Kelly - COLA Symposium HIPAA and Identity Theft… · HIPAA and Identity Theft for Medical Offices and Laboratories


Post on 18-Jun-2020


Page 1: Kelly - COLA Symposium HIPAA and Identity Theft… · HIPAA and Identity Theft for Medical Offices and Laboratories Presented by: Kelly Ogle, MS, BS OSHA/HIPAA Specialist About

A06

CRI and COLA do not endorse, directly or indirectly, the presentations given at this conference or the products or services provided by the exhibiting vendors. Presentations are intended to be free of bias. The use of any particular product is for demonstration purposes only, and does not imply an endorsement of the product by the presenter or the sponsors of the symposium. © 2017 CRI

HIPAA and Identity Theft for Medical Offices and Laboratories

Kelly Ogle, BSDH, MIOP, CMPM®, CHOP®

OSHA/HIPAA Specialist DoctorsManagement, LLC

Knoxville, TN

DESCRIPTION:

This session is ninety minutes packed with information on HIPAA, patient confidentiality, information security, and identity theft prevention. We take a patient from the very first contact with the practice/laboratory all the way through the billing process, pointing out privacy and security risks along the way. We even discuss contingency plans and breach notification. Also, we will be reviewing the importance of electronic security methods and how to assess your vulnerabilities. Identity theft is a concern for every business, workplace, and individual. This seminar includes valuable hints for protecting identity as well as a response when the unthinkable happens.

OBJECTIVES:

At the end of the session, participants will be able to:

Identify privacy and security risks in your laboratory

Discover ways to prevent these risks

Recognize your responsibility to recognize and respond to a security breach

Discuss documentation and what it means to be HIPAA compliant

Summarize importance of protecting identity for everyone

Outline what to do if someone steals your identity or that of someone you know

Thursday April 6, 2017


HIPAA and Identity Theft for Medical Offices and Laboratories

Presented by: Kelly Ogle, MS, BS, OSHA/HIPAA Specialist

About Your Presenter

• Over 13 years' experience in healthcare

• Travels throughout the US giving 6-hour seminars

• Performs mock OSHA and HIPAA audits

• Bachelor's in Dental Hygiene

• Master's in Organizational Psychology

• Completing Doctorate in Healthcare Administration

• OSHA/HIPAA Specialist


Agenda

• HIPAA Definition and Titles
• Transactions and Code Sets
• Privacy Rule
• Personal Identifiers
• Notice of Privacy Practices
• Breach Notification
• Security
• Enforcement

HIPAA: Health Insurance Portability and Accountability Act of 1996

Title I, “Health Care Access, Portability and Renewability”
• Regulates availability and breadth of group health plans and certain individual health insurance policies
• Amends ERISA and Internal Revenue Code

Title II, “Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform”
• Privacy, Transactions and Code Sets, National Identifiers, Security, Enforcement

Applies to all “covered entities”:
• Health plans, payers, clearinghouses, and providers that process any health data electronically


Transactions and Code Sets

Transaction formats established by the American National Standards Institute

Primarily the responsibility of the software vendor, billing company, or clearinghouse

Now using Accredited Standards Committee (ASC) X12 version 5010
◦ Eliminates problems found with 4010A1
◦ Allows for transition to ICD-10

Transactions and Code Sets

Procedural Codes
◦ CPT-4 (Current Procedural Terminology), and
◦ HCPCS (Health Care [Financing Administration] Common Procedure Coding System)
◦ New ICD-10-PCS for inpatient hospital service procedures only, beginning October 1, 2014
◦ NCPDP D.0

Diagnosis Codes
◦ ICD-9-CM (International Classification of Diseases)
◦ New ICD-10-CM beginning October 1, 2014

Dental Codes
◦ CDT-4 (Current Dental Terminology)

Drug Codes
◦ NDC (National Drug Codes) to identify all medications


National Identifiers

National Employer Identifier
◦ Tax ID Number established and maintained by the IRS

National Provider Identifier
◦ Established by the National Plan and Provider Enumeration System (NPPES)

National Health Plan Identifier
◦ To be established in 2014

National Individual Identifier
◦ On indefinite hold

Privacy Rule

Purpose: To protect individually identifiable information that relates to condition, treatment, or payment and is transmitted or stored electronically or otherwise

Protected Health Information (PHI): Any data that can be linked to an individual concerning their health or payment; identifiers listed on next slide

Privacy Officer: Person in charge of complaints and investigations relating to privacy issues


Personal Identifiers

• Name
• VIN: serial number and license plate number
• SSN
• Phone and fax numbers
• E-mail address
• URL and IP address
• Medical record number
• Geographical location less than state: street, city, zip code, county, precinct
• Account number
• Certificate/license number
• Health plan member number
• Dates except year: DOB, date of death; age > 89
• Device identifiers, serial numbers
• Full face photo
• Bioidentifiers: iris, fingerprints
• Other unique numbers

Notice of Privacy Practices (NPP)

• The Notice of Privacy Practices must
◦ Be posted in the office and on web site
◦ Be offered to each patient and given to anyone who requests it
• All three must be identical
• Tell patients how their information may be used and what their rights concerning their PHI are under HIPAA
• The practice must attempt to get a signature acknowledging offer or receipt of NPP
• If unable to get signature, document attempt and why signature was not obtained, date and initial, treat patient as if signed
• Emergency? Administer care, and then deal with NPP


Notice of Privacy Practices (NPP)

First encounter by phone?
- Mail the NPP with return receipt; file copy in chart

Scheduling first appointment
- NPP does not have to be offered before making first appointment
- May obtain information necessary to make appointment, then offer when patient comes for service
- May send in advance but not required

First encounter by E-mail?
- Automatically send NPP electronically with return receipt or other response

State laws stricter?
- Always follow stricter laws
- Add state law compliance to NPP

Laws change?
- Revise NPP if HIPAA or state laws change

NPP: Use of PHI

The NPP must inform patients of how you may use their PHI and their rights concerning their PHI.

• PHI may be used and disclosed to carry out treatment, payment, or health care operations (including CLIA/COLA surveys)
• PHI will be used for other purposes only if required by law or with the patient’s signed authorization
• Patients have the right to inspect and copy their medical records (some exceptions), in electronic format if requested
• Patients have the right to request amendments; provider may override
• Patients have the right to opt out of fundraising communications
• Patients have the right to request an accounting of ePHI disclosures
◦ EMR should generate
◦ Once per year free
◦ May charge for additional lists


Health Care Operations

• Health Care Operations include
– Administrative, financial, legal, and quality improvement activities necessary to run the business and support core functions
• Including but not limited to
– business management, quality assessment and improvement, cost containment activities
– competency evaluations, staff development, training new healthcare workers
– customer service, complaint resolution
– planning, and fund raising
– OSHA, CLIA, X-ray, etc. audits and inspections

Patient Rights (continued)

Patients have the right to request a restriction on how the PHI will be used or disclosed for treatment, payment, or health care operations
◦ Covered entity is not required to agree to restrictions
◦ May override request based on professional judgment

Patients’ right to request a restriction includes the right to request the covered entity to not disclose certain services or information relating to the service to their insurance plan if the patient pays the full cost of the service out-of-pocket and there is no law to the contrary. The practice must comply.


Patient Rights (continued)

Patients have the right to request confidential communications.
◦ Alternate locations (home vs. office) or means (sealed envelope vs. postcard) – reasonable and effective
◦ The covered entity must accommodate requests only if they agree to the request

Patients have the right to file complaints. The NPP must inform patients how they may file complaints:
◦ The name or title and phone number of a contact person at the office of the covered entity, and
◦ Contact information for the Office for Civil Rights

Privacy Principles

• Healthcare always trumps HIPAA
• Professional judgment may override certain requests
• What you do here, what you see here, what you hear here, when you leave here, let it stay here!
• Covered entities may not sell electronic PHI without specific authorization from the patient
• Privacy protections continue beyond end of life
◦ Now limited to 50 years
• Confidentiality agreement continues until end of life


Privacy Issues: Signed Authorization

For uses of PHI other than treatment, payment, or health operations (including training healthcare professionals, state or federal inspections)
◦ Not required for most law enforcement, legal proceedings, or governmental functions
◦ Must have end date; patient may revoke at any time

Required for
◦ Marketing (does not include information about treatment for your patients) or sale of PHI
◦ Releasing PHI to the patient’s employer
◦ Release of psychotherapy notes
◦ Research unless de-identified or under Institutional Review Board or Privacy Board that meets certain criteria

Privacy Issues: Signed Authorization Not Required
◦ Proof of immunizations to schools where required by the state, with documented verbal authorization

Signed Authorization Required
◦ “Doctors’ excuse” to return to work or school
◦ Restrictions/medications to school/work
◦ Post baby photos
◦ “Cavity-free Club”


Access to Records

• Patient or personal representative (verify ID)
• Within 30 days of the request
• Get request in writing and let provider review it
• Provider may deny access based on professional judgment
◦ If there is suspicion of violence, abuse or neglect
◦ During participation in clinical trials
• In electronic format if requested and CE has EMRs
◦ Do not accept patient’s media; do not require purchase of media from the practice
• May charge for copies – fee set by state
• May offer summary
◦ May charge for developing the summary plus postage for mailing it
◦ Must provide actual copies if patient prefers that over summary

Access to Records

HIPAA requires laboratories to provide test results within 30 days of the date of a request or the date of the test completion. The laboratory must develop a protocol to verify the authority of the requesting individual. The report must be provided in a format acceptable to the patient.

The laboratory is not required to provide an interpretation of the result.


Privacy Issues: Minimum Necessary

• Keep uses and disclosures to the minimum necessary to perform the function
• Use limited data set where possible
◦ All identifiers removed
• HHS will provide more information later
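The identifier list on the Personal Identifiers slide and the "all identifiers removed" point above are the Safe Harbor approach to de-identification: drop every listed identifier, keep only the year of any date, and treat geography below the state level as an identifier. The Python below is an added example, not code from the slides or from DoctorsManagement. The record field names, the sample patient and the helper names are constructed for this example; the one detail it takes from the rule rather than the slide is that an age over 89 is reported as a single "90+" category and the birth year is dropped with it, since a birth year alone would reveal such an age.

```python
"""De-identify a patient record by removing the Safe Harbor identifiers."""
from datetime import date

# Direct identifiers from the slide: these fields are dropped outright.
# (Field names are constructed for this example.)
DIRECT_IDENTIFIERS = {
    "name", "ssn", "phone", "fax", "email", "url", "ip_address", "mrn",
    "account_number", "license_number", "health_plan_id", "vin",
    "license_plate", "device_serial", "photo", "biometric",
}
# Geography smaller than a state is an identifier; the state itself may stay.
GEO_SMALLER_THAN_STATE = {"street", "city", "zip", "county", "precinct"}
# Dates tied to the individual: only the year survives.
DATE_FIELDS = {"dob", "date_of_death", "admission_date", "discharge_date"}

# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Q. Sample",
    "dob": "1926-05-20",
    "ssn": "000-00-0000",
    "phone": "555-0100",
    "street": "1 Example Way",
    "city": "Knoxville",
    "state": "TN",
    "zip": "37900",
    "email": "jane@example.invalid",
    "admission_date": "2017-03-02",
    "diagnosis_code": "E11.9",
    "test_result": "HbA1c 7.4%",
}


def _age_on(dob, as_of):
    """Whole years between dob and as_of (birthday not yet reached counts one less)."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def de_identify(record, as_of):
    """Return a new dict holding only what a Safe Harbor de-identified record may keep.

    `as_of` is the reference date used to compute age from the date of birth.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GEO_SMALLER_THAN_STATE:
            continue                      # identifier: drop the whole field
        if field in DATE_FIELDS:
            out[field + "_year"] = date.fromisoformat(value).year
            continue                      # keep the year only
        out[field] = value                # clinical content and state are kept
    if "dob" in record:
        age = _age_on(date.fromisoformat(record["dob"]), as_of)
        if age > 89:
            # Ages over 89 are collapsed into one category and the birth year is
            # removed, because the year alone would disclose an age over 89.
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    return out


def remaining_identifiers(record):
    """Identifier fields still present in `record`; empty after de_identify()."""
    listed = DIRECT_IDENTIFIERS | GEO_SMALLER_THAN_STATE | DATE_FIELDS
    return sorted(f for f in record if f in listed)


if __name__ == "__main__":
    cleaned = de_identify(SAMPLE_RECORD, date(2017, 4, 6))
    for k, v in cleaned.items():
        print(f"{k}: {v}")
    print("identifiers left:", remaining_identifiers(cleaned))
```

The function works on one record at a time; running it over an export before the data leaves the practice, and checking `remaining_identifiers()` is empty on every row, is the simplest way to turn the slide's "all identifiers removed" into something that can be verified rather than assumed.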

Privacy Issues: Accounting of Disclosures of Electronic PHI

• Upon request by patient
• Electronic version if patient agrees
• Excludes uses or disclosures for treatment, payment, and health operations
• One free per year; may charge for more per year
• Goes back no more than six years for EMR
• New proposal to include who accessed PHI
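Producing the accounting described above is mostly a filtering job over a disclosure log the EMR already keeps. The Python below is an added example, not code from the slides or from any EMR product: the log structure, field names, user names and sample entries are constructed, and the rules it applies (drop treatment, payment and operations disclosures, look back at most six years, first request in a twelve-month period is free) are the ones on this slide.

```python
"""Build a patient's accounting of disclosures from a disclosure log."""
from dataclasses import dataclass
from datetime import date

# Purposes excluded from the accounting (treatment, payment, health care operations).
TPO_PURPOSES = {"treatment", "payment", "operations"}
LOOKBACK_YEARS = 6


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str
    description: str
    disclosed_by: str   # who released it; the slide notes a proposal to report access as well


# Constructed sample log; all names and ids are fictional.
SAMPLE_LOG = [
    Disclosure("P-100", date(2017, 1, 10), "Dr. Example (referral)", "treatment", "Lab report", "user.a"),
    Disclosure("P-100", date(2016, 6, 2), "Example Health Plan", "payment", "Claim 837P", "user.b"),
    Disclosure("P-100", date(2015, 9, 14), "State Health Dept", "public_health", "Reportable result", "user.a"),
    Disclosure("P-100", date(2013, 2, 5), "Example University IRB study", "research", "Authorized release", "user.c"),
    Disclosure("P-100", date(2010, 3, 1), "County Court", "subpoena", "Records per subpoena", "user.c"),
    Disclosure("P-200", date(2016, 9, 14), "State Health Dept", "public_health", "Reportable result", "user.a"),
]


def _years_before(d, years):
    """Same calendar day `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_of_disclosures(log, patient_id, as_of):
    """Accountable disclosures for one patient, newest first.

    Excludes TPO purposes and anything older than the six-year look-back.
    """
    cutoff = _years_before(as_of, LOOKBACK_YEARS)
    rows = [
        d for d in log
        if d.patient_id == patient_id
        and d.purpose not in TPO_PURPOSES
        and cutoff <= d.disclosed_on <= as_of
    ]
    return sorted(rows, key=lambda d: d.disclosed_on, reverse=True)


def may_charge_for_accounting(prior_request_dates, as_of):
    """True if the patient already received an accounting in the last twelve months."""
    one_year_ago = _years_before(as_of, 1)
    return any(one_year_ago < r <= as_of for r in prior_request_dates)


def render(rows):
    """One printable line per disclosure, suitable for the paper or electronic copy."""
    return [
        f"{d.disclosed_on.isoformat()}  {d.recipient}  ({d.purpose}): "
        f"{d.description}  [released by {d.disclosed_by}]"
        for d in rows
    ]


if __name__ == "__main__":
    today = date(2017, 4, 6)
    for line in render(accounting_of_disclosures(SAMPLE_LOG, "P-100", today)):
        print(line)
    print("fee applies:", may_charge_for_accounting([date(2016, 11, 1)], today))
```

Keeping the purpose code on every log entry is what makes the TPO exclusion mechanical; a log that records only "released to X" forces a manual review of every row each time a patient asks.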


Personal Representative

Someone who is authorized to have access to PHI
◦ Patient
◦ Parent or guardian
◦ Friend?
◦ Next of kin
◦ Executor for an estate
◦ Holder of durable power of attorney
◦ Professional judgment

Minors
◦ Parents may be personal representative; state laws prevail
◦ Provider may make decisions based on professional opinion to determine who should have access to PHI

Discussion

What are your concerns?
◦ Phone calls
◦ Faxes
◦ E-mails
◦ Visitors
◦ Friends/family members
◦ Personal representatives
◦ Subpoena


Business Associates

Not covered entity, not part of CE’s workforce, but process health information on behalf of the CE
◦ EHR/PMR
◦ Clearinghouse
◦ Billing company
◦ Auditors
◦ COLA
◦ Health info. exchanges
◦ IT support
◦ Consultants/Attorneys if access PHI

Covered entity must have Business Associate Agreements (BAA) with all Business Associates

Business Associates (BA) are held to the same privacy and security standards

Breach Notification

Notification of breach of unsecured PHI

Breach: An impermissible use or disclosure that compromises the security or privacy of unsecured protected health information (PHI). Considered a breach unless proven otherwise.

Unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services. The only methods currently approved are destruction and encryption.


Breach Notification

Applies to CEs and BAs

Three exceptions:
◦ An unintentional acquisition, access, or use of the PHI by a member of the workforce acting under the authority of a covered entity or a business associate
◦ An inadvertent disclosure of PHI by a person authorized to access the information to another person authorized to access the information at the same covered entity or business associate
◦ The covered entity or business associate has a good faith belief that the unauthorized individual who received the information was unable to retain the information

Breach Notification

Required information
◦ A description of the breach
◦ A description of the types of information involved in the breach
◦ Steps the affected individuals should take to protect themselves from potential harm
◦ What the practice is doing to investigate the breach, mitigate the harm, and prevent further breaches
◦ Contact information for the laboratory


Breach Discovery Response

• Document as much information as possible
• Report to Privacy/Security Officer
• That individual will then
– Investigate
– Notify affected individuals
– Report to media and HHS if indicated
– Implement corrective actions
• Including disciplinary actions if necessary

Privacy Issues

Confidentiality/Nondisclosure Agreement
• For the entire workforce, including volunteers, students, etc.
• Violations may result in disciplinary actions, including termination or fines
• In effect for life


FAQ

• May covered entities discuss PHI (incl. payment) with friends and family members?
• Answer: Yes.
– Covered entities may discuss PHI with individuals involved in the patient’s care or payment
• If the patient would not object (professional judgment)
• Information released must be the minimum necessary
• Provider may override request for privacy if it would jeopardize care
• For example, a friend may pick up a prescription or a family member may make an appointment

Special Considerations

• Must include in Notice of Privacy Practices
– Authorization to use/disclose psychotherapy notes – if created or maintained by the practice
– Authorization to sell PHI
• If CE plans to do so
– Authorization to market to the individual
• If the CE plans to do so
– Fundraising
• If the CE plans to contact the patient for this purpose
• Must allow opt out with each fundraising communication; must stop fundraising immediately upon opt-out and not resume unless patient “revokes” opt-out.


Security - Privacy

There are areas of overlap between the Security Rule and the Privacy Rule

Purpose of the Security Rule
• To maintain integrity of medical records
• To ensure availability of PHI
• To protect patient confidentiality

At this time, the Security Rule applies only to electronic PHI (ePHI)
• Other forms of PHI (paper and oral) may be addressed later
• Does not currently address electronic signatures


Security

The Security Rule is divided into three broad categories:
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

Administrative Safeguards

• Risk analysis and management
• Sanctions
• Termination procedures
• Systems activity review
• Workforce clearance, authorization, supervision
• Access authorization, establishment, changes
• Security reminders
• Protection from malicious software
• Log-in monitoring
• Password management
• Response, reporting
• Data back-up plan
• Disaster recovery plan
• Emergency mode operation plan
• Testing and revision procedures
• Application and data criticality analysis
• Business Associate Agreements
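Three of the administrative safeguards listed above, log-in monitoring, systems activity review and termination procedures, can be checked against the authentication and record-access logs a practice already has. The Python below is an added example, not code from the slides or from any product: the log line format, the user names, the patient ids, the five-failures-in-five-minutes threshold, the 07:00 to 19:00 business-hours window and the terminated-user list are all constructed assumptions for the example.

```python
"""Review constructed login and record-access log lines for three safeguard checks."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds and lists below are assumptions for this example, not values from the slides.
FAIL_THRESHOLD = 5                  # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window trigger a finding
BUSINESS_HOURS = (7, 19)            # record access outside 07:00-19:00 is flagged
TERMINATED_USERS = {"former.emp"}   # accounts that should have been disabled at termination

# Constructed sample log (chronological). Format: <ISO timestamp> <EVENT> key=value ...
SAMPLE_LOG = """\
2017-04-06T02:13:44 LOGIN user=rlee result=OK src=10.0.0.9
2017-04-06T02:14:02 ACCESS user=rlee patient=P-200 action=view
2017-04-06T08:01:12 LOGIN user=jdoe result=FAIL src=10.0.0.5
2017-04-06T08:01:20 LOGIN user=jdoe result=FAIL src=10.0.0.5
2017-04-06T08:01:31 LOGIN user=jdoe result=FAIL src=10.0.0.5
2017-04-06T08:01:40 LOGIN user=jdoe result=FAIL src=10.0.0.5
2017-04-06T08:01:55 LOGIN user=jdoe result=FAIL src=10.0.0.5
2017-04-06T08:03:02 LOGIN user=msmith result=OK src=10.0.0.7
2017-04-06T08:05:10 ACCESS user=msmith patient=P-100 action=view
2017-04-06T09:30:00 LOGIN user=former.emp result=OK src=10.0.0.12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN|ACCESS) (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": datetime.fromisoformat(m.group("ts")), "event": m.group("event"), **fields}


def review(log_text):
    """Return findings as (kind, user, detail) tuples, in log order."""
    findings = []
    failures = defaultdict(deque)        # per-user timestamps of recent failed logins
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, user = rec["ts"], rec["user"]
        if rec["event"] == "LOGIN":
            if rec.get("result") == "FAIL":
                q = failures[user]
                q.append(ts)
                while q and ts - q[0] > FAIL_WINDOW:   # forget failures outside the window
                    q.popleft()
                if len(q) >= FAIL_THRESHOLD:
                    findings.append(("failed_logins", user,
                                     f"{len(q)} failures since {q[0].time()}"))
                    q.clear()                         # report each burst once
            elif user in TERMINATED_USERS:
                # Termination procedure check: a disabled account must never log in successfully.
                findings.append(("terminated_user_login", user, f"from {rec.get('src', '?')}"))
        elif rec["event"] == "ACCESS":
            # Systems activity review: record views outside business hours deserve a look.
            if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
                findings.append(("after_hours_access", user,
                                 f"patient {rec.get('patient', '?')} at {ts.time()}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:22} {user:12} {detail}")
```

The findings are review items for the Security Officer, not verdicts: an after-hours view may be a legitimate on-call lookup, and the point of the systems activity review is that somebody looks and records what was found.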


Technical Safeguards

• Unique user identification
• Emergency access procedure
• Automatic logoff
• Encryption and decryption
• Authentication of ePHI
• Integrity controls

Physical Safeguards

• Contingency operations
• Facility security plan
• Access control and validation procedures
• Maintenance records
• Workstation use and security
• Device and media
– Disposal
– Re-use
– Accountability
– Data backup and storage


Sample Security Controls

• Install and regularly update virus protection software for servers and workstation computers.
• Set screen savers to come on quickly with reactivation requiring a password.
• For a home-based transcriptionist, require that person to sign a BAA obligating her/him to safeguard data (using a computer off-limits to family members, for example).

Sample Security Controls

Termination procedure: When an employee quits or is fired, block his/her computer password and retrieve office keys. May need to change locks or access codes.

Workstation precaution: Position computer monitors so patients cannot read what shows on the screen.

Passwords: Require staffers to memorize their passwords – no sticky notes!!


Data Backup

• Store backup tapes of files in a safe place off-site or in a locked, waterproof, fireproof safe, so that you will still have the data in the event of a fire or flood.
• Consider a web-based service that automatically backs up files and programs off-site.

Passwords

• Do not share with anyone
• Change at least every six months
• Should be at least seven positions
• Random arrangement of letters and numbers
◦ Suggestion: word with number within
• Not easily guessed!
◦ No names, birthdays, etc.


Sample Security Measures

• Put a lock on the door to the room or closet where you keep your server
• Do not let hackers view or tamper with your data: combine a firewall and a router, a device that connects your network to the Internet
• Control access to data by requiring staffers to log on with user IDs and passwords

Sample Security Issues

• PDAs, desktop computers, and laptops
– are easily stolen or lost;
– should be password protected
• Can also be harmed by food and beverages!
• Discarding a computer? Remove and destroy the hard drive so that no one can retrieve the data.
• Giving it away? Use a program guaranteed to remove all information.
• Best: shred and/or melt all storage media


Sample Security Issues (continued)

• Consider encrypting outgoing messages to ensure privacy.
◦ Encryption is not required per se. Security for electronic communications is required, and encryption is the only method currently approved.
• The same goes for wireless transmissions inside the office.
• To text or not to text? NOT!
◦ There are no regulations about texting
◦ Texting is not private or secure

Reminders

• Do not discuss PHI beyond minimum necessary
• Do not discuss PHI with unauthorized people
• Do not bring software from home
• Do not download programs from the Internet
• If accessing E-mail, do not open attachments
• Treat all hardware and software like controlled drugs – keep an accurate, current inventory
• Keep doors closed if possible
• Consider an electronic lock between reception and clinical area


Enforcement

Mandatory Inspections
◦ In response to a complaint
◦ Random
◦ Will have advance notification

Penalties for violations
◦ Sliding scale based on severity of violation
◦ Affected individuals may be compensated

Enforcement Charges

Penalties for violations occurring after February 17, 2010
◦ $100 - $50,000 with annual cap of $1,500,000: Violation was not known and would not have been known even with reasonable diligence
◦ $1,000 - $50,000 with annual cap of $1,500,000: Reasonable cause, not willful neglect
◦ $10,000 - $50,000 with annual cap of $1,500,000: Willful neglect but corrected in 30 days or would have been known with reasonable diligence
◦ $50,000 up to cap of $1,500,000: Willful neglect, not corrected in 30 days, or should have known


Internal Penalties

• HIPAA regulations emphasize disciplinary actions
• May help mitigate fines if enforced
• Accountability and responsibility for everyone across the board
• Individuals, not just the employer, may be penalized

What Is Identity Theft?

Any situation when someone wrongfully obtains and uses another individual’s personal data

Example: Breach at BCBS, Chattanooga. Thief set up credit cards in victims’ names


What Is Personal Data?

• Name
• Date of birth
• SSN
• Driver’s license number
• Bank account number
• Internet screen name
• Vehicle identifiers
• Phone numbers
• E-mail address
• URL
• Passwords
• PINs
• Credit card number
• Insurance account
• Patient chart number

Who, Where, and When?

Any individual or entity
◦ This includes you

Any place where identity is used
◦ School, work, shopping, restaurants
◦ Including over the Internet
◦ Healthcare facilities

Any time identification is used
◦ Obtaining drivers’ licenses, passports


How Might ID Theft Happen?

• Retaining full credit card number and security code
• Listening to phone conversations
• Compromised PINs used at ATM, etc. (25% of incidents) (Use debit card as credit card)
• Using camera phones
• Lost or stolen checkbook, credit or debit card (43% of incidents)
• Mail diversion

How Might ID Theft Happen?

• Accessing patient information
• Hacking into Internet accounts (11%)
• Accessing student accounts
• Stealing computers or software
• Lost or stolen wallet or purse
• Theft of business records
• Rummaging through trash
• Mail theft


Why Steal An Identity?

Ultimately it is always about the money
◦ Healthcare
◦ Job
◦ Home, car loans

Why Identity Theft Protection?

• Identity theft is the fastest growing crime in America
• It increased 22% from 2007 to 2008
• It is the fastest growing category of complaints received by the Federal Trade Commission (FTC)
• In the past five years, more than 27 million people have been victims
• One in 23 adults in the U.S. have been or will be victims


Why Identity Theft Protection?

• Victims may lose money, homes, healthcare insurance, cars, jobs
• Businesses may lose customers, clients
• Practices may lose patients and/or insurance contracts
• Corrective actions are expensive and time-consuming

DoctorsManagement 57

Why Identity Theft Protection?

The federal government requires it
◦ HIPAA
◦ State privacy laws
◦ Financial institute regulations
◦ School privacy laws
◦ Federal Trade Commission approach: Deter, Detect, Defend


Sensitive Information

• Credit card number (in part or whole)
• Credit card expiration date
• Cardholder name and address
• Social Security number
• Business identification number
• Employer identification number
• Paychecks and pay stubs
• Cafeteria plan check requests and paperwork

Sensitive Information

Medical information including but not limited to:
◦ Doctor names and claims
◦ Insurance claims
◦ Prescriptions
◦ Patient number
◦ Any related personal medical information

Other personal information belonging to any patient:
◦ Date of birth
◦ Telephone number
◦ Maiden name


Personal Identity Theft Prevention

• Personal responsibility of each individual
• Can happen to anyone, anywhere, at any time
• Employers and retailers do have some responsibility

Personal Identity Theft Prevention

• Never release personal information unless you know the requesting entity
• Ask how this information will be used
• Opt out of pre-screened credit cards
◦ 1-888-567-8688
• Increase home security
• Use timers on lights when away


Personal Identity Theft Prevention

• Request “Vacation Hold” for mail when away
◦ 1-800-275-8777
◦ PS Form 8076 at the Post Office or at www.usps.com
• Shred all sensitive information
• Watch for expected mail
◦ Especially bills
• Deposit outgoing mail with sensitive data in postal collection box or Post Office

Personal Identity Theft Prevention

• Limit personal data you carry
• Cancel unused credit cards
• When ordering new checks, pick them up at the bank rather than having them delivered to your home
• Use initials rather than name
• Take extra care when writing checks, using ATMs, or making credit card transactions over the Internet or on the phone


If You Are A Victim

• Contact credit card bureau
◦ Equifax, Experian, or Trans Union
• Close the accounts
• File a police report
• File a complaint with the FTC
◦ 1-877-IDTHEFT (438-4338) or www.consumer.gov/theft
• Document all actions

Questions?

What you do here, what you hear here, what you see here, when you leave here, let it stay here.

Presented by Kelly D. Ogle, BSDH, MIOP, OSHA/HIPAA Specialist, DoctorsManagement

[email protected]


THANK YOU!

CONTACT INFORMATION
Phone: 800-635-4040
Email: [email protected]
Website: www.doctors-management.com