HIPAA

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, required the Department of Health and Human Services (HHS) to adopt national standards for:

  • Electronic Health Care Transactions 
  • Code Sets 
  • Unique Health Identifiers 
  • Security

At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information.

Congress therefore incorporated into HIPAA provisions that mandated the adoption of federal privacy protections for identifiable health information.

Following the passage of HIPAA two additional laws have been enacted that add requirements to HIPAA and strengthen various aspects of administrative simplification.

Two Additional Laws

Health Information Technology for Economic and Clinical Health Act (HITECH) enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA)

The HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Published January 25, 2013

Effective March 26, 2013

Enforceable September 23, 2013

The Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in the 1990s, is a federal law that specifies administrative simplification provisions that:

Protect the privacy of patient information

Provide for electronic and physical security of patient health information

Require “minimum necessary” use and disclosure

Specify patient rights to approve the access and use of their medical information

Divided into Five Rules:

  • Privacy Rule
  • Security Rule
  • Transaction Rule
  • Identifiers Rule
  • Enforcement Rule (HITECH Act)

Privacy Rule

45 CFR § 164.5xx

Enforceable since 2003

Establishes Rights of Individuals

Controls on Uses and Disclosures

Baseline Privacy and Security Protection for PHI

The Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information.

The Privacy Rule applies to

  • Health plans, 
  • Health care clearinghouses, and 
  • Health care providers that conduct health care transactions electronically.

Definition: Protected Health Information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for health care services, such as treatment, payment or operations.

For example, PHI is used in research studies involving review of existing medical records for research information, such as retrospective chart review. Also, studies that create new medical information because a health care service is being performed as part of research, such as diagnosing a health condition or testing a new drug or device for treating a health condition, create PHI that will be entered into the medical record. For example, sponsored clinical trials that submit data to the U.S. Food and Drug Administration involve PHI and are therefore subject to HIPAA regulations.

The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of Personal Health Information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
Data are "individually identifiable" if they include any of the 18 types of identifiers for an individual or for the individual's employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual. These identifiers are:

PHI 18 Identifiers:

  1. Name
  2. Address (all geographic subdivisions smaller than a state, including street address, city, county, or ZIP code) and their equivalent geocodes, except for the initial three digits of a ZIP code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Telephone numbers
  5. FAX numbers
  6. Email address
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

To protect individuals’ privacy from re-identification:

Any code used to replace the identifiers in datasets cannot be derived from any information related to the individual and the master codes, nor can the method to derive the codes be disclosed

For Example: A subject’s initials cannot be used to code their data because the initials are derived from their name.

Additionally, the researcher must not have actual knowledge that the research subject could be re-identified from remaining identifiers in the PHI used in the research study. In other words, the information would still be considered identifiable if there was a way to identify the individual even though all of the 18 identifiers were removed.
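As an added example (not part of the original page or of any HHS material), the following Python applies the Safe Harbor rules described above to a constructed patient record: it drops the direct identifiers, keeps only the year of each date, aggregates ages over 89 into "90+" and suppresses a birth year that would reveal such an age, reduces ZIP codes to their initial three digits with low-population prefixes set to 000, and issues re-identification codes that are random rather than derived from the subject (so initials, or a hash of the name, would not qualify). The field names, the sample record and the LOW_POPULATION_ZIP3 set are assumptions made for this example; the real low-population prefixes must be taken from current Census Bureau data.

```python
import re
import secrets
from datetime import date

# Fields treated as direct identifiers and dropped outright. The field names
# are assumptions made for this example; map your own schema onto them.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
}

# Illustrative only: the real set of three-digit ZIP prefixes covering
# 20,000 or fewer people must be taken from current Census Bureau data.
LOW_POPULATION_ZIP3 = {"036", "059", "063", "102", "203", "556", "692"}


def deidentify_zip(zip_code, low_population_zip3):
    """Keep only the initial three digits of a ZIP code, and collapse them to
    '000' when that prefix covers 20,000 or fewer people."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in low_population_zip3 else zip3


def age_on(birth_date, as_of):
    """Whole years between birth_date and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (0 if had_birthday else 1)


def safe_harbor(record, low_population_zip3, as_of):
    """Return a de-identified copy of one record: direct identifiers removed,
    dates reduced to their year, ages over 89 aggregated into '90+' (with the
    birth year suppressed, since it would reveal such an age), ZIP truncated."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # removed outright
        if field == "zip":
            out["zip3"] = deidentify_zip(value, low_population_zip3)
        elif field == "birth_date":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"                    # birth year omitted: it would indicate age > 89
            else:
                out["age"] = str(age)
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[field + "_year"] = str(value.year)    # month and day dropped
        else:
            out[field] = value                        # clinical content stays
    return out


def assign_study_code(master_map, subject_key, token_fn=lambda: secrets.token_hex(8)):
    """Issue the re-identification code for a subject. The code is random, so it
    is not derived from anything about the individual (initials or a hash of the
    name or MRN would fail that test); master_map is the key linking codes back
    to subjects and must be stored apart from the de-identified data set."""
    if subject_key not in master_map:
        master_map[subject_key] = token_fn()
    return master_map[subject_key]


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-0000001",
    "email": "jane.sample@example.com",
    "zip": "03601",
    "birth_date": date(1925, 6, 15),
    "admission_date": date(2013, 9, 23),
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    master = {}
    row = safe_harbor(SAMPLE_RECORD, LOW_POPULATION_ZIP3, as_of=date(2020, 1, 1))
    row["study_code"] = assign_study_code(master, SAMPLE_RECORD["name"])
    print(row)   # no name, SSN, MRN or email; zip3 '000'; age '90+'; admission_date_year '2013'
```

This handles only the structured identifiers. Free-text fields such as clinical notes can still carry names or dates, and the "actual knowledge" standard above means the data set is still identifiable if anyone involved knows a remaining field can single out a person, so those fields need separate review before release.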

The Privacy Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

The following HIPAA forms are associated with the Privacy Rule:

  • Notice of Privacy Practices (NPP) Form
  • Request for Access to Protected Health Information (PHI) Form
  • Request for Restriction of Patient Health Care Information Form
  • Request for Accounting Disclosures Form
  • Authorization for Use or Disclosure Form
  • Privacy Complaint Form

Business Associate Defined. In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity.

The Notice of Privacy Practices (NOPP) allows PHI to be used and disclosed for purposes of TPO

Treatment (T), Payment (P), Operations (O)

TPO includes teaching, medical staff/peer review, legal auditing, customer service, business management and releases mandated by law

Examples of TPO

The patient’s referring physician calls and asks for a copy of the patient’s recent exam:

Treatment

A patient’s insurance company calls and requests a copy of the patient’s medical record for a specific services date

Payment

The Quality Improvement office calls and asks for a copy of an operative report

Health Care Operations

For these TPO purposes, patient information may be provided

Except for Treatment, the Minimum Necessary Standard Applies

For patient care and treatment, HIPAA does not impose restrictions on use and disclosure of PHI by health care providers

Exception: Psychotherapy information, HIV test results, and substance abuse information

For anything else, HIPAA requires users to access the minimum amount of information necessary to perform their duties

Example: A billing clerk may need to know what laboratory test was done, but not the result

When Should You?

  • View PHI
  • Use PHI
  • Share PHI

Remember

Use information only when necessary to perform your job duties

Use only the minimum necessary to perform your job duties

Security Rule

45 CFR § 164.3xx

Enforceable since 2005

Applies to all electronic PHI

Flexible, customizable approach to health information security

Uses Risk Analysis to identify and plan mitigation of security risks

Calls for Policies and Procedures

Now being enforced more, including identity theft cases

The HIPAA Security Rule addresses the privacy protection of electronic protected health information (PHI).

Similar to the Privacy Rule, the Security Rule also deals with identifiable health information as defined by the 18 HIPAA identifiers.

The Security Rule defines standards, procedures and methods for protecting electronic PHI with attention to how PHI is stored, accessed, transmitted, and audited.

The HIPAA Security Rule addresses three aspects of security:

Administrative Safeguards - Assignment of a HIPAA security compliance team.

Physical Safeguards - Protection of electronic systems, equipment and data.

Technical Safeguards - Authentication & encryption used to control data access.

Covered entities need to perform a Risk Analysis and utilize Risk Management methodologies so vulnerabilities and possible risks can be reduced.

Organizations should assign a security analyst or officer who is responsible for maintaining and enforcing the HIPAA standards within the organization.

Hardware, Software and Transmission Security

Organizations should have a hardware firewall in place.

Transmission of personal information should be encrypted and comply with HIPAA rulings.

Operating Systems should be hardened and up to date.

Policies should cover the updating of hardware, firmware, operating systems and applications.

Per HIPAA regulations, a Code Set is any set of codes used for encoding data elements, such as:

  • Medical terms
  • Medical concepts
  • Medical diagnosis codes
  • Medical procedure codes

Code sets for medical data are required for administrative transactions under HIPAA for diagnoses, procedures, and drugs.

Medical data code sets used in the health care industry under HIPAA include:

  • Coding systems for health-related problems and their manifestations;
  • Causes of injury, disease or impairment;
  • Actions taken to prevent, diagnose, treat, or manage diseases, injuries, and impairments; and
  • Any substances, equipment, supplies, or other items used to perform these actions.

The following code sets are used in HIPAA transactions:

  • ICD-9-CM codes
  • ICD-10-CM codes
  • HCPCS codes
  • CPT-3 codes
  • CPT-4 codes
  • NDC codes

As part of the HIPAA Administrative Simplification regulation, there are currently three unique identifiers used for covered entities in HIPAA administrative and financial transactions. The use of these unique identifiers will promote standardization, efficiency and consistency.

The unique identifiers under HIPAA regulations are:

Standard Unique Employer Identifier
The same as the Employer Identification Number (EIN) used on an organization's federal IRS Form W-2. This identifies an employer entity in HIPAA transactions.

National Provider Identifier (NPI)
NPI is a unique 10-digit number used for covered health-care providers in all HIPAA administrative and financial transactions.

National Health Plan Identifier (NHI)
The NHI is a Centers for Medicare & Medicaid Services (CMS) proposed identifier to identify health plans and payers.

The HIPAA Enforcement Rule stems directly from the ARRA HITECH Act provisions, which distinguish between violations occurring before, and on or after, the compliance date of Feb. 18, 2013 "with respect to the potential amount of civil money penalty and the affirmative defense available to covered entities," according to the rule.

ARRA describes "improvements" to existing HIPAA law: covered entities, business associates and others are subject to more rigorous standards when it comes to protected health information (PHI). The HITECH Act expands the scope of the HIPAA Privacy and Security Rules and increases the penalties for HIPAA violations.

The HITECH Act addresses five main areas of the HIPAA regulations:

  • Applies the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates
  • Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates
  • Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting disclosure requirements and restrictions on sales and marketing
  • Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods
  • Mandates that the new security requirements must be incorporated into all Business Associate contracts

The American Recovery and Reinvestment Act of 2013 includes the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH Act provides Medicare and Medicaid monetary incentives for hospitals and physicians to adopt electronic health records (EHRs) and also provides grants for the development of a health information exchange (HIE). These incentives and grants were created to stimulate health care providers to adopt technology necessary to improve the efficiency of patient healthcare.

HITECH Act provides over $30 billion for healthcare infrastructure and the adoption of electronic health records (EHR).

According to the Act, physicians are eligible to receive up to $44,000 per physician from Medicare for "meaningful use" of a certified EHR system starting in 2013.

As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act updated federal HIPAA privacy and security standards.

Updates include:

  • Breach notification requirements
  • Fine and penalty increases for privacy violations
  • Right to request copies of the electronic health care record in electronic format
  • Mandates that Business Associates are civilly and criminally liable for privacy and security violations

Breach Notification Rule

Enforceable since February 2010

Final Rule in effect with new changes in how to determine if a Breach must be reported

Works with Privacy and Security Rules

Requires reporting of all PHI breaches to HHS and Individuals

HHS “Wall of Shame”: posts all large breaches (500 or more individuals affected)

Extensive/expensive obligation

Failure to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) can result in Civil and Criminal penalties.

These civil and criminal penalties can apply to both Covered Entities and Individuals.

Section 13410(D) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act by establishing:

Four categories of violations that reflect increasing levels of culpability;

Four corresponding tiers of penalties that significantly increase the minimum penalty amount for each violation; and

A maximum penalty amount of $1.5 million for all violations of an identical provision

CIVIL MONETARY PENALTIES

Individual rights of access

Individual rights of restriction

New restrictions on use of genetic information by health plans

Change in the way to determine whether or not a breach must be reported

New restrictions on disclosures for marketing, sale of PHI; changes to rules for use of PHI for fundraising

Notices of Privacy Practices must be updated to reflect new individual rights and privacy practices

Expansion of rules to Business Associates

PHI is no longer protected more than 50 years after the individual’s death

Must have a process for individual to request access and for a reasonable cost-based fee

Must provide the entire record in the Designated Record Set if requested:

Medical and billing records used in whole or in part to make decisions related to health care

New: Information kept electronically must be available electronically if requested.

Exceptions for Psychotherapy notes, CLIA, others

Changes to HIPAA and CLIA proposed to allow access of lab information by individuals (not finalized yet)

New: the 30-day extension to provide records held off-site is no longer allowed; records must be retrieved within 30 days

HITECH Act § 13405(e): an individual may request an electronic copy of EHR information, now in § 164.524(c)

Includes all electronic data in the Designated Record Set

Request goes to Covered Entity- Business Associates may need to provide the information depending on role, arrangements, contract

Meaningful Use requirements for EHRs call for access by individuals:

  • Portal
  • Logon
  • Password

Flexibility in encryption of PHI e-mailed to individuals

Standard: Confidential Communications Requirements

A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or locations

Provision of Access

Form of access requested

The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.

If PHI is electronic, the individual may request an electronic copy (new)

Process:

Must accommodate reasonable request

Provide the ability to mail to alternate addresses, not receive telephone calls, etc.

May refuse if request is unreasonable

Individuals may want to use texting, e-mail, social media

Use Risk Analysis to determine suitability, obtain agreements

Each Risk Issue has an Impact and Likelihood

Impact: how great the damage would be (more information about more people with more details has greater impact)

Likelihood: how likely it is that the risk issue would become a reality

Risk = Impact x Likelihood

If risk level appears low, it may be acceptable to both the entity and the individual

An informed risk decision can be made about the importance of mitigating certain risks

Rights cannot be given under HIPAA, but individuals can make an informed risk decision

All kinds of electronic information in the designated record set, not just the EHR

Have you performed an inventory of your electronic PHI?

Are access procedures in place?

Who responds to request for access?

How will you provide electronic access of PHI?

Will need to update policy to include the new rights and remove the allowance of an extra 30 days to provide offsite records

Will need to update the Notice of Privacy Practices

Must have a process for individuals to request restrictions on use and disclosure

Need not honor request

Do what you reasonably can

New: An individual may request that no information be shared with the insurer if the service is paid in full out of pocket: MUST honor the request

Must have a policy/procedure/process

Required in your EHR to meet the law

Can you flag such encounters?

Create non-billable procedure codes for self-pay

What about pass-through effects?

Issues with aggregated data

What about contracts with insurers?

May need to update BA Agreements

Will need to update the Notice of Privacy Practices

Genetic Information Nondiscrimination Act (GINA)

Numerous changes to labor laws

New changes to HIPAA § 164.502(a)(5)(i)

Genetic information is not to be used in health plan underwriting, enrollment, eligibility, premium computation, consideration of pre-existing conditions, etc.

Must be noted in Health Plan Notice of Privacy Practices

Designated Record Set:

1. A group of records maintained by or for a covered entity that is:

A. The medical records and billing records about individuals maintained by or for a covered health care provider;

B. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

C. Used, in whole or in part, by or for the covered entity to make decisions about individuals.

2. For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

Business Associates (BA)

Security Rule applies

Breach Notification Rule applies

Privacy Rule use (how they use the information) and disclosure provisions apply

BA responsible for having contracts with Covered Entities and Subcontractors

BA directly liable for compliance and violations

BA will need to educate their Subcontractors

Contracts signed since January 25, 2013 must meet new standard by September 23, 2013

Older, compliant contracts signed before January 25, 2013 have until September 23, 2014 to comply

A Business Associate is an individual or entity, not acting as an employee, that:

Creates, receives, maintains, or transmits protected health information for a function or activity regulated by HIPAA on behalf of a Covered Entity (CE) or another BA

Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services and needs PHI to do it

Anything a CE or BA could do itself but has someone else do it for them, involving creation, receipt, maintenance, or transmission of PHI

Now includes subcontractors, HIEs, Patient Safety Organizations

Marketing requires an Authorization; treatment and healthcare operations do not require an authorization, except:

Authorizations are required for all treatment and health care operations communications where the Covered Entity receives financial remuneration from a third party whose product or service is being marketed

Notice of Privacy Practices may not have to include notice, if authorization

Face to Face communication is still exempted from authorization requirements

Exemption for Refill reminders or other info about a drug or biologic that is currently prescribed

Communications promoting health in general that do not promote a product or service from a particular provider do not constitute marketing and do not require individual authorization

Communications about government and government-sponsored programs do not fall within the definition of “marketing”

HIPAA Notices of Privacy Practices must reflect individual rights and controls on uses and disclosures

New right of access to electronic PHI

New right of restriction of disclosures

New right to be notified in the event of a breach

Changes to marketing

Changes to Fundraising

GINA notice for health plan NPPs

Must update policies and NPP together, by deadline

Start using (and post) new version; no requirement for providers to redistribute to all patients

What is Breach?

A breach is the acquisition, access, use, or disclosure of unsecured PHI in violation of the Privacy Rule; excepted by law if:

PHI is secured or destroyed

Unintentional, in good faith, with no further use (within your organization)

Inadvertent and within job scope (within your organization)

Information cannot be retained

Not reportable if there is a “low probability of compromise” of the data, based on a risk assessment

“Harm Standard” for evaluations of need to report was removed

All breaches not meeting an exception are reportable, unless there is a “low probability of compromise” of the data, based on a risk assessment including at least:

What was the information, how well identified was it, and is its release “adverse to the individual”

To whom it was disclosed

Was it actually acquired or viewed

The extent of mitigation

Right to notification of breaches must be listed in the Notice of Privacy Practices

1. Was there acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule?

If No, not a breach, end of process

If an incident, document the incident and the determination of “not a breach”

If yes, Go on to Step 2

2. Was the information secured according to HHS guidance, or destroyed?

If Yes, not a reportable breach, end of process; document the incident and determination of “not a reportable breach”

If No, may be able to use lower security encryption in the evaluation of risk later in step 5; go to Step 3

3. Was the potential breach internal to your organization, and unintentional, in good faith, with no further use, or inadvertent and within job scope?

If Yes, not a breach, end of process, document the incident and determination of “not a breach”

If No, go on to step 4

4. Is there no way the breached information can be retained?

If no way the PHI was retained, not a breach, end of process, document the incident and determination of “not a breach”

If the breached information may be retained in some way, go to Step 5

5. If you’ve gotten here, you have a breach, and now the only way to keep from having to report it is to do a risk assessment to see if there is a “low probability of compromise”

If there is a low probability of compromise, it is not reportable, end of process, document incident and determination of “not a reportable breach”

If not a low probability of compromise, Must report

Breach Notification Risk Assessment: Not reportable if there is a “low probability of compromise" of the data, based on a risk assessment of:

What was the information and how well identified was it

To whom it was disclosed

Was it actually acquired or viewed

The extent of mitigation

If a small breach (fewer than 500 individuals affected):

Report to the individual within 60 days

Report to HHS no later than 60 days after the end of the year

If a large Breach (500 or more affected):

Report to the individual within 60 days

Report to HHS when you notify the individual

If more than 500 individuals in any jurisdiction, notify major media
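The five-step determination and the reporting timelines above, as an added Python example (mine, not from the page or from HHS): each step is written into the record as it is taken, so the "document the incident and the determination" requirement at every exit is met; a breach with no risk assessment on file is treated as reportable rather than silently dropped; and the notification plan is chosen by the size of the breach. The Incident fields and the sample incident are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class Outcome(Enum):
    NOT_A_BREACH = "not a breach"
    NOT_REPORTABLE = "not a reportable breach"
    REPORTABLE = "reportable breach"

@dataclass
class RiskAssessment:
    """The four factors the rule lists, recorded as text so the file shows
    the reasoning, plus the conclusion drawn from them."""
    information_and_identifiability: str
    recipient: str
    acquired_or_viewed: str
    mitigation: str
    low_probability_of_compromise: bool

@dataclass
class Incident:
    description: str
    violates_privacy_rule: bool      # step 1
    phi_secured_or_destroyed: bool   # step 2: encrypted per HHS guidance, or destroyed
    internal_good_faith: bool        # step 3: internal, unintentional/inadvertent, no further use
    phi_could_be_retained: bool      # step 4
    risk_assessment: Optional[RiskAssessment] = None   # step 5; None means none was done
    individuals_affected: int = 0
    max_in_one_jurisdiction: int = 0

@dataclass
class Determination:
    outcome: Outcome
    stopped_at_step: int
    record: List[str] = field(default_factory=list)         # what to file for the incident
    notifications: List[str] = field(default_factory=list)

def notification_plan(individuals_affected, max_in_one_jurisdiction):
    """Who must be told, and when, once a breach is reportable."""
    plan = ["notify each affected individual within 60 days"]
    if individuals_affected < 500:
        plan.append("report to HHS no later than 60 days after the end of the calendar year")
    else:
        plan.append("report to HHS at the same time the individuals are notified")
    if max_in_one_jurisdiction > 500:
        plan.append("notify major media serving that jurisdiction")
    return plan

def determine_breach(inc):
    """Walk the five steps in order; the first step that decides the matter
    ends the process, and every step taken is written into the record."""
    rec = [f"incident: {inc.description}"]
    if not inc.violates_privacy_rule:
        rec.append("step 1: no Privacy Rule violation -> not a breach")
        return Determination(Outcome.NOT_A_BREACH, 1, rec)
    rec.append("step 1: PHI acquired, accessed, used or disclosed in violation of the Privacy Rule")
    if inc.phi_secured_or_destroyed:
        rec.append("step 2: PHI secured per HHS guidance or destroyed -> not a reportable breach")
        return Determination(Outcome.NOT_REPORTABLE, 2, rec)
    rec.append("step 2: PHI was unsecured")
    if inc.internal_good_faith:
        rec.append("step 3: internal, good-faith/inadvertent, no further use -> not a breach")
        return Determination(Outcome.NOT_A_BREACH, 3, rec)
    rec.append("step 3: no internal good-faith exception applies")
    if not inc.phi_could_be_retained:
        rec.append("step 4: PHI could not have been retained -> not a breach")
        return Determination(Outcome.NOT_A_BREACH, 4, rec)
    rec.append("step 4: PHI may have been retained")
    ra = inc.risk_assessment
    if ra is None:
        rec.append("step 5: no risk assessment on file; breach presumed -> reportable")
    else:
        rec += [f"step 5, information: {ra.information_and_identifiability}",
                f"step 5, recipient: {ra.recipient}",
                f"step 5, acquired or viewed: {ra.acquired_or_viewed}",
                f"step 5, mitigation: {ra.mitigation}"]
        if ra.low_probability_of_compromise:
            rec.append("step 5: low probability of compromise -> not a reportable breach")
            return Determination(Outcome.NOT_REPORTABLE, 5, rec)
        rec.append("step 5: low probability of compromise not shown -> reportable")
    plan = notification_plan(inc.individuals_affected, inc.max_in_one_jurisdiction)
    return Determination(Outcome.REPORTABLE, 5, rec, plan)

# Constructed sample: an unencrypted laptop holding 1,200 patients' records is stolen.
SAMPLE_INCIDENT = Incident(
    description="laptop with unencrypted patient export stolen from an employee's car",
    violates_privacy_rule=True, phi_secured_or_destroyed=False,
    internal_good_faith=False, phi_could_be_retained=True,
    individuals_affected=1200, max_in_one_jurisdiction=900,
)

if __name__ == "__main__":
    d = determine_breach(SAMPLE_INCIDENT)
    print(d.outcome.value, "decided at step", d.stopped_at_step)
    print("\n".join(d.record + d.notifications))
```

Step 2 is where encryption pays off: the same stolen laptop with full-disk encryption meeting HHS guidance exits the process as "not a reportable breach", which is why the inventory of electronic PHI and the encryption status of portable devices belong in the risk analysis before an incident, not after.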

Reported breaches involving 500 or more individuals’ PHI in the first year of the reporting requirement:

76% of breaches involve loss (15%), theft (56%), improper disposal (5%)

17% are caused by unauthorized access or disclosure

6% are caused by hacking

Portable data, laptops, smart phones, memory sticks the leaders for breaches of PHI

Servers not immune from physical or technical attack

Business Associates are an increasing source of breaches (57%)

HHS Wall of Shame for large breaches

Privacy Rules:

HIPAA privacy rules define the circumstances under which a resident's electronic health care information can be disclosed to third parties. With few exceptions, a facility must have the resident's written authorization to disclose specific medical information.

Residents must be provided with a written notice as to how health information is used and shared.

Security Rules:

Facilities must implement administrative, technical, and physical safeguards to ensure that electronic protected health care information is not disclosed to unauthorized persons.

Specific electronic security systems and requirements are not defined in the HIPAA Security Rule, allowing nursing homes to select and tailor the security systems and equipment that are appropriate to their organization and facilities.

Enforcement:

The U.S. Department of Health & Human Services Office for Civil Rights, or OCR, investigates complaints of possible violations of HIPAA security and privacy rules.

The OCR also conducts compliance reviews and provides outreach and educational programs.

These Rules apply to you when you look at, use, or share Protected Health Information (PHI).

Health Insurance Portability and Accountability Act (HIPAA)

The Office for Civil Rights (OCR) is the arm of the federal government that oversees policy and enforcement for the HIPAA Privacy, Security, and Breach Notification Rules. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers multiple areas of federal legislation, including insurance portability, fraud enforcement, and administrative simplification (Compliance Officer Handbook 2014, HCPro). HIPAA’s fraud enforcement function is carried out through the Privacy and Security Rules under the Administrative Simplification section of Title II.

HIPAA created new standards for administrative transactions and for the security of individual health information. There have been a number of updates to HIPAA legislation, the most recent being the final rules of the Omnibus Act in 2013. These updates increased HIPAA organizational and personal responsibilities and increased fines.

The primary purpose of HIPAA is to protect the security of health information and to standardize the methods by which information is exchanged. The HIPAA regulations govern the use and release of patients’ personal health information. It is our task as healthcare professionals to keep patient information private and secure.

Privacy Rule

The HIPAA Privacy Rule effective April 15, 2003 establishes federal protection for individually identifiable health information held by covered entities and their business associates (called “protected health information”) and gives patients important rights with respect to their health information. At the same time, the Privacy Rule is balanced to permit the use and disclosure of health information needed for patient care and other important purposes.

This established two approaches to protecting the privacy of health information: assigning rights to individual patients to give them some control over their own health information, and providing standards for the way health care providers, health plans, and health care clearinghouses are permitted to access, use and disclose health information.

Protected Health Information otherwise known as PHI is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing healthcare services such as diagnosis or treatment. Data are "individually identifiable" if they include any of the 18 types of identifiers for an individual or for the individual's employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual. These identifiers are:
PHI 18 Identifiers:

1. Name
2. Address (all geographic subdivisions smaller than a state, including street address, city, county, precinct and ZIP code, and their equivalent geocodes), except for the initial three digits of a ZIP code if, according to the current publicly available data from the Bureau of the Census:

– The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
– The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people are changed to 000.

3. All elements of dates (except year) for dates directly related to an individual, including:

– Birth date,
– Admission date,
– Discharge date,
– Date of death,
– All ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older

4. Telephone numbers
5. FAX numbers
6. Email address
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web URLs
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (this does not include a re-identification code assigned by the investigator, provided the code is not derived from information about the individual and the means of re-identification is not disclosed)
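
As an added example that is not part of the original page, the following Python applies the Safe Harbor rules listed above to a constructed patient record: direct identifiers and sub-state geography are dropped, ZIP codes are reduced to their first three digits (or 000 for low-population prefixes), dates are reduced to the year, and ages over 89 are collapsed to "90+" with the birth year removed as well. The field names, the sample record and the restricted ZIP prefix set are assumptions made for the example; the prefix set in particular must be regenerated from current Census data before anyone relies on it.

```python
"""Safe Harbor de-identification of one patient record (added example)."""
import re
from datetime import date
from typing import Any, Optional

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer and
# must therefore be changed to 000. Illustrative set assumed for this example;
# regenerate it from current Census data before use.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Direct identifiers and geography smaller than a state: dropped outright.
# Field names are assumptions for this example.
REMOVED_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}


def zip_to_safe_harbor(zip_code: Optional[str]) -> Optional[str]:
    """Keep only the first three digits, or 000 for a low-population prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Apply the Safe Harbor rules; date fields are ISO YYYY-MM-DD strings."""
    dob = date.fromisoformat(record["date_of_birth"]) if record.get("date_of_birth") else None
    over_89 = dob is not None and age_on(dob, as_of) > 89
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in REMOVED_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = zip_to_safe_harbor(value)
        elif field in DATE_FIELDS:
            # Year only, and not even the birth year when it would reveal an age over 89.
            year = date.fromisoformat(value).year if value else None
            if field == "date_of_birth" and over_89:
                year = None
            out[field + "_year"] = year
        elif field == "age":
            out["age"] = "90+" if int(value) > 89 else str(value)
        else:
            out[field] = value  # e.g. state, diagnosis codes: permitted under Safe Harbor
    if over_89:
        out["age"] = "90+"
    return out


# Constructed sample record (not a real patient) and reference date.
SAMPLE_RECORD = {
    "name": "Jane Q. Example", "mrn": "MRN-000123", "ssn": "000-00-0000",
    "email": "jane@example.com", "street_address": "1 Example Way",
    "city": "Anytown", "state": "NY", "zip": "10302-1234",
    "date_of_birth": "1922-05-17", "admission_date": "2013-03-02",
    "discharge_date": "2013-03-09", "diagnosis_code": "I10",
}
SAMPLE_RECORD_YOUNG = dict(SAMPLE_RECORD, date_of_birth="1980-01-01")
AS_OF = date(2013, 9, 23)

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
    print(deidentify(SAMPLE_RECORD_YOUNG, AS_OF))
```

Note that Safe Harbor is only one of the two de-identification methods the Privacy Rule recognizes; the other is a documented determination by a qualified statistician, which this code does not attempt.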

PHI can be disclosed without using patient names: simply discussing the circumstances of a case can reveal enough for the patient to be identified by others. Communication about PHI can be verbal, written or electronic. All such communication must be kept private and limited to those who need to know it for treatment, payment or health care operations.

The Privacy Rule permits PHI to be used and disclosed without patient authorization for purposes of TPO, and the Notice of Privacy Practices (NOPP) tells patients so.

  • Treatment (T), Payment (P), Operations (O): health care operations include teaching, medical staff/peer review, legal and auditing functions, customer service and business management; releases mandated by law are also permitted.
  • Examples of TPO
    • The patient's referring physician calls and asks for a copy of the patient's recent exam:
      • Treatment
    • A patient's insurance company calls and requests a copy of the patient's medical record for a specific date of service:
      • Payment
    • The Quality Improvement office calls and asks for a copy of an operative report:
      • Health Care Operations
  • For these TPO purposes, patient information may be provided without the patient's written authorization

Except for Treatment, the Minimum Necessary Standard Applies

  • For patient care and treatment, HIPAA does not impose minimum-necessary restrictions on the use and disclosure of PHI by health care providers
    • Exception: psychotherapy notes, HIV test results and substance abuse treatment records carry additional protections under HIPAA or under other federal and state law
  • For anything else, HIPAA requires users to access only the minimum amount of information necessary to perform their duties
    • Example: A billing clerk may need to know what laboratory test was done, but not the result

When should you view, use and share PHI? Use PHI only when it is necessary to perform your job duties, and use only the minimum necessary to do so. Just because you can access PHI does not mean you should if your job does not require it.

Patients expect privacy when receiving health care. Under the current regulations patients may also request an accounting of the disclosures made of their information. IT departments should therefore run periodic random audits of electronic health record access logs to verify that every employee who opened a patient record needed to do so for their job duties and viewed only the minimum necessary.
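
One way to start such an audit, as an added example that is not code from the original page: the Python below reads a constructed EHR access log and flags two kinds of minimum-necessary problems, an action the user's role does not need (the page's billing clerk viewing a lab result) and a clinical user opening the chart of a patient on another unit without a documented care relationship. The log format, the role-to-action table and the care-relationship list are assumptions for the example; a real deployment would pull the last two from the identity system and the EHR's orders and encounters.

```python
"""Minimum-necessary audit of an EHR access log (added example)."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample access log (not real data). Columns:
# timestamp,user,role,user_unit,patient,patient_unit,action
SAMPLE_LOG = """\
timestamp,user,role,user_unit,patient,patient_unit,action
2013-09-23T08:02:11Z,u.nurse01,nurse,ICU,P1001,ICU,view_chart
2013-09-23T08:05:40Z,u.nurse01,nurse,ICU,P2002,ONC,view_chart
2013-09-23T09:10:03Z,u.bill07,billing,REV,P1001,ICU,view_lab_order
2013-09-23T09:11:30Z,u.bill07,billing,REV,P1001,ICU,view_lab_result
2013-09-23T12:30:00Z,u.doc22,physician,ONC,P2002,ONC,view_chart
2013-09-23T12:31:00Z,u.doc22,physician,ONC,P3003,ICU,view_chart
"""

# Assumed role model: the actions each job role needs. A billing clerk may see
# that a lab test was ordered, but not its result.
ROLE_ALLOWED_ACTIONS = {
    "nurse": {"view_chart", "view_lab_order", "view_lab_result", "view_med_admin"},
    "physician": {"view_chart", "view_lab_order", "view_lab_result",
                  "view_med_admin", "sign_order"},
    "billing": {"view_demographics", "view_lab_order", "view_billing"},
}

# Assumed documented care relationships (consults, orders, encounters) that
# justify access to a patient outside the user's own unit.
CARE_RELATIONSHIPS = {("u.doc22", "P3003")}

ROLE_ACTION_NOT_PERMITTED = "role_action_not_permitted"
OFF_UNIT_NO_RELATIONSHIP = "off_unit_access_without_care_relationship"
UNKNOWN_ROLE = "unknown_role"


def _finding(row: dict, reason: str) -> dict:
    return {"timestamp": row["timestamp"], "user": row["user"],
            "patient": row["patient"], "action": row["action"], "reason": reason}


def audit_access_log(log_text: str) -> list[dict]:
    """Return one finding per access that the user's job does not justify."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        allowed = ROLE_ALLOWED_ACTIONS.get(row["role"])
        if allowed is None:
            findings.append(_finding(row, UNKNOWN_ROLE))
            continue
        if row["action"] not in allowed:
            findings.append(_finding(row, ROLE_ACTION_NOT_PERMITTED))
        # Clinical staff are expected to work their own unit; anything else needs a
        # documented care relationship. Billing works across units by design, so
        # the unit check does not apply to that role.
        off_unit = row["user_unit"] != row["patient_unit"]
        if (row["role"] != "billing" and off_unit
                and (row["user"], row["patient"]) not in CARE_RELATIONSHIPS):
            findings.append(_finding(row, OFF_UNIT_NO_RELATIONSHIP))
    return findings


def users_to_review(findings: list[dict], top_n: int = 5) -> list[tuple[str, int]]:
    """Rank users by number of findings to decide whose access to review first."""
    return Counter(f["user"] for f in findings).most_common(top_n)


if __name__ == "__main__":
    results = audit_access_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['timestamp']} {f['user']} -> {f['patient']} {f['action']}: {f['reason']}")
    print("review first:", users_to_review(results))
```

The physician's access to P3003 on another unit is not flagged because a consult relationship exists; that is the distinction a random audit has to make, since treatment access is exempt from the minimum-necessary standard while curiosity is not.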

Employees should be aware of the PHI around them to avoid unintentional disclosure: papers left lying around such as nurses' worksheets with patient information, computer screens visible to passers-by, patient information on stickers, medication labels and forms, and conversations about patients held where others can overhear. Never share passwords.

Employees also need to know how to properly discard information containing PHI. Papers containing PHI that are no longer needed should be placed in a locked shred bin. Avoid leaving papers at copiers, fax machines or in conference rooms. Do not send text messages containing PHI, and encrypt any email that contains PHI.

Security Rule

The HIPAA Security Rule addresses the protection of electronic protected health information (ePHI). Like the Privacy Rule, the Security Rule deals with identifiable health information as defined by the 18 HIPAA identifiers. It defines standards, procedures and methods for protecting ePHI, with attention to how it is stored, accessed, transmitted and audited. The Security Rule addresses three categories of safeguards:

  • Administrative Safeguards – organizational rules and procedures. Defined as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information"
    • 9 Standards
    • 23 Implementation Specifications
  • Physical Safeguards – physical protection rules. Defined as "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion"
    • 4 Standards
    • 10 Implementation Specifications
  • Technical Safeguards – technology protection and rules. Defined as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it"
    • 5 Standards
    • 9 Implementation Specifications

The Security Rule lists each standard together with its associated implementation specifications. Each specification is identified as either required or addressable. A required specification must be implemented; there is no choice. An addressable specification gives flexibility and latitude: after the covered entity performs its analysis, it must implement the specification if that is reasonable and appropriate, implement an equivalent alternative measure, or document why neither is reasonable and appropriate. "Addressable" does not mean optional.

Security applies to the full spectrum of physical, technical and administrative safeguards put in place to protect the integrity, availability and confidentiality of information and of the systems in which it is stored. The HIPAA Security regulation specifies the physical, technical and administrative safeguards that a covered entity must employ to protect the integrity, availability and confidentiality of electronic health information. The difference between the Privacy Rule and the Security Rule is that the Security Rule applies only to ePHI, whereas the Privacy Rule applies to all PHI in any form.

Examples of administrative safeguards are policies and procedures, practices, checklists, and auditing and monitoring schedules. Physical safeguards include doors, locks, badge-controlled areas and cameras. Technical safeguards include passwords, unique user IDs, encryption, audit logs and anti-virus software.

The Privacy Rule and Security Rule penalize individuals and organizations that fail to maintain the confidentiality of PHI. HIPAA also includes administrative requirements: a designated Privacy Officer (and a Security Officer for ePHI), safeguards to protect the confidentiality, integrity and availability of information, and workforce training and education (Health Care Compliance Association Handbook 101).

The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in February 2009 as part of the American Recovery and Reinvestment Act (ARRA).

Health care providers often hear that HIPAA makes it difficult, if not impossible, to move electronic health data when and where it is needed for patient care. This is a misconception, and a widespread one throughout the health care industry.
Many people think HIPAA exists only to protect personal health information from misuse; it also ensures that personal health information can be accessed, used or disclosed when and where it is needed for patient care.

OCR has posted fact sheets, hosted at HealthIT.gov, with examples of when electronic health information can be exchanged:

https://www.healthit.gov/sites/default/files/exchange_health_care_ops.pdf
https://www.healthit.gov/sites/default/files/exchange_treatment.pdf

HIPAA Enforcement Rule

The HIPAA Enforcement Rule was amended to implement the ARRA HITECH Act provisions. It distinguishes between violations occurring before, and on or after, February 18, 2009 "with respect to the potential amount of civil money penalty and the affirmative defense available to covered entities," according to the rule.

  • As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act updated the federal HIPAA privacy and security standards.
  • Updates include:
    • Breach notification requirements
    • Increased fines and penalties for privacy violations
    • The right to request copies of the electronic health record in electronic format
    • Business Associates made directly liable, civilly and criminally, for privacy and security violations

HIPAA Breach Notification Rule

Enforceable since February 2010, with the 2013 Final Rule changing how to determine whether a breach must be reported. The Breach Notification Rule works together with the Privacy and Security Rules. It requires reporting of all breaches of unsecured PHI to HHS and to the affected individuals, and HHS publicly posts all large breaches (500 or more individuals) on its breach portal, commonly called the "Wall of Shame." The obligation is extensive and expensive. It is essential that compliance officers maintain a log of all breaches, including those affecting fewer than 500 individuals.

What is a Breach? A breach is the acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule. By law it is not a breach if:

  • The PHI was secured (for example, encrypted according to HHS guidance) or properly destroyed
  • The access was unintentional, in good faith and within the scope of authority, with no further use or disclosure (within your organization)
  • The disclosure was inadvertent, between persons authorized to access PHI at the same organization, with no further use or disclosure
  • The recipient could not reasonably have retained the information

In addition, an impermissible use or disclosure is presumed to be a breach unless a risk assessment shows a "low probability of compromise" of the data. The earlier "harm standard" for evaluating the need to report was removed by the 2013 Final Rule.

All breaches not meeting an exception are reportable unless there is a "low probability of compromise" of the data, based on a documented risk assessment covering at least:

  • The nature and extent of the PHI involved, including how well identified it was and whether its release is adverse to the individual
  • The unauthorized person to whom it was disclosed
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk has been mitigated

Right to notification of breaches must be listed in the Notice of Privacy Practices.

When is notification of a breach required?

  • Small breach (fewer than 500 individuals affected):
    • Notify the individuals without unreasonable delay and no later than 60 days after discovery
    • Report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered
  • Large breach (500 or more individuals affected):
    • Notify the individuals without unreasonable delay and no later than 60 days after discovery
    • Report to HHS at the same time the individuals are notified
    • If more than 500 residents of a single state or jurisdiction are affected, also notify prominent media outlets serving that area

What are the penalties? The HITECH Act increased the civil penalties for organizations and, for the first time, made clear that individuals, including employees of a covered entity, can be held liable for HIPAA violations.

PENALTIES

Patient Rights

In addition to the privacy and security protections under HIPAA, patients have several rights under the Privacy Rule:

  • Right to access and obtain a copy of their PHI
  • Right to amend their PHI
  • Right to obtain an accounting or listing of disclosures of their PHI
  • Right to receive a Notice of Privacy Practices
  • Right to have communication about their PHI conducted in a confidential manner
  • Right to request restrictions on certain uses and disclosures of their PHI
  • Right to file a complaint about a covered entity's privacy practices with the covered entity and with the Office for Civil Rights

Other changes introduced by the 2013 Omnibus Final Rule:

  • New restrictions on the use of genetic information by health plans
  • Change in the way to determine whether or not a breach must be reported
  • Expansion of the rules to Business Associates
  • PHI no longer protected more than 50 years after the individual's death

Individuals' Right to Access

  • Must have a process for individuals to request access, and may charge only a reasonable, cost-based fee
  • Must provide the entire Designated Record Set if requested:
    • Medical and billing records used in whole or in part to make decisions related to health care
    • New: information kept electronically must be provided in electronic form if requested
    • Exceptions for psychotherapy notes, CLIA-restricted laboratory records and others
    • Changes to HIPAA and CLIA have been proposed to allow individuals direct access to laboratory test reports (not yet finalized at the time of writing)
  • New: the additional 30 days formerly allowed for records held off-site is no longer permitted; respond within 30 days (one 30-day extension with written notice to the individual is still allowed)

Revisions to the Notice of Privacy Practices

  • HIPAA Notices of Privacy Practices must reflect the individual rights and the controls on uses and disclosures
    • New right of access to electronic PHI
    • New right to request restriction of disclosures
    • New right to be notified in the event of a breach
    • Changes to marketing
    • Changes to fundraising
    • GINA notice for health plan NPPs
  • Policies and the NPP must be updated together, by the deadline
  • Start using (and post) the new version; providers are not required to redistribute it to all existing patients

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) investigates complaints of possible violations of the HIPAA Privacy and Security Rules. OCR also conducts compliance reviews and provides outreach and educational programs.

The 2009 HITECH Act mandated many changes to the HIPAA regulations. One such change requires the Office for Civil Rights (OCR) of the Department of Health and Human Services to conduct "periodic audits" of covered entities and business associates to ensure HIPAA compliance. The goal of the audits is to help covered entities and business associates improve compliance with the HIPAA Privacy and Security Rules. OCR planned to conduct comprehensive on-site and desk audits of covered entities and business associates starting in 2016. Audits are a proactive approach to evaluating and ensuring compliance with both the Privacy and Security Rules. Facilities need to be prepared by conducting their own HIPAA risk assessments.