HIPAA in 2021: Overview and Updates - Misti Hill Carter, JD, PhD, A&M Rural & Community Health Institute (ARCHI) - Optimizing Rural Health
Objectives:
• Describe HIPAA provisions and Texas rules
• Discuss HIPAA updates for telehealth and COVID
• Identify recent examples of HIPAA violations and related fines
Legal Concepts: Privacy & Confidentiality
Privacy is a broader term:
• Physical seclusion
• Protection of personal information
• Protection of personal identity
• Ability to make choices without interference
Confidentiality is narrower:
• Refers to the protection of personal information
• Medical context → duty not to disclose information
Acronyms
• CE → Covered Entity
• PHI → Protected Health Information
• TPO → Treatment, payment, health care operations
• EHR → Electronic Health Record
• HHS → U.S. Department of Health & Human Services (“The Secretary”)
• HHSC → Texas Health and Human Services Commission (“The Commission”)
• THSA → Texas Health Services Authority
• AG → Texas Attorney General
Federal Law: HIPAA (Health Insurance Portability and Accountability Act)
• Privacy Rule → Sets standards regarding how we use and disclose PHI; covers ALL Protected Health Information (PHI)
• Security Rule → Protects electronic Protected Health Information (ePHI); requires “Covered Entities” (CEs) and their “Business Associates” (BAs) to ensure that ePHI is secure
• Breach Notification Rule → Requires CEs & BAs to notify consumers and HHS
• Enforcement Rule → Sets enforcement standards & civil penalties
The 2013 HIPAA Omnibus Rule (the “Final Rule”) modified all four HIPAA rules.
What is PHI?
All “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Source: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Privacy Rule
• Establishes a set of rules to protect all PHI (Protected Health Information). Note → De-identified information is not protected.
• Applies to:
  Covered Entities (CEs) – Health Plans, Health Care Clearinghouses, & Health Care Providers
  Business Associates (BAs) – an individual or entity acting on behalf of a CE (the CE should have a Business Associate Contract, or BAC, with every BA)
• CEs and BAs may not use or disclose protected information unless:
  Permitted Use/Disclosure → for “TPO” (treatment, payment, or health care operations)
  Requests → the protected individual authorizes the disclosure in writing
• Follows the principle of “minimum necessary” use and disclosure.
• Gives patients rights to their PHI.
• Requires notice to patients.
Security Rule
• Established a national set of security standards for ePHI (Electronic Protected Health Information). The goal is to protect the confidentiality, integrity, and availability of ePHI.
• Requires three specific types of safeguards to secure ePHI:
  Administrative safeguards
  Technical safeguards
  Physical safeguards
Texas Law: The Texas Medical Records Privacy Act (or HB 300)
• Effective September 1, 2012
• Broader reach than HIPAA:
  Broader definition of “Covered Entity” (CE)
  New operational requirements: Notice & Authorization, Training, Disclosure, Patient Record Requests, Auditing
  Special breach notification rules
  Greater enforcement and increased penalties
Sec. 181.001 – Covered Entity
• If you are a CE under HIPAA or under Texas law → you must comply with the Texas Medical Records Privacy Act.
• Texas defines a CE as “any person who… (A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site; (B) comes into possession of protected health information; (C) obtains or stores protected health information under this chapter; or (D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.”
Sec. 181.154(a) – Notice
• CEs must provide individuals with general notice that the individual’s PHI may be electronically disclosed.
• Notice may be provided in any of the following ways:
  Posted in the CE’s place of business
  On the CE’s website
  Any other place an individual is likely to see the notice
Sec. 181.154(a) – Notice Example
Source: https://www.disabilityrightstx.org/files/HB_300_HIPPA_notice.pdf
Sec. 181.154(b-c) – Authorization
• General Rule – CEs may not electronically disclose an individual’s PHI to any person without a separate authorization from the individual (or the individual’s legally authorized representative) for each disclosure. Note → authorization may be given:
  In writing,
  Electronically, OR
  Verbally (*must be documented in writing by the CE).
• Exceptions – Authorization is not required if:
  The disclosure is made to another CE for purposes of treatment, payment, health care operations, or performing an insurance or HMO function; OR
  The disclosure is otherwise required by state or federal law.
Sec. 181.154(d-e) – Authorization
The Texas AG has created a standard authorization form.
Source: https://texasattorneygeneral.gov/files/agency/hb300_auth_form.pdf
Final Note about CE definitions: The notice and authorization requirements do not apply to a “covered entity” as defined in Tex. Ins. Code Sec. 602.001; only CEs as defined by HIPAA and Sec. 181 must comply.
Sec. 181.101 – Training
• Requires CEs to train employees:
  Content → State & Federal law concerning PHI “as necessary and appropriate for the employees to carry out the employees’ duties for the covered entity”
  Timing → Training must be completed within 90 days of hiring. After a material change in State or Federal law, employees must be trained within one year of the date the material change takes effect.
  HHS says, “Industry best practices suggest that the entire workforce should be trained at least once every year and any time your practice changes its policies or procedures, systems, location, infrastructure, etc.”
  Proof → Employees must sign a verification (electronically or in writing) to show that they completed the training. The CE must keep the verification for 6 years.
Sec. 181.153 – Disclosure of PHI
• General Rule: A CE may not disclose PHI for direct or indirect remuneration.
• Exceptions: Disclosure of PHI to another CE for remuneration is allowed for:
  1. “Treatment, payment, or health care operations”;
  2. Performing an insurance or HMO function; or
  3. As otherwise authorized or required by state or federal law.
  Note → direct or indirect payments for PHI may not exceed the CE’s “reasonable costs of preparing or transmitting the PHI.”
Sec. 181.102 – Patient Access to Records
• General Rule → offices have 15 business days to provide electronic records (the Federal Rule is 30 days) when:
  The office is using an EHR system that is “capable of fulfilling the request”
  The person sends a “written request”
  (The person can agree to accept the record in another form)
• Exceptions: Federal exceptions to release of PHI under HIPAA apply.
• A standard electronic format could be recommended: Health Information Exchange (HIE) Texas, http://hietexas.org/providers
Sec. 181.103 – Consumer Website Created
Source: https://texasattorneygeneral.gov/cpd/texas-health-information-privacy-laws-2013
Sec. 181.206 – Auditing
• Texas HHSC may request that the U.S. Secretary of Health and Human Services perform an audit of a CE in Texas to determine HIPAA compliance. HHSC must monitor the results of the request.
• If Texas HHSC has evidence that a CE has committed violations that are egregious and constitute a pattern or practice, HHSC may:
  Require the CE to perform and submit a risk analysis; OR
  Alternatively, refer the CE to a licensing agency for an audit.
• Texas HHSC must report to the Texas Legislature on the number of federal audits conducted.
Breach Notification
HIPAA – Breach Notification Rule
• Definition of Breach → “the acquisition, access, use, or disclosure of [PHI] in a manner not permitted… which compromises the security or privacy of the [PHI].”
• Breach Analysis → A breach is presumed UNLESS the CE or BA can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment with four parts:
  The nature and extent of the PHI involved
  Who the unauthorized person involved was
  Whether the PHI was actually acquired or viewed
  The extent to which any risk has been mitigated
HIPAA – Breach Notification Rule: Notifications (required if the breach involved unsecured PHI)
• Individuals → within 60 days of discovery of the breach
• HHS Secretary → 500 or more affected: within 60 days; fewer than 500 affected: annual reporting
• Media → 500 or more affected: within 60 days
Enforcement
Civil Penalties
HIPAA:
• $100 per unknowing violation, up to $50,000
• $1,000 per violation without willful neglect, up to $50,000
• $10,000 per violation due to willful neglect, up to $50,000
• Penalty capped at $1.5 million annually
Texas HB 300:
• $5,000 per negligent violation
• $25,000 per knowing or intentional violation
• $250,000 per violation made for financial gain
• Penalty capped at $250,000 annually if certain mitigating factors are met, or $1.5 million annually if there is a pattern of violations
Recent Examples
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Recent HIPAA Violations
Entity | Individuals Affected | Type of Breach | Fine
Bayfront Health to Sharp Health | Varied | Right to Access | Varied ($3,500 to $200,000)
Excellus Health Plan | Over 9.3 million | Cyber-attack | $5.1 million
City Health Department | 498 | Unauthorized Access | $202,400
Aetna | 5,002; 11,887; 1,600 | Online Disclosure and Mail Disclosures | $1 million
CHSPSC | Over 6 million | Cyber-attack | $2.3 million
Athens Orthopedic | 208,557 | Cyber-attack | $1.5 million
Premera Blue Cross | Over 10.4 million | Cyber-attack | $6.85 million
Source: https://www.hhs.gov/about/news/index.html
Recent HIPAA Violations (continued)
Entity | Individuals Affected | Type of Breach | Fine
Lifespan | 20,431 | Stolen Laptop | $1.040 million
Dr. Porter | Over 3,000 | No Risk Analysis | $100,000
Sentara Hospitals | 577 | Mail Disclosures | $2.175 million
TX HHSC | 6,617 | Online Disclosures | $1.6 million
Medical Informatics Engineering | 3.5 million | Compromised Employee ID | $100,000
Touchstone Medical Imaging | Over 300,000 | Online Disclosures | $3 million
Allergy Associates | 1 | Public Disclosure | $125,000
Boston Medical Center | Varied | Public Disclosure | $999,000
Source: https://www.hhs.gov/about/news/index.html
COVID-19 Federal Updates
• HIPAA Enforcement and COVID (February 3, March 28, & April 2, 2020) → The HIPAA Privacy Rule allows disclosure of PHI for treatment and to public health authorities. This does not extend to media outlets, and the “minimum necessary” rule should be followed.
• Telehealth (March 17 and March 20, 2020) → OCR will not impose penalties for the good faith use of telehealth during the COVID-19 public health emergency. Any “non-public facing remote communication product” can be used. Allowed: Apple FaceTime, Facebook Messenger, and Skype. Not allowed: Facebook Live, Twitch, and TikTok.
• Media Access Limited (May 5, 2020) → Guidance for media outlets regarding capturing patients.
• Using Health Information Exchanges (HIE) (December 18, 2020) → HIPAA permits some disclosure of PHI to an HIE for reporting to a public health authority engaged in public health activities.
• Enforcement discretion for online scheduling (January 19, 2021) → OCR will not impose penalties for HIPAA violations in connection with the good faith use of online or web-based scheduling applications for COVID-19 vaccinations.
Source: https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html
COVID-19 Texas Updates
• Telehealth (March 14, 2020; updated September 2020) → Phone-only encounters may establish a doctor-patient relationship and be used for continuing care. The same “standard of care” and “documentation” requirements apply to telemedicine visits. Follow HIPAA guidance regarding platforms.
• Chronic Pain Rx Refills (March 19, 2020; updated March 1, 2021) → Telephone refills of certain prescriptions to established chronic pain patients are allowed if the patient has been “seen” (in person, or by telemedicine using audio and video two-way communication) in the last 90 days. The TAC 174.5 update went into effect on March 3, 2021 at 12:01 a.m.
Source: https://www.tmb.state.tx.us/page/coronavirus
Citations
• Geiderman, J. M., Moskop, J. C., & Derse, A. R. (2006). Privacy and confidentiality in emergency medicine: Obligations and challenges. Emergency Medicine Clinics of North America, 24, 633-656.
• Kulwicki, B. S. (2015). It’s five o’clock; do you know where your records are? Obligations of individuals and entities to secure protected health information. 18 SMU Sci. & Tech. L. Rev. 455.
• U.S. Department of Health and Human Services (HHS). HIPAA for Professionals. http://www.hhs.gov/hipaa/for-professionals/index.html (retrieved 8/8/16).
• HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules. https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurityTextOnly.pdf (retrieved 8/8/16).
• U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) Breach Portal. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (retrieved 8/8/16).