2. HIPAA Background
• 1996. Health Insurance Portability and Accountability Act (HIPAA), Public
Law 104-191.
– Department of Health and Human Services (HHS) adopts national standards for
electronic health care transactions and code sets, unique health identifiers, and security.
• 2009. Health Information Technology for Economic and Clinical Health Act
(HITECH) enacted as part of the American Recovery and Reinvestment Act
of 2009 (ARRA).
• 2010. Patient Protection and Affordable Care Act of 2010 (ACA).
• 2013. HIPAA Omnibus Rule makes changes to existing privacy, security and
breach notification requirements.
3. HIPAA Regulations
• CFR 45 PART 160: General administrative requirements
• CFR 45 PART 162: Administrative requirements
• CFR 45 PART 164: Security and privacy rules
5. Business Associate
• Business Associate includes the partners that may provide
legal, actuarial, accounting, consulting, data aggregation,
management, administration or financial services wherein the
services require the disclosure of individually identifiable
health information.
• A key concern, among many, is that some software vendors
almost certainly will be categorized as Business Associates.
6. Covered Entity & Electronic Media
• Covered Entity means:
– A health plan
– A health care clearinghouse
– A health care provider who transmits any health information in electronic
form in connection with a transaction covered by this subchapter.
• Electronic media means:
– Electronic storage material on which data is or may be recorded electronically.
– Transmission media used to exchange information already in electronic
storage media.
7. Health Care & Health Care Provider & Health Information
• Health care means:
– Care, services, or supplies related to the health of an individual.
• Health care provider means:
– A provider of medical or health services, and any other person or organization
who furnishes, bills, or is paid for health care in the normal course of business.
• Health information means:
– Any information, whether oral or recorded in any form or medium.
8. Individual & Individually Identifiable Health Information & Protected Health Information (PHI)
• Individual means:
– The person who is the subject of protected health information.
• Individually identifiable health information means information that:
– Identifies the individual
– Or with respect to which there is a reasonable basis to believe the information
can be used to identify the individual.
• Protected health information means:
– Individually identifiable health information that is
• Transmitted by electronic media
• Maintained in electronic media
• Transmitted or maintained in any other form or medium
9. PHI Includes One or More of These Identifiers (§164.514(b)(2)(i))
– Names
– Addresses including Zip Codes
– All Dates
– Telephone & Fax Numbers
– Email Addresses
– Social Security Numbers
– Medical Record Numbers
– Health Plan Numbers
– License Numbers
– Vehicle Identification Numbers
– Account Numbers
– Biometric Identifiers
– Full Face Photos
– Any Other Unique Identifying Number, Characteristic, or Code
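The identifier list above is what a data-loss-prevention or de-identification check has to look for before a record leaves a covered entity. The scanner below is an added example, not material from the original deck: it covers only the classes a regular expression can find (SSN, telephone, e-mail, dates, ZIP codes and a medical record number in an assumed "MRN <digits>" format), reports which classes a record contains, and tags them out so the text can be shared. Names, biometric identifiers and photos are not detectable this way. The patterns and the sample records are constructed.

```python
"""Safe-harbor identifier scanner.

Added example (not from the original deck): scans free-text records for the
identifier classes from the list above that a regular expression can find and
reports which classes are present, so a record can be flagged as PHI before it
is shared or exported.  Names, biometrics and photos cannot be found this way.
Patterns and sample records are constructed.
"""
import re

# One pattern per identifier class covered here (constructed, illustrative).
IDENTIFIER_PATTERNS = {
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone_number": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # The list treats every date as an identifier, so any common date form counts.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Assumed local MRN format: an "MRN" label followed by six or more digits.
    "medical_record_number": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
}


def find_identifiers(text):
    """Return {identifier_class: [matches]} for every class found in text."""
    found = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[name] = matches
    return found


def is_phi(text):
    """Under the list above, a single identifier is enough to make the record PHI."""
    return bool(find_identifiers(text))


def redact(text):
    """Replace each detected identifier with its class tag so the text can be shared."""
    for name, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub("[" + name.upper() + "]", text)
    return text


# Constructed sample records, not real patient data.
SAMPLE_RECORDS = [
    "Pt seen 03/14/2021, MRN 00123456, callback (617) 555-0142, ZIP 02114.",
    "Follow-up note: BP stable, continue current medication, recheck in 6 weeks.",
    "Contact jane.doe@example.com, SSN 123-45-6789 on file.",
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(is_phi(record), sorted(find_identifiers(record)), redact(record))
```

The second sample record contains clinical content but no identifier, so it is not flagged; the other two are flagged on several classes each. In practice the MRN pattern has to be fitted to the local record-number format, and the free-text name problem is usually handled with a dictionary or an NLP model rather than a regex.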
10. Use and Disclosure of PHI
• Use of PHI refers to how PHI is internally accessed, shared and
utilized by the covered entity that maintains such information.
• Disclosure of PHI refers to how PHI is shared with individuals
or entities externally.
11. Notice of Privacy Practices (NPP)
• Notice of Privacy Practices means:
– Providers and Health Plans must have a Notice of Privacy Practices (NPP)
• It provides a detailed description of the various uses and disclosures of PHI that are
permissible without obtaining a patient’s authorization.
– In general, anytime you release patient information for a reason unrelated to
treatment, payment (e.g., billing) or healthcare operations (TPO), an
authorization is required.
12. Treatment, Payment and Operations (TPO)
• Treatment: Various activities related to patient care.
• Payment: Various activities related to paying for or getting
paid for health care services.
• Health Care Operations: Generally refers to day-to-day
activities of a covered entity, such as planning, management,
training, improving quality, providing services, and education.
• NOTE:
– Research is not considered TPO.
– Written patient authorization is required to access PHI for research unless
authorization waiver is approved by the Institutional Review Board (IRB).
14. General Rule (§164.306)
• General requirements:
– Ensure the confidentiality, integrity, and availability of all its ePHI.
– Protect against any reasonably anticipated threats or hazards of its ePHI.
– Protect against any reasonably anticipated uses or disclosures of ePHI not
permitted.
• Implementation specifications.
– Required specifications must be implemented.
– Addressable specifications must be assessed and implemented as specified if
reasonable and appropriate to the Covered Entity.
• Maintenance.
15. Administrative Safeguards (§164.308(a))
– Security management process
– Assigned security responsibility
– Workforce security
– Information access management
– Security awareness and training
– Security incident procedures
– Contingency plan
– Evaluation
16. Physical Safeguards (§164.310)
• Facility access controls.
• Workstation use.
• Workstation security.
• Device and media controls.
17. Policies and Procedures and Documentation Requirements (§164.316(b)(2))
• Time limit.
– Retain the documentation required for 6 years from the date of its
creation or the date when it last was in effect, whichever is later.
• Availability
• Updates
20. Required/Addressable Specifications of Security Standards
Standard | Specification | Section
Security Management Process | Risk Analysis | 164.308(a)(1)(ii)(A)
Security Management Process | Risk Management | 164.308(a)(1)(ii)(B)
Security Management Process | Sanction Policy | 164.308(a)(1)(ii)(C)
Security Management Process | Information System Activity Review | 164.308(a)(1)(ii)(D)
Assigned Security Responsibility | Assigned Security Responsibility | 164.308(a)(2)
Workforce Security | Authorization and/or Supervision | 164.308(a)(3)(ii)(A)
Workforce Security | Workforce Clearance Procedure | 164.308(a)(3)(ii)(B)
Workforce Security | Termination Procedures | 164.308(a)(3)(ii)(C)
Information Access Management | Isolating Health Care Clearinghouse Function | 164.308(a)(4)(ii)(A)
Information Access Management | Access Authorization | 164.308(a)(4)(ii)(B)
Information Access Management | Access Establishment and Modification | 164.308(a)(4)(ii)(C)
Security Awareness and Training | Security Reminders | 164.308(a)(5)(ii)(A)
Security Awareness and Training | Log-in Monitoring | 164.308(a)(5)(ii)(B)
Security Awareness and Training | Protection from Malicious Software | 164.308(a)(5)(ii)(C)
Security Awareness and Training | Password Management | 164.308(a)(5)(ii)(D)
Security Incident Procedures | Response and Reporting | 164.308(a)(6)
Contingency Plan | Data Backup Plan | 164.308(a)(7)(ii)(A)
Contingency Plan | Disaster Recovery Plan | 164.308(a)(7)(ii)(B)
Contingency Plan | Emergency Mode Operation Plan | 164.308(a)(7)(ii)(C)
Contingency Plan | Testing and Revision Procedure | 164.308(a)(7)(ii)(D)
Contingency Plan | Applications and Data Criticality Analysis | 164.308(a)(7)(ii)(E)
Evaluation | Evaluation | 164.308(a)(8)
Business Associate Contracts and Other Arrangement | Written Contract or Other Arrangement | 164.308(b)(3)
21. Required/Addressable Specifications of Security Standards
Standard | Specification | Section
Facility Access Control | Contingency Operations | 164.310(a)(2)(i)
Facility Access Control | Facility Security Plan | 164.310(a)(2)(ii)
Facility Access Control | Access Control and Validation Procedures | 164.310(a)(2)(iii)
Facility Access Control | Maintenance Records | 164.310(a)(2)(iv)
Workstation Use | Workstation Use | 164.310(b)
Workstation Security | Workstation Security | 164.310(c)
Device and Media Control | Disposal | 164.310(d)(2)(i)
Device and Media Control | Media Re-use | 164.310(d)(1)(2)(ii)
Device and Media Control | Accountability | 164.310(d)(2)(iii)
Device and Media Control | Data Backup and Storage | 164.310(d)(2)(iv)
Access Control | Unique User Identification | 164.312(a)(2)(i)
Access Control | Emergency Access Procedure | 164.312(a)(2)(ii)
Access Control | Automatic Logoff | 164.312(a)(2)(iii)
Access Control | Encryption and Decryption | 164.312(a)(2)(iv)
Audit Controls | Audit Controls | 164.312(b)
Integrity | Mechanism to Authenticate Electronic Protected Health Information | 164.312(c)(1)
Person or Entity Authentication | Person or Entity Authentication | 164.312(d)
Transmission Security | Integrity Controls | 164.312(e)(2)(i)
Transmission Security | Encryption | 164.312(e)(2)(ii)
Documentation | Time Limit | 164.316(b)(2)(i)
Documentation | Availability | 164.316(b)(2)(ii)
Documentation | Update | 164.316(b)(2)(iii)
22. Minimum Necessary Rule (§164.502(b))
• Generally, the amount of PHI used, shared, accessed or
requested must be limited to only what is needed.
• Workers should access or use only the PHI necessary to carry
out their job responsibilities.
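The Information System Activity Review, Log-in Monitoring, Unique User Identification and Audit Controls entries in the tables above, together with the minimum necessary rule, all come down to the same operational task: keep an audit trail keyed by unique user ID and review it for access that the user's duties do not require. The review below is an added example, not material from the original deck. It runs over a constructed audit log and flags (1) successful views of a patient record by a user who is not on that patient's care team, and (2) users whose failed log-in count reaches a threshold. The log format, the care-team table and the threshold are constructed assumptions.

```python
"""Information system activity review over audit records.

Added example (not from the original deck): a minimal review of the kind the
Security Management Process, Log-in Monitoring and Audit Controls entries call
for.  It flags successful record access by a user who is not on that patient's
care team (the audit-side check for the minimum necessary rule) and users with
repeated failed log-ins.  Log format, care-team table and threshold are
constructed assumptions.
"""
from collections import Counter

# Constructed audit records: (timestamp, user, action, patient_id, outcome).
# Every entry carries a unique user ID, as the Access Control standard requires.
AUDIT_LOG = [
    ("2021-03-14T08:01", "nurse01", "login", None, "success"),
    ("2021-03-14T08:05", "nurse01", "view", "P100", "success"),
    ("2021-03-14T08:07", "nurse01", "view", "P200", "success"),  # not on P200's team
    ("2021-03-14T09:00", "clerk02", "login", None, "failure"),
    ("2021-03-14T09:01", "clerk02", "login", None, "failure"),
    ("2021-03-14T09:02", "clerk02", "login", None, "failure"),
    ("2021-03-14T09:03", "clerk02", "login", None, "failure"),
    ("2021-03-14T10:00", "dr03", "view", "P200", "success"),
]

# Constructed care-team assignments: the users whose duties need each record.
CARE_TEAM = {"P100": {"nurse01", "dr03"}, "P200": {"dr03"}}

# Assumed threshold at which repeated failures are escalated for review.
FAILED_LOGIN_THRESHOLD = 3


def out_of_team_access(log, care_team):
    """Successful accesses to patient records by users outside the care team."""
    return [
        (ts, user, patient)
        for ts, user, action, patient, outcome in log
        if patient is not None
        and outcome == "success"
        and user not in care_team.get(patient, set())
    ]


def repeated_failed_logins(log, threshold=FAILED_LOGIN_THRESHOLD):
    """Users whose failed log-in count reaches the threshold, with the count."""
    failures = Counter(
        user
        for _, user, action, _, outcome in log
        if action == "login" and outcome == "failure"
    )
    return {user: n for user, n in failures.items() if n >= threshold}


def run_review(log, care_team, threshold=FAILED_LOGIN_THRESHOLD):
    """Combine both checks into a list of (finding_type, detail) for the reviewer."""
    findings = [("out_of_team_access", item) for item in out_of_team_access(log, care_team)]
    findings += [
        ("repeated_failed_logins", item)
        for item in repeated_failed_logins(log, threshold).items()
    ]
    return findings


if __name__ == "__main__":
    for finding in run_review(AUDIT_LOG, CARE_TEAM):
        print(*finding)
```

Each finding is a lead for the reviewer, not a verdict: the nurse's view of P200 may be a legitimate float assignment the care-team table does not reflect, and the clerk may have mistyped a password. The point of the review step is that the audit trail and the unique user IDs make the question answerable at all.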
23. Authorization (§164.508)
• A covered entity may not use or disclose protected health
information for reasons generally not related to treatment,
payment or healthcare operations without an authorization.
• The Authorization must include:
– A detailed description of the PHI to be disclosed, who will make the disclosure,
to whom the disclosure will be made, expiration date, the purpose of the
disclosure, and signature.
– The individual's right to revoke, the ability or inability to condition usage, and
the potential for information disclosed.
24. Types of Disclosures
• No Authorization Required (§ 164.512)
• Authorization Required, but Must Give Opportunity to Object
(§ 164.510)
• Authorization Required (§ 164.508)
25. Uses and Disclosures for Which An Authorization or Opportunity to Agree or Object Is Not Required
• To disclose PHI to the patient (§ 164.502)
• To use or disclose PHI for treatment, payment or healthcare
operations. (§ 164.502)
• Certain disclosures required by law (for example, public health
reporting of diseases, child abuse/neglect cases, etc.)
(§ 164.512(a)-(l))
26. Uses and Disclosures for Which An Authorization Is Required
• A covered entity may not use or disclose protected health
information without an authorization. (§ 164.508(a)(1))
• To access, use or disclose PHI for research (§ 164.512(i)(1)(i))
• For marketing activities and sale of PHI (§ 164.508(a)(3))
27. Uses and Disclosures Requiring An Opportunity for The Individual to Agree or to Object
• The Patient must be offered an opportunity to object before
discussing PHI with a patient’s family or friends.
(§ 164.510(b)(1)(i))
• Limited PHI (e.g., patient’s hospital room/location number) is
included in the “Hospital Directory” but patients are offered
an “Opt Out” opportunity and certain disclosures to clergy
members. (§ 164.510(b)(3))
• Exception: Emergency circumstances (§ 164.510(a)(3))
28. Breach (§164.402(b))
• Breach means the acquisition, access, use, or disclosure of
protected health information in a manner not permitted
under privacy rules.
• Amount of a civil money penalty.
– In the amount of less than $100 or more than $50,000 for each violation
– In excess of $1,500,000 for identical violations during a calendar year
• Criminal Liability
– Offenses committed with the intent to sell, transfer, or use individually
identifiable health information for commercial advantage, personal gain or
malicious harm permit fines of $250,000 and imprisonment for up to ten
years.
29. Companies & Fines
Entity Fined | Fine | Violation
CIGNET (Feb, 2011) | $4,300,000 | Online database application error.
Alaska Department of Health and Human Services (June, 2012) | $1,700,000 | Unencrypted USB hard drive stolen; poor policies and risk analysis.
WellPoint (Sep, 2012) | $1,700,000 | Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database; failed to conduct a technical evaluation in response to a software upgrade.
Blue Cross Blue Shield of Tennessee (Mar, 2012) | $1,500,000 | 57 unencrypted hard drives stolen.
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (Sep, 2012) | $1,500,000 | Unencrypted laptop stolen; poor risk analysis and policies.
Affinity Health Plan (Aug, 2013) | $1,215,780 | Returned photocopiers without erasing the hard drives.
South Shore Hospital (May, 2012) | $750,000 | Backup tapes went missing on the way to a contractor.
Idaho State University (May, 2013) | $400,000 | Breach of unsecured ePHI.