Maestro Health - HIPAA Orientation

HIPAA is the acronym for the Health Insurance Portability and Accountability Act.

The HIPAA was passed by Congress in 1996.

The HIPAA Privacy Rules was published in 2000 and effective in 2003.

The HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information.

The HIPAA Privacy Rule applies to

• Health plans
• Health care clearinghouses
• Health care providers that conduct certain health care transactions electronically

The Security Rule, Security Standards for the Protection of Electronic Protected Health Information, establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. 

Before HIPAA

• Health records processing was a nightmare
• No standards for electronic data handling
• No agreement between medical providers/insurers
• No consistent security requirements on handling
• Very expensive and time consuming  to process paper document
• No consistent breach reporting
• Lack of controls on fraud
• No insurance portability
• Group Health Plan Requirements not set out well

• Health care administrative overhead estimated at 26 cents of every healthcare dollar 

• The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. 
• State Data Privacy Laws
  • 48 states/territories have data privacy laws that protect very similar data
• IRS Regulations for ACA
• Every single client contract

We call the entities that must follow the HIPAA regulations "covered entities."

Covered Entities (CE) include:

• Health Plans—including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
• Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
• Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

HIPAA/ARRA

• Covered Entities (CE)
  • Health care providers who transmit protected health information (PHI) electronically
  • Health plans & health care clearinghouses
• Business Associates (BA)
  • Someone who performs functions or services to a CE and accesses protected health information. 
  • A subcontractor that creates, receives, maintains, or transmits PHI for another BA.

State Data Privacy

Varies!

 

Individually-identifiable health information created or received by a covered entity, that relates to the past, present, or future physical or mental health condition, the delivery of health care or payment for health care.

• Health Information: Created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, PLUS
• Past, present, or future physical or mental health condition, the delivery of health care or payment for health care, PLUS
• Individually identifiable health information includes many common identifiers such as name, address, birth date, social security number

The 18 Points You Need to Know

1. Names

2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: A. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people and B. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older

4. Phone numbers

5. Fax numbers

6. Electronic mail addresses

7. Social Security numbers

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate/license numbers

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers and serial numbers

14. Web Universal Resource Locators (URLs)

15. Internet Protocol (IP) address numbers

16. Biometric identifiers, including finger and voice prints

17. Full face photographic images and any comparable images

18. Any other unique identifying number, characteristic, or code

 

The answer for a post-ACA world

• PHI can only be used for treatment, payment, or health care operations unless patient written consent or federal law allows. Other use may be breach.
• Disclose ‘minimum necessary’ to accomplish the intended purpose. Other use may be breach.
• Have written BA Agreements with contractors and CEs to ensure compliance. Breach to transfer data without.
• HIPAA training for everyone.
• Keep privacy policies/procedures/notices/complaints for 7 years after effective date. 

The answer for a post-ACA world.

• Timely notify of breaches  
• Risk based security/privacy policies/procedures.
• Role Based Access Controls (RBAC)
  • Authorized for that specific data
  • Physical Security

    • Badge

    • No Tailgating!

    • Clean Desk

• Data Security

The answer for a post-ACA world.

• Strong Passwords
• Passwords must be protected as least as well as the data they protect!
• Changed every 90 days
• No dictionary words or easily guessable passwords
• Complexity requires at least one each from
  • Upper Case Letters
  • Lower Case Letters
  • Numbers
  • Special Characters

HIPAA/HITECH

• HHS (Criminal, Civil)
• State Attorneys General (Criminal, Civil)
• Private Right of Action (Civil)

State Data Privacy Laws: Varies!

• State Attorneys General (Criminal, Civil)
• State Agencies (e.g., California Board of Managed Health Care)(Criminal, Civil)
• Private Right of Action (Civil)

Our Clients!

• Breach of Contract

• HIPAA
• Noncompliance (HHS OCR)
  • Civil offense: $100 - $50,000 per violation with caps of $25,000 to 1.5M for all violations of single requirement, in calendar year
• Unauthorized disclosure or misuse of patient information (DOJ)
  • Criminal offense: under false pretenses or intent to sell, transfer, use for personal gain, or malicious harm
  • Fines up to $250,000/sentence up to 10 years
• State Laws
• Breach of Contract
• Company Policy for enterprise and by audit scope

 

• Report a Maestro privacy/security incident/ask a security/compliance/privacy question:
  • Jim Martin, HIPAA Security Officer,
    • Email: [email protected]
    • Phone: 872-215-1767
  • Tony Dillon, HIPAA Privacy Officer
    • Email: [email protected]maestrohealth.com
    • Phone: 847-926-7793
• Report Maestro Lost Laptop:
  • Immediately Call 813-956-8913 and send email to [email protected]

 

Centers for Medicare and Medicaid Services Services (CMS) 

http://www.cms.gov/hipaa/hipaa2/default.asp

US Department of Health and Human Services (HHS) 

http://aspe.os.dhhs.gov/admnsimp

Developer’s Guide to HIPAA Compliance

https://github.com/truevault/hipaa-compliance-developers-guide

Open Web Application Security Project (OWASP)

https://www.owasp.org/index.php/Main_Page

 

 

 

• Common Service Desk
• Maestro Privacy/Security Policies
• Maestro Password Policies
• Maestro Security Incident Response Team
• Maestro SDLC/SSDLC
• Maestro Security “Punchlist”: Required security controls for HIPAA applications
• Data De-identification/Sterilization Standard

 

• Health Insurance Portability and Accountability Act of 199619992000 (HIPAA)
• HIPAA Privacy Rules was published in 201020092000 and effective in 199020032010 
• HIPAA Security Rules was effective in 200520002010 
• American Recovery and Reinvestment Act (ARRA)/HITECH in 201020092001
• State Data Privacy Laws in 505148 states/territories have data privacy laws that protect very similar data
• IRS Regulations for ACAIRSTax