How the City of Lewisville Has Complied in a Paperless World
Sources s of Law HIPAA AA (Health Insurance Portability and Accountability Act of 1996) o Privacy Rule o Security Rule o Enforcement Rule o Genetic Information Nondiscrimination Act of 2008 o Health Information Technology for Economic and Clinical Health Act o Omnibus Rule (General Compliance Date = September 23, 2013) Overseen by Centers for Medicare and Medicaid Services (CMS) A federal law designed to: o Give patients control over all Protected Health Information (PHI) that might be shared between health care providers & other covered entities o Ensure confidentiality of PHI
The privacy rules issued under the Health Insurance Portability and Accountability Act of 1996 (“ HIPAA AA ”) restrict the use and disclosure of protected health information (“ PHI ”) by covered entities, including group health plans, without express authorization except when necessary for treatment, payment or health care operations. The security rules issued under HIPAA set forth the requirements for protecting PHI when it is in electronic form. Final regulations were recently issued that implement amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (“ HITECH ”) and the Genetic information Nondiscrimination Act (“ GI GINA ”). o These regulations impact employers who sponsor self-insured group health plans, including medical, dental, vision, health care flexible spending accounts and health reimbursement arrangements, and certain employee assistance plans.
Protected Health Information (PHI or ePHI) includes: o Individually Identifiable Health Information that is transmitted or maintained in electronic or any other media relating to: • a covered individual’s past, present or future physical or mental health or condition, • the provision of health care to the individual, or the past, present, • or future payment for the provision of health care to the individual City of Lewisville Examples o Enrollment Forms o Cobra Letters o Emails to employees with PHI o Claim files o Monthly bills
Removal of certain identifiers so that the individual who is subject of the PHI may no longer be identified o Names o Geographic subdivisions o Dates of service o SSNs Not discussing PHI with anyone, other than the employee or those directly responsible for administering the plan including payment of claims
Privacy and Security Rules apply directly to “Covered Entities” defined as Health Plan • Defined as an individual or group health th plan that provides (or pays the cost of) medical care o Group up Health th Plan • Defined as an employee welfare benefit plan to the extent that it provides “medical care” to employees or dependents, if plan has 50 or more participants or is administered by person other than employer and includes insured and self-insured arrangements. • Includes: • Medical, dental and vision coverage • Health flexible spending accounts • Health reimbursement arrangements • Some employee assistance plans and wellness programs • Governmental Plans and church plans
A Hybrid rid Entity tity is a single legal entity: That is a Covered Entity and whose Covered Functions are not its primary functions Whose business activities include both covered and non- covered functions That designates healthcare components in accordance with the Privacy Rule • Lewi wisville sville is a s a Hyb ybrid rid Entity ntity co cover ering ing on only y th the Health alth Plan lan and nd th the EMS S program rogram
The City of Lewisville retains administrative and legal responsibilities and must ensure that: o Designated healthcare components comply with the privacy rule (“erect firewalls”) o Designated healthcare components do not disclose PHI to non-designated components ( Human Resources to City Management) o Employees who have responsibilities that include protected health information must not use or disclose PHI inappropriately and must all receive formal training
In February 2009, Congress and the President took the opportunity to add teeth to HIPAA. Buried in the mass of spending was the HITECH act, a $19 billion program to promote IT data protection in the health care services.
Health and Human Services Office of Civil Rights can impose civil penalties for violations regardless of intent Department of Justice can impose criminal penalties if a person knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule o Up to $50,000 and 1 year imprisonment o Up to $100,000 and 5 years imprisonment if done under false pretenses o Up to $250,000 and 10 years imprisonment if intent is to sell, transfer or use the individually identifiable health information for commercial advantage, personal gain or malicious harm
Contracted with Spohn Consulting to conduct a Security Audit The purpose of the audit was to evaluate the City of Lewisville infrastructure against a set of criteria defined in the HIPAA Final Security Rule. The Audit consisted of reviewing policies, procedures and practices to evaluate the administrative, physical and technical controls in place at the City of Lewisville. The audit examined all systems that either house or have access to ePHI.
Administrative Controls Technical Controls o Formal Policy and o Network Topology Procedures o Firewall Audit o Legal Review of all o Antivirus Audit BBA’s Security Management Physical Controls Practices o Physical Security o Defined Roles and o Disposal of Media and Responsibilities Reuse o Access to Information o Audit Trail
Administrative Controls Technical Controls o ePHI not addressed in o Missing Patches and Business Continuity and Updates on Tested Disaster Recovery Plan Systems o Lack of Risk Management Plan Security Management o Lack of Incident Practices Response Plan o Separation of Duties Physical Controls and Responsibilities o None
Include HIPAA ePHI in the Formal Policy of the Business Continuity and Disaster Recovery Plan (BCDR) that describes the creation, review, and testing of the HIPAA specific sections of the BCDR Plan and test the plan on an annual basis. Create and formalize Policy for an incident response plan and ensure the plan covers HIPAA security related issues as well as performance issues
Ensure Telnet is disabled for remote administrative access Use HTTPS instead of HTTP for remote administrative access In the configuration, specify the hosts (IP addresses) that are allowed to access the administrative console. Upgrade all software used to the latest versions. Make sure to keep all servers and systems patched to the latest patch levels. Create and implement encryption policy that addresses the current procedures for encryption
Create and implement Audit Trail policy and procedures Regularly review logs on all systems that contain ePHI Ensure security related logging and auditing occurs on a regular basis. Turn on "Audit Policy Change" for all Successful Policy Changes
Create and formalize the following policies: Software updates and patches o Policy review policy policy o Security awareness and Physical security policy training policy Disposable and media reuse o Risk manage policy policy o Adjust BCDR policy in Data classification policy include ephi Access to information policy o Policy for the creation of an Include ephi in remote access incident response plan policy o Testing of BCDR and incident EPHI backup policy response policy Audit trail policy o Firewall policy Monitoring policy o Antivirus policy
The server that houses HIPAA ePHI is located in a locked room in the HR Department. The room also houses additional PHI in paper form as well. Only authorized employees are allowed access to the room and the room is monitored by the employees who work around the room. There is a locked bin where sensitive information is stored that is destroyed on a regular basis. Room with PHI and ePHI is recorded 24 hours a day, seven days a week. Anytime the door is opened after 5:00 or before 8:00 on weekdays or on weekends, an email is sent to the HR Directors phone with pictures. The tape is then pulled and the reviewed to ensure that we did not have a breech.
Lewisville HR is paperless. We have a separate Laserfiche Server where all medical records and PHI is stored and only three HR employees have access. All other information that is created or downloaded is maintained on a separate drive that is housed on the same server. Only the ITS Security Administrator has access to Medical Server. HR staff opens all mail that comes to our central mail room that is not addressed to a specific individual or department/division. All electronic communications are sent using ZixMail encrypted mail system. Lewisville has adopted HIPAA policies and ITS Security policies to comply in compliance with HIPAA.
Recommend
More recommend
