HIPAA Compliance Training 2025
Video Transcription
Welcome to today's HIPAA compliance training provided by Doctors' Management. Today's training will give you a comprehensive overview of privacy and security regulations to ensure your practice fulfills the requirements established by HIPAA. Doctors' Management is a full-service consulting firm that helps physicians and healthcare professionals increase profits and productivity, mitigate compliance risks, and reduce stress for providers and staff. OSHA and HIPAA compliance is just one of the service lines we offer to assist practices by simplifying the business of medicine. The Health Insurance Portability and Accountability Act of 1996 was originally established to require the Department of Health and Human Services to adopt national standards for electronic healthcare transactions under the Administrative Simplification provisions. With the advancements in electronic technology in healthcare, Congress recognized the need to protect the privacy and security of health information and the rights of the individuals who are the subject of that information. Over a period of years, certain rules were developed and published in order to establish these protections and rights. We're going to review each of these rules and then dive deeper into the specifics and how they affect you. But first, let's look at the definitions of who must comply with HIPAA. Covered entities, and the businesses that provide services to them, must follow certain privacy standards for how PHI can be used and disclosed. Covered entities include healthcare providers, health plans, and healthcare clearinghouses; clearinghouses are organizations that translate written doctor's notes into computerized data. Business associates are entities that perform functions, activities, or services on behalf of a covered entity that may involve the use or disclosure of protected health information.
An example would be a third party that provides services such as information technology, claims processing, or legal and financial services. Covered entities must have business associate agreements with all business associates. Hybrid entities are organizations that offer some healthcare-related and some non-healthcare-related services. An example would be a grocery store that also has a pharmacy. Anyone who has exposure to PHI is responsible for complying with HIPAA. Exchanging health information between providers, clearinghouses, and health plans is not always easy. The goal of administrative simplification is to standardize healthcare transactions to make data more easily accessible and to reduce potential costs through automation. Administrative simplification also serves to improve the patient experience by giving consumers a clearer understanding of their payments and financial liability. A transaction is defined as an electronic exchange of information between two parties to carry out financial or administrative activities related to healthcare. An example would be a provider sending a claim to a health plan for payment of medical services. The Department of Health and Human Services adopted standard transactions for the electronic exchange of healthcare data related to claims, benefits, and payments. Covered entities that conduct any of these transactions electronically must use an adopted standard from one of the organizations accredited by the American National Standards Institute. Health and Human Services adopted specific code sets for diagnoses and procedures used in all transactions. Code sets inform diverse healthcare functions, from billing to tracking public health. Code sets classify diagnoses, procedures, diagnostic tests, treatments, and equipment and supplies. HIPAA requires that employers have standard national numbers that identify them on standard transactions.
The Employer Identification Number, issued by the Internal Revenue Service, was selected as the identifier for employers. The NPI is a unique 10-digit identification number for covered healthcare providers. This number remains the same even if a provider has a change of name, address, or other information. The purpose of the Privacy Rule is to protect individually identifiable information that relates to condition, treatment, or payment. Privacy is the foundation of HIPAA and is the underlying principle that determines how and when we can use or disclose an individual's PHI. It also grants patients the right to keep their information confidential. Protected health information, or PHI, is any data that can be linked to an individual concerning their health or payment. In general, PHI cannot be shared without authorization unless it is shared with the patient themselves; for treatment, payment, or healthcare operations; when the patient gives informal consent, is incapacitated, or is in an emergency situation and the disclosure is in the best interest of the patient; for public interest and benefit activities, such as a court order; or as an unintentional disclosure that results from permitted uses or disclosures. All other reasons to disclose PHI would require an authorization. HIPAA gives individuals very important rights that must be respected. These include the right to access electronic copies of their PHI, amend or update their information, receive an accounting of all disclosures of their information, and trust that PHI will be transmitted with the appropriate restrictions and safeguards. As a covered entity, you have the responsibility to share these rights with individuals by providing written notice of rights, obtaining signed acknowledgment, and directing patient questions and concerns to your practice's HIPAA Privacy Officer. As a covered entity, your organization has a responsibility to provide notice to patients including what PHI is used and how it is shared.
Practices must attempt to get a signature acknowledging the offer or receipt of the notice of privacy practices. Should a patient or personal representative request access to records, you should verify the identity of the requester, require the request in writing, have the provider review the request, and respond within 30 days of the request. Patients also have the right to file complaints, and the notice of privacy practices must inform patients how to do so. The name or title and phone number of a contact person at the office of the covered entity and the contact information for the Office for Civil Rights should also be included. The Department of Health and Human Services issued a final rule modifying the Privacy Rule under HIPAA and the HITECH Act. Specifically, it prevents information about an individual's reproductive health care from being shared without the individual's permission in certain circumstances. The final rule became effective on June 25, 2024. The compliance date, with the exception of the Notice of Privacy Practices language, was December 23, 2024. Compliance with the Notice of Privacy Practices language is required by February 16, 2026. The Office for Civil Rights plans to finalize changes to the HIPAA Notice of Privacy Practices to address uses and disclosures regarding the confidentiality of substance use disorder records that are also protected by Part 2 in an upcoming final rule modifying the HIPAA Privacy Rule. The Supreme Court's overturning of Roe v. Wade placed lawmaking in the hands of the states in regard to abortion. If an individual lives in one state and travels to another state to receive lawful health care, neither the provider nor the health plan can share that information if someone tries to investigate that individual for obtaining that health care. The rule's new protections are intended to ensure that patients can obtain care without fear that their medical records will be used against them or their providers.
It also ensures that providers can speak freely with their patients to deliver high-quality care. HHS recognizes that there may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the Privacy Rule, a person authorized under state, tribal, or military law to act on behalf of the individual in making health care-related decisions is considered the individual's personal representative. Protected health information includes any information that would allow the matching of someone's identity with information about that person's health or payment for health care. The Minimum Necessary Principle is a cornerstone of the Privacy Rule and is based on confidentiality practices in common use today. The Minimum Necessary Principle requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI. This includes keeping uses and disclosures to the minimum necessary to perform the function and using limited data sets where possible. PHI may be found in health care records, demographic information, payment information, or insurance claims. The list is endless. This slide shows an example of a billing statement from a health care provider, which includes a patient's identifiable information. Those identifiers have been highlighted. This slide shows an example of an appointment email, and again the patient identifiers have been highlighted. This slide shows an example of a patient's X-ray. The personal identifiers have been highlighted. It is important to minimize screens and monitors that expose a patient's information to prevent unauthorized access. Patients expect that their medical records and data will be kept safe and secure, regardless of how many hands touch them.
The purpose of the Security Rule is to maintain the integrity of medical records, ensure the availability of PHI, and protect patient confidentiality. As a covered entity, you have the responsibility to secure any confidential information related to a patient, such as names, dates, diagnoses, and medications. You are also expected to safeguard information from misuse. The designated privacy officer is responsible for developing and implementing the security policies and procedures for the practice or facility, and employees should know who that person is for their location. In today's technology-driven world, it's necessary for information to be shared electronically to perform essential operating functions. This presents a greater possibility for the information to be leaked or misused. There are three major categories of security safeguards covered under the Security and Omnibus Rules of HIPAA: administrative, technical, and physical safeguards. Anyone who comes into contact with electronic PHI must follow these safeguards to protect the confidentiality, integrity, and availability of health care information. The Security Rule defines administrative safeguards as actions, policies, and procedures designed to manage the security measures that protect electronic PHI, and to guide the conduct of the covered entity's workforce in protecting that information. Administrative safeguards consist of two segments: standards and implementation specifications. Standards are high-level objectives defined under the safeguard, and implementation specifications are actionable objectives needed to meet the standard's requirements. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed, and a covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. Physical safeguards are a crucial piece of a health care organization's larger data security plan.
They must be implemented in a way that balances and works with administrative and technical safeguards. Under the HIPAA Security Rule, covered entities must implement technical policies and procedures for computing systems that maintain personal data to limit access to only those authorized individuals who have access rights. Access control means carefully regulating access to electronic PHI. Audit controls refer to the use of systems to record and monitor all activity related to electronic PHI. Integrity controls involve ensuring that electronic PHI and other health data are not destroyed or altered by human or electronic error. Person or entity authentication requires users to authenticate before gaining access to electronic PHI, and transmission security aims to prevent unauthorized access to electronic PHI while it is being transmitted electronically. A security risk analysis is required by HIPAA, but that doesn't mean you can conduct only one analysis and be compliant. Covered entities must implement policies and procedures to detect, prevent, contain, and correct security violations. There are four implementation specifications in this standard that outline what a covered entity needs to do to ensure compliance. An inadequate security risk analysis is the most commonly cited HIPAA deficiency by the OCR. The Omnibus Rule of 2014 gave individuals more rights to access their own personal health information. The Omnibus Rule also required health care providers to update their business associate agreements, obtain assurance from business associates that they are in compliance with the HIPAA Security Rule, and confirm that the business associates have updated their notices of privacy practices. The tiered penalties against organizations that violate HIPAA and HITECH were updated, and the extent of enforcement was increased. The HITECH Act was more of a sweeping reform than the modifications made by the Omnibus Rule.
Among other measures, the HITECH Act extended the reach of the HIPAA Security Rule to business associates of covered entities, who also had to comply with certain Privacy Rule standards and the new Breach Notification Rule. The Act also introduced tougher penalties for HIPAA compliance failures. While many health care providers wanted to transition from paper to electronic records, the cost was prohibitively expensive. Prior to the HITECH Act, only 10% of hospitals had adopted electronic health records. The HITECH Act introduced incentives to encourage hospitals and other health care providers to make the change; had the Act not been passed, many health care providers would still be using paper records. A breach is an impermissible use or disclosure that compromises the security or privacy of unsecured PHI. Unsecured PHI is any protected health information that is not secured through a technology or methodology specified by Health and Human Services that renders the PHI unusable, unreadable, or indecipherable to unauthorized individuals. The only two approved methods to secure PHI are encryption and destruction. Breaches should be reported without delay, and a practice must establish guidelines for reporting a breach. There are three exceptions to the Breach Notification Rule.
Number 1 – Unintentional acquisition, access, or use of PHI by a workforce member acting in good faith within the scope of their authority, where they do not further disclose the PHI. An example of this would be a technician who opens the wrong patient chart while carrying out authorized duties. The viewing of PHI was unintentional and occurred during the course of normal duties, so the exception applies.
Number 2 – Inadvertent disclosure to an authorized person at the same organization, where the PHI is not further disclosed in a manner not permitted by the rule. An example would be a nurse who emails the wrong lab results to a doctor, and the doctor notifies the nurse and deletes the email.
The exception applies because both the doctor and the nurse are authorized to access PHI, they work at the same practice, and the doctor did not further share the information.
Number 3 – Inability to retain PHI, which applies when the organization disclosing PHI believes, in good faith, that the unauthorized person receiving the information would not have been able to retain it. An example would be a clinic that mails explanation of benefits letters to the wrong people, and the post office returns some of the letters unopened. The addressees who returned the letters did not see or retain the information inside those envelopes, so the exception applies. However, the explanations of benefits that were not returned should be treated as potential breaches.
A HIPAA risk assessment assesses threats to the privacy and security of PHI, the likelihood of each threat occurring, and the potential impact of each threat, so that it is possible to determine whether existing policies, procedures, and security mechanisms are adequate to reduce risk to a reasonable and appropriate level. It is recommended to review risk assessments and risk management practices once every three years or whenever there is any significant change to workplace processes or design. If you do have a confirmed unauthorized disclosure of protected health information, you should conduct an assessment to determine what type of PHI was involved, who the unauthorized person or organization was, whether the PHI was actually viewed or acquired, and to what extent you have mitigated the risk of a breach. The Breach Notification Rule requires you to notify affected patients, HHS, and, in some cases, the media. When notifying affected individuals following the discovery of a breach, covered entities must provide this notice in written form by first-class mail, or by email if the affected individual has agreed to receive such notices electronically.
You must notify authorities of most breaches without unreasonable delay and no later than 60 days after discovering the breach. If a breach affects fewer than 500 patients, notifications can be submitted to HHS annually, but if the breach affects 500 or more individuals, the breach report must be sent within 60 days. Your practices, policies, and procedures may need to be modified to keep up with the specifics of HIPAA requirements as industry practice standards and technology change. For example, one of our practices recently updated the Notice of Privacy Practices provided to patients to include language regarding the use of recording devices during intake, as this has become more common at that practice. It's important to know and review the HIPAA requirements frequently. Inspections may result from a response to a complaint and may be random or routine. HIPAA does provide advance notification for inspections. Take a moment to look at this interaction between employees. The second employee's response is inaccurate. We are contractually and legally obligated to comply with HIPAA policies and regulations. Failure to protect health information can result in fines or penalties associated with violating federal medical privacy laws, medical identity theft, and loss of customer or patient trust. To remain HIPAA compliant, your organization must apply appropriate sanctions against employees who fail to comply with security policies and procedures. This means an organization can discipline employees, up to and including terminating employment, for failing to follow HIPAA policies and procedures. Civil penalties are usually issued in cases where the offender was unaware they were committing a HIPAA violation. There are four categories used for the civil penalty structure. Penalty amounts are adjusted annually to account for cost of living increases. There are four tiers of violations based on the level of culpability.
The last update applies to cases assessed on or after August 8, 2024. Criminal penalties are usually issued in cases where individuals knowingly obtain or use PHI without permission, and those violations and penalties fall under three tiers. Criminal penalties can include jail time and monetary fines. Even in instances of unintentional HIPAA violations, the consequences can be severe. HIPAA compliance involves many different tasks, including policy management, contract management, and breach and incident reporting, but the step that makes the biggest difference in creating compliance day-to-day is training. HIPAA is a civil right, and all members of the team have a responsibility to protect PHI. HIPAA's training requirements are not as rigid as those of OSHA, but most practices find it helpful to create a training schedule that is consistent for both. Both the Privacy and Security Rules have training requirements covering security reminders, the handling of PHI, and documentation of this training. A covered entity must train all members of its workforce on its policies and procedures with respect to PHI soon after they start their job. HIPAA does not require annual training, but it recommends making training an ongoing part of regular operations to ensure the team retains the information. It's not enough to train your team: if the training is not documented, it may as well not have happened. Documentation proves compliance should there be an audit or investigation. The key to HIPAA training is that employees are given the information they need to successfully do their job and comply with HIPAA regulations. This concludes the HIPAA compliance training provided by Doctors' Management in collaboration with the American Academy of Dermatology. Thank you again for partnering with us to ensure your practice maintains HIPAA-compliant policies and procedures within your organization.
Video Summary
The HIPAA compliance training provided by Doctors' Management offers a thorough understanding of the privacy and security regulations necessary for healthcare practices. HIPAA, established in 1996, set national standards for electronic healthcare transactions, emphasizing the protection of health information privacy and security. This training covers key components like the Privacy Rule, which safeguards individually identifiable health information, and the Security Rule, which ensures the confidentiality of electronic PHI through administrative, technical, and physical safeguards.

Additionally, the rules surrounding breach notifications, individual rights to access their health information, and the roles of covered entities and business associates are explained. The training highlights the importance of maintaining a compliance culture, ensuring ongoing staff education, and documenting practices to meet HIPAA standards. Overall, it emphasizes the legal responsibilities and potential penalties for non-compliance, stressing the importance of safeguarding patient health information within the healthcare system.
Keywords
HIPAA compliance
privacy regulations
security regulations
health information
breach notifications
compliance culture
Legal notice
Copyright © 2025 American Academy of Dermatology. All rights reserved.
Reproduction or republication strictly prohibited without prior written permission.