Health Insurance Portability & Accountability Act (HIPAA) part 3

From Aaushi

Introduction

HIPAA (cont)

A Covered Entity must designate a privacy official, called the HIPAA Privacy Officer

  • must be an individual - not a board or committee
  • skill sets
    • knowledge & experience of information privacy laws & HIPAA
    • should have a basic understanding of information technology
    • should have some sensitivity to public relations
  • covered entity must designate a contact person to receive privacy complaints if they arise
    • the privacy officer may also be the contact person
  • (a covered entity is one that conducts certain healthcare business transactions in electronic form)

Duties of HIPAA Privacy Officer

  • performs initial & ongoing information privacy risk assessments
  • conducts compliance monitoring activities
  • ensures & maintains:
    • appropriate privacy consent & authorization forms are used
    • appropriate notices and materials are used for:
      • organization practices
      • legal practices & requirements
  • ensures, maintains, & monitors business associate agreements
  • establishes, manages, & monitors a tracking system so that qualified individuals can review or receive an accounting of disclosures of their PHI, as required by HIPAA

The Privacy Officer oversees, ensures, tracks & manages education & training in a covered entity

  • initial privacy & security awareness training
  • ongoing privacy & security training program
    • change management training (if appropriate)
  • the privacy officer is accountable for training:
    • employees
    • volunteers
    • medical & professional staff
    • contractors (if appropriate)
    • alliances (if appropriate)
    • business associates (if appropriate)
    • all new employees

The HIPAA Privacy Officer

  • establishes & manages the process for complaints
    • receiving complaints
    • documenting complaints
    • tracking complaints
    • investigating complaints
    • acting on complaints
  • manages & ensures compliance
  • deals with sanctions for non-compliance & violations
  • establishes, promotes, & maintains activities to foster privacy & security awareness
  • monitors & reviews all information system-related security plans to ensure alignment with HIPAA

Responsibilities:

  • the privacy officer is the 'knowledge officer' for:
    • applicable federal & state privacy laws
    • accreditation standards
    • industry 'best practices'.
  • the privacy officer accepts responsibility for the entity's privacy plans, policies, & overall compliance with HIPAA & other applicable laws

The Security Rule

  • defines & regulates 'ePHI' (Electronic Protected Health Information), i.e. PHI in electronic form
  • covers all electronic, individually identifiable health information that is created, received, transmitted, or stored by a HIPAA covered entity
  • covers administrative operations, financial healthcare transactions, & internal transactions
  • regulates only ePHI, whereas the privacy rule covers PHI in every form (paper, oral, & electronic)
  • applies to all covered entities covered by HIPAA's privacy rule
  • covers nearly every electronic device in a covered entity's facilities that can transmit, receive, store, process, display, or print PHI
  • purposes
    • protects systems & data from unauthorized access & misuse
  • encompasses
    • nearly everything in a covered entity's facility, including
      • information systems (hardware, software)
      • personnel policies
      • information practice policies
      • disaster preparedness

Electronic PHI (ePHI) is increasingly at risk

  • the age of 'point & click' hacking is here.
    • formerly:
      • expert hackers - the 'old days' (Unix machines)
      • to 'script kiddies' - less knowledge required
      • to 'click kiddies' - no knowledge required
  • vast & growing base of Windows PCs
  • universal dependence of society on computers
  • universal connectedness of computer systems
  • proliferation of hacker websites, newsgroups, & IRC channels

Risk for abuse of PHI (reported losses in 2005, in millions of dollars)

  • virus = 42
  • unauthorized access = 31
  • denial of service = 7.9
  • insider net abuse = 6.8
  • laptop theft = 4.1
  • financial fraud = 2.5
  • misuse of public web application = 2.2
  • system penetration = 0.8
  • abuse of wireless network = 0.5
  • sabotage = 0.3
  • telecom fraud = 0.2
  • website defacement = 0.1

HIPAA's Security Rule contains 36 specifications for implementing specific security standards (2 kinds)

  • 'required' standards (14 Specs)
    • essential & must be implemented
  • 'addressable' standards (22 Specs) - offers 3 choices
    • if 'reasonable & appropriate' (R&A), the specification must be implemented
    • if not R&A, then the Covered Entity must
      • document why, &
      • implement an equivalent alternative measure that accomplishes the same purpose
    • if not R&A, & the Standard can be met without an alternative measure, then the covered entity must
      • document that decision, &
      • document why the specification is not R&A, &
      • document how the standard is being met
    • 'addressable' never means 'optional': every addressable specification ends in an implementation, an equivalent alternative, or a documented rationale

HIPAA Security Standards: administrative, physical, & technical standards

(the category names below follow the wording of the 1998 proposed Security Rule; the final 2003 rule groups the same material as administrative, physical, & technical safeguards)

  • administrative procedures
    • certification review
    • chain of trust agreement
    • policies & procedures
    • access authorization
    • proactive internal audit
    • personnel authorization
    • security management process
    • termination process
    • training
  • physical safeguards
    • assigned responsibility
    • media controls: hardware/software
    • access controls
    • workstation policies & secure workstations
    • training
  • technical mechanisms
    • access controls
    • audit controls
    • authorization controls
    • use & disclosure
    • data authentication (integrity of ePHI)
    • entity authentication (verifying who or what is requesting access)
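The four technical mechanisms above are easier to reason about when they are seen as concrete checks in code. The following is an added example, not code from the original page or from any HIPAA guidance: a toy ePHI record store in which every request must carry a session token (entity authentication), each role may only see the fields it needs (access control / minimum necessary), every attempt is written to an audit log whether allowed or denied (audit controls), and each stored record carries an HMAC so that tampering with the stored payload is detected on read (data authentication). The users, roles, record contents, and the integrity key are all constructed for the example.

```python
"""Added example: a toy ePHI store mapping the Security Rule's technical
mechanisms to concrete checks. Users, roles, records and keys are constructed.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Role -> fields that role may see ("minimum necessary"); hypothetical roles.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "insurer"},
    "billing": {"name", "dob", "insurer"},
}
WRITE_ROLES = {"clinician"}


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


class EPHIStore:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key  # HMAC key; in practice kept in a KMS/HSM
        self._records = {}         # record_id -> (payload bytes, HMAC tag)
        self._sessions = {}        # token -> (user_id, role)
        self.audit_log = []        # audit controls: one entry per attempt

    # Entity authentication: a random session token stands in for a real login.
    def login(self, user_id: str, role: str) -> str:
        token = secrets.token_hex(16)
        self._sessions[token] = (user_id, role)
        return token

    def _audit(self, user, action, record_id, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "record": record_id, "outcome": outcome,
        })

    def _session(self, token, action, record_id):
        sess = self._sessions.get(token)
        if sess is None:
            self._audit("<unauthenticated>", action, record_id, "denied")
            raise AccessDenied("invalid or expired session")
        return sess

    # Data authentication: the tag binds the payload to its record id, so a
    # valid record cannot be copied over another record's slot undetected.
    def _tag(self, record_id: str, payload: bytes) -> bytes:
        msg = record_id.encode() + b"\x00" + payload
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def store(self, token, record_id, record: dict):
        user, role = self._session(token, "store", record_id)
        if role not in WRITE_ROLES:
            self._audit(user, "store", record_id, "denied")
            raise AccessDenied(f"role {role!r} may not write ePHI")
        payload = json.dumps(record, sort_keys=True).encode()
        self._records[record_id] = (payload, self._tag(record_id, payload))
        self._audit(user, "store", record_id, "allowed")

    def read(self, token, record_id) -> dict:
        user, role = self._session(token, "read", record_id)
        allowed = ROLE_FIELDS.get(role)
        if not allowed:
            self._audit(user, "read", record_id, "denied")
            raise AccessDenied(f"role {role!r} may not read ePHI")
        payload, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, payload)):
            self._audit(user, "read", record_id, "integrity-failure")
            raise IntegrityError(f"record {record_id} failed integrity check")
        self._audit(user, "read", record_id, "allowed")
        record = json.loads(payload)
        return {k: v for k, v in record.items() if k in allowed}

    # Simulates an attacker editing the stored payload behind the application's back.
    def tamper(self, record_id, field, value):
        payload, tag = self._records[record_id]
        rec = json.loads(payload)
        rec[field] = value
        self._records[record_id] = (json.dumps(rec, sort_keys=True).encode(), tag)


def demo() -> dict:
    store = EPHIStore(secrets.token_bytes(32))
    doc = store.login("dr.smith", "clinician")   # constructed users
    clerk = store.login("j.doe", "billing")
    store.store(doc, "pt-001", {"name": "A. Patient", "dob": "1970-01-01",
                                "diagnosis": "J45.20", "insurer": "ExampleCare"})
    results = {"billing_view": store.read(clerk, "pt-001")}  # diagnosis filtered out
    try:
        store.store(clerk, "pt-001", {})
    except AccessDenied:
        results["billing_write"] = "denied"
    store.tamper("pt-001", "diagnosis", "Z00.00")
    try:
        store.read(doc, "pt-001")
    except IntegrityError:
        results["tampered_read"] = "integrity-failure"
    results["audit_outcomes"] = [e["outcome"] for e in store.audit_log]
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting: the audit entry is written before the exception is raised, so a denied or failed request still leaves a trace, and the HMAC is checked with `hmac.compare_digest` rather than `==` to avoid a timing side channel on the tag comparison.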

HIPAA's Legal Risks: Legal attacks can come from many directions

  • from patients & the public
  • from employees & whistleblowers
  • from boards, directors, & management
  • from regulators & law enforcement
  • from others (business associates, affiliates, etc.)

Legal Attacks may be founded on many things

  • privacy violations
  • security violations
  • transactions & code sets violations
  • multitude of other Federal, State, County, & Local Laws
  • may be for 'Acts of Omission' or 'Acts of Commission'

Under HIPAA, the 'Secretary of Health and Human Services' (HHS) can audit & investigate nearly any part of a covered entity's operations or records

  • for oversight purposes
  • to determine compliance
  • to investigate alleged HIPAA violations

Legal Insights for Privacy Officers

  • having no disaster recovery plan violates fiduciary standards of care & due diligence (& HIPAA)
  • there is no direct 'private cause of action' under HIPAA for patients to sue CE's - but there are other ways
  • injured plaintiffs will argue that HIPAA is 'a de facto federal standard of care' for privacy & security
  • plaintiffs may seek punitive damages, in addition to compensatory damages, for HIPAA violations
  • jurors & Judges will look to see if defendants had 'knowledge' & 'control' regarding offenses
  • if 'outside experts' are consulted, jurors tend to place less blame on the company if a problem occurs

HIPAA Success Strategies

  • document everything
    • decisions, & the people & processes behind them
    • keep minutes of all important meetings
    • policies, procedures, guidelines, templates, etc.
  • involve legal counsel at every stage of compliance
  • create 'summary compliance documentation' for your entire HIPAA project
    • tells everything you did, when, why, & who was involved
    • understandable to laypeople (JURORS)
  • periodically play devil's advocate & analyze possible legal weaknesses an attacker could exploit
    • 'tiger teams' simulate hackers & attackers, & reveal weaknesses or gaps in compliance

Security: Verification of Identity for PHI Releases

  • by telephone
    • example: individual
      • should provide SSN and DOB, checked against internal records
    • example: guardian or personal representative requesting patient records
      • must be on record as a personal rep or guardian
      • must give SSN and DOB of individual they represent
      • check representative status and individual information against record
    • example: another provider (covered entity) requesting patient records
      • should give their health provider I.D. number
      • determine whether this is a permitted disclosure under HIPAA
      • check against records carefully
    • example: business associate requesting patient records
      • get a phone number to return the call; call the requestor back to verify
      • check records carefully for a match
  • in-person
    • requestor should provide driver's license, work ID badge or other picture ID.
    • if personal representative, they must be on record as such

HIPAA Success Strategies: use 'guerrilla' tactics - think outside the box

  • find PHI-related activities inside & outside your practice
    • STOP, LOOK, LISTEN
  • act like the enemy - civil attorneys, the National Enquirer, etc.
  • conduct 'clip board' & 'fly on the wall' assessments
  • sign in sheets - should have limited info (no 'reason for visit' entries)
  • medical charts - should be face down or faced away from sight
  • plastic chart holders - are OK if chart's face pages are covered
  • daily schedule - most of these contain PHI
  • sticky notes - don't use these for passwords
  • telephone & Fax - verify the numbers you call are correct
  • transporting of files - use lockboxes, out-of-sight in trunk, have policies
  • computer screens, fax machines, printers, voice mail devices
  • staff taking work home is risky - policies & procedures are critical
  • conversations at restaurants, church, soccer games, etc. can be overheard

HIPAA Success Strategies

  • top-level 'buy-in' is critical
  • see HIPAA as a Business Initiative, not an 'IT problem'.
  • incorporate HIPAA requirements into transaction/code set solutions
  • develop a basic understanding of HIPAA regulations
  • thoroughly assess your 'state of the union'
  • understand effort required & the complexity
  • acquire necessary expertise to address HIPAA
  • develop a clear work-plan & timeline for compliance
  • communicate with business partners
  • train & educate all employees

Additional terms

References

  1. Prescriber's Letter 12(9): 2005 HIPAA Confusion and Fear about Protected Health Information Includes: HIPAA Made Simple: A Survival Guide. Detail-Document#: http://prescribersletter.com/(5bhgn1a4ni4cyp2tvybwfh55)/pl/ArticleDD.aspx?li=1&st=1&cs=&s=PRL&pt=3&fpt=25&dd=210914&pb=PRL (subscription needed) http://www.prescribersletter.com