Most medical practices are aware of the HIPAA HITECH requirements that affect their organizations, and the fines that they face if they are not compliant in the ways they handle patient health information (PHI).
What many professionals don’t know is that HIPAA HITECH regulations also hold business associates (i.e., other professionals from other companies who could also have access to PHI) just as responsible for protecting the data as the medical practices that own that information.
3. PRESENTER
Brian Rosenfelt, CPA
Skoda Minotti Risk Advisory Services
• Former controller, CFO and operations executive in a variety of industries
• Served as business process engineer with Kaiser Permanente
• Leads Skoda Minotti’s HIPAA consulting practice
• Deep understanding of accounting, technology and compliance
5. WHAT IS HIPAA?
• HIPAA: Health Insurance Portability & Accountability Act
• Signed into law in 1996
• Federal law protecting the privacy of Protected Health Information (PHI)
• The overall purpose is to ensure the security and privacy of individual health information
6. HIPAA HITECH ACT OF 2009
Origins
• Prior to 2009, HIPAA regulations were not being enforced consistently (if at all)
• New act was meant to:
  – Strengthen controls and oversight of PHI
  – Improve breach notification requirements
  – Expand the definition of covered entities and business associates
• Built on the heels of providing incentives for doctors and hospitals to implement Electronic Medical Record (EMR) systems
8. PROTECTED HEALTH INFORMATION (PHI)
What is PHI?
• Oral or written information created by a healthcare provider or other entity that relates to someone’s health or condition, healthcare received, or healthcare payment
• Unsecured PHI is data that is not encrypted
Examples of PHI
• Medical information and records
• Billing information and records
• Medical insurance forms
• Lab results
9. COVERED ENTITY VS. BUSINESS ASSOCIATE
Covered Entities
• Health Care Provider (dentist, doctor, nursing home, pharmacy)
• Health Plan (HMO, company health plan, health insurance companies)
• Health Care Clearinghouse
10. COVERED ENTITY VS. BUSINESS ASSOCIATE
Business Associates
• Attorneys
• Accountants
• Consultants
• Third Party Administrator (claims processing, etc.)
• Anyone who does, or could come into contact with PHI
• Others
  – Document shredding company
  – Cleaning company
  – Software company
Business associates can be anyone with access to or potential access to health information.
12. PRIVACY RULE
• Applies to use and disclosure of PHI
• Reason for HIPAA language and forms you sign at your doctor’s office
• Requires patient authorization for certain disclosures (release of medical information to employer, relative, etc.)
• Disclosure permitted for treatment and/or payment purposes
13. SECURITY RULE
• Applies to the securing of ePHI (electronic protected health information)
• Requires implementation of three types of safeguards:
  – Administrative (policies and procedures)
  – Physical (access to server room, access to patient paper records)
  – Technical (email encryption, password policies, technical auditing)
14. BREACH NOTIFICATION RULE
• Risk of Harm evaluation (old rule)
• Risk Assessment and “Low Probability” (new rule)
• What should the Risk Assessment look for?
  – Type of PHI compromised
  – Who compromised the PHI
  – Was the PHI actually viewed
  – How was the breach/violation mitigated
15. A LONG TIME COMING …
• Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted on February 17, 2009
• Proposed Regulations: July 14, 2010
• Final “Omnibus” HIPAA Regulations: January 25, 2013
  – Effective Date: March 26, 2013
  – Compliance Date: September 23, 2013
• Copy of final regulations: http://1.usa.gov/Wl60lE (138 pages)
16. MAJOR CHANGES WITH THE NEW RULES
Business Associate Liability Increased
• Business Associates are now covered DIRECTLY under HIPAA (same rules and regulations as Covered Entities)
• Security and privacy rules now apply to Business Associates
• Information can only be used per contract language
• Penalties now apply to Business Associates
• Business Associates are now responsible for sub-Business Associates
18. KEY CHANGES DUE TO HIPAA HITECH
Breach Notification Rules
• Requires Covered Entities and Business Associates to provide notification following a breach of unsecured PHI
• Similar breach notification rules for vendors of personal health records and their 3rd party service providers
• Covered Entities must notify affected individuals within 60 calendar days of the discovery
• If the breach affects more than 500 individuals, the media and Department of Health and Human Services must be notified
• Business Associates are obligated to report breaches to the Covered Entity
19. KEY CHANGES DUE TO HIPAA HITECH
Business Associate Responsibilities
• Must implement applicable privacy provisions
• Must implement all of the HITECH security provisions
• Now subject to the same civil and criminal penalties as Covered Entities
• Contracts between Covered Entities and Business Associates must be amended to include new HITECH provisions
20. HIPAA COMPLIANCE & ENFORCEMENT
Original Rule
• U.S. Department of Health & Human Services regulates and enforces HIPAA through its Office of Civil Rights (OCR)
• Civil penalties: Fines start at $100 and can increase up to $25,000
• Criminal penalties: Could include up to 10 years in prison and $250,000
HIPAA HITECH ACT of 2009
• State Attorneys General can also bring civil action in federal court if the interest of residents has been threatened or affected by a HIPAA violation
21. HIPAA COMPLIANCE & ENFORCEMENT
Potential Civil Penalties (Section 1176(a)(1))
Violation Category | Each Violation | All such violations of an identical provision in a calendar year
(A) Did not know | $100-$50,000 | Up to $1,500,000
(B) Reasonable cause | $1,000-$50,000 | Up to $1,500,000
(C)(i) Willful neglect – Corrected | $10,000-$50,000 | Up to $1,500,000
(C)(ii) Willful neglect – Not Corrected | $50,000 or more | Up to $1,500,000
SUMMARY: Fines are mandatory when failure to have training and reasonable procedures on proper disposal is discovered. HHS goes on to say that had they found proper training in the same case, the same incident would not have been deemed a case of willful neglect.
22. HIPAA COMPLIANCE & ENFORCEMENT
Potential Criminal Penalties
Type of Violation | Potential Jail Sentence
Unknowingly, or with reasonable cause | Up to one year
Under false pretenses | Up to five years
For personal gain or malicious reasons | Up to ten years
23. HIPAA COMPLIANCE & ENFORCEMENT
Consequences
• October 26, 2009: (Little Rock, Arkansas) sentencing of three healthcare workers who pled guilty to misdemeanor HIPAA violations based on accessing patient records without any reason
• April 27, 2010: (California) press release entitled “Ex-UCLA Healthcare Employee Sentenced to Federal Prison for Illegally Peeking at Patient Records” – first person to be convicted and imprisoned for HIPAA offenses based only on unauthorized access of PHI
24. HIPAA COMPLIANCE & ENFORCEMENT
Consequences
• January 9, 2012: Minnesota Attorney General brought action against Accretive Health, Inc. (a business associate, NOT a covered entity), in the wake of the theft of a company laptop computer that contained over 23,500 patient records
• April 17, 2012: Phoenix Cardiac Surgery, P.C. agreed to pay $100,000 and take corrective action after they were found to have posted a patient appointment calendar online
25. HOW TO GET COMPLIANT
Begin with a thorough RISK ASSESSMENT
• Essential component of HIPAA compliance
• Can help your organization identify its most critical areas of vulnerability
• The Risk Assessment will form the basis of determining how risks should be managed and/or minimized
• This is a necessary strategy to identify potential gaps in your security environment (physical and electronic)
• Required by HIPAA
26. HOW TO GET COMPLIANT
• Risk exposure decreases significantly when an organization knows where its PHI is stored and what procedures are in place to access it
• A complete risk assessment examines four critical areas:
  – Process
  – Governance
  – People
  – Technology
27. UPDATING POLICIES & PROCEDURES
• Assess the current policies and procedures (if they exist)
  – Breach notification requirements
  – Incident management procedures
  – Training requirements and procedures
• Prior to HITECH, Business Associates did not need to produce documentation
28. UPDATING POLICIES & PROCEDURES
• Update documentation – address high risk areas first
• A strong disciplinary policy is a necessity
  – Training without enforcement is of little value
  – Establish consequences for violation of HIPAA security policies
  – Take strong action against employees who violate policies and procedures (especially those that relate to security policies)
29. UPDATING POLICIES & PROCEDURES
• Training on policies and procedures is critical
  – Train based on the highest risk area according to your assessment
  – Regular, ongoing training for the entire workforce (no exceptions) is a must
  – Training focus on remote access and removable media is important (movement of ePHI)
30. UPDATING POLICIES & PROCEDURES
• Require all those with remote access or who use portable media of any type to sign an attestation stating they:
  – Received the education
  – Agree to abide by the policies of the organization
  – Understand the risk to ePHI inherent in electronic use
  – Know the degree of discipline they face for violating the policies
31. UPDATING POLICIES & PROCEDURES
• HIPAA requires documentation to be retained for six years
• The organization must be able to show that the documentation was available to the persons responsible for implementing the procedure
• A procedure is required for reviewing documentation and ensuring it remains up-to-date
• Evidence of employee training and an acknowledgement of policies and procedures are also required
32. INVOLVE EVERYONE
• Interview department directors to understand their risk concerns and controls in place
• Including them in the HIPAA security processes helps to ensure they will be educated and “on-board” with the controls you recommend
• People are the most important component of an effective security program
33. QUESTIONS?
For additional information about Skoda Minotti’s HIPAA consulting and compliance services, contact us at:
Brian Rosenfelt, CPA
Skoda Minotti Technology Partners
brosenfelt@skodaminotti.com
(440) 449-6800
Website: www.skodaminotti.com
Other Services:
• Audit
• Tax
• IT Consulting
• Phone Systems
• Marketing
• Investments
• Security