Maestro Health - HIPAA Orientation

The federal government has established a series of rules designed to protect the rights of patients and ensure that their personal information stays private. Enforced by the Office for Civil Rights (OCR), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes procedures that must be followed in order to ensure the privacy of protected health information (PHI). Maintaining HIPAA compliance is critical to avoid major government fines, reduce risk and protect patient privacy.

This online course, HIPAA Compliance, explains the business and regulatory reasons for complying with the HIPAA Privacy and Security regulations. It provides definitions, explains what and who is covered under the HIPAA law, and describes the potential business impact on health care providers and business associates. The course also provides an overview of the HIPAA Privacy and Security Rule standards and implementation specifications, and gives examples of how the regulatory requirements can be satisfied.

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act.

HIPAA was passed by Congress in 1996.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule was published in 2000 and became effective in 2003.

The HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information.

The HIPAA Privacy Rule applies to

  • Health plans
  • Health care clearinghouses
  • Health care providers that conduct certain health care transactions electronically

What is the HIPAA Security Rule?

The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

Why do these HIPAA laws and regulations exist?

Before HIPAA

  • Health records processing was a nightmare
  • No standards for electronic data handling
  • No agreement between medical providers/insurers
  • No consistent security requirements on handling
  • Very expensive and time-consuming to process paper documents
  • No consistent breach reporting
  • Lack of controls on fraud
  • No insurance portability
  • Group Health Plan Requirements not set out well
  • Health care administrative overhead estimated at 26 cents of every healthcare dollar 

Other laws and regulations

  • The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. 
  • State Data Privacy Laws
    • 48 states/territories have data privacy laws that protect very similar data
  • IRS Regulations for ACA
  • Every single client contract

What are covered entities?

We call the entities that must follow the HIPAA regulations "covered entities."

Covered Entities (CE) include:

  • Health Plans—including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Who is covered?

HIPAA/ARRA

  • Covered Entities (CE)
    • Health care providers who transmit protected health information (PHI) electronically
    • Health plans & health care clearinghouses
  • Business Associates (BA)
    • Someone who performs functions or services for a CE and accesses protected health information.
    • A subcontractor that creates, receives, maintains, or transmits PHI for another BA.

State Data Privacy

Varies!

What is PHI?

Individually identifiable health information, created or received by a covered entity, that relates to the past, present, or future physical or mental health condition of an individual, the delivery of health care, or payment for health care.

  • Health Information: Created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, PLUS
  • Past, present, or future physical or mental health condition, the delivery of health care or payment for health care, PLUS
  • Individually identifiable health information includes many common identifiers such as name, address, birth date, social security number

HIPAA Individually Identifiable Information

The 18 Points You Need to Know

1. Names

2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census:
A. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people and
B. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older

4. Phone numbers

5. Fax numbers

6. Electronic mail addresses

7. Social Security numbers

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate/license numbers

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers and serial numbers

14. Web Universal Resource Locators (URLs)

15. Internet Protocol (IP) address numbers

16. Biometric identifiers, including finger and voice prints

17. Full face photographic images and any comparable images

18. Any other unique identifying number, characteristic, or code
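The 18 identifiers above are what the Safe Harbor method of de-identification removes or generalizes. The following Python is an added example, not part of the Maestro orientation or of any Maestro system: it takes a patient record as a dictionary, strips the direct identifiers, reduces a ZIP code to its first three digits (or to 000 for a restricted area), reduces dates to the year, and aggregates ages over 89 into a single "90+" category, dropping the birth year when it would reveal such an age. The field names, the allow-list of non-identifying fields, and the small RESTRICTED_ZIP3 set are assumptions for illustration; the real restricted set must be derived from current Census Bureau data, as item 2 requires.

```python
"""Safe Harbor-style generalization of a patient record (added example).

Field names and RESTRICTED_ZIP3 are constructed assumptions, not Maestro
Health data or code.
"""
import re
from datetime import date

# Direct identifiers (Safe Harbor items 1 and 4 to 18): always removed.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}

# Fields known to carry no identifier; only these pass through unchanged.
# Anything not listed is held back for human review, because item 18 covers
# "any other unique identifying number, characteristic, or code".
ALLOWED_FIELDS = {"diagnosis", "sex", "state"}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer.
# CONSTRUCTED placeholder: populate from current Census Bureau data.
RESTRICTED_ZIP3 = {"036", "059", "102"}


def generalize_zip(zip_code):
    """Return the first three ZIP digits, or '000' for a restricted area."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # malformed input: drop it rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(birth, as_of):
    """Whole years between birth and as_of, allowing for a birthday not yet reached."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def deidentify(record, as_of):
    """Return (deidentified_record, field_names_held_for_review)."""
    out = {}
    review = []

    age = None
    if isinstance(record.get("birth_date"), date):
        age = age_on(record["birth_date"], as_of)
    elif record.get("age") is not None:
        age = int(record["age"])
    over_89 = age is not None and age > 89  # item 3: aggregate to "90+"

    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "age":
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            # Year only, and dropped entirely when it would reveal age > 89.
            out["birth_year"] = None if over_89 else str(value.year)
        elif key.endswith("_date") and isinstance(value, date):
            out[key[:-5] + "_year"] = str(value.year)  # e.g. admission_year
        elif key in ALLOWED_FIELDS:
            out[key] = value
        else:
            review.append(key)

    if age is not None:
        out["age"] = "90+" if over_89 else str(age)
    return out, review


# Constructed sample records (not real patients).
SAMPLE = {
    "name": "Jane Example",
    "zip": "60601-1234",
    "birth_date": date(1930, 5, 4),
    "admission_date": date(2015, 3, 12),
    "phone": "555-0100",
    "diagnosis": "hypertension",
}
SAMPLE_OVER_89 = {
    "name": "John Example",
    "zip": "03601",
    "birth_date": date(1920, 1, 1),
    "room_no": "4B",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, date(2016, 1, 1)))
    print(deidentify(SAMPLE_OVER_89, date(2016, 6, 1)))
```

The allow-list is the deliberate design choice: a field the code has never seen is held for review rather than passed through, because the eighteenth item means any unexpected code or number can re-identify someone. Safe Harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the individual, which no script can decide on its own.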

What is Required 1

The answer for a post-ACA world

  • PHI can only be used for treatment, payment, or health care operations unless the patient's written consent or federal law allows otherwise. Any other use may be a breach.
  • Disclose only the "minimum necessary" to accomplish the intended purpose. Any other disclosure may be a breach.
  • Have written BA Agreements with contractors and CEs to ensure compliance. Transferring data without one is a breach.
  • HIPAA training for everyone.
  • Keep privacy policies, procedures, notices and complaints for 7 years after their effective date.

What is Required 2

The answer for a post-ACA world.

  • Timely notify of breaches  
  • Risk based security/privacy policies/procedures.
  • Role Based Access Controls (RBAC)
    • Authorized for that specific data
  • Physical Security
    • Badge
    • No Tailgating!
    • Clean Desk
  • Data Security

What is Required 3

The answer for a post-ACA world.

  • Strong Passwords
  • Passwords must be protected at least as well as the data they protect!
  • Changed every 90 days
  • No dictionary words or easily guessable passwords
  • Complexity requires at least one each from
    • Upper Case Letters
    • Lower Case Letters
    • Numbers
    • Special Characters
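A password policy is only enforceable if it is checked somewhere. The following Python is an added example, not Maestro's password policy tooling: it encodes the rules listed above (one character from each of the four classes, no dictionary words or easily guessable patterns, rotation every 90 days) as a function that returns a list of findings, so an empty list means the password passes. The minimum length of 12 and the tiny word list are assumptions for illustration; a real check would use a full dictionary and the length the policy specifies.

```python
"""Password policy check (added example, not Maestro's own tooling)."""
import re
from datetime import date

MIN_LENGTH = 12          # assumption: the orientation gives no length
ROTATION_DAYS = 90       # "Changed every 90 days"

# CONSTRUCTED sample word list; use a real dictionary in practice.
DICTIONARY_WORDS = {"password", "maestro", "health", "welcome", "summer"}

# Keyboard runs and digit runs that make a password easily guessable.
GUESSABLE_SEQUENCES = ("123", "234", "345", "456", "567", "678", "789",
                       "abc", "qwe", "asd", "zxc")

CHARACTER_CLASSES = {
    "upper case letter": r"[A-Z]",
    "lower case letter": r"[a-z]",
    "number": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}


def password_findings(password):
    """Return a list of policy violations; an empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    # Complexity: at least one character from each class.
    for label, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            findings.append(f"missing {label}")

    lowered = password.lower()
    # Dictionary words anywhere in the password, case-insensitive.
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            findings.append(f"contains dictionary word '{word}'")

    # Easily guessable patterns: repeated characters or simple runs.
    if re.search(r"(.)\1\1", password):
        findings.append("contains a character repeated three or more times")
    for seq in GUESSABLE_SEQUENCES:
        if seq in lowered:
            findings.append(f"contains guessable sequence '{seq}'")
            break
    return findings


def rotation_due(last_changed, today):
    """True when the password has reached the 90-day rotation age."""
    return (today - last_changed).days >= ROTATION_DAYS


if __name__ == "__main__":
    for candidate in ("Maestro2024!", "password123", "xK9#vQ2$mL7!pR"):
        print(candidate, "->", password_findings(candidate) or "OK")
    print(rotation_due(date(2024, 1, 1), date(2024, 3, 31)))
```

The check reports every violation rather than stopping at the first one, which is what a user-facing policy message needs. Note that the dictionary test is a substring match, so "Maestro2024!" fails even though it satisfies all four character classes.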

Who enforces these requirements?

HIPAA/HITECH

  • HHS (Criminal, Civil)
  • State Attorneys General (Criminal, Civil)
  • Private Right of Action (Civil)

State Data Privacy Laws: Varies!

  • State Attorneys General (Criminal, Civil)
  • State Agencies (e.g., California Board of Managed Health Care)(Criminal, Civil)
  • Private Right of Action (Civil)

Our Clients!

  • Breach of Contract

What happens if I don't comply?

  • HIPAA
  • Noncompliance (HHS OCR)
    • Civil offense: $100 to $50,000 per violation, with caps of $25,000 to $1.5M for all violations of a single requirement in a calendar year
  • Unauthorized disclosure or misuse of patient information (DOJ)
    • Criminal offense: under false pretenses or intent to sell, transfer, use for personal gain, or malicious harm
    • Fines up to $250,000/sentence up to 10 years
  • State Laws
  • Breach of Contract
  • Company Policy for enterprise and by audit scope

How do I...

  • Report a Maestro privacy/security incident/ask a security/compliance/privacy question:
  • Report Maestro Lost Laptop:

Resources

Centers for Medicare and Medicaid Services (CMS)

http://www.cms.gov/hipaa/hipaa2/default.asp

US Department of Health and Human Services (HHS) 

http://aspe.os.dhhs.gov/admnsimp

Developer’s Guide to HIPAA Compliance

https://github.com/truevault/hipaa-compliance-developers-guide

Open Web Application Security Project (OWASP)

https://www.owasp.org/index.php/Main_Page

What's in the works?

  • Common Service Desk
  • Maestro Privacy/Security Policies
  • Maestro Password Policies
  • Maestro Security Incident Response Team
  • Maestro SDLC/SSDLC
  • Maestro Security “Punchlist”: Required security controls for HIPAA applications
  • Data De-identification/Sterilization Standard

Test Your Understanding

Before HIPAA

  • Health records processing was easy
  • No standards for electronic data handling
  • No agreement between medical providers/insurers
  • Consistent security requirements on handling
  • Very expensive and time consuming to process paper document
Select all that apply.

Before HIPAA (continued)

  • No consistent breach reporting
  • Lack of controls on fraud
  • No insurance portability
  • Group Health Plan Requirements not set out well
  • Health care administrative overhead estimated at 26 cents of every healthcare dollar

Laws and Regulations

  • Health Insurance Portability and Accountability Act of (HIPAA)
  • HIPAA Privacy Rules was published in  and effective in  
  • HIPAA Security Rules was effective in  
  • American Recovery and Reinvestment Act (ARRA)/HITECH in 
  • State Data Privacy Laws in  states/territories have data privacy laws that protect very similar data
  • IRS Regulations for  

Which are Covered Entities?

  • Health care providers who transmit protected health information (PHI) electronically
  • Health plans & health care clearinghouses

Which are Business Associates (BA)?

  • Someone who performs functions or services to a CE and accesses protected health information.
  • A subcontractor that creates, receives, maintains, or transmits PHI for another BA.