GRIC HIPAA PDF
Summary
This document details the HIPAA guidelines, including the different titles of the HIPAA act and its coverage. It also covers cyber security, and phishing, and prevention techniques.
Full Transcript
HIPAA/HITECH, FWA, NSA, and Phishing

HIPAA is enforced by the Office for Civil Rights, a division of Health and Human Services (HHS).

PURPOSE:
1. Ensures that employees continue receiving health insurance coverage when they are between jobs.
2. Secures patient data to prevent healthcare fraud.
3. To adopt standards to reduce the paperwork burden for healthcare organizations.
4. Guarantee security and privacy of health information.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT - 1996
- HIPAA requires covered entities and business associates to adopt processes and procedures to ensure the CIA (Confidentiality, Integrity, Availability) of patient information.
- It is our responsibility to secure information in every form and keep patient information safe.

COVERED ENTITY
An individual or group who electronically transmits any health information as per the standards mentioned by HHS (Health and Human Services). Examples of covered entities are health plans, clearinghouses, and healthcare providers. A covered entity and its business associates may use and disclose PHI for its own treatment, payment, and healthcare operations activities.

BUSINESS ASSOCIATE
A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. AGS Health is a Business Associate, and our clients are covered entities.

Protected Health Information (PHI)
PHI is any health information that can be related to the past, present, or future health status of an individual. This could be created, collected, transmitted, or maintained by a HIPAA-covered entity. There are 18 PHI identifiers:
- Names
- Numbers
- Dates
- URLs
- Addresses / Zip Codes / Geocodes
- Account Numbers
- IP Addresses
- Phone Numbers
- Certificate / License Numbers
- Social Security Numbers
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Fax Numbers
- Device Identifiers
- Facial Images
- Email Addresses
- Vehicle Identifiers
- Any other unique identifiers

NPP (Notice of Privacy Practices)
A document that tells patients, employees, or clients how their health information may be used and shared and lists their health privacy rights related to Protected Health Information (PHI). It also addresses the security and privacy of health data.

HIPAA HISTORY TIMELINE
- August 1996 - HIPAA signed into law by President Bill Clinton.
- April 2003 - Effective date of the HIPAA Privacy Rule.
- April 2005 - Effective date of the HIPAA Security Rule.
- March 2006 - Effective date of the HIPAA Breach Enforcement Rule.
- September 2009 - Effective date of the Breach Notification Rule.
- March 2013 - Effective date of the Final Omnibus Rule.

HIPAA TITLE INFORMATION
Title I: HIPAA Health Insurance Reform
Protects health insurance coverage for workers and their families who change or lose their jobs. It limits new health plans' ability to deny coverage due to a pre-existing condition.

Title II: HIPAA Administrative Simplification
Prevents health care fraud and abuse; medical liability reform; administrative simplification that requires the establishment of national standards for electronic health care transactions and national identifiers for providers, employers, and health insurance plans.

Title III: HIPAA Tax Related Health Provisions
Provides guidelines for pre-tax medical spending accounts. It provides changes to health insurance law and deductions for medical insurance.

Title IV: Application and Enforcement of Group Health Plan Requirements
Provides guidelines for group health plans. It provides modifications for health coverage.

Title V: Revenue Offsets
Governs company-owned life insurance policies. Makes provisions for treating people without United States citizenship and repeals the financial institution rule to interest allocation rules.

Title II of HIPAA is relevant for AGS Health.

Privacy Rule
Protects all individually identifiable health information (IIHI) or Protected Health Information (PHI) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

Security Rule
Protects all individually identifiable health information (IIHI) or Protected Health Information (PHI) in electronic form (ePHI) created, used, received, maintained or transmitted by a covered entity / business associate.

3 REQUIRED SAFEGUARDS TO BE IMPLEMENTED (Security Rule):

ADMINISTRATIVE SAFEGUARDS
- Policies and procedures implemented to protect the sanctity of ePHI. These cover training and procedures for employees regardless of whether the employee has access to PHI or not.
- e.g. Acceptable use policy, GRIC Policies in Pulse: https://pulse.agshealth.com/docs.html?screen=gric, awareness training for all employees about GRIC policies & procedures.
- Taking appropriate disciplinary action for non-compliance/violation.
- Risk analysis and management is required.

TECHNICAL SAFEGUARDS
- Practices need procedures and the right software and equipment to protect the PHI. This must include technical policies and procedures to allow access only to required individuals based on job responsibilities.
- e.g. Role-based access.
- Encrypting PHI before transmitting over an electronic network.
- Integrity of data - to protect from improper alteration.

PHYSICAL SAFEGUARDS
- Physical measures, policies, and procedures to protect a covered entity's or a business associate's electronic information systems and buildings and equipment from natural and environmental hazards and unauthorized intrusion.
- e.g. All employees must wear their ID/Access card while on office premises.
- Ensure the emergency escape route map / ERT members / emergency contact numbers are displayed.

HIPAA's Administrative Simplification
Requires HHS to establish national standards for electronic health care transactions for all providers, healthcare plans and employers. To reduce paperwork and streamline business processes across the health care system, HIPAA set national standards for electronic transactions, code sets, unique identifiers, and operating rules.

Code sets
Under HIPAA, HHS adopted specific code sets for diagnoses and procedures used in all transactions. Code sets classify medical:
- Diagnoses
- Procedures
- Diagnostic tests
- Treatments
- Equipment and supplies

Unique Identifiers
HIPAA establishes and requires unique identifiers for:
- Employers - EIN, or Employer Identification Number, is issued by the Internal Revenue Service and is used to identify employers in electronic transactions.
- Providers - NPI, or National Provider Identifier, is a unique 10 digit number used to identify health care providers.
- Health plans - There is no longer an adopted standard to identify health plans.
- Patients - There is no adopted standard to identify patients.
NPIs and EINs must be used on all HIPAA transactions.

Electronic Transactions
A health care transaction is an exchange of information between two parties to carry out financial or administrative activities. Examples of transaction code sets are:
- Payment and remittance advice
- Claims status
- Eligibility
- Coordination of benefits
- Claims and encounter information
- Enrollment and disenrollment
- Referrals and authorizations
- Premium payment

Operating Rules
Operating rules specify the information that must be included when conducting standard transactions, making it easier for providers to use electronic means to handle administrative transactions.
- Compliance date for Eligibility of a Health Plan and Health Claim Status
- Compliance date for Health Care Electronic Funds Transfers (EFT) and Remittance Advice (ERA)

A covered entity is permitted, but not required, to use and disclose protected health information without an individual's authorization for the following purposes or situations:
- To Individuals: A covered entity may be permitted to disclose protected health information to the individual who is the subject of the information.
- Treatment, Payment, and Healthcare Operations: A covered entity may use and disclose PHI for its own treatment, payment, and health care operations activities.
- Public Interest and Benefit Activities: The Privacy Rule permits use and disclosure of protected health information, without an individual's authorization or permission, for public interest purposes and for benefit activity purposes. For example, when required by law, when needed for public health activities, etc.

Authorized Disclosure
A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.

HIPAA Minimum Necessary Rule
Under the HIPAA minimum necessary rule, HIPAA-covered entities are required to make reasonable efforts to ensure that uses and disclosures of PHI are limited to the minimum necessary information to accomplish the intended purpose of a particular use or disclosure.

HIPAA Disclosure Accounting
HIPAA Disclosure Accounting or Accounting of Disclosures (AOD) is the action or process of keeping records of disclosures of PHI for purposes other than Treatment, Payment, or Healthcare Operations. Covered entities are required by law to provide patients a list of all the disclosures of their PHI made outside of TPO. The maximum disclosure accounting period is six years immediately preceding the accounting request.

HIPAA HITECH
The HIPAA Privacy Rule was modernized with the inception of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This act was passed by Congress in 2009. Some of the key updates to HIPAA by HITECH are:
- Business Associates are directly accountable for HIPAA violations.
- Increased penalties for HIPAA violations.
- Patients were given the option of obtaining health and medical records in electronic form if the covered entities maintained it in electronic form.
- Provided rules for addressing data breaches.

HIPAA OMNIBUS Rule
The HIPAA Omnibus Rule of 2013 aimed to safeguard patient privacy and protect patients' health information in an increasingly digital world. The Omnibus Rule contains edits and updates to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules.
- Gave more rights to individuals to access their own ePHI.
- Broadened the definition of business associates; they can now be audited or fined directly for noncompliance.
- Expanded the requirements of the privacy and security rules to physicians' business associates and their subcontractors.
- Established new limitations on how organizations could use personal health information for marketing and fundraising.

What is a breach?
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

Who needs to be notified?
The client needs to be notified immediately after the identification or discovery of a breach, after discussing with the GRIC Team.

When is notification mandatory?
Any breach identified needs to be reported to the GRIC Team and analyzed using the four-factor evaluation, and the client must be kept informed. Breaches affecting more than 500 individuals must be reported to the media and must also be reported to DHHS no later than 60 days after discovery of the breach.

Check the four-factor evaluation while analyzing a breach:
1. The nature and extent of the PHI involved
2. Whether the PHI was actually acquired or viewed
3. The extent to which the risk to the PHI has been mitigated
4. The unauthorized person who received the PHI

We are required to take steps as per the BAA (Business Associate Agreement), notify our clients and end clients, and take appropriate steps to address such a breach.

PREVENTION TECHNIQUES FROM UNAUTHORIZED DISCLOSURE
- It is crucial to exercise caution when sending patient information via email or fax. The approved fax cover sheet must be used when faxing information containing PHI.
- Confirm and verify the intended recipient's contact information before sending.
- If using pre-programmed numbers or email addresses, verify that they are still correct.
- Notify the recipient to expect the fax or email and secure the email when sending.
- Use encryption when sharing email with PHI by putting the keywords Encrypt, Encrypt:, Secure, or Secure: onto the subject line.

OTHER COMMON HIPAA VIOLATIONS
1) Uploading incorrect medical records to the payor website / sharing unnecessary medical records with the payor
2) Claims sent to an incorrect payor / address
3) Improper access to medical records
4) Loss of devices such as laptops, storage devices, etc.

Scenarios that can result in a BREACH

1. Updating/changing patient details without proper validations
Daniel updates the mail address of an incorrect patient on the billing system. What would this result in?
a) Unauthorized disclosure of sensitive information and potential HIPAA violation
b) No disclosure of sensitive information
c) Incorrect billing system
All the patient correspondence will be received by an incorrect patient, which will result in an unauthorized person receiving sensitive information.

2. Sending FAX to an incorrect number
Many incorrectly faxed the clinicals or the medical records to an incorrect payer while working on an unauthorized initiation for the patient. What would this result in?
a) The payer will not be able to recognize the patient, hence it will not appear for auth
b) There will be a delay in obtaining the auth for the patient
c) Unauthorized disclosure of sensitive information and potential HIPAA violation
Per the Security Rule, the privacy of individual health information should be protected, and here we have sent the clinicals to an incorrect payer.

HIPAA - WORK FROM HOME
As you encounter PHI in the workplace, here are a few guidelines to keep in mind:
- Always follow GRIC policies
- Never connect any external devices to the
- Use a dedicated workspace and do not share your system with your family/friends
- Ensure to log off/lock your system when moving away from your desk
- Report any violations or breaches immediately to the GRIC team

CIVIL PENALTY SYSTEM FOR VIOLATING HIPAA
MAX. ANNUAL PENALTY: $1,919,173
- Tier 1: Lack of Knowledge - $127 - $63,973
- Tier 2: Reasonable Cause - $1,280 - $63,973
- Tier 3: Willful Neglect - Corrected - $12,794 - $63,973
- Tier 4: Willful Neglect - Not Corrected - $63,973

CRIMINAL PENALTIES FOR VIOLATING HIPAA
The criminal penalties for knowingly violating HIPAA are imposed on individuals who have obtained or disclosed PHI without authorization (usually) from their covered entity employer.
Penalty structure for the Department of Justice:
- Basic penalty - Fine up to $50,000, imprisonment up to 1 year, or both
- Committed under false pretenses - Fine up to $100,000, imprisonment up to 5 years, or both
- Committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain or malicious harm - Fine up to $250,000, imprisonment up to 10 years, or both

FRAUD, WASTE & ABUSE
1. Fraud - intentionally submitting false information to the government contractor to get money/benefit (ex. billing for services not rendered, billing for nonexistent prescriptions, knowingly altering claim forms to receive a higher payment)
2. Waste - overusing healthcare services carelessly/unnecessarily (ex. ordering excessive diagnostic tests, prescribing medications without validating if the member still needs them)
3. Abuse - actions that may directly / indirectly result in unnecessary costs to the Medicare program

NSA and its Purpose
NSA - The federal No Surprises Act became effective on Jan. 1, 2022.
Purpose of NSA:
- To help patients understand healthcare costs.
- To minimize unforeseen or surprise medical bills for patients.

Surprise Billing / Balance Billing
The out-of-network provider could bill consumers for the difference between the charges the provider billed and the amount paid by the consumer's health plan.

What are the protections the patient will have under the No Surprise Billing Act?
- No surprise bills for emergency services, even when they are received from an out-of-network provider.
- No out-of-network charges for services like anesthesiology and radiology when they are furnished by out-of-network providers for a patient's visit to an in-network facility.
- Providers / facilities are required to provide the applicable billing protections and inform the process in case of a billing violation.
- The patient's consent should be obtained for being balance billed by an out-of-network provider.

Cyber Security and Phishing

What is Cyber security?
Cyber security or information technology security is defined as the technical measures that are followed to protect computers, networks, programs, services and data from unauthorized access or attacks.

When does it occur?
Cyber attacks occur due to the vulnerabilities in the assets or in the process of which we perform our daily operations like

WHY IS CYBERSECURITY IMPORTANT FOR US?
It safeguards all types of data against theft and damage.

Examples of Cyber attacks
- Brute force attack
- Social engineering / cyber fraud
- Phishing attacks
- Malware, spyware, adware
- Ransomware

PHISHING
Phishing is a common type of cyber attack in which criminals create authentic-looking emails or websites in order to trick victims into disclosing personal or financial information. Phishing scams can be carried out via phone, text, or social networking sites, but email is the most used method. Be wary of any official-looking email or phone call that requests personal or financial information.

FABULOUS CHECK FOR IDENTIFYING PHISHING EMAILS
- From email address - Be careful before actioning emails from an unknown sender or a sender masquerading as a known person. Check the name as well as the domain name of the From address. Domain names could look closely like known domain names. It is possible to receive email as "On behalf of" [email protected] or [email protected].
- Attachment - Unexpected attachment. Use the Preview option to check the attachment before opening the attachment from the email.
- Bulk emails - Addressed to a group, not a personalized greeting.
- URLs - Phishing emails will invariably ask the recipient to click a URL, normally linked in a button. Hover the mouse over the box to check the URL linked, or better, never click a URL from emails. Copy the URL and paste it in a new browser window so that you will be aware of the website.
- Lousy spelling and grammar mistakes. Phishers usually make mistakes.
- Unsecure website - Landing websites will invariably be http and not https. Don't log in or submit any information if the website does not show the lock symbol.
- Story - Will revolve around a pertinent story: WFH currently, income tax refund around the tax filing due date, O365 maintenance, etc.

INCIDENT REPORTING
All employees and vendor staff are encouraged to report incidents / events / vulnerabilities in the system as and when they come across them. They can report the incidents via:
- GRIC CRM in Pulse (anonymous reporting is also available)
- Email to [email protected]
- Call the Compliance Hotline: India Hotline# 1800 102 0129 | US Hotline# 1 877 235 3570
- Jaganathan T [email protected]
Any issue / complaint identified by a client or internally which can be a potential HIPAA violation or breach needs to be reported to the GRIC team immediately.

EVERYDAY DO'S AND DON'TS
- Always encrypt email when sharing sensitive information using any of the keywords in the email subject: Encrypt, Encrypt:, Secure, Secure:
- Ensure antivirus software is up to date
- Always ensure that the system is updated with the latest security updates (patches)
- Keep your usernames and passwords secure
- Shred PHI information if in paper form if unattended
- Use the Login Credential Manager (LCM) for managing login credentials
- Follow the client guidelines and policies while working on or accessing their systems
- Report any violations or breaches immediately to the GRIC Team