What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act.
HIPAA was passed by Congress in 1996.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule was published in 2000 and became effective in 2003.
The HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information.
The HIPAA Privacy Rule applies to
- Health plans
- Health care clearinghouses
- Health care providers that conduct certain health care transactions electronically
What is the HIPAA Security Rule?
The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.
Why do these HIPAA laws and regulations exist?
Before HIPAA
- Health records processing was a nightmare
- No standards for electronic data handling
- No agreement between medical providers/insurers
- No consistent security requirements on handling
- Very expensive and time consuming to process paper documents
- No consistent breach reporting
- Lack of controls on fraud
- No insurance portability
- Group Health Plan Requirements not set out well
- Health care administrative overhead estimated at 26 cents of every healthcare dollar
Other laws and regulations
- The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
- State Data Privacy Laws
- 48 states/territories have data privacy laws that protect very similar data
- IRS Regulations for ACA
- Every single client contract
What are covered entities?
We call the entities that must follow the HIPAA regulations "covered entities."
Covered Entities (CE) include:
- Health Plans—including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
- Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Who is covered?
HIPAA/ARRA
- Covered Entities (CE)
- Health care providers who transmit protected health information (PHI) electronically
- Health plans & health care clearinghouses
- Business Associates (BA)
- Someone who performs functions or services for a CE and accesses protected health information.
- A subcontractor that creates, receives, maintains, or transmits PHI for another BA.
State Data Privacy
Varies!
What is PHI?
Individually-identifiable health information created or received by a covered entity, that relates to the past, present, or future physical or mental health condition, the delivery of health care or payment for health care.
- Health Information: Created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, PLUS
- Past, present, or future physical or mental health condition, the delivery of health care or payment for health care, PLUS
- Individually identifiable health information includes many common identifiers such as name, address, birth date, social security number
HIPAA Individually Identifiable Information
The 18 Points You Need to Know
1. Names
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census:
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code
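As an added example (not from this training deck and not Maestro's own standard), the routine below applies the list above Safe Harbor style: it drops the direct identifiers outright, truncates ZIP codes to three digits (item 2), and reduces dates to the year while collapsing ages over 89 into a single "90+" category (item 3). The record field names and the set of small-population ZIP prefixes are assumptions for the example.

```python
import re
from datetime import date

# Constructed placeholder: three-digit ZIP prefixes assumed to cover 20,000
# people or fewer. Real use needs current Census figures, not this set.
SMALL_ZIP3_AREAS = {"036", "059", "102"}

# Direct identifiers removed outright (items 1 and 4-18, plus the sub-ZIP
# geography of item 2). The field names are assumptions for this example.
DROP_FIELDS = {"name", "street", "city", "county", "phone", "fax", "email",
               "ssn", "mrn", "plan_id", "account", "license", "vehicle",
               "device_id", "url", "ip", "biometric", "photo", "other_id"}

def generalize_zip(zip_code):
    """Item 2: keep the first three digits, or 000 for small census areas."""
    m = re.fullmatch(r"(\d{3})\d{2}(?:-\d{4})?", zip_code or "")
    if not m:
        return None
    return "000" if m.group(1) in SMALL_ZIP3_AREAS else m.group(1)

def age_on(birth, as_of):
    """Whole years of age on the as_of date."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday

def deidentify(record, as_of_iso):
    """Apply the Safe Harbor rules to one record; dates are ISO strings."""
    as_of, out = date.fromisoformat(as_of_iso), {}
    for key, value in record.items():
        if key in DROP_FIELDS or value is None:
            continue
        if key == "zip":
            zip3 = generalize_zip(value)
            if zip3:
                out["zip3"] = zip3
        elif key == "birth_date":
            age = age_on(date.fromisoformat(value), as_of)
            if age > 89:             # item 3: no year that reveals age over 89
                out["age"] = "90+"
            else:
                out["age"], out["birth_year"] = age, int(value[:4])
        elif key.endswith("_date"):  # admission, discharge, death dates
            out[key[:-5] + "_year"] = int(value[:4])
        else:
            out[key] = value         # non-identifying fields stay
    return out
```

Anything the rules do not explicitly generalize is passed through unchanged, so a real pipeline would still need a review of free-text fields against item 18.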
What is Required 1
The answer for a post-ACA world
- PHI can only be used for treatment, payment, or health care operations unless the patient's written consent or federal law allows otherwise. Any other use may be a breach.
- Disclose the ‘minimum necessary’ to accomplish the intended purpose. Any other use may be a breach.
- Have written BA Agreements with contractors and CEs to ensure compliance. Transferring data without one is a breach.
- HIPAA training for everyone.
- Keep privacy policies/procedures/notices/complaints for 7 years after effective date.
What is Required 2
The answer for a post-ACA world.
- Timely notify of breaches
- Risk based security/privacy policies/procedures.
- Role Based Access Controls (RBAC)
- Authorized for that specific data
- Physical Security
- Badge
- No Tailgating!
- Clean Desk
- Data Security
What is Required 3
The answer for a post-ACA world.
- Strong Passwords
- Passwords must be protected at least as well as the data they protect!
- Changed every 90 days
- No dictionary words or easily guessable passwords
- Complexity requires at least one each from
- Upper Case Letters
- Lower Case Letters
- Numbers
- Special Characters
Who enforces these requirements?
HIPAA/HITECH
- HHS (Criminal, Civil)
- State Attorneys General (Criminal, Civil)
- Private Right of Action (Civil)
State Data Privacy Laws: Varies!
- State Attorneys General (Criminal, Civil)
- State Agencies (e.g., California Board of Managed Health Care) (Criminal, Civil)
- Private Right of Action (Civil)
Our Clients!
- Breach of Contract
What happens if I don't comply?
- HIPAA
- Noncompliance (HHS OCR)
- Civil offense: $100 - $50,000 per violation, with caps of $25,000 to $1.5M for all violations of a single requirement in a calendar year
- Unauthorized disclosure or misuse of patient information (DOJ)
- Criminal offense: under false pretenses or intent to sell, transfer, use for personal gain, or malicious harm
- Fines up to $250,000/sentence up to 10 years
- State Laws
- Breach of Contract
- Company Policy for enterprise and by audit scope
How do I...
- Report a Maestro privacy/security incident/ask a security/compliance/privacy question:
- Jim Martin, HIPAA Security Officer,
- Email: [email protected]
- Phone: 872-215-1767
- Tony Dillon, HIPAA Privacy Officer
- Email: [email protected]maestrohealth.com
- Phone: 847-926-7793
- Report Maestro Lost Laptop:
- Immediately Call 813-956-8913 and send email to [email protected]
Resources
Centers for Medicare and Medicaid Services (CMS)
http://www.cms.gov/hipaa/hipaa2/default.asp
US Department of Health and Human Services (HHS)
http://aspe.os.dhhs.gov/admnsimp
Developer’s Guide to HIPAA Compliance
https://github.com/truevault/hipaa-compliance-developers-guide
Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Main_Page
What's in the works?
- Common Service Desk
- Maestro Privacy/Security Policies
- Maestro Password Policies
- Maestro Security Incident Response Team
- Maestro SDLC/SSDLC
- Maestro Security “Punchlist”: Required security controls for HIPAA applications
- Data De-identification/Sterilization Standard