The HIPAA Privacy & Security Rule Hosted by Olivia Ash, MS, Compliance Consultant ©Compliancedashboard, LLC 2018


Page 1

The HIPAA Privacy & Security Rule

Hosted by Olivia Ash, MS, Compliance Consultant

©Compliancedashboard, LLC 2018

Page 2

About the Webinar

• Lines Are Muted

• Use Arrow To Minimize Menu

• View Slides in Full Screen Mode

• Enter Questions for Q&A Session

Page 3

HRCI & SHRM Pre-Approved

In order to receive the HRCI* & SHRM** Credits:

• Must have signed in with your unique registration link

• Must attend the entirety of the webinar

• Must answer the applicable polls for HRCI credits

• An HRCI certificate with ID# will be sent to you upon completion of all of the above

• Make sure to add apbenefitadvisors.com to your whitelist/safe senders list to receive all follow-up emails

*The use of this seal confirms that this activity has met HR Certification Institute’s® (HRCI®) criteria for recertification credit pre-approval.

**AP Benefit Advisors, LLC is recognized by SHRM to offer Professional Development Credits (PDCs) for SHRM-CP or SHRM-SCP. This program is valid for 1 PDC for the SHRM-CP or SHRM-SCP. For more information about certification or recertification, please visit shrmcertification.org.

Page 4

Agenda

• Introduction
• HIPAA Privacy Rule
• HIPAA Security Rule
• Security Risk Assessment 101

Note: Material contained in this presentation is not legal advice, and should not be construed as legal advice. If legal advice or other professional assistance is required with regard to any issues referenced in this presentation, the services of a competent legal or tax professional should be immediately sought.

About Our Presenter

Olivia Ash worked the last 15 years in roles ranging from account management to business development contracting. She’s also a licensed teacher with experience in higher education. Olivia writes Compliancedashboard’s blog and activity content.

Page 5

HIPAA Privacy & Security

HIPAA Privacy Rule
• Gives an individual certain rights over how their health information may be used or disclosed by organizations that are subject to the Privacy Rule
• Protects against the unauthorized disclosure of certain medical information known as Protected Health Information (“PHI”)

HIPAA Security Rule
• Addresses the various physical, technical, and administrative safeguards that must be implemented by organizations subject to the Security Rule and their Business Associates to protect the confidentiality, integrity and availability of electronic protected health information.

Page 6

HIPAA Privacy & Security

Protected Health Information (PHI)
Individually identifiable health information that is held or transmitted by a Covered Entity or its business associate, in any form or media, whether electronic, paper, or oral.

To be PHI, ALL of the following elements MUST be met:
• Individually identifiable
• Health information
• Held or transmitted by a Covered Entity or its business associate

Covered Entities:
• Health care providers
• Health care clearinghouses
• Health plans

Page 7

HIPAA Privacy & Security

Individually Identifiable
• Name
• Address
• Phone number
• Birth date
• Social security number
• Email address

Not considered PHI on its own. Must be combined with Health Plan data to qualify as “PHI.”

Health Plans
• Medical, Dental, Vision
• Health Flexible Spending Accounts
• Health Reimbursement Arrangements
• Long-term Care
• Wellness Plans with health risk assessments

Individually identifiable information + Health Plan data = PHI

Page 8

HIPAA Privacy & Security

De-identified PHI
All data that could be used to identify an individual has been removed.
• No longer considered PHI
• May be used & disclosed for any purpose
• Safe Harbor Guidance (See attached flyer.)
  1. List of 18 specific identifiers that must be removed; and
  2. Absence of actual knowledge that the remaining information could be used to identify an individual

Actual Knowledge: Clear and direct knowledge that the remaining data could be used, either alone or in combination with other data, to identify an individual who is a subject of the information.

Page 9

HIPAA Privacy & Security

Health Plans
• Medical, Dental, Vision
• Health Flexible Spending Accounts (FSA)
• Health Reimbursement Arrangements
• Long-term Care
• Wellness Plans w/ health risk assessments
• Some EAPs

PHI must be health-related.

Even if your medical plan is fully insured, you may have a Health FSA, HRA, or wellness plan that includes some type of health screening = Covered Entity

Remember! Health information maintained by an employer in its capacity as an employer is NOT considered PHI. The health plan is the covered entity, not the employer.

Page 10

Question #1

PHI is an acronym for:

A: Personally Identifiable Health Information

B: Protected Health Information

C: Personal Health Information

D: Personally Identifiable Information

Page 11

HIPAA Privacy

Privacy Rule Requirements
• Rules Set 1: Applies to the sponsoring employer
  • Details what the employer must do to receive the PHI it needs to fulfill the 2nd set of requirements
• Rules Set 2: Applies to the health plan itself
  • Details what the plan must do to protect PHI
  • In most cases, the employer implements these requirements.

Page 12

HIPAA Privacy: Employer Requirements

Employer’s health plan document must:
1. Include which uses/disclosures of PHI are permitted/required
2. State that PHI will be released to the employer only upon receipt of a certification from the employer stating that the plan documents incorporate specific provisions
3. Provide for adequate separation between the plan and the employer = “Firewalls”

Health and Human Services: www.HHS.gov/hipaa

Page 13

HIPAA Privacy: Health Plan Requirements

Health Plan Must:
✓ Designate a Privacy Official
  • Responsible for development & implementation of policies & procedures
  • Receives complaints about Privacy Rule violations
  • Provides further info about matters covered by a Notice of Privacy Practices
✓ Provide a Complaint Process
  • Health plan can’t retaliate against a person who makes a complaint, testifies, or opposes plan practices on the grounds that it has violated the Privacy Rule
✓ Provide an Assurance of Rights
  • Health plan can’t require a person to waive rights they may have under the Privacy Rule as a condition of enrolling in or receiving benefits

Page 14

HIPAA Privacy: Health Plan Requirements

Health Plan Must:
✓ Protect the Privacy of PHI
  • Ensure appropriate administrative, technical, and physical safeguards.
✓ Provide Reasonable Policies & Procedures
  • Policies & procedures must be implemented that are designed to ensure compliance with the Privacy Rule.
✓ Mitigate Harm
  • If the plan or a Business Associate uses or discloses PHI in a manner that violates the Privacy Rule, it must mitigate any harmful effect to a practicable or feasible extent.

Page 15

HIPAA Privacy: Health Plan Requirements

Health Plan Must Provide:
✓ Workforce Training
  • Plan is responsible for training employees and imposing sanctions on any that fail to comply with policies & procedures.
✓ Notice of Privacy Practices
  • Must be available to anyone who asks for it.
  • Must be prominently posted on website.
  • HHS provides a model notice.
✓ Security Breach Notification
  • Without unreasonable delay
  • Within 60 days after discovery of breach

Page 16

HIPAA Privacy: Health Plan Requirements

Health Plan Must Provide:
✓ Business Associate Agreements
  • Impose specific obligations on the third-party Business Associate with respect to the use & disclosure of PHI

Page 17

Question #2

Which is NOT required in a plan document with respect to PHI?

A. Permitted & required uses and disclosures of PHI

B. Certification by the employer that it will follow specific disclosure rules

C. Names of the entity’s Business Associates

D. Details on how they will identify who is to receive PHI

Page 18

HIPAA Security

Covered Entities and their business associates must ensure the confidentiality, integrity and availability of ePHI through administrative, physical and technical safeguards embodied in written policies and procedures that have been developed and implemented through a specified process of risk assessment and risk management.

Page 19

HIPAA Privacy vs. Security

Privacy
• Broad Scope
• Less Cumbersome Implementation
• Applies to All PHI
• Concerned with Nature of PHI and how it can be used/disclosed
• Leaves the process up to each Covered Entity

Security
• Narrower Scope
• Cumbersome Implementation
• Applies only to ePHI
• Addresses confidentiality issues, data integrity and availability
• Outlines a detailed procedure that MUST be followed

Page 20

HIPAA Security

Covered Entities must ensure:

Confidentiality
• ePHI is protected from use by or disclosure to unauthorized individuals, entities, or processes.

Integrity
• Data being stored or transmitted is valid; protects against risks like unauthorized modification, insertion, and deletion.

Availability
• Data is accessible & usable upon demand by an authorized entity

Page 21

HIPAA Security

Covered Entities must utilize the following safeguards:

Administrative
• Protected from use by or disclosure to unauthorized individuals, entities or processes

Physical
• Physical measures, policies, procedures to protect hardware, equipment, etc. from natural & environmental hazards and unauthorized intrusion

Technical
• Technology and policy & procedures for its use that protect ePHI and control access to it

Page 22

HIPAA Security

Risk Assessment
• Process that identifies
  • Where you come in contact with PHI
  • Who may need to access PHI
  • What systems will require protection
• Detailed regimen on how to make decisions about protections
• REQUIRED IN WRITING

Risk Management
• How and when to deal with ePHI threats
• REQUIRED IN WRITING

Page 23

Question #3

Which statement is INCORRECT?

A. PHI: Individually identifiable health information held or transmitted by a covered entity or business associate

B. Privacy Rule: Applies to PHI

C. Security Rule: Applies to PHI

D. Written Policies & Procedures: MUST be included in plan documents.

Page 24

Question #4

Which statement(s) is/are TRUE?

A. Risk Assessments must be performed.

B. Risk Management should be documented.

C. Business Associate Agreements: MUST be in place for any third-party entity you work with that may receive PHI or ePHI.

D. Notice of Privacy Practices: the HIPAA Privacy Rule does not require that this be made available.

Page 25

HIPAA Security Rule

4 General Requirements:
1. Ensure the confidentiality, integrity, and availability of all ePHI the covered entity or business associate creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.
3. Protect against any reasonably anticipated uses or disclosures of ePHI.
4. Ensure workforce compliance.

Page 26

HIPAA Security: Risk Assessment

The Risk Assessment:
• Provides the framework for the Security program
• Is COMPLEX!

Purpose:
• Ensures proper safeguards are in place
  • Administrative
  • Physical
  • Technical

Covered Entities
• Health care providers
• Health care clearinghouses
• Health plans

Page 27

HIPAA Security: Risk Assessment

The Risk Assessment identifies:
• ePHI
• Who may need access to the ePHI
• What systems require protection
• How breaches of ePHI security could occur

The process for identifying risks is just as important as the actual protections made to mitigate those risks.

Page 28

HIPAA Security: Risk Assessment

Risk Identification Process
• What decisions were made in determining risks?
• How will you protect against risks?

Document:
• Questions asked
• Answers to these questions
• Decisions made based on responses
• Why the decisions were made
• Processes that were followed

Then:
• Follow the plan
• Review periodically

MUST BE DOCUMENTED IN WRITING.

Page 29

HIPAA Security: Risk Assessment

Example:
• Individual(s) will conduct the Risk Assessment
• Must document:
  • Who is involved
  • How and why they were selected
  • Process followed to select them

Fines & Penalties

Many fines and/or penalties related to HIPAA Security involve elements of the Risk Assessment.

Page 30

HIPAA Security: Risk Assessment

Where do potential risks exist?
• Unauthorized acquisition of ePHI
  • Laptops
  • Hacked databases
• Risks to data integrity & availability
  • Unauthorized modifications
  • Accidental errors
  • Omissions
  • Unauthorized/inadvertent creation or deletion
• Natural Disasters
  • Floods
  • Earthquakes
• Environmental Threats
  • Fire
  • Power outages
  • Equipment failure / obsolete equipment

Contingency Plan / Disaster Recovery Plan

Page 31

HIPAA Security: Risk Assessment

Identify where & how ePHI is:
• Created
• Received
• Maintained
• Processed
• Transmitted

Consider:
• Cell Phones
• Removable Media (flash drives)
• Telecommuters
• Copy Machines
• Databases
• Payroll Systems

What are the specifics?

Details vary! Every organization’s Risk Assessment is different, depending on the organization’s operations.

Page 32

HIPAA Security: Risk Assessment

Remember to Document:

• What risks were identified?
• How is data going to be protected?
• Why was something determined NOT to be a threat?

Page 33

HIPAA Security: Risk Assessment

Identify current security measures.
• Are they being observed?
• How effective are they?

Identify threats.
• Theft
• Hacking
• Human error
• Human mischief
• Failure of organizational resources (i.e., improperly maintained/configured hardware or software)
• Natural & man-made disasters

Page 34

HIPAA Security: Risk Assessment

Identify vulnerabilities.
• Poor building security → ePHI exposed to theft
• Bad coding → ePHI exposed to hacking
• Inadequate access controls → ePHI exposed to human error & mischief
• Failure to install software updates → ePHI exposed to failure of organizational resources
• Poor data backup practices → ePHI exposed to loss through natural or man-made disasters

Page 35

HIPAA Security: Risk Assessment

Assess the likelihood that a particular threat will exploit a given vulnerability.
• YOUR organization’s experience:
  • What will you actually experience in the course of conducting business?
• Similar organizations:
  • Ex: TPAs look at other TPAs.
• Organizations using similar systems:
  • Ex: Lotus Notes, Outlook, PeopleSoft, etc.

Documentation!
• How would potential threats affect your organization?
• How would you deal with those consequences?
• How effective are your organization’s current security measures with respect to those threats?

Page 36

Question #5

A Covered Entity must identify which of the following during a Risk Assessment:

A. Threats

B. Current Security Measures

C. Persons handling ePHI

D. Vulnerabilities

E. All of the above

Page 37

HIPAA Security: Risk Assessment Review

Covered entities must identify:
• Where & how ePHI is created, received, maintained, processed, or transmitted
• Security measures currently in place
• Threats that compromise the confidentiality, integrity, or accessibility of ePHI
• System weaknesses (vulnerabilities) that are susceptible to threats

Page 38

HIPAA Security: Risk Assessment Review

Covered entities must assess:
• The likelihood that a particular threat will exploit a given vulnerability

Covered entities must determine:
• How potential threats would affect the organization if they occurred
• How effective the current security measures are with regard to anticipated threats
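As an added illustration of the written risk assessment the preceding slides describe (this is not code from the webinar or from Compliancedashboard), the following Python records each threat/vulnerability pair with its current measure, likelihood, impact and documented decision, ranks the pairs, and checks that nothing the deck says must be in writing is missing. The three-point rating scale, the field names and the sample entries are assumptions made for this example; only the threat/vulnerability pairings come from the slides.

```python
from dataclasses import dataclass

# Assumed three-point scale; the deck prescribes no scoring method.
LEVELS = {"low": 1, "medium": 2, "high": 3}
DECISIONS = ("mitigate", "accept", "not_a_threat")


@dataclass
class RiskItem:
    asset: str               # where ePHI is created, received, maintained, processed or transmitted
    threat: str              # theft, hacking, human error, ... (deck, page 33)
    vulnerability: str       # weakness the threat could exploit (deck, page 34)
    current_measure: str     # safeguard already in place
    measure_effective: bool  # is it observed, and does it work? (deck, page 33)
    likelihood: str          # chance that this threat exploits this vulnerability here
    impact: str              # effect on the organization if it occurred
    decision: str            # one of DECISIONS
    rationale: str           # why the decision was made; must be in writing

    def score(self) -> int:
        """Likelihood x impact, used only to rank items for attention."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def validate(items):
    """Return the documentation gaps; an empty list means the record is complete."""
    gaps = []
    for n, it in enumerate(items, start=1):
        for name in ("asset", "threat", "vulnerability", "current_measure", "rationale"):
            if not getattr(it, name).strip():
                gaps.append(f"item {n}: {name} not documented")
        if it.likelihood not in LEVELS or it.impact not in LEVELS:
            gaps.append(f"item {n}: likelihood and impact must be one of {sorted(LEVELS)}")
        if it.decision not in DECISIONS:
            gaps.append(f"item {n}: decision must be one of {DECISIONS}")
        elif it.decision == "accept" and not it.measure_effective:
            gaps.append(f"item {n}: risk accepted although the current measure is ineffective")
    return gaps


def prioritize(items):
    """Highest score first; among equal scores, ineffective measures first."""
    return sorted(items, key=lambda it: (-it.score(), it.measure_effective))


def render(items):
    """The written register: what was identified, how it is protected, and why."""
    lines = []
    for it in prioritize(items):
        lines.append(f"[{it.score()}] {it.asset}: {it.threat} via {it.vulnerability}")
        lines.append(f"    current measure: {it.current_measure} (effective: {it.measure_effective})")
        lines.append(f"    decision: {it.decision}; rationale: {it.rationale}")
    return "\n".join(lines)


# Constructed sample register: the threat/vulnerability pairs are the deck's,
# the assets, measures, ratings and rationales are invented for illustration.
SAMPLE = [
    RiskItem("laptops used by telecommuters", "theft", "poor building security",
             "badge-controlled doors", True, "medium", "high", "mitigate",
             "encrypt laptop disks so a stolen device does not expose ePHI"),
    RiskItem("claims database", "hacking", "bad coding",
             "annual code review", False, "high", "high", "mitigate",
             "last review left findings open; fix input validation and retest"),
    RiskItem("file server", "failure of organizational resources", "failure to install software updates",
             "monthly patch window", True, "low", "high", "accept",
             "patches applied within 30 days; residual risk reviewed quarterly"),
    RiskItem("nightly backups", "natural disaster (flood)", "poor data backup practices",
             "offsite copy tested each quarter", True, "low", "high", "accept",
             "restore test passed; contingency plan covers the offsite copy"),
    RiskItem("all offices", "earthquake", "none identified",
             "none required", True, "low", "low", "not_a_threat",
             "offices are outside known seismic zones; decision reviewed annually"),
]
```

Running `validate(SAMPLE)` before `render(SAMPLE)` mirrors the deck's point that an undocumented decision, including a decision that something is not a threat, is itself a gap in the assessment.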

Page 39

HIPAA: Noncompliance

Noncompliance = Civil Penalties

Violation Category               Each Violation       Identical violations in a calendar year
Unaware of the Violation         $100 - $50,000       $1,500,000
Due to Reasonable Cause          $1,000 - $5,000      $1,500,000
Willful Neglect - Corrected      $10,000 - $50,000    $1,500,000
Willful Neglect - Not Corrected  $50,000              $1,500,000

Page 40

HIPAA Privacy & Security Review

Mutual Goal: To protect an individual’s health information
• PHI = Protected Health Information
• ePHI = Electronic PHI (excludes written/oral PHI)

What’s a Covered Entity?
• Healthcare Provider
• Healthcare Clearinghouse
• Health Plan

Page 41

HIPAA Privacy & Security Review

Privacy Rule
• Applies to health plans but NOT employer sponsors
• If employer handles ePHI: Reasonable & appropriate security safeguards required

Security Rule
• Applies to ALL Health Plans
• Plan doesn’t receive health info = simpler compliance requirements
• Does enrollment data include anything health-related?

What counts as a Health Plan?
• Employer-sponsored medical plan
• Most dental & vision care plans
• Health FSAs and HRAs
• Wellness programs that include screenings