
HIPAA, HITECH, Hi-jinks What are the Feds up to now?

HIPAA, HITECH, Hi-jinks: What are the Feds up to now? Presented by Jeniece Poole, CIPP, CIPP/G, U of A Privacy Officer. August 15, 2011, College of Nursing RISE Program.


Presentation Transcript


  1. HIPAA, HITECH, Hi-jinks: What are the Feds up to now? Presented by: Jeniece Poole, CIPP, CIPP/G U of A Privacy Officer August 15, 2011 College of Nursing RISE Program

  2. HIPAA Privacy Keeping It To Ourselves! Protecting Patient Confidentiality…

  3. Topics of Discussion • What’s in the News? • HIPAA Privacy and Security • What’s the HITECH Act? • New Responsibilities under HITECH • Research

  4. Cignet Health & Massachusetts General Hospital • Since the Health Insurance Portability and Accountability Act of 1996, violations had resulted in few consequences • In 2009 HITECH strengthened the provisions for civil monetary enforcement, but enforcement was minimal until now

  5. Cignet Fines • The Office for Civil Rights (OCR) exacted heavy financial obligations for the first time • $4.3 million against Cignet for violation of the HIPAA Privacy Rule • $1 million from Mass General for potential violations of HIPAA • Mass General exhibited a spirit of cooperation with OCR and therefore settled for less than ¼ of the monetary penalty assessed against Cignet

  6. Cignet’s case involved 41 patients • In a separate incident, Mass General reports 192 patients involved • OCR’s breach list shows incidents affecting hundreds of thousands, or even more than a million, individuals

  7. These cases highlight that health care providers should carefully evaluate their: • Medical privacy • Patient access policies and procedures • Training programs • Prompt and effective action is also necessary following any potential violation

  8. Nurse Prosecuted Over HIPAA Breach An Arkansas woman who pled guilty to disclosing a patient’s health information was the first in her state to be convicted under the Health Insurance Portability and Accountability Act (HIPAA). Andrea Smith, a 25-year-old woman from Trumann, AR, admitted to wrongfully disclosing individually identifiable health information for personal gain, according to a statement from Jane W. Duke, United States Attorney for the Eastern District of Arkansas. Smith, a licensed practical nurse, accessed an unidentified patient’s medical record on November 28, 2006, while working at Northeast Arkansas Clinic (NEAC) in Jonesboro, AR. Andrea Smith then gave the private medical information to her husband, Justin Smith, who called the patient and said he intended to use the information against the patient in “an upcoming legal proceeding,” according to the statement. Upon discovery of the HIPAA breach, NEAC fired Andrea Smith.

  9. In the News…. • Smith faces a maximum of 10 years in prison, a fine of no more than $250,000, or both, as well as a term of supervised release of not more than three years, the statement said. The Arkansas State Board of Nursing has opened a complaint against Smith after learning of the federal conviction, according to the Arkansas Democrat-Gazette

  10. Computer with patient data stolen from Jefferson A laptop computer with health and personal information on 21,000 patients was stolen from an office at Thomas Jefferson University Hospital in Philadelphia in June. The patients whose unencrypted records were on the password-protected laptop were notified last Friday of the theft in a letter from hospital president Thomas J Lewis, who offered identity-theft protection. Protected health information including Social Security numbers had been exposed. The breach at Jefferson is part of a national problem. A federal database has documented 121 such lapses nationwide since September, 2009.

  11. Thousands of Personal Record Files Dumped in Recycling Bin Curious, they pulled out a couple and were stunned to see that they appeared to be medical records, Karen Keith said. The information inside the files included some that couldn’t be more personal – or dangerous: Social Security numbers, copies of drivers’ license numbers and even credit card numbers.

  12. Prison for HIPAA Privacy Violator • Huping Zhou, a cardiothoracic surgeon in China before immigrating to the United States, was employed at UCLA in 2003. On Oct. 23, 2003, he received a notice of intent to dismiss him for performance reasons that did not include illegal access of medical records. That evening, and during three other periods over the next four weeks, he accessed the medical records of his superior and co-workers, and many records belonging to celebrities, a total of 323 times, according to the FBI office in Los Angeles.

  13. Charges were filed in 2009 and Zhou pleaded guilty in January 2010 to four misdemeanor counts of illegally reading private and confidential medical records. He faced up to four years in prison. An FBI spokesperson did not have information on why charges were not filed until six years after the patient records were accessed. There is no evidence Zhou improperly used or attempted to sell the information he accessed, according to the FBI.

  14. What is a Breach? A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. 

  15. Privacy Breaches • The federal list of major health information breaches included 253 incidents • Affecting more than 6.5 million individuals • 22% of all incidents involve business associates, and more than 50% involve theft or loss of a computer

  16. The many types of breaches… • New York City Health and Hospitals Corp • 1.7 million people affected • Theft of back-up tapes from an unlocked, unattended truck • Largest single incident so far • St. Francis Health System in Oklahoma • 84,000 people affected • Breach from a stolen computer

  17. Seacoast Radiology in New Hampshire • 231,000 people affected • Hackers used a server’s bandwidth to play a video game • Ankle and Foot Center in Tampa, Fl • 156,000 people affected • Reported a hacking incident after the server containing the practice management system was accessed

  18. HHS Breach Website • http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html • 7 breaches have occurred in Arizona • 24,726 people have had information lost or stolen • 6 of the 7 involve loss or theft of an electronic portable device • 1 is a loss of paper records • Universities on the list include: University of Arkansas, UCSF, Yale University, Georgetown University Hospital, University of Louisville, University of Massachusetts, Johns Hopkins University, St Louis University, University of Nebraska, University of New Mexico

  19. What is HIPAA? • HIPAA is the Health Insurance Portability and Accountability Act of 1996 (PL 104-191) • Also referred to as the Kennedy-Kassebaum Act • HIPAA was enacted by the federal government on August 21, 1996 with the intent to: • Ensure health insurance portability • Reduce healthcare fraud and abuse • Guarantee security and privacy of health information • Enforce standards for health information

  20. Why was HIPAA Created? • To establish minimum federal standards for safeguarding the privacy of individually identifiable health information

  21. The History of HIPAA • The regulation has 3 areas of focus • Portability of and access to health benefits • Preventing fraud and abuse • Administrative simplification

  22. Fraud and Abuse • HIPAA expands the False Claims Act to cover healthcare claims • Intentional fraud is a criminal act • To be guilty of fraud, you need only engage in a pattern or practice of presenting claims that you know will lead to greater payment

  23. Feds probe alleged fraud at UT Southwestern, Parkland Sunday, May 30, 2010 Federal authorities are investigating whether UT Southwestern Medical Center and Parkland Memorial Hospital committed fraud by falsely billing Medicare and Medicaid for patient care, The Dallas Morning News has learned. The probe already has identified millions of dollars in potential fraud in the government health insurance programs for the elderly, disabled and poor, sources said.

  24. Fraudulent Billing Investigators are focusing on whether UT Southwestern, one of the nation's leading medical schools, billed the government for services that faculty physicians did not actually provide while working at Parkland. A key question is whether faculty physicians properly supervised doctors in training, known as residents. Warnings that UT Southwestern's handling of government insurance claims could be fraudulent date back nearly two decades, court records and interviews show. Nevertheless, the taxpayer-supported medical school and hospital failed to effectively guard against abuses, according to audits and former employees.

  25. Fraud and Abuse in Billing Practices is Serious Business • U of A Dermatology Clinic dismissed two physicians who were found in violation of the Medicare regulations • Medicare was billed for services where the resident examined the patient and treatment was billed as if the physician was providing the care • CMS has a settlement agreement that includes a three year payment schedule including repayment of overcharges and fines

  26. Identity Theft • Arizona is #1 in the nation in cases of identity theft • Medical identity theft (theft of health information) is the fastest growing area of identity theft

  27. Medical Identity Theft • Can be costly • Can cause loss of insurance coverage • Can cause physical harm

  28. Medical Identity Theft Illegal and bogus treatment • Medical ID thieves bill your health plan for fake or inflated treatment claims • The crooks often are doctors and other medical personnel who know how the insurance billing system works • Organized theft rings also are involved • They buy stolen patient information on the black market, and set up fake clinics to make bogus claims against the health policies of honest consumers

  29. Medical Identity Theft Obtain free treatment • Medical ID thieves who don’t have their own health coverage often receive free medical treatment, courtesy of your policy • They assume your identity at a hospital or clinic, and your insurer receives the bills

  30. Medical Identity Theft Strikes American Children & Adults • Involves stolen insurance card information, or costs for medical care and equipment given to others using the victim’s name • 29% of surveyed victims discovered the problem a year after the incident • The average cost to resolve was $20,160 • 48% lost coverage due to medical ID theft

  31. Why do we need Health Care Privacy? • Gives patients more control over their health information • Sets boundaries on the use and disclosure of health records • Establishes appropriate safeguards for all people who participate in or are associated with the provision of health care • Holds violators accountable through civil and criminal penalties

  32. The term “HIPAA Privacy” refers to accessing and sharing the patient’s Protected Health Information (PHI)… This is DATA. HIPAA Privacy is CONFIDENTIALITY. Remember!

  33. Confidentiality • Confidentiality refers to data, not to the person • Confidentiality limits who can access the data • Confidentiality defines how the data will be stored

  34. Multiple Users May Access Health Information • Admitting Clerks • Caregivers from the ED to the morgue • Physical Therapists • Nutritionists • Lab Personnel • Pharmacists • Receptionists in physician offices • Transport Techs • Respiratory Therapists • Billing Clerks • Insurance processors • School personnel • Home Health Agencies • Medical Records Clerks • Researchers • Website Managers

  35. Personal Identifiers This information can be in various forms and must be protected • Electronic - computer, video, audio • Paper - “hard-copy”, labels, films • Oral - verbal, sign-language

  36. What are Personal Identifiers? • Names • Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code (which must be changed to 000 if the area sharing those three digits contains 20,000 or fewer people) • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 (which may be aggregated into a single category of age 90 or older) • Telephone numbers • Fax numbers • Electronic mail addresses • Social security numbers • Medical record numbers

  37. More Personal Identifiers • Account numbers • Certificate/license numbers • Vehicle identifiers and serial numbers, including license plate numbers • Device identifiers and serial numbers • Web Universal Resource Locators (URLs) • Biometric identifiers, including finger or voice prints • Full face photographic images and any comparable images • Internet Protocol (IP) address numbers • Any other unique identifying number, characteristic, or code
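The two slides above are the 18 identifiers of the Safe Harbor de-identification method: strip them all, with the stated exceptions for three-digit zip codes, years, and ages over 89, and the remaining data is no longer PHI. As an added example, not code from the presentation or from the University of Arizona, the Python below applies those rules to one patient record. The record layout and field names are assumptions, the sparse zip-code prefixes are a constructed sample (a real implementation would load the Census-derived list), and the sample record is made up. One edge case the slides' wording hides is handled explicitly: a birth year that by itself implies an age over 89 must also be suppressed, not just the age field.

```python
"""Safe Harbor de-identification of a patient record (added illustration).

Added example; field names, the SPARSE_ZIP3 sample and SAMPLE_RECORD are
assumptions made for illustration, not the presenter's or U of A's code.
"""
import re
from datetime import date

# Fields that Safe Harbor requires to be dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Three-digit zip prefixes whose combined population is 20,000 or fewer
# must become 000. Constructed sample, not the authoritative Census list.
SPARSE_ZIP3 = {"036", "059", "102", "203", "556", "692", "821", "823",
               "830", "831", "878", "879", "884", "893"}

DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for a sparsely populated area."""
    digits = re.sub(r"\D", "", str(zip_code))[:3]
    if len(digits) < 3 or digits in SPARSE_ZIP3:
        return "000"
    return digits


def generalize_date(value):
    """Reduce an ISO date string or date object to its year only."""
    if isinstance(value, date):
        return value.year
    m = re.match(r"\s*(\d{4})-\d{2}-\d{2}", str(value))
    if not m:
        raise ValueError(f"unrecognised date format: {value!r}")
    return int(m.group(1))


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if int(age) > 89 else int(age)


def deidentify(record, reference_year=None):
    """Return a new dict containing only Safe Harbor-compliant fields.

    reference_year is the year against which a birth year is judged to
    imply an age over 89; it defaults to the current year.
    """
    reference_year = reference_year or date.today().year
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or value is None:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = generalize_date(value)
        elif field == "age":
            out["age"] = generalize_age(value)
        else:
            out[field] = value
    # A birth year that itself reveals an age over 89 must also go.
    birth_year = out.get("birth_year")
    if out.get("age") == "90+" or (
            birth_year is not None and reference_year - birth_year > 89):
        out.pop("birth_year", None)
        out["age"] = "90+"
    return out


SAMPLE_RECORD = {  # constructed sample, not a real patient
    "name": "Jane Q. Sample", "street_address": "1 Main St", "city": "Tucson",
    "state": "AZ", "zip": "85721", "phone": "520-555-0100",
    "ssn": "000-00-0000", "mrn": "MRN-123456", "birth_date": "1920-03-14",
    "age": 91, "admission_date": "2011-06-02", "diagnosis": "hypertension",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, reference_year=2011))
```

State, three-digit zip, admission year and diagnosis survive; every direct identifier, the full date of birth and the exact age do not. Note that Safe Harbor is a field-level rule and says nothing about free text, so a clinical note that names the patient still has to be handled separately.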

  38. How can a Covered Entity Use and Disclose PHI? • REMEMBER, every time you look at, touch, share, disclose or do anything else with PHI, you must either have the patient’s authorization or meet a HIPAA exception • The exception you use will depend on the purpose for which you are looking at, touching, sharing or disclosing the PHI • Exceptions: • TPO (Treatment, Payment and Health Care Operations) • Other statutory exceptions

  39. Use and Disclosure Without Patient’s Explicit Permission • Treatment, Payment & Health Care Operations • As Required by Law • Marketing & Fundraising (pursuant to strict limitations) • Examples: • A health care provider can discuss the patient’s case with colleagues to determine the best course of treatment • A health plan can share information with the nursing home regarding payment for services • A compliance office can obtain charts for compliance audits

  40. Uses and Disclosures that Do Not Require Authorization • Mandatory Disclosure: • HIPAA only mandates disclosure in two instances: • To the patient • To the Secretary of DHHS to investigate an alleged privacy violation

  41. Other Permitted Disclosures • Public Health Activities • Health Oversight • Law Enforcement • Organ & Tissue Donation • Avert Serious Threat • Workers Compensation • Report Abuse • Legal Proceedings • Information regarding decedents • Research • Specialized Government Functions

  42. Report Abuse or Neglect • Report to authorities authorized by law to receive information about victims of abuse, neglect or domestic violence • Based on reasonable belief • CE must inform the individual of the disclosure unless • There is reasonable belief this would place the individual at risk for serious harm or it would mean informing a personal representative who is believed to be responsible for the abuse or neglect

  43. Law Enforcement • Report Crime in an Emergency • Victims of a Crime • Crime on the Premises • Decedents- if suspicion that death was the result of criminal conduct • Identification & Location • Pursuant to a process required by law

  44. Research • Waiver or alteration of authorization approved by IRB or Privacy Board • Reviews Preparatory to Research • Research on Decedent Information • De-Identified Data • Limited Data Set (with Data Use Agreement)

  45. Patient’s Rights Under HIPAA • Access and copy information • Request restriction of use for TPO • Request confidential communication • Accounting of Disclosures • Receive a copy of the Notice of Privacy Practices • Request amendments to records

  46. Request Restrictions • Only applies to PHI used or disclosed for TPO or to family, friends or others involved in the patient’s care. • A Covered Entity (CE) is not required to agree • If the CE agrees, it is bound by the restriction • Under HITECH the CE must agree to a requested restriction when it meets certain criteria: a restriction on disclosure to a health plan for an item or service the patient has paid for out of pocket in full

  47. Psychotherapy Restrictions • Psychotherapy notes are kept separate from the rest of the medical record • They require an Authorization for uses and disclosures, even for TPO • Verification Process: you must verify that the individuals to whom you are disclosing information are who they say they are.

  48. Administrative Requirements • Designate a Privacy Official • Departmental Liaison • Train members of the workforce on Privacy Requirements • Safeguard PHI • Develop Sanctions for Violations of the Privacy Policies and Procedures • Establish a means for individuals to complain about privacy violations

  49. Remember the Minimum Necessary Rule • Role based access • Need to know • Patient authorization to use and disclose • De-identification
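The Minimum Necessary Rule has two moving parts that the bullets above name separately: role-based access (what a billing clerk or nurse may ever see) and need to know (whether this user has a reason to open this particular patient's chart). The UCLA case earlier in the talk is what happens when only the first is enforced: a physician's role entitles him to read charts, but nothing checked that he was treating the people whose records he opened 323 times. As an added example, not code from the presentation or from the University of Arizona, the Python below enforces both checks, requires a patient authorization for any purpose outside TPO, and logs every attempt so that repeated denials can be flagged. The roles, chart sections, relationship table and sample chart are assumptions; a real system would take them from the EHR's staffing, scheduling and billing data.

```python
"""Minimum necessary enforcement with an audit trail (added illustration).

Added example; ROLE_SECTIONS, the relationship table and the sample chart
are assumptions made for illustration, not the presenter's or U of A's code.
"""
from collections import Counter
from datetime import datetime, timezone

# Role-based access: which chart sections each role may see at all.
ROLE_SECTIONS = {
    "physician": {"demographics", "clinical", "labs", "medications"},
    "nurse": {"demographics", "clinical", "medications"},
    "billing_clerk": {"demographics", "billing"},
    "receptionist": {"demographics"},
    "researcher": set(),  # researchers work from de-identified extracts
}
# Need to know: these roles must also be assigned to the specific patient.
NEEDS_RELATIONSHIP = {"physician", "nurse", "billing_clerk"}
TPO = {"treatment", "payment", "operations"}

AUDIT_LOG = []  # every attempt, granted or denied, is recorded here


class AccessDenied(Exception):
    """Raised, and logged, when a request fails the minimum necessary test."""


def minimum_necessary(user, patient_id, chart, relationships, purpose,
                      patient_authorized=False, now=None):
    """Return only the chart sections this user's role and relationship justify.

    chart:         dict of section name -> data for one patient
    relationships: dict of patient_id -> set of user ids currently assigned
    purpose:       "treatment", "payment", "operations", or anything else,
                   in which case a patient authorization is required
    """
    now = now or datetime.now(timezone.utc)
    role = user["role"]
    entry = {"time": now.isoformat(), "user": user["id"], "role": role,
             "patient": patient_id, "purpose": purpose, "granted": False}
    try:
        if role not in ROLE_SECTIONS:
            raise AccessDenied(f"unknown role {role!r}")
        if purpose not in TPO and not patient_authorized:
            raise AccessDenied("purpose outside TPO requires patient authorization")
        assigned = relationships.get(patient_id, set())
        if role in NEEDS_RELATIONSHIP and user["id"] not in assigned:
            raise AccessDenied("no treatment or payment relationship with this patient")
        sections = {name: data for name, data in chart.items()
                    if name in ROLE_SECTIONS[role]}
        if not sections:
            raise AccessDenied(f"role {role!r} is not entitled to any chart section")
        entry["granted"] = True
        entry["sections"] = sorted(sections)
        return sections
    except AccessDenied as exc:
        entry["reason"] = str(exc)
        raise
    finally:
        AUDIT_LOG.append(entry)


def repeat_offenders(log, threshold=3):
    """Users with `threshold` or more denied attempts in the log: many reads of
    charts the user had no reason to open is the pattern of the UCLA case."""
    denials = Counter(e["user"] for e in log if not e["granted"])
    return {user: n for user, n in denials.items() if n >= threshold}


# Constructed sample data, not real patients or staff.
SAMPLE_CHART = {
    "demographics": {"name": "Jane Q. Sample", "dob": "1950-02-01"},
    "clinical": {"problem_list": ["hypertension"]},
    "labs": {"potassium": 4.1},
    "medications": ["lisinopril 10 mg"],
    "billing": {"insurer": "Sample Health Plan", "balance": 125.00},
}
SAMPLE_RELATIONSHIPS = {"P-1001": {"rn-42", "clerk-9"}}

if __name__ == "__main__":
    nurse = {"id": "rn-42", "role": "nurse"}
    print(sorted(minimum_necessary(nurse, "P-1001", SAMPLE_CHART,
                                   SAMPLE_RELATIONSHIPS, "treatment")))
    snoop = {"id": "md-7", "role": "physician"}  # not assigned to P-1001
    for _ in range(3):
        try:
            minimum_necessary(snoop, "P-1001", SAMPLE_CHART,
                              SAMPLE_RELATIONSHIPS, "treatment")
        except AccessDenied as exc:
            print("denied:", exc)
    print(repeat_offenders(AUDIT_LOG))
```

The denial path is deliberately as loud as the grant path: the audit entry is written in `finally`, so a user cannot probe charts without leaving a record, which is what OCR's accounting-of-disclosures and sanctions requirements depend on.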
