HIPAA Training Overview

Updated: Dec 12, 2023

Overview

  • PRIVACY

  • CONFIDENTIALITY

  • SECURITY

  • AUTHORIZATION/CONSENT

  • CONSENT: IMPLIED/EXPRESSED

  • “MINIMUM NECESSARY RULE” AND “NEED TO KNOW BASIS”

  • NOTICE OF PRIVACY PRACTICES


HIPAA Privacy Rule

  • Effective Date: April 14, 2003

  • OCR oversees HIPAA privacy compliance.

  • CMS oversees HIPAA security compliance.

  • PHI: Protected Health Information

  • Covered Entity (CE)

  • Business Associate (BA)

  • Relationship with Health Information

  • Applicability

  • De-identification

HIPAA Security Rule

  • Applicability

  • Safeguards:

-Administrative. Examples: policies and procedures, documented processes

-Physical. Examples: positioning of computer screens to prevent public views, locks

-Technical. Examples: passwords, PINs, firewalls, software updates

  • Contracts must be in place.

The Omnibus Final Rule

  • 563 pages long

  • Effective Date: March 26, 2013

  • Compliance Date for HIPAA CEs and BAs: September 23, 2013

  • Enhancements: consumer privacy protections

Understanding Breaches

  • Chatting about consumers in public places (Cafeteria, elevators, lobby, waiting area)

  • Social networks: Facebook (Meta), LinkedIn, Twitter, etc.

  • Portable devices: Cell phones, laptop, flash drive, …

  • Emails: Encryption/Decryption (Phishing)

  • Fax: Security policies

  • Phone: Voicemails

  • Breach of Confidentiality

  • Breach of Privacy

HIPAA Violation and Minimum Civil Penalty

  • Reasonable Diligence (did not know)

  • Reasonable Cause

  • Willful Neglect (violation is corrected)

  • Willful Neglect (violation is not corrected)

Adjustments to CMP amounts for 2022, for violations on or after November 3, 2015:

Penalty Amount Per Violation: $127 - $63,973* per violation

Calendar Year Cap for Violation of Identical Requirement or Prohibition: $25,000 - $1,919,173***

The Department of Health and Human Services may make annual adjustments to the CMP amounts pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvement Act of 2015. The annual inflation amounts are found at 45 CFR § 102.3.


Criminal Penalties

  • Fines (up to $250,000),

  • Imprisonment (up to 10 years)

  • Direct Liability: covered entity

  • Corporate Criminal Liability: individuals such as directors, employees, and officers of the covered entity (organization) can be directly criminally liable under HIPAA.


Reporting

-Report privacy breaches to the Privacy Officer.

-If 500 or more individuals’ health records have been breached, it is a MUST to:

  • notify each individual whose health information has been breached,

  • report the breach to the Secretary of the Department of Health and Human Services (HHS),

  • and notify the media.

-If fewer than 500 individuals’ health records have been breached, it is a MUST to:

  • notify each individual whose health information has been breached,

  • and report the breach to the Secretary of the Department of Health and Human Services (HHS).

Recommendations

  1. Faxed documents containing protected health information shall be disposed securely upon receipt.

  2. Faxed documents shall be routed securely to the appropriate recipient upon receipt.

  3. When faxing documents containing PHI within the facility, the sender shall alert the receiver of the transmission via phone and/or email.

  4. PHI transmitted via email shall be de-identified or encrypted.

  5. Avoid printing documents containing PHI from electronic systems, unless absolutely necessary.

  6. Printed documents containing PHI shall be shredded immediately after use.

  7. Documents containing PHI shall not be taken home under any circumstances.

  8. Computers shall be locked when left unattended.

  9. IDs and passwords shall not be saved or stored on computers or on sticky notes.
