This presentation discusses how to comply with HIPAA and HITECH privacy laws. Learn key terms such as Protected Health Information, the Privacy Rule and the Security Rule as well as major changes brought by HIPAA and HITECH.
2. Today's Presenters
Andrew Lenardon, Director of National Accounts Indirect Solutions for North America at Shred-it
Andrew Lenardon is the Director of National Accounts Indirect Solutions for North America at Shred-it
International, Inc., where he brings over 15 years of sales and leadership experience. In his role, Lenardon
leads a team of professionals in helping Healthcare and Enterprise clients improve the security of how they
handle confidential records and identify wasteful spending that can be shifted to priorities such as information
security, compliance efforts and business efficiency. Lenardon has worked at Shred-it since 2006. A graduate
from McMaster University, Lenardon holds a B.Sc. in Biochemistry and currently resides in Toronto, Canada.
Chris Sheehan, Compliance Agent, Providence, Rhode Island
Chris has a combined 17 years of experience in the Records Management & Information Security industries. In
the past he has served on the Board of Directors and as Vice President of ARMA (Association of Records Managers
& Administrators). For the last five years Chris has worked with Federal & State governments in implementing
policies to assist with the prevention of fraud and the protection of identity. Certified in Massachusetts law with regard to
Mass Reg 201 CMR 17:00, Chris conducts Compliance Training for clients and assists with developing their Written
Information Security Plan (WISP). Chris conducts Information Sessions for a number of Colleges and Universities
to further educate administrators, faculty and the student body on information security and environmental
sustainability.
David Pinter, National Accounts Executive
David began his career at Shred-it over 12 years ago. He has been assisting healthcare organizations
with their compliance and document security efforts since 2003 when HIPAA was first launched. David is
a member of Shred-it’s National Accounts Healthcare Team where he provides new business
development support and consulting activities for customers in the Healthcare and Group Purchase
Organization spaces.
4. What is HIPAA?
• The Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations to have and
maintain safeguards to prevent intentional or unintentional use or disclosure of protected health information.
• It is the Federal law that requires health care organizations to “maintain reasonable and appropriate technical and
physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.”
• Specifically, the management of private information is detailed
through the Privacy Rule and the Security Rule. Both rules are
designed to protect an individual’s private and confidential information
by standardizing the rules for how it is used, handled, stored, etc.
5. What is HITECH?
• The Health Information Technology for Economic and Clinical Health
(HITECH) Act includes rules that impact organizations that operate
within HIPAA legislation.
• It is directly related to HIPAA because it imposes standards on the business associates of medical and
healthcare organizations, in addition to the standards HIPAA already imposes on covered entities (CEs). It was
part of the Reinvestment Act of 2009.
• This act requires that all organizations in the medical field apply “meaningful use” of technology that
demonstrates security efforts. This ensures that the confidentiality, integrity and availability of protected
data are not compromised.
6. Major Changes Brought on by HITECH Since 2009
• Enforcement has become more proactive: there are more penalties, they apply to smaller breaches, and they
reach more parties.
• The data that falls under the scope of protection has grown to include other personal information beyond EPHI.
• Stricter audits are now in practice.
• Every consumer now has a right to obtain a copy of their PHI without paying a fee.
• Business Associates are now required to comply with this act, not just Covered Entities.
• There are now more restrictions on the use of protected health information for marketing purposes.
7. Key Terms
• PHI and EPHI
• Covered Entity and Business Associate
• Security Rule and Privacy Rule
• Common Control
• Willful Neglect
8. PHI and EPHI
PHI: Protected Health Information
EPHI: PHI that has been converted in some way to electronic media
9. What is Considered PHI?
• Medical records
• Diagnosis of a certain condition
• Procedure codes on claim forms
• Claims data or information
• Explanation of Benefits (EOB)
• Pre-authorization forms
• Crime reports
• Coordination of benefit forms
• Enrolment information and forms
• Election forms
• Reimbursement request forms
• Records indicating payment
• Claims denial and appeal information
10. Covered Entity and Business Associate
Covered Entities (CEs) include health care providers, health care clearinghouses, and health plans that
electronically store, process or transmit electronic protected health information (EPHI).
Business Associates (BAs) include any person or organization that provides services to, or performs
functions on behalf of, a covered entity.
11. Privacy Rule & Security Rule
• The Privacy Rule
  • Establishes national standards to protect individuals’ medical records and other personal health information
  • Applies to health plans, health care clearinghouses, and those health care providers that conduct certain
    health care transactions electronically
  • Requires appropriate safeguards to protect the privacy of personal health information
  • Sets limits and conditions on the uses and disclosures that may be made of such information without
    patient authorization
  • Gives patients rights over their health information, including rights to examine and obtain a copy of their
    health records, and to request corrections
• The Security Rule
  • Establishes national standards to protect individuals’ electronic personal health information that is
    created, received, used, or maintained by a covered entity
  • Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality,
    integrity, and security of electronic protected health information
12. What is Common Control?
• A situation where a covered entity has direct or indirect power or influence over another entity’s actions
or policies.
• It places the onus on the CE to ensure that the outside BA it contracted is taking the necessary safeguards
and actions to protect the PHI of individuals.
13. What is Willful Neglect?
• Defined as “A tendency to be negligent and uncaring”
• In the context of HIPAA and HITECH, the term’s meaning differs from case to case.
• With regard to the health care industry, willful neglect is a failure to comply, or to perform certain
necessary tasks, that is either intentional or conscious.
• HITECH brought in harsher penalties for willful neglect.
14. How do organizations and individuals comply?
• Companies should explore the requirements of HIPAA Privacy
and Security Rules.
• Health care organizations must implement policies and
procedures related to accessing information.
• Business associates must adopt HIPAA-compliant practices.
15. Why is compliance important?
Patient privacy is very important, and people expect health care organizations to keep their information
secure, private and safe from breaches.
Compliance matters not only for the patient’s sake but for the company’s own interests as well. Beyond the
damage to your reputation, cases of willful neglect under HITECH carry a penalty of AT LEAST $50,000.00 per
violation, up to a total of $1.5 million in a calendar year.
Compliance is important on many levels regardless of the circumstances.
16. What happens if you don’t comply?
There are different penalties put into place by HIPAA and HITECH depending on the circumstances and situation.
Since HITECH came into the picture in 2009, the penalties have become harsher and less forgiving.
17. Security Breach
A major insurer in Tennessee had a massive breach in 2009 which affected over 1 million people. They settled
in court this year for $1.5 million.
• It involved the theft of 57 unencrypted computer hard drives.
On those hard drives were:
• Members’ names
• Social Security Numbers
• Diagnosis codes
• Dates of birth
• Health plan ID numbers
• The investigation showed a failure to implement appropriate safeguards for information. HIPAA/HITECH
require physical as well as digital safeguards, and both were missing in this situation.
• The company spent almost $17 million attempting to rectify the situation.
19. If a person… | They will be fined… | Or face imprisonment of…
Causes, uses or obtains individually identifiable information | Up to $50,000.00 | 1 year
Commits an offense under false pretences | Up to $100,000.00 | 5 years
Commits an offense with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm | Up to $250,000.00 | 10 years
20. What are some ways that you can avoid a violation or a breach?
Here are some tips for best practice…
21. Best Practices
Stay informed: Learn about HIPAA and HITECH and other privacy laws that impact your organization, and how to
stay compliant.
Establish a security plan: Document the flow of confidential information in your workplace, and make sure that
you have formal security policies in place.
Educate and enforce: Train your employees to understand and follow your information security policies. Update
staff on a regular basis and post your policy and guidelines as frequent reminders.
22. Best Practices
Limit access: Only authorized personnel should handle confidential documents.
Create a retention policy: Determine which documents you must keep and for how long. Clearly mark a
destruction date on all records in storage.
Eliminate risk: Introduce a Shred-All policy for all documents that are no longer needed, so that your
employees do not have to decide what is – or isn’t – confidential.
Secure destruction: Partner with a knowledgeable industry leader that specializes in secure information
destruction.
23. Who is Shred-it?
• Shred-it specializes in providing a tailored information destruction service that allows businesses to
comply with legislation and ensure that client, employee and confidential business information is kept
secure at all times.
• Through our strict chain-of-custody processes, reliable on-time service and a global network of local
service centers, Shred-it provides the most secure and efficient confidential information destruction
service in the industry.
25. Where can you find more information?
Sources
http://resource.shredit.com/LegislativeFactSheets
http://www.healthcareinfosecurity.com/
http://www.hipaasurvivalguide.com/
http://www.hhs.gov/
http://www.datamountain.com/resources/hipaa-hitech-compliance/hipaa-hitech-faq/