Sources of Law: HIPAA (Health Insurance Portability and Accountability Act of 1996) - PowerPoint PPT Presentation



SLIDE 1

How the City of Lewisville Has Complied in a Paperless World

SLIDE 2

Sources of Law

• HIPAA (Health Insurance Portability and Accountability Act of 1996)
  • Privacy Rule
  • Security Rule
  • Enforcement Rule
  • Genetic Information Nondiscrimination Act of 2008
  • Health Information Technology for Economic and Clinical Health Act
  • Omnibus Rule (General Compliance Date = September 23, 2013)
• Overseen by Centers for Medicare and Medicaid Services (CMS)
• A federal law designed to:
  • Give patients control over all Protected Health Information (PHI) that might be shared between health care providers & other covered entities
  • Ensure confidentiality of PHI
SLIDE 3

• The privacy rules issued under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) restrict the use and disclosure of protected health information (“PHI”) by covered entities, including group health plans, without express authorization except when necessary for treatment, payment or health care operations.
• The security rules issued under HIPAA set forth the requirements for protecting PHI when it is in electronic form.
• Final regulations were recently issued that implement amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”).
  • These regulations impact employers who sponsor self-insured group health plans, including medical, dental, vision, health care flexible spending accounts and health reimbursement arrangements, and certain employee assistance plans.

SLIDE 4

• Protected Health Information (PHI or ePHI) includes:
  • Individually Identifiable Health Information that is transmitted or maintained in electronic or any other media relating to:
    • a covered individual’s past, present or future physical or mental health or condition,
    • the provision of health care to the individual, or
    • the past, present, or future payment for the provision of health care to the individual
• City of Lewisville Examples
  • Enrollment Forms
  • COBRA Letters
  • Emails to employees with PHI
  • Claim files
  • Monthly bills
SLIDE 5

• Removal of certain identifiers so that the individual who is the subject of the PHI may no longer be identified
  • Names
  • Geographic subdivisions
  • Dates of service
  • SSNs
• Not discussing PHI with anyone other than the employee or those directly responsible for administering the plan, including payment of claims

SLIDE 6

• Privacy and Security Rules apply directly to “Covered Entities”, defined as:
  • Health Plan: defined as an individual or group health plan that provides (or pays the cost of) medical care
  • Group Health Plan: defined as an employee welfare benefit plan to the extent that it provides “medical care” to employees or dependents, if the plan has 50 or more participants or is administered by a person other than the employer; includes insured and self-insured arrangements.
  • Includes:
    • Medical, dental and vision coverage
    • Health flexible spending accounts
    • Health reimbursement arrangements
    • Some employee assistance plans and wellness programs
    • Governmental plans and church plans
SLIDE 7

A Hybrid Entity is a single legal entity:

• That is a Covered Entity and whose Covered Functions are not its primary functions
• Whose business activities include both covered and non-covered functions
• That designates healthcare components in accordance with the Privacy Rule

• Lewisville is a Hybrid Entity covering only the Health Plan and the EMS program

SLIDE 8

The City of Lewisville retains administrative and legal responsibilities and must ensure that:

• Designated healthcare components comply with the Privacy Rule (“erect firewalls”)
• Designated healthcare components do not disclose PHI to non-designated components (Human Resources to City Management)
• Employees who have responsibilities that include protected health information must not use or disclose PHI inappropriately and must all receive formal training

SLIDE 9

In February 2009, Congress and the President took the opportunity to add teeth to HIPAA. Buried in the mass of spending was the HITECH Act, a $19 billion program to promote IT data protection in the health care services.

SLIDE 10

• Health and Human Services Office of Civil Rights can impose civil penalties for violations regardless of intent
• Department of Justice can impose criminal penalties if a person knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule
  • Up to $50,000 and 1 year imprisonment
  • Up to $100,000 and 5 years imprisonment if done under false pretenses
  • Up to $250,000 and 10 years imprisonment if the intent is to sell, transfer or use the individually identifiable health information for commercial advantage, personal gain or malicious harm

SLIDE 11

• Contracted with Spohn Consulting to conduct a Security Audit
• The purpose of the audit was to evaluate the City of Lewisville infrastructure against a set of criteria defined in the HIPAA Final Security Rule.
• The Audit consisted of reviewing policies, procedures and practices to evaluate the administrative, physical and technical controls in place at the City of Lewisville. The audit examined all systems that either house or have access to ePHI.

SLIDE 12

SLIDE 13

• Administrative Controls
  • Formal Policy and Procedures
  • Legal Review of all BAAs
• Physical Controls
  • Physical Security
  • Disposal of Media and Reuse
• Technical Controls
  • Network Topology
  • Firewall Audit
  • Antivirus Audit
• Security Management Practices
  • Defined Roles and Responsibilities
  • Access to Information
  • Audit Trail
SLIDE 14

• Administrative Controls
  • ePHI not addressed in Business Continuity and Disaster Recovery Plan
  • Lack of Risk Management Plan
  • Lack of Incident Response Plan
• Physical Controls
  • None
• Technical Controls
  • Missing Patches and Updates on Tested Systems
• Security Management Practices
  • Separation of Duties and Responsibilities

SLIDE 15

• Include HIPAA ePHI in the Formal Policy of the Business Continuity and Disaster Recovery Plan (BCDR) that describes the creation, review, and testing of the HIPAA-specific sections of the BCDR Plan, and test the plan on an annual basis.
• Create and formalize a Policy for an incident response plan and ensure the plan covers HIPAA security-related issues as well as performance issues

SLIDE 16

• Ensure Telnet is disabled for remote administrative access
• Use HTTPS instead of HTTP for remote administrative access
• In the configuration, specify the hosts (IP addresses) that are allowed to access the administrative console.
• Upgrade all software used to the latest versions.
• Make sure to keep all servers and systems patched to the latest patch levels.
• Create and implement an encryption policy that addresses the current procedures for encryption

SLIDE 17

• Create and implement Audit Trail policy and procedures
• Regularly review logs on all systems that contain ePHI
• Ensure security-related logging and auditing occurs on a regular basis.
• Turn on "Audit Policy Change" for all Successful Policy Changes
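As an added example (not from this deck or the City's own tooling), the following PowerShell script checks a Windows host that houses ePHI against three of the audit recommendations above: Telnet disabled for remote administration (slide 16), "Audit Policy Change" success auditing turned on, and a regular review of audit-policy changes in the Security log (slide 17). It assumes an elevated session on Windows 8 / Server 2012 or later with English auditpol output; the function name and lookback window are my own choices.

```powershell
# Added example: read-only baseline check for the slide 16/17 findings.
# Assumes an elevated PowerShell session (auditpol and the Security log
# require it), Windows 8 / Server 2012+ for Get-NetTCPConnection, and
# English-language auditpol output. Function name is hypothetical.
function Test-EphiHostBaseline {
    param([int]$LookbackDays = 7)   # review window for policy-change events

    $findings = @()

    # Slide 16: Telnet must be disabled. Check the optional Telnet Server
    # service (TlntSvr) and, independently, any listener bound to TCP/23.
    $telnetSvc = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
    if ($telnetSvc -and $telnetSvc.Status -eq 'Running') {
        $findings += 'Telnet Server service (TlntSvr) is running'
    }
    $telnetListener = Get-NetTCPConnection -LocalPort 23 -State Listen `
        -ErrorAction SilentlyContinue
    if ($telnetListener) {
        $pids = $telnetListener.OwningProcess -join ','
        $findings += "A process is listening on TCP/23 (PID $pids)"
    }

    # Slide 17: "Audit Policy Change" must be enabled for successful changes.
    # auditpol prints one line per subcategory; 'Success' appears when set.
    $auditLine = auditpol /get /subcategory:"Audit Policy Change" |
        Where-Object { $_ -match 'Audit Policy Change' }
    if (-not ($auditLine -match 'Success')) {
        $findings += '"Audit Policy Change" success auditing is not enabled'
    }

    # Slide 17: review the logs regularly. Event ID 4719 is written whenever
    # the system audit policy changes; list who changed it in the window.
    $changes = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4719
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue
    foreach ($e in $changes) {
        # Properties[1] of a 4719 event is SubjectUserName (who made the change)
        $findings += "Audit policy changed $($e.TimeCreated) by $($e.Properties[1].Value)"
    }

    return $findings
}

$result = Test-EphiHostBaseline -LookbackDays 7
if ($result.Count -eq 0) { 'No findings' } else { $result }
```

Run it from a scheduled task on each ePHI host and keep the output with the audit-trail records the policy on slide 17 calls for; a non-empty result is a review item, not an automatic failure.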

SLIDE 18

Create and formalize the following policies:

• Policy review policy
• Security awareness and training policy
• Risk management policy
• Adjust BCDR policy to include ePHI
• Policy for the creation of an incident response plan
• Testing of BCDR and incident response policy
• Firewall policy
• Antivirus policy
• Software updates and patches policy
• Physical security policy
• Disposal and media reuse policy
• Data classification policy
• Access to information policy
• Include ePHI in remote access policy
• ePHI backup policy
• Audit trail policy
• Monitoring policy

SLIDE 19

SLIDE 20

SLIDE 21

• The server that houses HIPAA ePHI is located in a locked room in the HR Department. The room also houses additional PHI in paper form. Only authorized employees are allowed access to the room, and the room is monitored by the employees who work around it. There is a locked bin where sensitive information is stored; its contents are destroyed on a regular basis.
• The room with PHI and ePHI is recorded 24 hours a day, seven days a week.
• Anytime the door is opened after 5:00 or before 8:00 on weekdays, or on weekends, an email is sent to the HR Director’s phone with pictures. The tape is then pulled and reviewed to ensure that we did not have a breach.

SLIDE 22

SLIDE 23

• Lewisville HR is paperless. We have a separate Laserfiche Server where all medical records and PHI are stored, and only three HR employees have access.
• All other information that is created or downloaded is maintained on a separate drive that is housed on the same server.
• Only the ITS Security Administrator has access to the Medical Server.
• HR staff opens all mail that comes to our central mail room that is not addressed to a specific individual or department/division.
• All electronic communications are sent using the ZixMail encrypted mail system.
• Lewisville has adopted HIPAA policies and ITS Security policies to comply with HIPAA.

SLIDE 24

• Telephones – How do you know the person you are talking to is authorized to receive an employee’s PHI?
• Disposing of PHI – When you dispose of PHI (both hard copy and electronic), how can you be certain that it is appropriately destroyed?
• E-mail – How can you be sure PHI is secure when it’s sent via e-mail?
• Fax machines – When faxing PHI, how can you be sure the right person will read it on the other end?
• Mail – Sending PHI through the mail may have restrictions
• Storing PHI – Safeguarding PHI on computer databases, file cabinets, even laptop computers will have to follow procedure

SLIDE 25

• Do not let anyone use your username and password
• Log off of your computer when you walk away from it
• Do not use anyone else’s username and password
• Do not discuss private health information of any employee
• Make sure your HIPAA policies are up-to-date
• Make sure you have BAAs in place with all necessary third parties
• Make sure you update your privacy notice
• Make sure you provide your privacy notice to all employees, dependents and retirees

SLIDE 26

• The regulations are generally effective March 26, 2013, but group health plans and business associates have until September 23, 2013, to comply. Also, there is a special one-year transition period for implementing business associate agreements that comply with the regulations. This extension until September 23, 2014, is available to group health plans and business associates that have existing written agreements in place before January 25, 2013, assuming those agreements complied with the prior HIPAA privacy and security rules. The transition period will automatically terminate if the agreement is renewed or modified between March 26, 2013, and September 23, 2014.
• In order to comply with the regulations, group health plans will need to:
  • Enter into new or modified business associate contracts
  • Update their breach notification procedures
  • Modify and make available their notice of privacy practices
  • Revise their HIPAA policies and procedures to reflect the new HITECH requirements
  • Train the plan’s work force on the new requirements
SLIDE 27

mgaller@cityoflewisville.com – 972.219.3452