TRANSCRIPT
A06
CRI and COLA do not endorse, directly or indirectly, the presentations given at this conference or the products or services provided by the exhibiting vendors. Presentations are intended to be free of bias. The use of any particular product is for demonstration purposes only, and does not imply an endorsement of the product by the presenter or the sponsors of the symposium. © 2017 CRI
HIPAA and Identity Theft for Medical Offices and Laboratories
Kelly Ogle, BSDH, MIOP, CMPM®, CHOP®
OSHA/HIPAA Specialist DoctorsManagement, LLC
Knoxville, TN
DESCRIPTION:
This session is ninety minutes packed with information on HIPAA, patient confidentiality, information security, and identity theft prevention. We take a patient from the very first contact with the practice/laboratory all the way through the billing process, pointing out privacy and security risks along the way. We even discuss contingency plans and breach notification. Also, we will be reviewing the importance of electronic security methods and how to assess your vulnerabilities. Identity theft is a concern for every business, workplace, and individual. This seminar includes valuable hints for protecting identity as well as a response when the unthinkable happens.
OBJECTIVES:
At the end of the session, participants will be able to:
Identify privacy and security risks in your laboratory
Discover ways to prevent these risks
Recognize your responsibility to recognize and respond to a security breach
Discuss documentation and what it means to be HIPAA compliant
Summarize importance of protecting identity for everyone
Outline what to do if someone steals your identity or that of someone you know
Thursday April 6, 2017
HIPAA and Identity Theft for Medical Offices and Laboratories
Presented by: Kelly Ogle, MS, BS, OSHA/HIPAA Specialist
About Your Presenter
• Over 13 years' experience in healthcare
• Travels throughout the US doing 6 hour seminars
• Performs mock OSHA and HIPAA audits
• Bachelor's in Dental Hygiene
• Master's in Organizational Psychology
• Completing Doctorate in Healthcare Administration
• OSHA/HIPAA Specialist
Agenda
• HIPAA Definition and Titles
• Transactions and Code Sets
• Privacy Rule
• Personal Identifiers
• Notice of Privacy Practices
• Breach Notification
• Security
• Enforcement
HIPAA: Health Insurance Portability and Accountability Act of 1996
Title I, “Health Care Access, Portability and Renewability”
• Regulates the availability and breadth of group health plans and certain individual health insurance policies
• Amends ERISA and the Internal Revenue Code
Title II, “Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform”
• Privacy, Transactions and Code Sets, National Identifiers, Security, Enforcement
Applies to all “covered entities”:
• Health plans, payers, clearinghouses, and providers that process any health data electronically
Transactions and Code Sets
• Transaction formats established by the American National Standards Institute
• Primarily the responsibility of the software vendor, billing company, or clearinghouse
• Now using Accredited Standards Committee (ASC) X12 version 5010
◦ Eliminates problems found with 4010A1
◦ Allows for transition to ICD-10
Transactions and Code Sets
Procedural Codes
◦ CPT-4 (Current Procedural Terminology), and
◦ HCPCS (Health Care [Financing Administration] Common Procedure Coding System)
◦ New ICD-10-PCS for inpatient hospital service procedures only, beginning October 1, 2014
◦ NCPDP D.0
Diagnosis Codes
◦ ICD-9-CM (International Classification of Diseases)
◦ New ICD-10-CM beginning October 1, 2014
Dental Codes
◦ CDT-4 (Current Dental Terminology)
Drug Codes
◦ NDC (National Drug Codes) to identify all medications
National Identifiers
National Employer Identifier
◦ Tax ID Number established and maintained by the IRS
National Provider Identifier
◦ Established by the National Plan and Provider Enumeration System (NPPES)
National Health Plan Identifier
◦ To be established in 2014
National Individual Identifier
◦ On indefinite hold
Privacy Rule
Purpose: To protect individually identifiable information that relates to condition, treatment, or payment and is transmitted or stored electronically or otherwise
Protected Health Information (PHI)
◦ Any data that can be linked to an individual concerning their health or payment
◦ Identifiers listed on next slide
Privacy Officer
◦ Person in charge of complaints and investigations relating to privacy issues
Personal Identifiers
• Name
• VIN: serial number and license plate number
• SSN
• Phone and fax numbers
• E-mail address
• URL and IP address
• Medical record number
• Geographical location less than state: street, city, zip code, county, precinct
• Account number
• Certificate/license number
• Health plan member number
• Dates except year: DOB, date of death; age > 89
• Device identifiers, serial numbers
• Full face photo
• Bioidentifiers: iris, fingerprints
• Other unique numbers
Notice of Privacy Practices (NPP)
• The Notice of Privacy Practices must
◦ Be posted in the office and on the web site
◦ Be offered to each patient and given to anyone who requests it
◦ All three must be identical
◦ Tell patients how their information may be used and what their rights concerning their PHI are under HIPAA
• The practice must attempt to get a signature acknowledging offer or receipt of the NPP
• If unable to get a signature, document the attempt and why the signature was not obtained, date and initial, and treat the patient as if signed
• Emergency? Administer care, and then deal with the NPP
Notice of Privacy Practices (NPP)
First encounter by phone?
- Mail the NPP with return receipt; file copy in chart
Scheduling first appointment
- NPP does not have to be offered before making first appointment
- May obtain information necessary to make appointment, then offer when patient comes for service
- May send in advance but not required
First encounter by E-mail?
- Automatically send NPP electronically with return receipt or other response
State laws stricter?
- Always follow stricter laws
- Add state law compliance to NPP
Laws change?
- Revise NPP if HIPAA or state laws change
NPP: Use of PHI
The NPP must inform patients of how you may use their PHI and their rights concerning their PHI.
• PHI may be used and disclosed to carry out treatment, payment, or health care operations (including CLIA/COLA surveys)
• PHI will be used for other purposes only if required by law or with the patient’s signed authorization
• Patients have the right to inspect and copy their medical records (some exceptions), in electronic format if requested
• Patients have the right to request amendments; provider may override
• Patients have the right to opt out of fundraising communications
• Patients have the right to request an accounting of ePHI disclosures
◦ EMR should generate it
◦ Once per year free
◦ May charge for additional lists
Health Care Operations
• Health Care Operations include
– Administrative, financial, legal, and quality improvement activities necessary to run the business and support core functions
• Including but not limited to
– business management, quality assessment and improvement, cost containment activities
– competency evaluations, staff development, training new healthcare workers
– customer service, complaint resolution
– planning, and fund raising
– OSHA, CLIA, X-ray, etc. audits and inspections
Patient Rights (continued)
• Patients have the right to request a restriction on how the PHI will be used or disclosed for treatment, payment, or health care operations
◦ Covered entity is not required to agree to restrictions
◦ May override request based on professional judgment
• Patients’ right to request a restriction includes the right to request the covered entity to not disclose certain services or information relating to the service to their insurance plan if the patient pays the full cost of the service out-of-pocket and there is no law to the contrary. The practice must comply.
Patient Rights (continued)
• Patients have the right to request confidential communications.
◦ Alternate locations (home vs. office) or means (sealed envelope vs. postcard) – reasonable and effective
◦ The covered entity must accommodate requests only if they agree to the request
• Patients have the right to file complaints. The NPP must inform patients how they may file complaints:
◦ The name or title and phone number of a contact person at the office of the covered entity, and
◦ Contact information for the Office for Civil Rights
Privacy Principles
• Healthcare always trumps HIPAA
• Professional judgment may override certain requests
• What you do here, what you see here, what you hear here, when you leave here, let it stay here!
• Covered entities may not sell electronic PHI without specific authorization from the patient
• Privacy protections continue beyond end of life
◦ Now limited to 50 years
• Confidentiality agreement continues until end of life
Privacy Issues
Signed Authorization
• For uses of PHI other than treatment, payment, or health operations (including training healthcare professionals, state or federal inspections)
• Not required for most law enforcement, legal proceedings, or governmental functions
• Must have an end date; patient may revoke at any time
• Required for
◦ Marketing (does not include information about treatment for your patients) or sale of PHI
◦ Releasing PHI to the patient’s employer
◦ Release of psychotherapy notes
◦ Research unless de-identified or under an Institutional Review Board or Privacy Board that meets certain criteria
Privacy Issues
Signed Authorization Not Required
• Proof of immunizations to schools where required by the state, with documented verbal authorization
Signed Authorization Required
• “Doctors’ excuse” to return to work or school
• Restrictions/Medications to school/work
• Post baby photos
• “Cavity-free Club”
Access to Records
• Patient or personal representative (verify ID)
• Within 30 days of the request
• Get request in writing and let provider review it
• Provider may deny access based on professional judgment
◦ If there is suspicion of violence, abuse or neglect
◦ During participation in clinical trials
• In electronic format if requested and CE has EMRs
◦ Do not accept patient’s media; do not require purchase of media from the practice
• May charge for copies – fee set by state
• May offer summary
◦ May charge for developing the summary plus postage for mailing it
◦ Must provide actual copies if patient prefers that over summary
Access to Records
HIPAA requires laboratories to provide test results within 30 days of the date of a request or the date of the test completion. The laboratory must develop a protocol to verify the authority of the requesting individual. The report must be provided in a format acceptable to the patient.
The laboratory is not required to provide an interpretation of the result.
Privacy Issues
Minimum Necessary
• Keep uses and disclosures to the minimum necessary to perform the function
• Use a limited data set where possible
◦ All identifiers removed
• HHS will provide more information later
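To make the Personal Identifiers list and the "all identifiers removed" limited-data-set rule above concrete, here is an added example (not part of the presentation or of DoctorsManagement's materials) that de-identifies a constructed patient record: direct identifiers from the slide are dropped, dates keep only the year, ages over 89 are pooled as "90+" (the Safe Harbor treatment, which also drops the birth year), and SSN, phone and e-mail patterns are masked in free text. The field names and the sample record are assumptions.

```python
import re
from datetime import date

# Constructed sample record (every value is made up for this example).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1926-03-14",
    "ssn": "123-45-6789",
    "phone": "865-555-0100",
    "mrn": "MRN-00042",
    "street": "1 Example Way",
    "zip": "37901",
    "state": "TN",
    "test_date": "2017-04-06",
    "result": "HbA1c 7.2%",
    "notes": "Patient asked that results be called to 865-555-0100.",
}

# Direct identifiers named on the slide: name, SSN, phone/fax, e-mail,
# URL/IP, record/account/plan/license numbers, device serials, vehicle
# identifiers, photos, biometrics, and any geography finer than state.
# The field names themselves are assumptions made for this example.
DIRECT_IDENTIFIERS = frozenset({
    "name", "ssn", "phone", "fax", "email", "url", "ip_address", "mrn",
    "account_number", "license_number", "health_plan_id", "device_serial",
    "vin", "plate", "photo", "biometric", "street", "city", "zip",
    "county", "precinct",
})
# Dates tied to the individual keep only the year.
DATE_FIELDS = frozenset({"dob", "date_of_death", "test_date"})
# Identifiers that tend to leak into free-text fields such as notes.
FREE_TEXT_PATTERNS = (
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
)

def age_on(dob: str, as_of: str) -> int:
    """Whole years between two ISO-8601 dates (date of birth, reference date)."""
    born, ref = date.fromisoformat(dob), date.fromisoformat(as_of)
    before_birthday = (ref.month, ref.day) < (born.month, born.day)
    return ref.year - born.year - int(before_birthday)

def scrub_text(text: str) -> str:
    """Mask SSN, phone and e-mail patterns inside free text."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def deidentify(record: dict, as_of: str) -> dict:
    """Return a copy of record with the slide's identifiers removed or reduced."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or value is None:
            continue  # direct identifiers are dropped outright
        if key in DATE_FIELDS:
            out[key] = date.fromisoformat(value).year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if record.get("dob"):
        age = age_on(record["dob"], as_of)
        if age > 89:
            # Ages over 89 are pooled as "90+", and the birth year goes too,
            # because a year alone would still reveal an age over 89.
            out["age"] = "90+"
            out.pop("dob", None)
        else:
            out["age"] = age
    return out
```

Running `deidentify(SAMPLE_RECORD, "2017-04-06")` leaves only state, year of test, result, scrubbed notes and the pooled age; anything the slide lists as an identifier is gone.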
Privacy Issues
Accounting of Disclosures of Electronic PHI
• Upon request by patient
• Electronic version if patient agrees
• Excludes uses or disclosures for treatment, payment, and health operations
• One free per year; may charge for more per year
• Goes back no more than six years for EMR
• New proposal to include who accessed PHI
Personal Representative
Someone who is authorized to have access to PHI
• Patient
• Parent or guardian
• Friend?
• Next of kin
• Executor for an estate
• Holder of durable power of attorney
• Professional judgment
Minors
• Parents may be personal representative; state laws prevail
• Provider may make decisions based on professional opinion to determine who should have access to PHI
Discussion
What are your concerns?
◦ Phone calls
◦ Faxes
◦ E-mails
◦ Visitors
◦ Friends/family members
◦ Personal representatives
◦ Subpoena
Business Associates
Not a covered entity, not part of the CE’s workforce, but process health information on behalf of the CE
• EHR/PMR
• Clearinghouse
• Billing company
• Auditors
• COLA
• Health info. exchanges
• IT support
• Consultants/Attorneys if they access PHI
Covered entity must have Business Associate Agreements (BAA) with all Business Associates
Business Associates (BA) are held to the same privacy and security standards
Breach Notification
Notification of breach of unsecured PHI
Breach
• An impermissible use or disclosure that compromises the security or privacy of unsecured protected health information (PHI)
• Considered a breach unless proven otherwise
Unsecured PHI
• PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services.
• The only methods currently approved are destruction and encryption
Breach Notification
Applies to CEs and BAs
Three exceptions:
◦ An unintentional acquisition, access, or use of the PHI by a member of the workforce acting under the authority of a covered entity or a business associate
◦ An inadvertent disclosure of PHI by a person authorized to access the information to another person authorized to access the information at the same covered entity or business associate
◦ The covered entity or business associate has a good faith belief that the unauthorized individual who received the information was unable to retain the information
Breach Notification
Required information
◦ A description of the breach
◦ A description of the types of information involved in the breach
◦ Steps the affected individuals should take to protect themselves from potential harm
◦ What the practice is doing to investigate the breach, mitigate the harm, and prevent further breaches
◦ Contact information for the laboratory
Breach Discovery Response
• Document as much information as possible
• Report to Privacy/Security Officer
• That individual will then
– Investigate
– Notify affected individuals
– Report to media and HHS if indicated
– Implement corrective actions
• Including disciplinary actions if necessary
Privacy Issues
Confidentiality/Nondisclosure Agreement
• For the entire workforce, including volunteers, students, etc.
• Violations may result in disciplinary actions, including termination or fines
• In effect for life
FAQ
• May covered entities discuss PHI (incl. payment) with friends and family members?
• Answer: Yes.
– Covered entities may discuss PHI with individuals involved in the patient’s care or payment
• If the patient would not object (professional judgment)
• Information released must be the minimum necessary
• Provider may override request for privacy if it would jeopardize care
• For example, a friend may pick up a prescription or a family member may make an appointment
Special Considerations
• Must include in Notice of Privacy Practices
– Authorization to use/disclose psychotherapy notes – if created or maintained by the practice
– Authorization to sell PHI
• If CE plans to do so
– Authorization to market to the individual
• If the CE plans to do so
– Fundraising
• If the CE plans to contact the patient for this purpose
• Must allow opt out with each fundraising communication; must stop fundraising immediately upon opt-out and not resume unless patient “revokes” opt-out.
Security - Privacy
There are areas of overlap between the Security Rule and the Privacy Rule
Purpose of the Security Rule
• To maintain integrity of medical records
• To ensure availability of PHI
• To protect patient confidentiality
• At this time, the Security Rule applies only to electronic PHI (ePHI)
• Other forms of PHI (paper and oral) may be addressed later
• Does not currently address electronic signatures
Security
The Security Rule is divided into three broad categories:
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
Administrative Safeguards
• Risk analysis and management
• Sanctions
• Termination procedures
• Systems activity review
• Workforce clearance, authorization, supervision
• Access authorization, establishment, changes
• Security reminders
• Protection from malicious software
• Log-in monitoring
• Password management
• Response, reporting
• Data back-up plan
• Disaster recovery plan
• Emergency mode operation plan
• Testing and revision procedures
• Application and data criticality analysis
• Business Associate Agreements
Technical Safeguards
• Unique user identification
• Emergency access procedure
• Automatic logoff
• Encryption and decryption
• Authentication of ePHI
• Integrity controls
Physical Safeguards
• Contingency operations
• Facility security plan
• Access control and validation procedures
• Maintenance records
• Workstation use and security
• Device and media
– Disposal
– Re-use
– Accountability
– Data backup and storage
Sample Security Controls
• Install and regularly update virus protection software for servers and workstation computers.
• Set screen savers to come on quickly with reactivation requiring a password.
• For a home-based transcriptionist, require that person to sign a BAA obligating her/him to safeguard data (using a computer off-limits to family members, for example).
Sample Security Controls
Termination procedure
• When an employee quits or is fired, block his/her computer password and retrieve office keys. May need to change locks or access codes.
Workstation precaution
• Position computer monitors so patients cannot read what shows on the screen.
Passwords
• Require staffers to memorize their passwords – no sticky notes!!
Data Backup
Store backup tapes of files in a safe place off-site or in a locked, waterproof, fireproof safe, so that you will still have the data in the event of a fire or flood.
Consider a web-based service that automatically backs up files and programs off-site.
Passwords
• Do not share with anyone
• Change at least every six months
• Should be at least seven positions
• Random arrangement of letters and numbers
◦ Suggestion: word with number within
• Not easily guessed!
◦ No names, birthdays, etc.
Sample Security Measures
• Put a lock on the door to the room or closet where you keep your server
• Do not let hackers view or tamper with your data: combine a firewall and a router, a device that connects your network to the Internet
• Control access to data by requiring staffers to log on with user IDs and passwords
Sample Security Issues
PDAs, desktop computers, and laptops
– are easily stolen or lost;
– should be password protected
Can also be harmed by food and beverages!
Discarding a computer? Remove and destroy the hard drive so that no one can retrieve the data.
Giving it away? Use a program guaranteed to remove all information.
Best: shred and/or melt all storage media
Sample Security Issues (continued)
• Consider encrypting outgoing messages to ensure privacy.
Encryption is not required per se. Security for electronic communications is required, and encryption is the only method currently approved.
• The same goes for wireless transmissions inside the office.
• To text or not to text? NOT!
There are no regulations about texting. Texting is not private or secure.
Reminders
• Do not discuss PHI beyond minimum necessary
• Do not discuss PHI with unauthorized people
• Do not bring software from home
• Do not download programs from the Internet
• If accessing E-mail, do not open attachments
• Treat all hardware and software like controlled drugs – keep an accurate, current inventory
• Keep doors closed if possible
• Consider an electronic lock between reception and clinical area
Enforcement
Mandatory Inspections
◦ In response to a complaint
◦ Random
◦ Will have advance notification
Penalties for violations
◦ Sliding scale based on severity of violation
◦ Affected individuals may be compensated
Enforcement Charges
Penalties for violations occurring after February 17, 2010
◦ $100 - $50,000 with annual cap of $1,500,000: Violation was not known and would not have been known even with reasonable diligence
◦ $1,000 - $50,000 with annual cap of $1,500,000: Reasonable cause, not willful neglect
◦ $10,000 - $50,000 with annual cap of $1,500,000: Willful neglect but corrected in 30 days, or would have been known with reasonable diligence
◦ $50,000 up to cap of $1,500,000: Willful neglect, not corrected in 30 days, or should have known
Internal Penalties
• HIPAA regulations emphasize disciplinary actions
• May help mitigate fines if enforced
• Accountability and responsibility for everyone across the board
• Individuals, not just the employer, may be penalized
What Is Identity Theft?
Any situation when someone wrongfully obtains and uses another individual’s personal data
Example: Breach at BCBS, Chattanooga. Thief set up credit cards in victims’ names
What Is Personal Data?
• Name
• Date of birth
• SSN
• Driver’s license number
• Bank account number
• Internet screen name
• Vehicle identifiers
• Phone numbers
• E-mail address
• URL
• Passwords
• PINs
• Credit card number
• Insurance account
• Patient chart number
Who, Where, and When?
Any individual or entity
◦ This includes you
Any place where identity is used
◦ School, work, shopping, restaurants
◦ Including over the Internet
◦ Healthcare facilities
Any time identification is used
◦ Obtaining drivers’ licenses, passports
How Might ID Theft Happen?
• Retaining full credit card number and security code
• Listening to phone conversations
• Compromised PINs used at ATM, etc. (25% of incidents) (Use debit card as credit card)
• Using camera phones
• Lost or stolen checkbook, credit or debit card (43% of incidents)
• Mail diversion
How Might ID Theft Happen?
• Accessing patient information
• Hacking into Internet accounts (11%)
• Accessing student accounts
• Stealing computers or software
• Lost or stolen wallet or purse
• Theft of business records
• Rummaging through trash
• Mail theft
Why Steal An Identity?
Ultimately it is always about the money
◦ Healthcare
◦ Job
◦ Home, car loans
Why Identity Theft Protection?
• Identity theft is the fastest growing crime in America
• It increased 22% from 2007 to 2008
• It is the fastest growing category of complaints received by the Federal Trade Commission (FTC)
• In the past five years, more than 27 million people have been victims
• One in 23 adults in the U.S. have been or will be victims
Why Identity Theft Protection?
• Victims may lose money, homes, healthcare insurance, cars, jobs
• Businesses may lose customers, clients
• Practices may lose patients and/or insurance contracts
• Corrective actions are expensive and time-consuming
DoctorsManagement 57
Why Identity Theft Protection?
The federal government requires it
• HIPAA
• State privacy laws
• Financial institution regulations
• School privacy laws
• Federal Trade Commission approach: Deter, Detect, Defend
Sensitive Information
• Credit card number (in part or whole)
• Credit card expiration date
• Cardholder name and address
• Social Security number
• Business identification number
• Employer identification number
• Paychecks and pay stubs
• Cafeteria plan check requests and paperwork
Sensitive Information
Medical information including but not limited to:
◦ Doctor names and claims
◦ Insurance claims
◦ Prescriptions
◦ Patient number
◦ Any related personal medical information
Other personal information belonging to any patient:
◦ Date of birth
◦ Telephone number
◦ Maiden name
Personal Identity Theft Prevention
• Personal responsibility of each individual
• Can happen to anyone, anywhere, at any time
• Employers and retailers do have some responsibility
Personal Identity Theft Prevention
• Never release personal information unless you know the requesting entity
• Ask how this information will be used
• Opt out of pre-screened credit cards
◦ 1-888-567-8688
• Increase home security
• Use timers on lights when away
Personal Identity Theft Prevention
• Request “Vacation Hold” for mail when away
◦ 1-800-275-8777
◦ PS Form 8076 at the Post Office or at www.usps.com
• Shred all sensitive information
• Watch for expected mail
◦ Especially bills
• Deposit outgoing mail with sensitive data in a postal collection box or at the Post Office
Personal Identity Theft Prevention
• Limit personal data you carry
• Cancel unused credit cards
• When ordering new checks, pick them up at the bank rather than having them delivered to your home
• Use initials rather than name
• Take extra care when writing checks, using ATMs, or making credit card transactions over the Internet or on the phone
If You Are A Victim
• Contact the credit bureaus
◦ Equifax, Experian, or Trans Union
• Close the accounts
• File a police report
• File a complaint with the FTC
◦ 1-877-IDTHEFT (438-4338) or www.consumer.gov/theft
• Document all actions
Questions?
What you do here, what you hear here, what you see here, when you leave here, let it stay here.
Presented by
Kelly D. Ogle, BSDH, MIOP
OSHA/HIPAA Specialist
DoctorsManagement
THANK YOU!
CONTACT INFORMATION
Phone: 800-635-4040
Email: [email protected]
Website: www.doctors-management.com