HIPAA, HITECH, Hi-jinks: What are the Feds up to now?
Presented by: Jeniece Poole, CIPP, CIPP/G, U of A Privacy Officer
August 18, 2010, College of Nursing

HIPAA Privacy
Keeping It To Ourselves! Protecting Patient Confidentiality…

Topics of Discussion
• Quick HIPAA Refresher
• What’s the HITECH Act?
• New Responsibilities under HITECH
• Research
What is HIPAA?
• HIPAA is the Health Insurance Portability and Accountability Act of 1996 (PL 104-191)
• Also referred to as the Kennedy-Kassebaum Act
• HIPAA was enacted by the federal government on August 21, 1996 with the intent to:
  • Assure health insurance portability
  • Reduce healthcare fraud and abuse
  • Guarantee security and privacy of health information
  • Enforce standards for health information

Why was HIPAA Created?
• To establish minimum federal standards for safeguarding the privacy of individually identifiable health information

The History of HIPAA
• The regulation has 3 areas of focus:
  • Portability of and access to Health Benefits
  • Preventing Fraud and Abuse
  • Administrative Simplification

Fraud and Abuse
• HIPAA expands the False Claims Act to include healthcare claims
• Intentional fraud is a criminal act
• To be guilty of fraud, you need only engage in a pattern or practice of presenting claims that you know will lead to greater payment
Feds probe alleged fraud at UT Southwestern, Parkland
Sunday, May 30, 2010
Federal authorities are investigating whether UT Southwestern Medical Center and Parkland Memorial Hospital committed fraud by falsely billing Medicare and Medicaid for patient care, The Dallas Morning News has learned. The probe already has identified millions of dollars in potential fraud in the government health insurance programs for the elderly, disabled and poor, sources said.

Fraudulent Billing
Investigators are focusing on whether UT Southwestern, one of the nation's leading medical schools, billed the government for services that faculty physicians did not actually provide while working at Parkland. A key question is whether faculty physicians properly supervised doctors in training, known as residents. Warnings that UT Southwestern's handling of government insurance claims could be fraudulent date back nearly two decades, court records and interviews show. Nevertheless, the taxpayer-supported medical school and hospital failed to effectively guard against abuses, according to audits and former employees.
Fraud and Abuse in Billing Practices is Serious Business
• U of A Dermatology Clinic dismissed two physicians who were found in violation of the Medicare regulations
• Medicare was billed for services where the resident examined the patient and treatment was billed as if the physician was providing the care
• CMS has a settlement agreement that includes a three-year payment schedule including repayment of overcharges and fines

Identity Theft
• Arizona is #1 in the nation in cases of identity theft
• Identity theft of health information is the fastest growing area of theft

Medical Identity Theft
• Can be costly
• Can cause loss of insurance coverage
• Can cause physical harm

Medical Identity Theft: Illegal and bogus treatment
• Medical ID thieves bill your health plan for fake or inflated treatment claims
• The crooks often are doctors and other medical personnel who know how the insurance billing system works
• Organized theft rings also are involved
• They buy stolen patient information on the black market, and set up fake clinics to make bogus claims against the health policies of honest consumers

Medical Identity Theft: Obtain free treatment
• Medical ID thieves who don’t have their own health coverage often receive free medical treatment, courtesy of your policy
• They assume your identity at a hospital or clinic, and your insurer receives the bills

Medical Identity Theft Strikes American Children & Adults
• Involves stolen insurance card information or costs related to medical care and equipment given to others using the victim’s name
• 29% of surveyed victims discovered the problem a year after the incident
• The average cost to resolve was $20,160
• 48% lost coverage due to medical ID theft

Why do we need Health Care Privacy?
• Gives patients more control over their health information
• Sets boundaries on the use and disclosure of health records
• Establishes appropriate safeguards for all people who participate in or are associated with the provision of health care
• Holds violators accountable through civil and criminal penalties
Remember!
The term “HIPAA Privacy” refers to accessing and sharing the patient’s Protected Health Information (PHI)… This is DATA.
HIPAA Privacy is CONFIDENTIALITY.

Confidentiality
• Confidentiality refers to data, not to the person
• Confidentiality limits who can access the data
• Confidentiality defines how the data will be stored

Multiple Users May Access Health Information
• Admitting Clerks
• Caregivers from the ED to the morgue
• Physical Therapists
• Nutritionists
• Lab Personnel
• Pharmacists
• Receptionists in physician offices
• Transport Techs
• Respiratory Therapists
• Billing Clerks
• Insurance processors
• School personnel
• Home Health Agencies
• Medical Records Clerks
• Researchers
• Website Managers

Personal Identifiers
This information can be in various forms and must be protected:
• Electronic - computer, video, audio
• Paper - “hard-copy”, labels, films
• Oral - verbal, sign-language
What are Personal Identifiers?
• Names
• Geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial five digits of a zip code to 000
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers

More Personal Identifiers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locator (URL)
• Biometric identifiers, including finger or voice prints
• Full face photographic images and any comparable images
• Internet protocol address numbers
• Any other unique identifying number, characteristic or code
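The two identifier lists above are the elements a record must lose before it counts as de-identified under the HIPAA Safe Harbor standard (45 CFR 164.514(b)(2)). The following Python is an added example, not part of the presentation or any University of Arizona tool, showing how a scrubber applies those rules to one patient record: direct identifiers are dropped as whole fields, dates are reduced to the year, ages over 89 collapse to "90+", and a zip code keeps only its first three digits (the regulation sets that prefix to 000 when the area it covers has 20,000 or fewer people; the `SMALL_POPULATION_ZIP3` set here is a constructed stand-in for that census lookup). Identifiers buried in free-text notes are masked with regular expressions. The record, field names and note text are all constructed.

```python
import re
from datetime import date

# Constructed stand-in for the census check Safe Harbor requires: a three-digit
# zip prefix may be kept only when its area has more than 20,000 people.
# These two prefixes are made up for the example.
SMALL_POPULATION_ZIP3 = {"036", "059"}

# Fields that are direct identifiers and are removed outright.
STRUCTURED_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_id",
}

# Patterns for identifiers that leak into free-text fields (applied in order).
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("URL", re.compile(r"\bhttps?://\S+")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
]


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 for a sparsely populated prefix."""
    prefix = zip_code[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def generalize_date(d):
    """Safe Harbor permits the year; every other date element is dropped."""
    return str(d.year)


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age >= 90 else str(age)


def scrub_free_text(text):
    """Replace identifier-shaped substrings in narrative text with a label."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def deidentify(record):
    """Return a new dict with the Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in STRUCTURED_IDENTIFIER_FIELDS:
            continue  # direct identifier: drop the whole field
        if key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, date):
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "dob": date(1918, 3, 14),
    "age": 92,
    "zip": "85721",
    "admission_date": date(2010, 8, 2),
    "diagnosis": "hypertension",
    "note": ("Pt called from (520) 555-0100, email jane@example.org, "
             "SSN 123-45-6789, accessed portal from 192.0.2.44; "
             "follow up 08/30/2010."),
}

if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Field-level removal is only as good as the field inventory, which is why the free-text pass exists: a clinician's note is the usual place an SSN or phone number survives a "de-identified" export. The regex pass is a backstop, not proof of de-identification; a record that still carries a rare diagnosis plus a three-digit zip and a year can remain re-identifiable, which is what the "any other unique identifying number, characteristic or code" item is about.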
Remember the Minimum Necessary Rule
• Role based access
• Need to know
• Patient authorization to use and disclose
• De-identification

Hospital Employees Fired
Two University of New Mexico hospital workers have been fired after they posted patient pictures on MySpace. The workers used their cell phone cameras to take close-up pictures of injuries and then posted them to their private MySpace pages for their friends and coworkers to see. The photos did not contain the faces of the patients. So far no charges have been filed and the photos have been deleted from MySpace and from the workers' cell phones.

N.J. Hospital Workers Suspended in Clooney Breach
More than two dozen hospital workers have been suspended for four weeks after allegedly looking at George Clooney's confidential medical information when he was admitted to Palisades Medical Center, in North Bergen, New Jersey, for a motorcycle-related injury that resulted in a broken rib and scrapes. No physicians were among the twenty-seven hospital employees suspended. Also, as many as seven of the suspended employees may have been authorized to view the records. "This is the first I've heard of it," Clooney said in a statement, "and while I very much believe in a patient's right of privacy, I would hope that this could be settled without suspending medical workers."
ASSOCIATED PRESS, N.J. Workers Suspended in Clooney Breach, Modern Healthcare's Daily Dose (Oct. 10, 2007)

Oakwood Hospital Employee Fired for Facebook Posting
Another employee fired for allegedly violating HIPAA by a posting on Facebook. Like so many others, James was emotional following the shooting death of Taylor Police Corporal Matthew Edwards. She worked for the hospital organization that treated the police officer and the shooting suspect, Tyress Mathews. One night, while at home, she posted on Facebook that she came face-to-face with a cop killer and hoped he rotted in hell.
Health Information Technology for Economic and Clinical Health (HITECH) Act

American Recovery and Reinvestment Act of 2009
• On February 17, 2009, President Obama signed the ARRA (stimulus bill)
• A portion of the bill created the Health Information Technology for Economic and Clinical Health Act (HITECH Act)

New HIPAA Regulations 2009 and 2010
• Phase-in process
• Funding for technology
• Electronic Health Records
• Stricter enforcement

Stimulus Bill Contains New HIPAA Patient Privacy Measures
• Changes for Covered Entities, Business Associates and organizations that perform services on behalf of Covered Entities
• Provides over $19 billion to support and promote adoption of electronic health records (EHRs) for all Americans by 2014

Greater Emphasis on Information Security
• Expands obligations for compliance
• Enhanced enforcement by HHS and the Office for Civil Rights (OCR)
• OCR will have the authority to investigate and fine Covered Entities for security breaches

Additional HIPAA Requirements
• Adds new individual rights
• Further restricts uses and disclosures of PHI
• Enacts a federal security breach notification law

New Individual Rights
• Right to an electronic copy of medical records and to have the copy sent to third parties
• May restrict disclosure of PHI to a health plan when self-pay
• Right to an accounting of disclosures for treatment, payment and healthcare operations

New Security Breach Notice Laws
• Covered Entities must notify individuals and HHS
• BA must notify CE
• If more than 500 individuals are affected, must also notify the media
• HHS will post all breaches on its website
• Data is unsecured if it is not encrypted or destroyed

More Privacy Requirements
• BAs are required to report certain breaches and violations by the CE to DHHS
• BAs are subject to the same civil and criminal penalties for privacy violations as the CE
• No longer a breach of contract issue

Enhanced Enforcement and Liability
• FTC and HHS are collaborating on regulation and enforcement
• Plaintiff’s lawyers are looking for class action opportunities
• All state Attorneys General may now enforce HIPAA
• HHS is required to audit, investigate and impose penalties
• Civil penalties have increased and criminal penalties may be imposed on employees
• Fines go to fund enforcement and compensate victims

Additional Requirements
• Selling PHI to vendors
• Limitation of 50 years from date of death for decedent privacy
• Re-issuing Notice of Privacy Practices
• Must include opt-out process for marketing and fundraising
• Permits use of a single authorization for research and treatment
Business Associate Requirements
• The HITECH Act places additional requirements on Business Associates.
• A Business Associate is a person or organization that performs functions on behalf of a Covered Entity that involve the use of Protected Health Information (PHI).
• Depending on the kind of work being performed, the UA sometimes serves as a Business Associate of UPH (now UAHC), as well as of other Covered Entities.

But Wait, There’s More! Civil & Criminal Penalties Too
• Business Associates are subject to the HIPAA civil and criminal penalties associated with violations of the HIPAA Security Rules. The Secretary of HHS is required to impose penalties for “willful” violations. State Attorneys General are permitted to enforce violations.

Snooping in Patient Records?
Federal definition of breach: “The unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

Penalties
• Fines – Civil monetary penalties are tiered based on knowledge and are $1.5 million maximum annually for the same type of violation
• HHS is required to conduct audits
• Fines and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information

HIPAA Fines
• Kaiser Permanente’s Bellflower Medical Center was fined for failing to protect patient information
• For failing “to prevent unauthorized access to confidential patient information” Kaiser paid $187,500
• 8 employees accessed the electronic medical records of 4 patients
• This was at the time Nadya Suleman and her octuplets were at the facility

HIPAA Convictions
• Hospital employees pleaded guilty to charges of accessing, but not disclosing, a patient's protected health information (PHI)
• An Arkansas physician and two employees of St. Vincent Infirmary Medical Center (SVIMC) pleaded guilty July 20 to violating HIPAA by accessing a patient’s PHI without a legitimate purpose
• Although the defendants admitted to accessing the records, none of them disclosed the patient's information to other sources or tried to sell the information - the heart of past HIPAA cases
Research & HIPAA
• When PHI is involved, the IRB requires a PHI Authorization form signed by the research subject.
• If data is being stored on a laptop or a flash drive, encrypt the data.
• Only research staff listed on the VOTF should have access to study information.

Research & HIPAA
• The IRB may issue a waiver of PHI Authorization.
• Decedents have rights under HIPAA. Decedent research is not considered human subjects research by the Common Rule, so the research will not need IRB approval.
• Individual case studies may require PHI Authorization.
• Recruiting and consenting of subjects must be conducted as stated in the Project Review Form and approved by the IRB prior to beginning the study.
Envelopes for UF Study of Girls had Personal Data with Address
Tuesday, July 6, 2010, Gainesville, FL
University of Florida officials have notified more than 2,000 adolescent girls that their Social Security numbers or Medicaid identification numbers were mistakenly printed on address labels sent on letters inviting them to take part in a research study. The letters were mailed May 24 to the parents of the girls seeking their participation in a study about human papillomavirus, or HPV, vaccination. After the problem was discovered June 6, UF officials said that they launched an investigation and notified state and federal officials of the breach. The study was conducted through the UF College of Medicine’s Department of Epidemiology and Health Policy Research. The letters were sent to parents or guardians of girls listed in a statewide database to seek participation. The study included girls ages 11 to 17 who had received the HPV vaccine and a control group of girls ages 9 to 17 who had not been vaccinated.