You’ve Been Appointed as a HIPAA Officer—Now What?
Petula Workman, CEBS
Division Vice President, Compliance Counsel
Arthur J. Gallagher & Co.
Houston, Texas
8A-1



Page 2

Overview
• Identify
• Assess
• Train
• Implement
• Document
• Retain
• Repeat

Page 3

Identify

Page 4

Identify
• The players
  – HIPAA Privacy Officer
  – HIPAA Privacy Contact Officer
  – HIPAA Security Officer
  – HIPAA Workforce Members

Page 5

Identify
• HIPAA Privacy Officer
  – A health plan must designate a privacy official who is responsible for developing and implementing the plan’s Privacy policies and procedures
    • Investigates security incidents and complaints
    • Oversees responses to requests for access

Page 6

Identify
• HIPAA Privacy Contact Officer
  – A health plan must designate a contact person or office to receive complaints and provide further information about the rights and responsibilities contained in the health plan’s Notice of Privacy Practices
    • Plan’s uses and disclosures of PHI
    • Invocation of individual rights
  – May be the same person as, or a different person from, the HIPAA Privacy Officer

Page 7

Identify
• HIPAA Security Officer
  – Identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule

Page 8

Identify
• HIPAA Workforce Members
  – A health plan must identify:
    • Those persons or classes of persons, as appropriate, in its workforce who need access to PHI to carry out their duties; and
    • For each such person or class of persons, the category or categories of PHI to which access is needed and any conditions appropriate to such access

Page 9

Identify
• Key HIPAA Workforce Members
  – Individuals who handle benefit-related functions
    • Marketing
    • Claims analysis
    • Assisting employees with claims and benefits issues
    • COBRA administration
  – IT personnel
  – Payroll

Page 10

Identify
• HIPAA Workforce Members—Payroll
  – “Payment” is defined as an activity undertaken by
    a) A health plan to obtain premiums or to determine or fulfill its responsibility for the provision of benefits under the health plan; or
    b) A health care provider or a health plan to obtain or provide reimbursement for health care
  – Payroll employees see deductions from paychecks representing premium payments

Page 11

Identify
• Identify and periodically update job duties
  – Privacy Officer
  – Security Officer
  – HIPAA Workforce Members
• Limit technical access based upon job duties
• Ensure that HIPAA Workforce Members are properly screened (e.g., conduct a background check)

Security Officer

Page 12: You’ve Been Appointed as a HIPAA Officer— Now What?€¦ · You’ve Been Appointed as a HIPAA Officer— Now What? Petula Workman, CEBS Division Vice President, Compliance Counsel

Identify• Identify correct entities with whom Business Associate

Agreements are required– Consultants/Brokers– Third-party administrators– COBRA vendors– Benefits confirmation vendors– 6055/6056 vendors (if information comes from plan)– Cloud storage providers– Off-site document storage providers– Document and electronic media shredders– Health FSA vendors

Identify

8A-12

Page 13

Assess

Page 14

Assess
• Understand HIPAA rules and regulations
  – HHS webpage: http://www.hhs.gov/hipaa/for-professionals/index.html
  – Recent OCR Compliance Resolution Agreements: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
  – OCR Audit Protocol: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html

Page 15

Assess
• Periodically review
  – The type of PHI shared
    • Employee claims issues
    • Enrollment data from carrier or TPA website
    • Claims reports from carriers and TPAs
    • COBRA administration
    • PPACA reporting information (from health plan)
    • Responses to QMCSO or divorce court proceeding inquiries (directed to health plan)
  – How PHI flows in and through your organization
    • Determine which individuals are involved
      – Create an internal PHI flow map
      – Create an external PHI flow map
    • Determine the means used to share PHI (e.g., secure email portal, unencrypted email)

Page 16

Assess
[Figure: Electronic PHI Internal Map Example. Nodes: Benefits Department, Payroll, Field Locations, IT, Corporate/Legal, Employees. Channels: personal emails; laptops, desktops, email, servers; VPN; email scans; remote access; email; shared drive. Data flowing: only contributions (Payroll); EOBs/claims issues, QMCSOs, divorce proceedings (Benefits Department, Field Locations, Corporate/Legal).]

Page 17

Assess
• Periodically review
  – Where PHI is stored
    • Paper format
    • Electronic format
      – Hard drives
      – Group drives
      – Copiers
      – Scanners
      – Fax machines
      – Servers
      – Portable electronic media
  – Where PHI is accessed
    • Include personal devices
    • Include remote access capabilities to the network

Page 18

Assess
• Periodically review
  – Written policies and procedures
    • Conduct a more immediate review if any changes in business operations (e.g., new email provider) or operating environment (e.g., moving benefits offices) occur
    • HIPAA Privacy and Security Officers should meet at least annually to ensure that the health plan’s Privacy and Security policies and procedures are aligned

Page 19

Assess
• As part of the periodic review, produce an analysis and report of compliance gaps
  – Map requirements to policies and procedures
  – Determine what changes to existing policies and procedures are needed
  – Determine what new policies and procedures are needed
  – Develop additional training

Page 20

Assess
• At least annually, review past security incidents
  – Review steps taken to mitigate and remediate
  – Determine whether safeguards and/or policies and procedures should be revised or updated
• Whenever a Breach occurs, immediately review policies and procedures to determine which may require changes to prevent future Breaches

Page 21

Assess
• Evaluate technical and nontechnical Security measures
• Perform an updated Risk Analysis
  – Maintain a current Risk Analysis
  – Determine whether changes in business operations (e.g., acquisition of a subsidiary) or business environment (e.g., changing the location of servers) trigger the need for a new Risk Analysis

Security Officer

Page 22

Assess
• Review new Business Associate Agreements
  – The plan must obtain satisfactory assurances that the Business Associate will appropriately safeguard the plan’s PHI
    • A plan is not required to obtain satisfactory assurances from a subcontractor
      – The agreement should contain assurances that the Business Associate will have an appropriate agreement with the subcontractor
    • Ensure that applicable provisions are in place to handle Breach Notification, mitigation, and remediation
      – In particular, address who will notify impacted individuals in case of a Breach

Page 23

Assess
• Assess each Business Associate’s measures to protect the confidentiality, integrity, and availability of the health plan’s PHI
  – Request each Business Associate’s own HIPAA policies and procedures

Page 24

Train

Page 25

Train
• Training is required under both the Privacy and Security Rules
  – No specific rules on format
    • Webinars can be effective
    • The most effective format is in-person training
  – No specific rules on timing
    • But some best practices suggest good rules to follow

Page 26

Train
• Privacy Training
  – A plan must train all of its HIPAA Workforce Members “on the policies and procedures with respect to PHI required by the Privacy Rule, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”
  – HIPAA Workforce Members should also be trained about what constitutes a breach and on the policies and procedures for reporting, analyzing, and documenting a possible breach of unsecured protected health information

Privacy Officer

Page 27

Train
• Security training
  – Plans must implement a security awareness and training program for all HIPAA Workforce Members (including management)
    • Security Reminders
    • Protection from Malicious Software
    • Log-in Monitoring
    • Password Management

Security Officer

Page 28

Train
• Include an affirmation that no intimidating, discriminatory, or other retaliatory actions will occur against persons who:
  – File, testify, assist, or participate in any investigation, compliance review, proceeding, or hearing related to a HIPAA Privacy, Security, or Breach Notification violation, or
  – Oppose any unlawful act or practice under HIPAA

Page 29

Train
• Timing
  – For new HIPAA Workforce Members, conduct training within a reasonable period of time after the person joins the plan’s workforce
    • Best practice = within 30 days
  – For each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures
  – No specific requirement about when to conduct training for existing HIPAA Workforce Members in the absence of a change in policies or procedures
    • Best practice = annual training

Page 30

Implement

Page 31

Implement
• Ensure HIPAA Workforce Members’ adherence to Privacy policies and procedures
  – Verification of the identity of individuals seeking access to PHI
  – Compliance with the Minimum Necessary Standard

Privacy Officer

Page 32

Implement
• Ensure HIPAA Workforce Members’ adherence to the health plan’s Privacy policies and procedures
  – Handling individual rights (particularly creating an accounting of disclosures for non-routine disclosures of PHI)
    • The Privacy Officer should be primarily responsible for reviewing requests that result in a denial

Privacy Officer

Page 33

Implement
• Maintain a current inventory of information systems that create, receive, transmit, or maintain ePHI
  – Hardware, software, input and output sources
• Coordinate regular reviews of records of information system activity, using hardware, software, and/or procedural mechanisms that record and examine activity in information systems that store or use ePHI, in order to prevent, detect, correct, and contain security violations

Security Officer

Page 34

Implement
• Maintain technical safeguards (such as protection against malicious software and use of strong passwords) in support of Security Rule requirements
• When reasonable or appropriate, implement electronic automatic logoff mechanisms

Security Officer

Page 35

Implement
• Implement physical and technical safeguards for all workstations that access ePHI to restrict access to authorized users

Security Officer

Page 36

Implement
• Addressable safeguards
  – Mechanisms to encrypt and decrypt ePHI in transit or at rest
  – Termination of electronic access upon termination of employment or change in job duties

Security Officer

Page 37

Implement
• Take a proactive approach to handling potential Breaches
  – Train workforce members to identify security incidents
  – Create a security incident team
    • HIPAA Privacy Officer
    • HIPAA Security Officer
    • Legal Counsel
    • Consultant/Broker
    • Public relations (department or consultant)
    • Computer forensics experts
  – Create a budget
    • Estimated cost per record is greater than $360 per record
  – Consider Cyber Liability insurance

Page 38

Implement
• Take a proactive approach to handling potential Breaches
  – Investigate promptly
    • Determine the nature and extent of the PHI involved
    • Determine what types of identifiers the data included and how easily individuals could be re-identified
    • Determine who received or used the PHI
    • Determine whether the PHI was actually acquired or viewed
    • Determine whether the risk to the PHI has been mitigated, and if so, to what extent

Page 39

Implement
• Take a proactive approach to handling potential Breaches
  – Communicate promptly
    • Although HIPAA allows for 60 days, notification to individuals should occur as soon as possible to protect the individuals impacted
  – Ensure that a communications plan is in place prior to a Breach
    • Don’t forget about notification to HHS and the potential obligation to notify the media

Page 40

Implement
• Take a proactive approach to handling potential Breaches
  – Implement mitigation and remediation efforts as soon as possible
  – Generally, however, it will take two to three years for a Breach reported to HHS to work through the Compliance Resolution process

Page 41

Document

Page 42

Document
• The Privacy Rule requires health plans to maintain:
  – Policies and procedures in written or electronic form;
  – Any communication that is required by the Privacy Rule to be in writing (or an electronic copy);
  – A written or electronic record of any action, activity, or designation that the Privacy Rule requires to be documented; and
  – Documentation sufficient to meet the burden of proof under the Breach Notification provisions

Privacy Officer

Page 43

Document
• Key Privacy documentation requirements
  – Designation of HIPAA Privacy Officer and Workforce Members
  – Policies and procedures
  – Notice of Privacy Practices
  – Non-routine disclosures

Privacy Officer

Page 44

Document
• Key Privacy documentation requirements
  – Non-routine disclosures
    • About victims of abuse, neglect, or domestic violence
    • Accidental disclosures
    • Disclosures pursuant to a court order or subpoena
    • Disclosures required by law
    • For judicial and administrative proceedings*
    • For law enforcement purposes*
    • For public health activities (except child abuse reports)*
    • For health oversight activities

* Under proposed HIPAA regulations

Privacy Officer

Page 45

Document
• Key Privacy documentation requirements
  – Non-routine disclosures
    • About decedents
    • For cadaveric organ, eye, or tissue donation purposes
    • For certain limited research purposes
    • To avert a serious threat to health or safety*
    • For specialized government functions
    • For military and veterans activities, the Department of State’s medical suitability determinations, and government programs providing public benefits*
    • Related to workers’ compensation programs

* Under proposed HIPAA regulations

Privacy Officer

Page 46

Document
• Key Privacy documentation requirements
  – Responses to individual rights
    • Restrictions on use and disclosure
    • Request for an amendment
    • Request for an accounting of disclosures
    • Request for confidential communications
    • Request for access

Privacy Officer

Page 47

Document
• Key Privacy documentation requirements
  – Complaints
  – Sanctions
  – Security incident investigations
  – Breach Notification
    • Breach log
  – Identification of public officials seeking access to PHI
  – Training

Privacy Officer

Page 48

Document
• The Security Rule requires health plans to maintain:
  – Policies and procedures in written form (which may be electronic);
  – A written record (which may be electronic) of any action, activity, or assessment that the Security Rule requires to be documented

Security Officer

Page 49

Document
• Key Security documentation requirements
  – Designation of Security Officer
  – Risk Analysis and Risk Management Plan
  – Periodic Evaluation
  – Policies and procedures
    • Compliance with Required safeguards
    • Compliance with Addressable safeguards
  – Security incident investigations
  – Complaints
  – Sanctions
  – Training

Security Officer

Page 50

Document
• Key Security documentation requirements
  – Information system activity review
    • A plan must regularly review records of information system activity
      – Audit logs
      – Access reports
      – Security incident tracking reports

Security Officer
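The information system activity review called for on Pages 33 and 50 (audit logs, access reports), the job-duty-based access limits on Pages 8 and 11, and the termination-of-access safeguard on Page 36 all come down to the same reconciliation: compare what the audit log says happened against what the workforce roster says should be allowed. The following is an added example, not code from the presentation or from Arthur J. Gallagher & Co. The roster, the log format (timestamp, user, action, PHI category, object, outcome) and the log lines are all constructed for illustration; a real ePHI system will have its own log schema and the parser would be adapted to it. The five-failure login threshold is an assumed review setting, not a HIPAA figure.

```python
"""Information system activity review for an ePHI system (added example).

Reconciles a constructed HIPAA Workforce roster against constructed audit
log lines and returns the findings a reviewer would carry into the access
report and the security incident tracking report.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed roster: each HIPAA Workforce Member, the PHI categories their
# job duties require, and the date their access should have been terminated.
ROSTER = {
    "jsmith": {"role": "benefits", "phi_categories": {"claims", "enrollment"}, "terminated": None},
    "pjones": {"role": "payroll", "phi_categories": {"contributions"}, "terminated": None},
    "rlee": {"role": "benefits", "phi_categories": {"claims", "enrollment"}, "terminated": date(2016, 8, 31)},
}

# Constructed audit log: "<timestamp> <user> <action> <phi category> <object> <outcome>".
LOG_LINES = """
2016-09-01T09:12:03 jsmith READ claims EOB-4471 OK
2016-09-01T09:15:40 pjones READ contributions DEDUCT-2016-09 OK
2016-09-01T10:02:11 pjones READ claims EOB-4471 OK
2016-09-02T08:45:00 rlee READ enrollment ENROLL-Q3 OK
2016-09-02T22:10:59 tmiller READ claims EOB-4490 OK
2016-09-03T07:00:01 jsmith LOGIN - - FAIL
2016-09-03T07:00:05 jsmith LOGIN - - FAIL
2016-09-03T07:00:09 jsmith LOGIN - - FAIL
2016-09-03T07:00:13 jsmith LOGIN - - FAIL
2016-09-03T07:00:17 jsmith LOGIN - - FAIL
2016-09-03T07:00:21 jsmith LOGIN - - FAIL
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    action: str
    category: str
    obj: str
    outcome: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed whitespace-delimited log format into events."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, category, obj, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, category, obj, outcome))
    return events


def review_activity(events, roster, failed_login_threshold=5):
    """Return (finding, user, detail) tuples in log order.

    Checks: account not on the workforce roster; activity after the
    termination date; PHI category outside the member's job duties
    (minimum necessary); repeated failed logins (log-in monitoring).
    """
    findings = []
    failed_logins = {}
    for ev in events:
        member = roster.get(ev.user)
        if member is None:
            findings.append(("UNKNOWN_USER", ev.user, ev.when.isoformat()))
            continue
        if member["terminated"] and ev.when.date() > member["terminated"]:
            findings.append(("ACCESS_AFTER_TERMINATION", ev.user, ev.when.isoformat()))
        if ev.action == "LOGIN" and ev.outcome == "FAIL":
            failed_logins[ev.user] = failed_logins.get(ev.user, 0) + 1
            if failed_logins[ev.user] == failed_login_threshold:
                findings.append(("REPEATED_LOGIN_FAILURES", ev.user, ev.when.isoformat()))
        elif ev.action == "READ" and ev.category not in member["phi_categories"]:
            findings.append(("OUTSIDE_JOB_DUTIES", ev.user, f"{ev.category}:{ev.obj}"))
    return findings


def access_report(events):
    """Access report: the sorted PHI categories each account actually read."""
    report = {}
    for ev in events:
        if ev.action == "READ" and ev.outcome == "OK":
            report.setdefault(ev.user, set()).add(ev.category)
    return {user: sorted(cats) for user, cats in report.items()}


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    for finding in review_activity(evs, ROSTER):
        print(*finding)
    print(access_report(evs))
```

On the constructed data the review produces four findings: pjones (payroll) reading a claims EOB outside the "only contributions" flow, rlee still active after an August 31 termination date, an account (tmiller) that is not on the roster at all, and a run of failed logins for jsmith. Each of the first three is a documentation item for the Security Officer under the Page 36 and Page 50 slides; the last feeds the security incident tracking report. The roster is the same artifact the Page 8 slide asks the plan to maintain, so keeping it current is what makes the review meaningful.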

Page 51

Document
• Key Security documentation requirements
  – Emergency Plan
    • Data backup plan
    • Disaster recovery plan
    • Emergency mode operation plan

Security Officer

Page 52

Document
• Plan document amendments
  – The plan documents of a group health plan must be amended to incorporate provisions that require the plan sponsor to take certain steps to safeguard PHI

Page 53

Retain

Page 54

Retain
• Health plans must:
  – Retain documentation required by the Privacy or Security Rule for six years from the date the documentation was created or the date it last was in effect, whichever is later
  – Make the documentation available to those persons responsible for implementing the procedures

Page 55

Repeat

Page 56

Repeat
• HIPAA compliance is an ongoing effort
  – Policies and procedures should not be treated as static processes
  – Periodic monitoring of compliance will reduce the risk of a Breach or other mishandling of PHI
  – Incorporation of HIPAA compliance into everyday activities leads to better practices

Page 57

Thank You

Page 58

© 2016 GALLAGHER BENEFIT SERVICES, INC. SEPTEMBER 2016

HIPAA Officer Checklist

The Health Insurance Portability and Accountability Act (“HIPAA”) requires health plans to designate individuals to fulfill two very important roles: that of HIPAA Privacy Officer and that of HIPAA Security Officer. Those individuals have ongoing responsibilities which may be overlooked. Below are two charts highlighting important responsibilities associated with each role.

HIPAA Privacy Officer checklist (Step | Completed | Activity | Date Completed)

Identify | ☐ Yes ☐ No | Ensure that HIPAA Workforce Member job descriptions adequately describe the access necessary for individuals to accomplish their job duties associated with the use and disclosure of PHI | ____

Identify | ☐ Yes ☐ No | Periodically (at least annually) review job descriptions for HIPAA Workforce Members and determine whether access is appropriate for each Workforce Member | ____

Identify | ☐ Yes ☐ No | Determine all entities that are business associates with whom a Business Associate Agreement is required | ____

Assess | ☐ Yes ☐ No | Maintain current knowledge of HIPAA Privacy Rules and regulations | ____

Assess | ☐ Yes ☐ No | Periodically (at least annually) review how PHI flows internally and externally and whether PHI is protected while in transit | ____

Assess | ☐ Yes ☐ No | Periodically (at least annually) review how PHI is stored and whether PHI is protected while stored (e.g., locked file cabinet) | ____

Assess | ☐ Yes ☐ No | Annually review HIPAA Privacy policies and procedures for current compliance with HIPAA (in particular, compare to the current HIPAA audit protocol from HHS: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html) | ____

Assess | ☐ Yes ☐ No | If any breaches of non-electronic PHI occur, assess policies and procedures to determine if changes are needed to prevent a future breach. If a breach of ePHI occurs, coordinate the assessment with the Security Officer. | ____

Page 59: You’ve Been Appointed as a HIPAA Officer— Now What?€¦ · You’ve Been Appointed as a HIPAA Officer— Now What? Petula Workman, CEBS Division Vice President, Compliance Counsel

PAGE 2 | © 2016 GALLAGHER BENEFIT SERVICES, INC. SEPTEMBER 2016

HIPAA Privacy Officer Step Completed Activity Date

Completed

Assess ☐ Yes

☐ No

Review any changes in business operations (e.g., new

email provider) or operational environment (e.g., change

in offices for benefits department) to determine whether

Privacy policies and procedures must be altered

Assess ☐ Yes

☐ No

At least annually, meet with the HIPAA Security Officer to

review whether the health plan’s Privacy policies and

procedures are aligned with the health plan’s Security

policies and procedures (remember that the Security

policies and procedures are intended to support the

separation between the HIPAA Workforce Members and

other workforce members)

Assess ☐ Yes

☐ No

Review Business Associate Agreements, with assistance

of applicable legal counsel, prior to engagement to

ensure that Business Associate provides assurance that it

will implement safeguards necessary to protect the

confidentiality, integrity, and availability of the health

plan’s PHI, that any subcontractors engaged by the

Business Associate will also comply, and that Business

Associate will timely comply with any Breach Notification

obligations

Assess ☐ Yes

☐ No

Monitor Business Associate and other third-party

compliance with HIPAA (this may require questioning

those third-parties about HIPAA compliance and include a

request to review the third-party’s own HIPAA policies

and procedures)

Train ☐ Yes

☐ No

Conduct Privacy training program for HIPAA Workforce

Members (as best practice, new HIPAA Workforce

Members should be trained within 30 days of joining the

HIPAA Workforce membership, and all HIPAA Workforce

Members should be retrained annually)

Train | ☐ Yes ☐ No | Ensure that no intimidating, discriminatory, or other retaliatory actions occur against persons who file, testify, assist, or participate in any investigation, compliance review, proceeding, or hearing related to a HIPAA Privacy, Security, or Breach Notification violation or who oppose any unlawful act or practice under HIPAA; further ensure that training includes a statement that the organization will not intimidate, discriminate, or retaliate against individuals engaging in such actions | ____

© 2016 GALLAGHER BENEFIT SERVICES, INC. SEPTEMBER 2016

Train | ☐ Yes ☐ No | Ensure that all workforce members are appropriately trained and knowledgeable about what constitutes a breach and on the policies and procedures for reporting, analyzing, and documenting a possible breach of unsecured protected health information | ____

Implement | ☐ Yes ☐ No | Ensure that individuals responsible for using and disclosing PHI with involvement of third parties (such as insurance carriers, third-party administrators, consultants/brokers, employees, other plan participants, parents, and government officials) follow appropriate procedures to verify the identity of those third parties and are documenting the means of verification | ____

Implement | ☐ Yes ☐ No | Periodically review HIPAA Workforce Members’ adherence to Minimum Necessary Standards (e.g., review whether more individuals than necessary are copied on emails containing PHI; review whether reports contain more PHI than necessary for health plan administration purposes) | ____

Implement | ☐ Yes ☐ No | Oversee requests to exercise individual rights by ensuring that requests are handled correctly and that appropriate forms are used by HIPAA Workforce Members to address requests for application of individual rights (right to access; right to an amendment or correction; right to confidential communications; right to restrictions on use or disclosure of PHI; and right to an accounting of disclosures) | ____

Document | ☐ Yes ☐ No | Investigate any security incidents involving non-electronic PHI | ____

Document | ☐ Yes ☐ No | Coordinate investigation of any security incidents involving electronic PHI with the HIPAA Security Officer | ____

Document | ☐ Yes ☐ No | Make documents available to the Secretary of Health and Human Services when requested to determine the health plan’s compliance with the HIPAA Privacy Rules (best practice is to maintain a binder with written policies and procedures, business associate agreements, and the Notice of Privacy Practices) | ____


Document | ☐ Yes ☐ No | Periodically review HIPAA Workforce Members’ tracking of non-routine disclosures of PHI | ____

Document | ☐ Yes ☐ No | Ensure that individuals are aware of the means to make a complaint about the health plan’s adherence to the HIPAA Rules and to the organization’s own policies and procedures (contact information should be provided in the Notice of Privacy Practices and potentially as part of any organizational ethics hotline) | ____

Document | ☐ Yes ☐ No | Ensure that any sanctions policy for individuals who violate the HIPAA Rules or the organization’s own policies and procedures is incorporated within or coordinated with organizational policies for sanctioning inappropriate behavior by workforce members | ____

Document | ☐ Yes ☐ No | Ensure that the Notice of Privacy Practices is timely distributed to newly eligible individuals | ____

Document | ☐ Yes ☐ No | Ensure that plan participants are notified where to find the Notice of Privacy Practices every three years (usually called a notice of availability; a triennial notice is required, but best practice is to provide it each year with annual enrollment materials) | ____

Document | ☐ Yes ☐ No | Ensure that any necessary Breach Notification requirements are met (timely notice to impacted individuals and HHS; timely notice to media, if required) | ____

Retain | ☐ Yes ☐ No | Ensure that required documents are retained for the applicable six-year period | ____

HIPAA Security Officer

Step | Completed | Activity | Date Completed

Identify | ☐ Yes ☐ No | Ensure that HIPAA Workforce Members’ technical access to ePHI is limited to the access necessary to accomplish their job duties and that mechanisms are in place to authenticate the identity of each individual when accessing information systems containing ePHI | ____

Identify | ☐ Yes ☐ No | Authorize user access to systems containing ePHI based upon job responsibilities for individuals who work with ePHI or in locations where ePHI might be accessed, and ensure that individuals with access to ePHI have sufficient supervision and the necessary level of access for each individual to perform the individual’s assigned job responsibilities (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) | ____

Identify | ☐ Yes ☐ No | Ensure that all HIPAA Workforce Members who will access ePHI are properly screened (e.g., have background checks) | ____

Assess | ☐ Yes ☐ No | Maintain current knowledge of HIPAA Security Rules and regulations | ____

Assess | ☐ Yes ☐ No | Periodically (at least annually) review how ePHI flows internally and externally and whether PHI is protected while in transit (coordinate with the Privacy Officer for non-electronic PHI) | ____

Assess | ☐ Yes ☐ No | Periodically (at least annually) review how ePHI is stored and whether PHI is protected while stored (e.g., locked file cabinet) | ____

Assess | ☐ Yes ☐ No | Annually review HIPAA Security policies and procedures for current compliance with HIPAA (in particular, compare to the current HIPAA audit protocol from HHS: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html) | ____

Assess | ☐ Yes ☐ No | Review any changes in business operations (e.g., new email provider) or operational environment (e.g., change in offices for the benefits department) to determine whether Security policies and procedures must be altered | ____

Assess | ☐ Yes ☐ No | If there are any breaches of ePHI, assess current administrative, physical, and technical safeguards to determine whether changes are needed to prevent a future breach | ____


Assess | ☐ Yes ☐ No | Periodically conduct a Risk Analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI that the Plan transmits, receives, maintains, or creates, including an assessment of internal and external risks that may arise from human activity (accidental and intentional), structural causes, or natural/environmental causes | ____

Assess | ☐ Yes ☐ No | Periodically perform a technical and non-technical evaluation to establish the extent to which the health plan’s policies and procedures meet the HIPAA Security Rule’s requirements; in particular, conduct such an evaluation in response to environmental or operational changes or newly recognized risks | ____

Assess | ☐ Yes ☐ No | At least annually, meet with the HIPAA Privacy Officer to review whether the health plan’s Privacy policies and procedures are aligned with the health plan’s Security policies and procedures (remember that the Security policies and procedures are intended to support the separation between the HIPAA Workforce Members and other workforce members) | ____

Assess | ☐ Yes ☐ No | Review Business Associate Agreements, with assistance of applicable legal counsel, prior to engagement to ensure that the Business Associate provides assurance that it will implement safeguards necessary to protect the confidentiality, integrity, and availability of the health plan’s ePHI, and that any subcontractors engaged by the Business Associate will also comply | ____

Train | ☐ Yes ☐ No | Conduct a Security training program for HIPAA Workforce Members (as a best practice, new HIPAA Workforce Members should be trained within 30 days of joining the HIPAA Workforce membership, and all HIPAA Workforce Members should be retrained annually) | ____

Train | ☐ Yes ☐ No | Provide security awareness training (login monitoring, protection against malicious software, password management, and security reminders) | ____

Implement | ☐ Yes ☐ No | Maintain a current inventory of information systems (hardware, software, input and output sources) that create, receive, transmit, or maintain ePHI | ____


Implement | ☐ Yes ☐ No | Coordinate reviews of records of information system activity on a regular basis to prevent, detect, correct, and contain security violations through the use of hardware, software, and/or procedural mechanisms that record and examine activity in information systems that store or use ePHI | ____

Implement | ☐ Yes ☐ No | Maintain technical safeguards (such as protection against malicious software and use of strong passwords) in support of Security Rule requirements | ____

Implement | ☐ Yes ☐ No | When reasonable or appropriate, implement electronic automatic logoff mechanisms on certain ePHI systems or adopt equivalent alternative mechanisms (e.g., screen/session locking, screensaver implemented after a period of time) (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) | ____

Implement | ☐ Yes ☐ No | When appropriate, implement mechanisms to encrypt and decrypt ePHI in transit or at rest (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) | ____

Implement | ☐ Yes ☐ No | Oversee implementation of physical and technical safeguards for all workstations that access ePHI to restrict access to authorized users (e.g., use of user names and strong passwords or role-based access) | ____

Implement | ☐ Yes ☐ No | Coordinate retrieval from the Workforce Member of all applicable physical security tokens, keys, access cards, etc. that could be used to gain access to ePHI, and terminate electronic access to ePHI (e.g., remote access, email access), upon termination of employment or revision of job responsibilities to end access to ePHI (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) | ____

Document | ☐ Yes ☐ No | Investigate any security incidents involving ePHI | ____

Document | ☐ Yes ☐ No | Maintain a contingency operation plan for the health plan (including data backup, disaster recovery plan, and emergency mode operation plan; testing and revision of the contingency operation plan is an addressable safeguard, so if not adopted then an alternative should be documented) | ____

Document | ☐ Yes ☐ No | Maintain an inventory of all system components (including software and hardware) containing ePHI and determine the criticality of each (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) | ____

Document | ☐ Yes ☐ No | Document repairs, changes, and modifications to building exteriors, building interiors, and physical systems which are related to security for facilities housing electronic systems containing ePHI (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) | ____

Document | ☐ Yes ☐ No | Maintain workstation use policies, such as a prohibition against downloading, installing, or otherwise using software that has not been specifically authorized by IT | ____

Document | ☐ Yes ☐ No | Ensure that electronic media containing ePHI that is to be disposed of is thoroughly destroyed and rendered unusable for purposes of retrieving the PHI, under NIST standards | ____

Document | ☐ Yes ☐ No | Ensure that all ePHI on electronic media is removed or scrubbed, under NIST standards, prior to the media being re-used for storing non-PHI data | ____

Document | ☐ Yes ☐ No | Maintain a log of hardware and electronic media containing ePHI, and the names and positions of the persons responsible for using them, as a means of maintaining the confidentiality of ePHI (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) | ____

Document | ☐ Yes ☐ No | Ensure that ePHI is periodically backed up and that an exact, retrievable copy of any ePHI is created, when needed, prior to movement of equipment storing ePHI; document backups and movement | ____

Retain | ☐ Yes ☐ No | Ensure that required documents are retained for the applicable six-year period | ____


HIPAA Plan Document Amendment Checklist

Under the Health Insurance Portability and Accountability Act (“HIPAA”), employers who sponsor group health plans must amend their plan documents to incorporate provisions as noted in the table below. Amendments must address both Privacy and Security safeguards.

Privacy provisions to require the Plan Sponsor to:

☐ Yes ☐ No | Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with the Privacy Rule

Provide that the group health plan will disclose protected health information (“PHI”) to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:

☐ Yes ☐ No | (A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law

☐ Yes ☐ No | (B) Ensure that any agents to whom it provides PHI received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information

☐ Yes ☐ No | (C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor

☐ Yes ☐ No | (D) Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware

☐ Yes ☐ No | (E) Make available PHI in accordance with an individual’s right to access PHI

☐ Yes ☐ No | (F) Make available PHI for amendment and incorporate any amendments to protected health information in accordance with an individual’s right to request an amendment to PHI

☐ Yes ☐ No | (G) Make available the information required to provide an accounting of disclosures in accordance with an individual’s right to receive an accounting of certain disclosures of his or her PHI

☐ Yes ☐ No | (H) Make its internal practices, books, and records relating to the use and disclosure of PHI received from the group health plan available to the Secretary of Health and Human Services for purposes of determining compliance by the group health plan with the Privacy Rule

☐ Yes ☐ No | (I) If feasible, return or destroy all PHI received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible

☐ Yes ☐ No | (J) Ensure that the adequate separation required by the Privacy Rule is established (see next section)

Provide for adequate separation between the group health plan and the plan sponsor by:

☐ Yes ☐ No | (A) Describing those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the PHI to be disclosed (HIPAA Workforce Members), provided that any employee or person who receives PHI relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description

☐ Yes ☐ No | (B) Restricting the access to and use by such employees and other persons described to the plan administration functions that the plan sponsor performs for the group health plan

☐ Yes ☐ No | (C) Providing an effective mechanism for resolving any issues of noncompliance by HIPAA Workforce Members with the plan document provisions required by the Privacy Rule

Security provisions to require the Plan Sponsor to:

☐ Yes ☐ No | Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the group health plan

☐ Yes ☐ No | Ensure that the adequate separation required by the Privacy Rule (i.e., designation of HIPAA Workforce Members) is supported by reasonable and appropriate security measures

☐ Yes ☐ No | Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information

☐ Yes ☐ No | Report to the group health plan any security incident of which it becomes aware
