Page 1: HIPAA Compliance Training (presentation file … 11-16-15.pdf)

© 2015 Rivkin Radler LLP

HIPAA Compliance Training
SB CLINICAL NETWORK IPA, LLC d/b/a Suffolk Care Collaborative

Rivkin Radler LLP
926 RXR Plaza
Uniondale, NY 11556
516-357-3000

Page 2: What is HIPAA and Why Do We Care?

Page 3: Statutory Authority

• Congress enacted the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

• The Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted under the American Recovery and Reinvestment Act of 2009 (“ARRA”), encompassing all aspects of HIPAA

• HITECH required the Secretary of the Department of Health and Human Services to promulgate more stringent Privacy and Security Regulations that were finalized as the Omnibus Rule in 2013.

• The Omnibus Rule further protects patient privacy and safeguards patients’ health information in an expanding digital world.

Page 4: What is PHI?

• What is Protected?
  – “Protected health information” (PHI) is individually identifiable health information (including demographic information) that is transmitted or maintained in any form or medium (paper or electronic) relating to:
    • The past, present or future physical or mental health or condition of a person,
    • The provision of health care to a person, or
    • The past, present or future payment for the provision of health care to a person.

Page 5: What is NOT PHI?

• De-identified information (information that has been stripped of certain identifiers or that has been processed by statistical methods by an expert)

• Employee health information contained in an employment record

• Limited data sets for research, public health, and healthcare operations purposes

Page 6: HIPAA

• Who is required to comply with HIPAA?
  – HIPAA applies to “covered entities” – health plans, health care clearinghouses and health care providers who engage in electronic transactions.

Page 7: Application of HIPAA to Suffolk Care Collaborative as a Business Associate

• Business Associates (BAs) are also required to comply with HIPAA
  – BAs are individuals or entities that create, receive, maintain, or transmit PHI on behalf of a covered entity.

• Suffolk Care Collaborative is a business associate (BA) of its coalition partners (such as medical practices) because it uses PHI to provide data analysis and related services for utilization of such data by coalition partners under DSRIP.

• Suffolk Care Collaborative also transmits, maintains or stores such PHI.

Page 8: Responsibilities of the Business Associate

• A BA is contractually responsible to the Covered Entity it does business with AND can be penalized directly by the federal government for HIPAA violations
  – Cannot use or disclose PHI except as stated in the BA agreement
  – Any other use or disclosure subjects the BA to penalties

Page 9: Responsibilities of Business Associate

• Implementation of safeguards for PHI in paper/hard copy form

• Compliance with the Security Rule for electronic PHI (ePHI)

• Entering into Business Associate Agreements (“BAAs”) with covered entities

• Entering into subcontractor BAAs with sub-BAs (a BA that creates, receives, maintains, or transmits PHI on behalf of Suffolk Care Collaborative)

• Prompt notification of security incidents or breaches to the covered entity

• Cooperation with HHS/OCR in an investigation or audit

Page 10: Privacy Rule

• The Privacy Rule portion of HIPAA protects health information in any form of media, whether electronic, written, paper or oral.

• Puts restrictions on the use and disclosure of PHI
  – You use PHI every time you view a patient’s account or record to conduct data analysis
  – You disclose PHI when you release it outside of Suffolk Care Collaborative

Page 11: HIPAA Privacy Rule

• Basic Requirements of the Privacy Rule
  – General rule is that patient authorization is required before disclosing PHI
  – Exception for payment, treatment and/or health care operations
  – Minimum Necessary Rule

Page 12: Minimum Necessary Rule

• A BA can only use and disclose the minimum amount of PHI necessary to accomplish the purpose of the use or disclosure
  – Only use and disclose the PHI necessary to do your job
  – Role-Based Access: does the receptionist need to access the entire medical record?

Page 13: Minimum Necessary Rule (cont’d)

• Basic Requirements of the Privacy Rule for BAs – Minimum Necessary Rule

• If at all possible, the HITECH Act requires uses and disclosures to not include any of the following information:
  – Names, addresses, phone or fax numbers or e-mail addresses
  – Social security numbers, medical record numbers, health plan beneficiary numbers or account numbers
  – Certificate/license numbers, vehicle identifiers (e.g., license plate number) and device identifiers or serial numbers
  – Internet addresses or locations (URLs, IP address numbers)
  – Biometric identifiers (e.g., fingerprints)
  – Pictures

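The identifier list above is the kind of thing a practitioner ends up checking mechanically before a data set leaves the organisation. The following scanner is an added example, not code from the training deck or from Suffolk Care Collaborative: it finds the identifier classes on the slide that have a recognisable textual shape (SSNs, phone numbers, e-mail addresses, URLs, IP addresses, and an assumed local medical record number format) and replaces them with placeholders. The patterns and the sample note are constructed; names, biometric identifiers and pictures have no regular shape and would need a name dictionary or human review, which this example does not attempt.

```python
"""Scan free text for the direct identifiers the slide lists and redact them.

Added example, not part of the training deck. Patterns and the sample note are
constructed; the MRN pattern is an assumption about one organisation's format.
"""
import re

# Identifier classes from the slide that have a recognisable textual shape.
# Listed in priority order: a URL is claimed before the IP address inside it.
IDENTIFIER_PATTERNS = {
    "url":   re.compile(r"\bhttps?://[^\s<>\"']+"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn":   re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),  # assumed local format
}


def _scan(text):
    """Return non-overlapping (start, end, kind, value) tuples, earliest first."""
    taken = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for m in pattern.finditer(text):
            if any(m.start() < end and m.end() > start for start, end, _, _ in taken):
                continue  # already claimed by a higher-priority pattern
            taken.append((m.start(), m.end(), kind, m.group()))
    return sorted(taken)


def find_identifiers(text):
    """List (kind, value) pairs for every identifier found, in document order."""
    return [(kind, value) for _, _, kind, value in _scan(text)]


def redact(text):
    """Replace each identifier with a [KIND] placeholder so the text no longer
    carries the identifiers the slide says to leave out of uses and disclosures."""
    out = text
    for start, end, kind, _ in reversed(_scan(text)):  # right to left keeps offsets valid
        out = out[:start] + "[" + kind.upper() + "]" + out[end:]
    return out


def is_minimum_necessary(text):
    """True when none of the listed identifiers remain in the text."""
    return not _scan(text)


# Constructed sample note; every value in it is fictitious.
SAMPLE_NOTE = (
    "Patient MRN 00123456 seen 2015-11-16. Contact 516-357-3000, "
    "jdoe@example.com, SSN 123-45-6789. Portal http://10.0.0.5/chart?id=7 "
    "accessed from 192.168.1.20."
)

if __name__ == "__main__":
    for kind, value in find_identifiers(SAMPLE_NOTE):
        print(f"{kind:6} {value}")
    print(redact(SAMPLE_NOTE))
```

Pattern order matters: the URL pattern runs first so that the IP address embedded in a URL is reported once, as part of the URL, rather than twice. A scanner like this is a backstop for role-based access and data-set design, not a substitute for them; anything it cannot recognise still reaches the recipient.
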
Page 14: Who is entitled to inspect PHI?

• The individual who is the subject of the PHI;

• A Personal Representative of the individual (State law determines who qualifies as a Personal Representative);

• In New York, examples of personal representatives include: health care agent, court appointed guardian, a power of attorney with powers to access medical records, an executor of the estate, a distributee of any deceased patient, an attorney of the patient who possesses a power of attorney permitting medical record access, a parent or guardian of a minor; and

• Public Officials (law enforcement).

Page 15: Privacy Rule

• Basic Requirements of the Privacy Rule for BAs
  – You need to protect your paper files from theft and/or improper use by others (risk of identity theft or other fraud)
    » Where do you keep your paper files? Are they secure?
    » Do you use a shredder or do you just throw out medical records?
    » Is your workspace shared by others?

Page 16: Verification

• If requests for PHI are made, Suffolk Care Collaborative must verify the authority of the requestor, and obtain written documentation supporting the authority where applicable.

• For example, if the request is made by:
  – Personal or Legal Representatives
  – Public Officials or Law Enforcement

Page 17: Denial of Access to Records

• Individual access may be denied under limited circumstances:
  – If access would endanger the life or safety of an individual
  – If information was obtained from a non-healthcare entity, subject to a confidentiality agreement
  – Access to psychotherapy notes may be denied

Page 18: Right to Amend Records

• Patients have the right to request that Suffolk Care Collaborative amend the PHI in their record

• Suffolk Care Collaborative may deny the request if the record:
  – Was not created by Suffolk Care Collaborative
  – Would, if so amended, change the impression or observation of clinicians
  – Is accurate and complete
  – Is the subject of a request in which the patient did not explain why the amendment should be made

Page 19: Response to Amendment Requests

• Suffolk Care Collaborative must respond to the request within 60 days by either:
  – Accepting the request to amend and making proper notation in the record; or
  – Denying the request and issuing a written denial

Page 20: Disclosure to Third Parties

• Requests by an individual to transmit a copy of their PHI to another designated individual must be honored and comply with specific requirements:
  – Must be in writing
  – Must verify the identity of any person requesting the PHI
  – Reasonable safeguards implemented to protect the information
  – Example: confirmation of the correct email address of the third party is not necessary, but reasonable procedures are required to ensure that the email address is entered into the system correctly

Page 21: Accounting of Disclosures

• Identity verification is important because patients have a right to receive an accounting of disclosures of PHI made by Suffolk Care Collaborative for up to 6 years prior to the date of the request for the accounting

• The Accounting Log should indicate the specifics of uses and disclosures made by Suffolk Care Collaborative

Page 22: Accounting Obligation

• Accounting is NOT required for disclosures made:
  – To carry out treatment, payment and healthcare operations;
  – To individuals of PHI about them;
  – Incident to a use or disclosure otherwise permitted or required by law;
  – Pursuant to an authorization;
  – For national security or intelligence purposes; or
  – To correctional institutions or law enforcement officials; or
  – As part of a limited data set.

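Pages 21 and 22 together define an algorithm: from the disclosure log, select the entries for one patient that fall within the 6 years before the request date and drop the exempt categories. The code below is an added example, not part of the training deck or of any Suffolk Care Collaborative system; the purpose labels, the log entries and the dataclass layout are constructed assumptions standing in for whatever the organisation's real accounting log records.

```python
"""Build the accounting of disclosures a patient may request.

Added example, not part of the training deck. The disclosure log and the
purpose labels are constructed; a real log is populated by the systems that
release PHI, and the exemption list mirrors the categories on page 22.
"""
from dataclasses import dataclass
from datetime import date

# Purposes the slide lists as exempt from the accounting.
EXEMPT_PURPOSES = {
    "treatment", "payment", "health_care_operations",
    "to_individual",                   # disclosure to the individual of PHI about them
    "incident_to_permitted_use",
    "pursuant_to_authorization",
    "national_security",
    "correctional_or_law_enforcement",
    "limited_data_set",
}


@dataclass(frozen=True, order=True)
class Disclosure:
    disclosed_on: date       # first field, so sorting orders by date
    patient_id: str
    recipient: str
    purpose: str
    description: str


def is_accountable(d):
    """Anything not on the exemption list must appear in the accounting.
    Unknown purposes are treated as accountable, the safe default."""
    return d.purpose not in EXEMPT_PURPOSES


def years_before(d, n):
    """Same calendar day n years earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def accounting_for(log, patient_id, request_date, lookback_years=6):
    """Disclosures of this patient's PHI inside the lookback window,
    oldest first, minus the exempt categories."""
    window_start = years_before(request_date, lookback_years)
    return sorted(
        d for d in log
        if d.patient_id == patient_id
        and window_start <= d.disclosed_on <= request_date
        and is_accountable(d)
    )


# Constructed sample log; patient ids, dates and recipients are fictitious.
SAMPLE_LOG = [
    Disclosure(date(2015, 3, 2), "P-001", "Medicaid", "payment", "claim processing"),
    Disclosure(date(2012, 6, 15), "P-001", "County Health Dept", "public_health", "reportable condition"),
    Disclosure(date(2009, 11, 15), "P-001", "Research Registry", "research_waiver", "one day outside window"),
    Disclosure(date(2014, 9, 9), "P-002", "Attorney", "subpoena", "court-ordered production"),
    Disclosure(date(2015, 10, 1), "P-001", "Patient", "to_individual", "copy of record"),
]

if __name__ == "__main__":
    for d in accounting_for(SAMPLE_LOG, "P-001", date(2015, 11, 16)):
        print(d.disclosed_on, d.recipient, d.purpose, d.description)
```

The Medicaid payment entry stays in the log but is filtered out of the accounting, which is the same point page 24 makes about Medicaid claim inquiries: the disclosure is permitted and needs no tracking for accounting, so recording it does no harm while omitting a non-exempt disclosure would be a defect.
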
Page 23: Request to Restrict Use and Disclosure

• Patients have the right to request restrictions on the uses and disclosures of PHI.

• Suffolk Care Collaborative is not required to agree to such restrictions except if the restriction is for the disclosure of PHI to a health plan where the disclosure is for payment or health care operations purposes and the PHI “pertains solely to a health care item or service for which the health care entity involved has been paid out of pocket”, and is not otherwise requested by law.

• Suffolk Care Collaborative must not violate agreed upon restrictions except in an emergency.

Page 24: Audits and Billing

• Suffolk Care Collaborative is permitted to disclose PHI in connection with a Medicaid audit without prior written authorization

• Any inquiry from Medicaid in order to process claims for payment does not require an authorization nor tracking for accounting

Page 25: Security Rule

• BAs must comply with the Security Rule, which applies to electronic PHI (ePHI) only
  – Establishes minimum standards for the security of ePHI while PHI is in the custody of a covered entity or BA or in transit
  – Requires BAs to adopt administrative, physical and technical safeguards to protect ePHI
  – Suffolk Care Collaborative has a comprehensive HIPAA security policy

Page 26: Security Rule

• What does this mean for you?
  – While Suffolk Care Collaborative needs to conduct its own risk assessment for possible security issues, you need to be aware of your own work habits in order to appropriately protect ePHI
    • Do you use a mobile device for work?
  – Most losses of PHI we see involve a mobile device
  – Mobile devices containing PHI should at least be password protected (use of encryption is even better)
  – Mobile devices should not be left unattended when you are traveling with them, or should at least be appropriately secured

Page 27: Security Rule

• What does this mean for you (cont’d)?
  – Emails and documents containing PHI should be encrypted or sent through a secure email server when possible
  – When sending an e-mail message, documents containing PHI should be password-protected, with the password transmitted via a separate e-mail message
  – Do you save documents to your hard drive?
    • Do other people have access to your hard drive?

Page 28: Administrative Requirements

• Conduct a Risk Analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI

• Implement security measures to reduce risks and vulnerabilities:
  – Log-in monitoring
  – Protection from malicious software
  – Password management

• Apply sanctions against workforce members who fail to comply with security policies and procedures

• Ensure all members of the workforce have appropriate access to electronic PHI, and prevent those workforce members who do not have access from obtaining access

• Identify a Security Officer responsible for the development and implementation of the policies and procedures of the Security Rule

Page 29: Administrative Requirements (cont’d)

• Must train all members of the workforce on policies and procedures relating to PHI
  – Within a reasonable period of time for new employees
  – Within a reasonable period of time for members of the workforce who are affected by a change in policy or practice
  – Training should be role based (as necessary and appropriate to function)
  – Document all training and retain for 6 years
  – Respond to and report suspected or known security incidents
  – Mitigate harmful effects of security incidents known to Suffolk Care Collaborative and document incidents and outcomes

Page 30: Technical Safeguards

• Limit physical access to electronic information

• Implement Access Controls:
  – Unique user identification
  – Emergency Access Procedure
  – Automatic logoff
  – Encryption and Decryption (electronic mail)
  – PDF with passwords

• Implement Audit Controls:
  – Hardware, software, and/or mechanisms to record and examine activity on systems containing electronic PHI

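The access-control and audit-control items on this slide, together with the role-based access question on page 12 (does the receptionist need the entire record?), fit in one small model: a per-user session with an idle timeout, a role-to-field map that expresses the minimum necessary for each job, an emergency access path that is always audited, and an audit trail that can be examined afterwards. The code below is an added example, not part of the training deck or of Suffolk Care Collaborative's systems; the role map, the 15-minute idle timeout, the sample record and the user ids are constructed assumptions.

```python
"""Role-based, minimum-necessary access to a patient record with an audit trail.

Added example, not from the training deck. The role-to-field map, idle timeout
and sample record are constructed assumptions standing in for an
organisation's own policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Minimum necessary by role: the parts of a record each role needs for its job.
ROLE_FIELDS = {
    "receptionist": {"name", "appointment_time", "contact_phone"},
    "data_analyst": {"diagnosis_codes", "encounter_dates", "payer"},
    "clinician":    {"name", "contact_phone", "diagnosis_codes", "encounter_dates", "clinical_notes"},
}
IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic-logoff threshold


@dataclass
class Session:
    user_id: str             # unique user identification, never a shared login
    role: str
    last_activity: datetime
    emergency: bool = False  # emergency access procedure ("break glass"), always audited


@dataclass(frozen=True)
class AuditEvent:
    at: datetime
    user_id: str
    patient_id: str
    fields: tuple
    outcome: str  # "granted", "denied", "emergency_granted" or "logged_off"


@dataclass
class AccessController:
    audit: list = field(default_factory=list)  # the audit-control record

    def access_record(self, session, patient_id, record, requested_fields, now):
        """Return the requested fields the role may see; log every attempt."""
        if now - session.last_activity > IDLE_TIMEOUT:
            self.audit.append(AuditEvent(now, session.user_id, patient_id,
                                         tuple(requested_fields), "logged_off"))
            raise PermissionError("session idle too long: automatic logoff, sign in again")
        session.last_activity = now

        if session.emergency:  # full record available, but flagged distinctly in the trail
            granted = [f for f in requested_fields if f in record]
            self.audit.append(AuditEvent(now, session.user_id, patient_id,
                                         tuple(granted), "emergency_granted"))
            return {f: record[f] for f in granted}

        allowed = ROLE_FIELDS.get(session.role, set())
        denied = [f for f in requested_fields if f not in allowed]
        if denied:
            self.audit.append(AuditEvent(now, session.user_id, patient_id, tuple(denied), "denied"))
        granted = [f for f in requested_fields if f in allowed and f in record]
        if granted:
            self.audit.append(AuditEvent(now, session.user_id, patient_id, tuple(granted), "granted"))
        return {f: record[f] for f in granted}

    def denied_counts(self):
        """Examine the trail: repeated denials per user are worth a review."""
        counts = {}
        for ev in self.audit:
            if ev.outcome == "denied":
                counts[ev.user_id] = counts.get(ev.user_id, 0) + 1
        return counts


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "contact_phone": "555-0100",
    "appointment_time": "2015-11-16 09:30",
    "diagnosis_codes": ["J45.20"],
    "encounter_dates": ["2015-11-16"],
    "clinical_notes": "constructed sample note",
    "payer": "Medicaid",
}

if __name__ == "__main__":
    ctrl = AccessController()
    s = Session("u-rec-01", "receptionist", datetime(2015, 11, 16, 9, 0))
    print(ctrl.access_record(s, "P-001", SAMPLE_RECORD, ["name", "diagnosis_codes"],
                             datetime(2015, 11, 16, 9, 5)))
    for ev in ctrl.audit:
        print(ev.at, ev.user_id, ev.outcome, ev.fields)
```

The design choice worth noting is that a request mixing permitted and non-permitted fields is trimmed rather than refused outright, and the trimmed-off fields are written to the trail as a denial; that keeps the receptionist's screen working while still surfacing anyone who keeps asking for the clinical notes. A stricter policy would refuse the whole request, and either is defensible as long as the attempt is recorded.
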
Page 31: Physical Safeguards

• Limit physical access to electronic information systems and the location in which such systems are housed, while ensuring that properly authorized access is allowed.
  – Safeguard equipment
  – Validate access to facilities
  – Maintenance records of the physical facility housing equipment
  – Device and media controls, limiting and controlling the movement of electronic media containing electronic PHI in and out of the facility

Page 32: Physical Safeguards (cont’d)

• Shredding or destruction of all electronic PHI

• Electronic media cleansed prior to re-use

• Log kept by the Security Officer of movements of hardware and electronic media and the person responsible for them

• Data back-up and storage

• Creation of a retrievable, exact copy of electronic PHI before movement of any equipment

Page 33: Electronic Media

• PHI stored in photocopiers, facsimiles or other office machines is subject to the Privacy and Security Rules. PHI stored in the machines must be protected and secured from inappropriate access. HHS suggests monitoring or restricting physical access to a photocopier or a fax machine that is used for copying or sending PHI. Before removal of the device, such as at the end of the lease term for a photocopier machine, proper safeguards should be followed to remove electronic PHI from the media.

Page 34: Breach

• A breach is an unauthorized transfer of unsecured PHI. E.g., faxing PHI to the wrong fax number.

• An impermissible use or disclosure of PHI is presumed to be a breach, unless it can be demonstrated that there is a low probability that PHI has been compromised based upon a four-part risk assessment

Page 35: Four Part Risk Assessment for Breach

• 1. Nature and extent of the PHI involved in the breach

• 2. The unauthorized person who used the PHI or to whom the disclosure was made

• 3. Whether the PHI was actually acquired or viewed

• 4. The extent to which the risk to the PHI was mitigated

• **If the risk assessment fails to demonstrate that there is a low probability that any PHI was compromised, breach notification is required.

Page 36: Discovery of a Breach

• A business associate is deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to a person who is an employee, officer or other agent of the business associate.

Page 37: Breach Notification Standard

• Covered entities and BAs are required to report breaches involving “unsecured” PHI to affected individuals
  – Unsecured PHI is PHI that has not been either encrypted or physically destroyed (e.g., shredded)
  – A breach is basically any use or disclosure not permitted by HIPAA

Page 38: Breach Notification Rules

• It is very important that you immediately report any suspected breach to Suffolk Care Collaborative’s Privacy/Security Officer as soon as you are aware
  – There are tight timelines involved for the covered entity’s reporting to affected individuals, so the timeframe for the BA’s report to the covered entity is even tighter
  – The clock starts ticking when Suffolk Care Collaborative knew or should have known about the breach

Page 39: Breach Notification Rules

• Your report to the Privacy/Security Officer does not necessarily mean the breach must be reported
  – The Privacy/Security Officer is required to make the final determination whether a reportable breach occurred

Page 40: Notification Obligations in the Event of a HIPAA Breach

• Notification must be made within 60 calendar days after discovery of the breach. A Business Associate’s knowledge of a breach will be imputed to the Covered Entity

• If the breach involves more than 500 persons, must notify:
  – Individuals, media, and the Secretary of HHS

• If the breach involves fewer than 500 individuals, the Secretary of HHS is notified not later than 60 days after the end of the calendar year in which the breach was “discovered”

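The deadlines on pages 36 through 40 are easy to get wrong under pressure, so a privacy officer typically wants them computed rather than counted on a calendar. The code below is an added example, not part of the training deck. It uses only what the slides state: 60 calendar days from discovery, the "more than 500" threshold, and the end-of-calendar-year rule for smaller breaches. Two things are assumptions, labelled in the code: the slide does not say how a breach of exactly 500 is handled, so this example treats 500 as the large-breach case, and the BA's own reporting window to the covered entity (which page 38 says is "even tighter" without giving a number) is modelled as an assumed contractual term of 10 days.

```python
"""Who must be notified of a breach and by when, using the thresholds on the slide.

Added example, not part of the training deck. Values marked "assumption" are
not on the slide.
"""
from datetime import date, timedelta

NOTIFICATION_WINDOW = timedelta(days=60)  # slide: 60 calendar days after discovery
LARGE_BREACH_THRESHOLD = 500              # slide: "more than 500 persons"
ASSUMED_BAA_REPORT_DAYS = 10              # assumption: a BAA-specified BA-to-CE window


def notification_plan(discovery_date, affected_count, baa_report_days=ASSUMED_BAA_REPORT_DAYS):
    """Map each party to the last day on which notification is timely.

    discovery_date is the day the BA knew or should have known (page 36/38);
    the BA's knowledge is imputed to the covered entity, so the 60-day clock
    for individuals runs from that day, not from the day the CE was told.
    """
    by = discovery_date + NOTIFICATION_WINDOW
    plan = {
        # The BA's report to the covered entity must be tighter than the CE's own
        # deadline; the exact figure is an assumed contractual term.
        "covered_entity": discovery_date + timedelta(days=baa_report_days),
        "individuals": by,
    }
    # Assumption: exactly 500 is treated as the large-breach case.
    if affected_count >= LARGE_BREACH_THRESHOLD:
        plan["media"] = by
        plan["hhs"] = by
    else:
        # Smaller breaches: HHS no later than 60 days after the end of the
        # calendar year of discovery (that is Feb 29 in a leap year).
        year_end = date(discovery_date.year, 12, 31)
        plan["hhs"] = year_end + NOTIFICATION_WINDOW
    return plan


def overdue(plan, today):
    """Parties whose deadline has already passed, alphabetically."""
    return sorted(party for party, deadline in plan.items() if today > deadline)


def days_remaining(plan, today):
    """Days left per party; negative once the deadline has passed."""
    return {party: (deadline - today).days for party, deadline in plan.items()}


if __name__ == "__main__":
    # Constructed scenario: discovered 16 Nov 2015, 40 individuals affected.
    plan = notification_plan(date(2015, 11, 16), 40)
    for party, deadline in sorted(plan.items()):
        print(f"{party:15} by {deadline}")
    print("overdue on 2016-02-01:", overdue(plan, date(2016, 2, 1)))
```

Note that a breach discovered in November 2015 with fewer than 500 individuals has its HHS deadline on 29 February 2016, not 1 March: adding 60 days to 31 December lands on the leap day. Date arithmetic, not a rule of thumb, is what gets this right.
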
Page 41: %SB%CLINICAL%NETWORK%IPA,%LLC%d/b/a% … 11-16-15.pdf©"2015"Rivkin"Radler"LLP" 3 Statutory%Authority% • Congress"enacted"the"Health"Insurance"Portability"and" Accountability"Actof"1996"(“HIPAA”)"

©  2015  Rivkin  Radler  LLP   41

Breach  NoCficaCon  Rules  

•  Federal  regulaSons  prohibit  any  inSmidaSon,  coercion,  discriminaSon  or  other  retaliatory  acSon  against  you  for  reporSng  a  breach  –  However,  you  will  likely  be  subject  to  discipline  if  you  do  not  report  a  breach!  

Page 42: %SB%CLINICAL%NETWORK%IPA,%LLC%d/b/a% … 11-16-15.pdf©"2015"Rivkin"Radler"LLP" 3 Statutory%Authority% • Congress"enacted"the"Health"Insurance"Portability"and" Accountability"Actof"1996"(“HIPAA”)"

©  2015  Rivkin  Radler  LLP   42

Impact  of  Breach  

•  Because  of  the  onerous  nature  of  these  rules,  and  the  serious  implicaSons  of  a  violaSon  –  Loss  of  clients  –  Financial/reputaSonal  detriment  

Page 43: %SB%CLINICAL%NETWORK%IPA,%LLC%d/b/a% … 11-16-15.pdf©"2015"Rivkin"Radler"LLP" 3 Statutory%Authority% • Congress"enacted"the"Health"Insurance"Portability"and" Accountability"Actof"1996"(“HIPAA”)"

©  2015  Rivkin  Radler  LLP   43

Business  Associate  Liability  

•  Direct  Liability  for  BAs  for:  –  Impermissible  uses  and  disclosures  –  Failure  to  provide  breach  noSficaSon  to  Covered  EnSty  –  Failure  to  provide  access  to  copy  of  electronic  PHI  to  

Covered  EnSty,  individual  or  individual  designee  (as  specified  in  BAA)  

–  Failure  to  enter  into  a  BAA  with  subcontractors  –  Failure  to  disclose  PHI  to  Secretary  if  required  –  Failure  to  provide  accounSng  of  disclosures  –  Failure  to  comply  with  Security  Rule  

 

Page 44: %SB%CLINICAL%NETWORK%IPA,%LLC%d/b/a% … 11-16-15.pdf©"2015"Rivkin"Radler"LLP" 3 Statutory%Authority% • Congress"enacted"the"Health"Insurance"Portability"and" Accountability"Actof"1996"(“HIPAA”)"

©  2015  Rivkin  Radler  LLP   44

Subcontractors  

•  Same  analysis  as  Business  Associates  •  Perform  services  as  a  downstream  enSty  to  a  Business  

Associate  other  than  as  part  of  the  Business  Associate’s  workforce  

•  Direct  Liability  for  Noncompliance  (same  as  Business  Associates)  •  **  Covered  EnSSes  are  not  required  to  have  a  contract  with  the  

subcontractor,  Business  Associates  have  obligaSon  to  obtain  saSsfactory  assurances  in  a  wriben  contract  or  other  arrangement  that  subcontractor  will  safeguard  PHI  just  as  Covered  EnSSes  must  obtain  assurances  with  regard  to  Business  Associates.  ObligaSons  flow  “down  the  chain”  as  far  as  the  flows.    

Page 45: %SB%CLINICAL%NETWORK%IPA,%LLC%d/b/a% … 11-16-15.pdf©"2015"Rivkin"Radler"LLP" 3 Statutory%Authority% • Congress"enacted"the"Health"Insurance"Portability"and" Accountability"Actof"1996"(“HIPAA”)"

©  2015  Rivkin  Radler  LLP   45

Consequences  of  ViolaCons  

•  Civil  penalSes  can  be  imposed  by  Federal  Department  of  Health  and  Human  Services  –  Amount  of  civil  penalty  depends  on  whether  violaSon  was  

knowing  or  willful  and  whether  it  was  corrected  –  PenalSes  range  from  $100/violaSon  to  $50,000/violaSon  –  $1.5  million  annual  maximum  for  idenScal  violaSons  

(regardless  of  level  of  culpability)  •  MulSple  violaSons  of  different  requirements  arising  from  the  same  incident  could  greatly  mulSply  the  $1.5  million  cap!  

–  HHS  retains  discreSon  to  modify  penalSes  to  make  the  punishment  fit  the  violaSon  


Investigation of Violations

• Most frequently investigated compliance issues:
  1. Impermissible uses and disclosures of protected health information
  2. Lack of safeguards of protected health information
  3. Lack of patient access to their protected health information
  4. Uses or disclosures of more than the Minimum Necessary protected health information
  5. Lack of mitigation of risk upon discovery of a breach


HIPAA Case Studies

• A subcontractor of Boston Medical Center fired a third-party transcription vendor after the business associate posted health records and demographic data of 15,000 patients to the vendor's website with no password protection.

• Massachusetts General was required to pay $1,000,000 and enter into a Corrective Action Plan (CAP) to implement policies and procedures to safeguard the privacy of its patients.

• An unencrypted USB drive stolen from a car resulted in a $150,000 fine and implementation of a corrective action plan for a covered entity.


HIPAA Case Studies

• Affinity Health Plan, a not-for-profit managed care plan serving the New York metropolitan area, settled with OCR for $1.2 million for HIPAA violations.
  – Affinity impermissibly disclosed the PHI of up to 344,579 individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.


HIPAA Case Studies

• February 2015: a Registered Nurse employed by a Business Associate of Senior Health Partners, part of Health First in New York, had her laptop and mobile phone stolen. Although the laptop was encrypted, the encryption key was in the laptop bag that was stolen. The mobile phone was neither encrypted nor password protected.
  – PHI included patient names, demographics, SS numbers, Medicaid IDs, dates of birth, clinical diagnoses, treatment information and health insurance claim numbers

• Triple-S Management Corp., a San Juan-based insurance holding company, was fined $6.8 million in penalties for improperly handling the medical records of 70,000 individuals


Consequences of Violations

• The U.S. Department of Justice can pursue criminal charges against individual violators
  – Maximum fine of $50,000 and one year of imprisonment
  • Certain aggravating factors can add to those numbers

• Violations of Suffolk Care Collaborative's HIPAA policies will subject the violator to disciplinary measures, up to and including termination


BA Impact on HIPAA Breaches

• In 2014, the Office for Civil Rights stated that as many as 64 percent of all HIPAA breaches involved a business associate

• Incidents in which BAs were participants tended to affect a greater number of individuals than those that did not involve a BA


Privacy and Security Officer

• Suffolk Care Collaborative's Privacy/Security Officer is Stephanie Musso
  – Address: 3 Technology Drive, Suite 700, East Setauket, New York 11733
  – Phone: 631-444-5796
  – E-mail: [email protected]


Administrative Requirements

• Designate a Privacy/Security Officer and a Contact Person for complaints or questions, with contact info (phone #/address);
• Develop and implement systems to safeguard PHI;
• Implement Policies and Procedures;
• Develop a system to track and account for disclosures;
• Train the Workforce;
• Develop sanctions for employee violations of policies and procedures;
• Enter into BAAs where necessary;
• Develop and implement a complaint process;
• Document and retain compliance activities for six years.


Compliance is Key

Non-Compliance is Costly!


Questions?