored by IT
• Can be compromised in transmission relatively
  easy
• HIPAA Privacy Rule requires disclosure of PHI to
  patient (i.e. text message is used to make a
  judgement in patient care)
• CANNOT TEXT PATIENT ORDERS UNLESS ENCRYPTED

18
2020, 2021, and 2022 Violations Fines

• The last few years of investigations and
  violations
• confirmed many suspicions
• Small providers had many more issues than the
  larger
• ones
• Healthcare providers and Business Associates had
  more issues than clearinghouses or plans
• HIPAA Security Rule is the biggest concern (65)
  compared to HIPAA Privacy (26) and Breach
  Notification Rule (9)
• NOTE As it relates to fines the HIPAA Security
  Rule
• brought in over 90

19
Best Course of Action
20
THE END
QA Thank-You
Register Now