
George Bailey, MS, CISSP, GCIH
LuAnn Keyton, MBA, CRISC, CHP, HCISPP

Purdue Healthcare Advisors

How many of you believe your practice is HIPAA compliant?

Why bring this topic to the Indiana Dental Association?

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (regulations at 45 C.F.R. parts 160 and 164).

It provides a framework for the establishment of nationwide protection of patient confidentiality, security of electronic systems, and standards and requirements for the electronic transmission of health information.

Why care about HIPAA?

• 2016 HIPAA Audits by the OCR

• To Protect your Practice

• To Protect your Clients’ Information

• To Avoid Fines

• Compliance is not an option, it is required

Type of violation | CIVIL penalty (minimum) | CIVIL penalty (maximum)

Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million

HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million

HIPAA violation due to willful neglect, but the violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million

HIPAA violation due to willful neglect and not corrected | $50,000 per violation, with an annual maximum of $1,000,000 | $50,000 per violation, with an annual maximum of $1.5 million

Type of violation | CRIMINAL penalty

Covered entities and specified individuals who "knowingly" obtain or disclose individually identifiable health information | A fine of up to $50,000; imprisonment up to 1 year

Offenses committed under false pretenses | A fine of up to $100,000; imprisonment up to 5 years

Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm | A fine of up to $250,000; imprisonment up to 10 years

Is a person, business, or agency a covered health care entity?

1. Does the person, business, or agency furnish, bill, or receive payment for health care in the normal course of business? (1)

   No: STOP! The person, business, or agency is NOT a covered health care entity.

   Yes: go to question 2.

2. Does the person, business, or agency transmit (send) any covered transactions electronically? (2)

   No: STOP! The person, business, or agency is NOT a covered health care entity.

   Yes: STOP! The person, business, or agency is a covered health care entity.

NAME/TYPE | NUMBER

Claims submission | X12-837

Enrollment and disenrollment in a health plan | X12-834

Eligibility | X12-270 and X12-271

Health care payment to provider (with remittance advice) | X12-835

Premium payment to health insurance plans | X12-820

Claim status request and response | X12-276 and X12-277

Referral certification and authorization | X12-278

Electronic use of any of these transaction standards causes a clinic to become a HIPAA covered entity.

How many of your clinics are HIPAA covered entities?

HIPAA Regulations

HIPAA regulations require that we protect our patients' PHI in all media, including, but not limited to, PHI created, stored, or transmitted in or on the following media:

It is the responsibility of every employee to protect the privacy and security of sensitive information in ALL forms.

Privacy Rule

* Effective April 14, 2003

* Privacy refers to protection of an individual’s health care data

* Defines how patient information is used and disclosed

* Gives patients privacy rights and more control over their own health information

* Outlines ways to safeguard Protected Health Information (PHI)

HIPAA Privacy Requirements

• Designated and defined Privacy Officer

• Workforce members who handle PHI require training

• Create a method for patients to submit privacy complaints

• Develop a sanctions policy/procedure for non-compliance by workforce members

• Follow minimum necessary for data access

• Mitigate harmful effects of a violation

• Create policies and procedures as required

Notice of Privacy Practices

The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user-friendly explanation of individuals' rights with respect to their personal health information and the privacy practices of health plans and health care providers.

HIPAA allows use and/or disclosure of PHI for the purposes of:

Treatment – providing care to patients.

Payment – the provision of benefits and premium payment.

Health Care Operations – normal business activities (e.g. reporting, quality improvement, training, auditing, customer service and resolution of grievances, data collection, eligibility checks, and accreditation).

Minimum Necessary – the covered entity must limit access to protected health information to those who need access to the information to do their jobs.

Privacy Violations

The following activities occurring in the absence of patient authorization are considered misuse of protected health information (PHI):

◦ Access
◦ Using
◦ Taking
◦ Possession
◦ Release
◦ Editing
◦ Destruction

Security Rule

Effective April 21, 2005

Security means controlling:

* Confidentiality of electronic protected health information (ePHI)

* Storage of electronic protected health information (ePHI)

* Access into electronic information

Security Safeguards

Examples

Administrative

Policies and procedures fostering privacy & confidentiality of PHI – including an annual risk assessment.

Awareness training

Auditing of data access

Physical

Alarm systems

Enforcing restricted access to chart rooms and data processing areas

Physically securing equipment or devices storing ePHI (e.g., tethering)

Technical

Data encryption

Strong authentication (e.g. unique usernames & robust passwords)

Anti-virus software

Protected Health Information Identifiers

The 18 identifiers defined by HIPAA are:

Names

Geographic subdivisions smaller than a state (street address, city, county, ZIP code)

Medical record numbers

Social Security numbers

Account numbers

License/certification numbers

Vehicle identifiers/serial numbers/license plate numbers

Device identifiers and serial numbers

Internet protocol (IP) addresses

Health plan beneficiary numbers

Full-face photographic images and any comparable images

Web universal resource locators (URLs)

All elements of dates (except year) directly related to an individual (e.g. date of birth)

Telephone numbers

Fax numbers

Email addresses

Biometric identifiers, including finger and voice prints

Any other unique identifying number, characteristic or code

Breach Notification Rule

Effective September 23, 2009

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.

By the Numbers

1,544 breaches affecting 500 or more individuals reported to HHS (through May 9, 2016)

Half are due to theft

Laptops and portable devices are responsible for 1/3 of cases

20% involve business associates

222,430 breaches affecting fewer than 500 individuals (through April 17, 2016)

313,602,491

The Breach Notification Rule Requirements

Must notify affected individuals

Must notify HHS of all breaches: annually for breaches affecting fewer than 500 individuals, or without unreasonable delay (no later than 60 days after discovery) for breaches affecting 500 or more individuals

Individual notification must be provided no later than 60 days following the discovery of a breach

Notification to the media if the breach affects more than 500 residents of a state or jurisdiction

Business Associates are required to notify covered entities of breaches discovered at or by the BA

Breach Identification

Risk Assessment Factors

1. Document the nature and extent of the PHI involved, with emphasis on the types of identifiers and the likelihood of re-identification

2. The unauthorized person who accessed the PHI, or to whom the disclosure was made

3. Whether or not the PHI was actually acquired or viewed

4. The extent to which the risk to the PHI has been mitigated

Breach Preparation

Develop a breach investigation & response policy

Will you provide identity protection services?

When will you get law enforcement involved?

When does the Indiana (or other states') Attorney General need to be notified?

Familiarize yourself with HHS reporting process

Draft example notification letters

Consider cyber security insurance coverage

Tabletop scenarios

Discuss with legal counsel

How to get your practice aligned with HIPAA

1. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

2. Written Policies and Procedures

3. Staff Training

4. Inventory of ePHI

5. Business Associate Agreements

6. Risk Analysis

7. Monitoring/auditing

8. Remediation

9. Documentation

Test time!

1. Violating the HIPAA Privacy rule can result in

A. Civil penalties

B. Criminal penalties

C. Both a and b

D. None of the above

2. Patient’s personal health information may be released without authorization to:

A. Local newspapers

B. Employers in worker's compensation cases

C. Social workers

D. Family and friends

3. A vendor such as a software firm that does business with a covered entity is called a:

A. HIPAA firm

B. Business associate

C. HIPAA vendor

D. provider

4. HIPAA was designed to:

A. Create standards for electronic transmission but not uncover fraud and abuse

B. Uncover fraud and abuse and has nothing to do with protecting PHI

C. Protect PHI, create standards, uncover fraud and abuse

D. Ensure health insurance coverage, protect PHI, but did not create standards for electronic transmission

5. An important part of a compliance plan is a commitment to keep both physicians and medical office staff current by providing:

A. External audits

B. Ongoing training

C. OIG fraud advisories

D. Practice work plans

6. The provider owns the medical record, but the information contained in the record belongs to:

A. The provider

B. The patient

C. The payer

D. None of the above

“Our office has an all-in-one printer/fax machine on the network that breaks down daily. We’re trading it in on a newer one. The vendor will handle anything that needs to be done to the old machine. Is that a problem?”

George and his family have chosen a new dentist. George’s wife Amy calls the former dentist and asks that the records be transferred to the new dentist for the entire family. Is that acceptable?

Resources/Reference Materials

1. Toolkit

i. Template of Policies

ii. Security Risk Assessment tools

iii. Walkthrough Checklists

iv. HIPAA Summary info

v. Notice of Privacy Practices examples

vi. http://engr.purdue.edu/people/baileyga/Downloads/IDA_toolkit_May2016

2. Health IT Website

i. www.healthit.gov

Questions??