Identify potential impacts of a failure to log off or exit from the patient record.
Identify potential impacts of a failure to log off or exit from the patient record.
Read and Review Chapter 10 that is attached below
Pay special attention to the topics relating to workforce security, information access management, security awareness and training, and security incident procedures.
Based on these areas, define at least four different specific threats to our information security (beyond the example given), plus a way of managing or mitigating that threat and a plan for response in case the information does become breached by that threat type. Complete a table such as the following as part of your essay. The completed table needs to show the ability to apply the principles named in a real-life scenario. Your assignment should be at least three pages long. The first row has been completed as an example.
Type of standard or threat Method to reduce threat Response plan if threat is encountered
Access Establishment and modification: The facility considers how access to EPHI is established and modified. Each system user has a unique ID and password assigned by the institution. Passwords are not shared and must be changed every 90 days to prevent unauthorized access.
Employees are trained in appropriate access and password usage. Employee shared their ID and password with fellow employee who forgot theirs:
1. The relevant user’s ID and password are immediately disabled upon issue discovery. A new user ID will be established for that user.
2. The staff member is disciplined and given official warning to never share passwords.
3. System use and audit logs for that user are reviewed by IT and HIM manager.
4. Repeated breach will result in employee dismissal
Chapter 10 Privacy and Security of Health Records
Learning Outcomes
After completing this chapter, you should be able to:
? List HIPAA transactions and uniform identifiers
? Understand HIPAA privacy and security concepts
? Apply HIPAA privacy policy in a medical facility
? Discuss HIPAA security requirements and safeguards
? Follow security policy guidelines in a medical facility
? Explain electronic signatures
Understanding HIPAA
In Chapter 11 we will discuss various ways the Internet is being used for healthcare, including various implementations of EHR on the Internet, Internet-based personal health records (PHR), and remote access. In Chapter 12 we will explore the relationship of the EHR data to the determination of codes required for medical billing. Before moving to those topics it is prudent to understand HIPAA. HIPAA is an acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996.
The HIPAA law was intended to:
? Improve portability and continuity of health insurance coverage.
? Combat waste, fraud, and abuse in health insurance and healthcare delivery.
? Promote use of medical savings accounts
? Improve access to long-term care
? Simplify administration of health insurance
HIPAA law regulates many things. However, a portion known as the Administrative Simplification Subsection1 of HIPAA covers entities such as health plans, clearinghouses, and healthcare providers. HIPAA refers to these as covered entities or a covered entity. This means a healthcare facility or health plan and all of its employees. If you work in the healthcare field, these regulations likely govern your job and behavior. Therefore, it is not uncommon for healthcare workers to use the acronym HIPAA when they actually mean only the Administrative Simplification Subsection of HIPAA.
Note Covered Entity
HIPAA documents refer to healthcare providers, plans, and clearing-houses as covered entities. In the context of this chapter, think of a covered entity as a healthcare organization and all of its employees.
As someone who will work with patients? health records, it is especially important for you to understand the regulations regarding privacy and security. However, let us begin with a quick review of HIPAA, then study the privacy and security portions in more depth.
HIPAA implementation and enforcement is under the jurisdiction of several entities within the U.S. Department of Health and Human Services (HHS). This chapter will make extensive use of documents prepared by HHS.
Administrative Simplification Subsection
The Administrative Simplification Subsection has four distinct components:
1. Transactions and code sets
2. Uniform identifiers
3. Privacy
4. Security
HIPAA Transactions and Code Sets
The first section of the regulations to be implemented governed the electronic transfer of medical information for business purposes such as insurance claims, payments, and eligibility. When information is exchanged electronically, both sides of the transaction must agree to use the same format in order to make the information intelligible to the receiving system. Before HIPAA, transactions for nearly every insurance plan used a format that contained variations that made it different from another plan?s format. This meant that plans could not easily exchange or forward claims to secondary payers and that most providers could only send to a few plans electronically.
Eight HIPAA Transactions
HIPAA standardized these formats by requiring specific transaction standards for eight types of EDI or Electronic Data Interchange. Two additional EDI transactions are not yet finalized. The HIPAA transactions are:
1. Claims or Equivalent Encounters and Coordination of Benefits (COB)
2. Remittance and Payment Advice
3. Claims Status
4. Eligibility and Benefit Inquiry and Response 1Health Insurance Portability and Accountability Act, Title 2, subsection f.
5. Referral Certification and Authorization
6. Premium Payments
7. Enrollment and De-enrollment in a Health Plan
8. Retail Drug Claims, Coordination of Drug Benefits and Eligibility Inquiry
9. Health Claims Attachments (Not Final)
10. First Report of Injury (Not Final)
Standard Code Sets
In an EDI transaction, certain portions of the information are sent as codes. For the receiving entity to understand the content of the transaction, both the sender and the receiver must use the same codes. In most cases, these are not the nomenclature codes discussed in Chapter 2, but rather standardized codes used to effectively communicate demographic and billing information.
For example, in an insurance claim, charges for patient visits are sent as procedure codes instead of their long descriptions. The medical reasons for the procedure are sent in the claim as diagnosis codes. HIPAA requires the use of standard sets of codes. Two of those standards are:
? Diagnoses (ICD-9-CM) codes
? Procedure (CPT-4 and HCPCS) codes
You have already been introduced to the ICD-9-CM codes. CPT-4 and HCPCS codes will be discussed in Chapter 12.
There are additional codes sets for demographic and payment information. Under HIPAA, any coded information within a transaction is also subject to standards. Just a few examples of the hundreds of other codes include codes for sex, race, type of provider, and relation of the policyholder to the patient.
HIPAA Uniform Identifiers
You can see the importance of both the sending and receiving system using the same formats and code sets to report exactly what was done for the patient. Similarly, it is necessary for multiple systems to identify the doctors, nurses, and healthcare businesses sending the claim or receiving the payment. ID numbers are used in a computer processing instead of names because, for example, there could be many providers named John Smith.
However, before HIPAA, all providers had multiple ID numbers assigned to them for use on insurance claims, prescriptions, and so on. A provider typically received a different ID from each plan and sometimes multiple numbers from the same plan. This created a problem for the billing office to get the right ID on the right claim and made electronic coordination of benefits all but impossible.
HIPAA established uniform identifier standards to be used on all claims and other data transmissions. These include:
? National Provider Identifier This type of identifier is assigned to doctors, nurses, and other healthcare providers.
? Employer Identifier This identifier is used to identify employer-sponsored health insurance. It is the same as the federal Employer Identification Number (EIN) employers are assigned for their taxes by the Internal Revenue Service.
? National Health Plan Identifier This identifier has not yet been implemented, but when it is it will be a unique identification number assigned to each insurance plan and to the organizations that administer insurance plans, such as payers and third-party administrators.
HIPAA Privacy Rule
The HIPAA privacy standards are designed to protect a patient?s identifiable health information from unauthorized disclosure or use in any form, while permitting the practice to deliver the best healthcare possible. When the HIPAA legislation was passed, ?Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.?2
Note PHI
HIPAA privacy rules frequently refer to PHI or Protected Health Information. PHI is the patient?s personally identifiable health information.
Healthcare providers have a strong tradition of safeguarding private health information and have established privacy practices already in effect for their offices. For instance:
? ?By speaking quietly when discussing a patient?s condition with family members in a waiting room or other public area;
? By avoiding using patients? names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
? By isolating or locking file cabinets or records rooms; or
? By providing additional security, such as passwords, on computers maintaining personal information.
However, The Privacy Rule establishes, for the first time, a foundation of federal protections for the privacy of protected health information. The Rule does not replace federal, state, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices.?3
To comply with the law, privacy activities in the average medical facility might include:
? Providing a copy of the office privacy policy informing patients about their privacy rights and how their information can be used. 2 Guidance on HIPAA Standards for Privacy of Individually Identifiable Health Information (Washington, DC: U.S. Department of Health and Human Services Office for Civil Rights, December 3, 2002, and revised April 3, 2003). 3Ibid.
? Asking the patient to acknowledge receiving a copy of the policy or signing a consent form.
? Obtaining signed authorization forms and in some cases tracking the disclosures of patient health information when it is to be given to a person or organization outside the practice for purposes other than treatment, billing, or payment purposes.
? Adopting clear privacy procedures for its practice.
? Training employees so that they understand the privacy procedures.
? Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
? Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
Let us examine each of these points.
Privacy Policy
?The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their healthcare providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered healthcare providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and healthcare providers and exercise their rights.
?Covered entities are required to provide a notice in plain language that describes:
? How the covered entity may use and disclose protected health information about an individual.
? The individual?s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
? The covered entity?s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
? Whom individuals can contact for further information about the covered entity?s privacy policies.?4
The privacy policy must meet the requirements of HIPAA law and the use or disclosure of PHI must be consistent with the privacy notice provided to the patient.
Consent
The term consent has multiple meanings in a medical setting. Informed consent refers to the patient?s agreement to receive medical treatment having been provided sufficient information to make an informed decision. Consent for medical procedures must still be obtained by the practice.
4Ibid.
Figure 10-1 The patient acknowledges receipt of the medical facility?s privacy policy.
Under the Privacy Rule the term consent is only concerned with use of the patient?s information, and should not be confused with consent for the treatment itself. The Privacy Rule originally required providers to obtain patient ?consent? to use and disclose PHI except in emergencies. The rule was almost immediately revised to make it easier to use PHI for the purposes of treatment, payment, or operation of the healthcare practice.
Under the revised Privacy Rule, the patient gives consent to the use of their PHI for the purposes of treatment, payment, and operation of the healthcare practice. The patient does this by signing a consent form or signing an acknowledgment that he or she has received a copy of the office?s privacy policy. Figure 10-1 shows a patient receiving a copy of the medical facility?s privacy policy. The patient signs a form acknowledging receipt of the privacy policy.
Although most healthcare providers who see patients obtain HIPAA ?consent? as part of the routine demographic and insurance forms that patients sign, the rule permits some uses of PHI without the individual?s authorization:
? A healthcare entity may use or disclose PHI for its own treatment, payment, and healthcare operations activities. For example, a hospital may use PHI to provide healthcare to the individual and may consult with other healthcare providers about the individual?s treatment.
? A healthcare provider may disclose PHI about an individual as part of a claim for payment to a health plan.
? A healthcare provider may disclose PHI related to the treatment or payment activities of any healthcare provider (including providers not covered by the Privacy Rule). Consider these examples:
A doctor may send a copy of an individual?s medical record to a specialist who needs the information to treat the individual. A hospital may send a patient?s healthcare instructions to a nursing home to which the patient is transferred. A physician may send an individual?s health plan coverage information to a laboratory that needs the information to bill for tests ordered by the physician. A hospital emergency department may give a patient?s payment information to an ambulance service that transported the patient to the hospital in order for the ambulance provider to bill for its treatment.
? A health plan may use protected health information to provide customer service to its enrollees.
Others within the office can use PHI also. For example, doctors and nurses can share the patient?s chart to discuss what the best course of care might be. The doctor?s administrative staff can access patient information to perform billing, transmit claims electronically, post payments, file the charts, type up the doctor?s progress notes, and print and send out patient statements.
The office administrators can also use PHI for operation of the medical practice?for example, to determine how many staff they will need on a certain day, whether they should invest in a particular piece of equipment, what types of patients they are seeing the most of, where most of their patients live, and any other uses that will help make the office operate more efficiently.
The HHS Guidance document states: ?A covered entity may voluntarily choose, but is not required, to obtain the individual?s consent for it to use and disclose information about him or her for treatment, payment, and healthcare operations. A covered entity that chooses to have a consent process has complete discretion under the Privacy Rule to design a process that works best for its business and consumers.?5
Modifying HIPAA Consent
?Individuals have the right to request restrictions on how a covered entity will use and disclose protected health information about them for treatment, payment, and healthcare operations. A covered entity is not required to agree to an individual?s request for a restriction, but is bound by any restrictions to which it agrees.
?Individuals also may request to receive confidential communications from the covered entity, either at alternative locations or by alternative means. For example, an individual may request that her healthcare provider call her at her office, rather than her home. A healthcare provider must accommodate an individual?s reasonable request for such confidential communications.?6
Authorization
?A consent document is not a valid permission to use or disclose protected health information for a purpose that requires an authorization under the Privacy Rule.?7
Authorization differs from consent in that it does require the patient?s permission to disclose PHI.
Some instances that would require an authorization include sending the results of an employment physical to an employer and sending immunization records or the results of an athletic physical to the school.
5Ibid.
6Ibid.
7Ibid.
Figure 10-2 Sample authorization form with elements required by HIPAA.
The appearance of an authorization form is up to the practice, but the Privacy Rule requires that it contain specific information. Specific elements required by HIPAA are highlighted in yellow on the sample form shown in Figure 10-2. The required elements are:
? Date signed
? Expiration date
? To whom the information may be disclosed
? What is permitted to be disclosed
? For what purpose the information may be used
Unlike the Privacy Rule concept of consent, authorizations are not global. A new authorization is signed each time there is a different purpose or need for the patient?s information to be disclosed.
Research
Authorizations are usually required for researchers to use PHI. The only difference in a research authorization form is that it is not required to have an expiration date. The authorization may be combined with consent to participate in a clinical trial study for example.
Research Exceptions
To protect the patient?s information while at the same time ensuring that researchers continue to have access to medical information necessary to conduct vital research, the Privacy Rule does allow some exceptions that permit researchers to access PHI without individual authorizations. Typically, these are cases where the patients are deceased; where the researcher is using PHI only to prepare a research protocol; or where a waiver has been issued by an internal review board, specifying that none of the information will be removed or used for any other purpose.
Marketing
The Privacy Rule specifically defines marketing and requires individual authorization for all uses or disclosures of PHI for marketing purposes with limited exceptions. These exceptions are generally when information from the provider is sent to all patients in the practice about improvements or additions to the practice; or when the information is sent to the patient about their own treatments. For example, a reminder about an annual checkup is not marketing.
Government Agencies
One area that permits the disclosure of PHI without a patient?s authorization or consent is when it is requested by an authorized government agency. Generally, such requests are for legal (law enforcement, subpoena, court orders, and so on) or public health purposes. A request by the FDA for information on patients who are having adverse reactions to a particular drug might be an example. Another example might be an audit of medical records by CMS to determine if sufficient documentation exists to justify Medicare claims.
The Privacy Rule also permits the disclosure of PHI, without authorization, to public health authorities for the purpose of preventing or controlling disease or injury as well as maintaining records of births and deaths. This would include, for example, the reporting of a contagious disease to the CDC or an adverse reaction to a regulated drug or product to the FDA.
Similarly, providers are also permitted to disclose PHI concerning on-the-job injuries to workers? compensation insurers, state administrators, and other entities to the extent required by state workers? compensation laws.
To ensure that covered entities protect patients? privacy as required, the Privacy Rule requires that health plans, hospitals, and other covered entities cooperate with efforts by the HHS Office for Civil Rights (OCR) to investigate complaints or otherwise ensure compliance.
Minimum Necessary
The Privacy Rule minimum necessary standard is intended to limit unnecessary or inappropriate access to and disclosure of PHI beyond what is necessary. For example, if an insurance plan requests the value of a patient?s hematocrit test to justify a claim for administering a drug, then the minimum necessary disclosure would be to send only the hematocrit result, not the patient?s entire panel of tests.
No Restrictions on PHI for Treatment of the Patient
The minimum necessary standard does not apply to disclosures to or requests by a healthcare provider for PHI used for treatment purposes.
?The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following:
? Disclosures to or requests by a healthcare provider for treatment purposes.
? Disclosures to the individual who is the subject of the information.
? Uses or disclosures made pursuant to an individual?s authorization.
? Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
? Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
? Uses or disclosures that are required by other law.
The implementation specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity?s business practices and workforce.?8
Incidental Disclosures
8Ibid.
?Many customary healthcare communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective healthcare. Due to the nature of these communications, as well as the various environments in which individuals receive healthcare, the potential exists for an individual?s health information to be disclosed incidentally.
For example, a hospital visitor may overhear a provider?s confidential conversation with another provider or a patient, or may glimpse a patient?s information on a sign-in sheet or nursing station whiteboard.
The HIPAA Privacy Rule is not intended to impede customary and essential communications and practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. In fact the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur where there is in place reasonable safeguards and minimum necessary policies and procedures that normally protect an individual?s privacy?9
Incidental disclosure is one of the exceptions to the Breach Notification Requirements discussed later in the chapter.
Critical Thinking Exercise 60: What Is Required?
You are employed at a medical facility. One of your patients is being treated as a result of an accident. The doctor asks you to take the patient?s x-rays to a colleague for an opinion on the best treatment.
1. What HIPAA form does the patient need to sign to permit you to do this? The same patient is suing the company responsible for the accident. His attorney has asked for copies of the x-rays to prepare his case.
2. What HIPAA form does the patient need to sign to permit you to do this?
A Patient?s Right to Know about Disclosures
Whether the practice has disclosed PHI based on a signed authorization or to comply with a government agency, the patient is entitled to know about it. Therefore, in most cases the medical facility must track the disclosure.
The Privacy Rule gives individuals the right to receive a report of all disclosures made for purposes other than treatment, payment, or operation of the healthcare facility. The report must include the date of the disclosure, to whom the information was provided, a description of the information, and the stated purpose for the disclosure. The patient can request the report at any time and the practice must keep the records for at least six years.
Furthermore, Breach Notification Requirements, discussed later in the chapter, require the patient to be notified in writing when a breach of his or her PHI has occurred.
Patient Access to Medical Records
9Ibid.
In addition to protecting privacy, the law generally allows patients to be able to see and obtain copies of their medical records and request corrections if they identify errors and mistakes. Health plans, doctors, hospitals, clinics, nursing homes, and other covered entities generally must provide access to these records within 30 days of a patient request, but may charge patients for the cost of copying and sending the records.
Personal Representatives
?There may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the Rule, a person authorized to act on behalf of the individual in making healthcare related decisions is the individual?s personal representative.
?The Privacy Rule requires covered entities to treat an individual?s personal representative as the individual with respect to uses and disclosure of the individual?s protected health information, as well as the individual?s rights under the Rule.
?The personal representative stands in the shoes of the individual and has the ability to act for the individual and exercise the individual?s rights?. In addition to exercising the individual?s rights under the Rule, a personal representative may also authorize disclosures of the individual?s protected health information.?10
In general, the personal representative?s authority over privacy matters parallels his or her authority to act on other healthcare decisions.
? Where the personal representative has broad authority in making healthcare decisions, the personal representative is treated as the individual for all purposes under the Privacy Rule.
? Examples include a parent with respect to a minor child or a legal guardian of a mentally incompetent adult.
? Where the representative?s authority is limited to particular healthcare decisions, his or her authority concerning PHI is limited to the same area.
? For example, a person with limited healthcare power of attorney about artificial life support could not sign an authorization for the disclosure of protected health information for marketing purposes.
Figure 10-3 Persons automatically recognized as personal representatives for patients.
10Ibid.
? When the patient is deceased, a person who has authority to act on the behalf of the deceased or the deceased?s estate is the personal representative for all purposes under the Privacy Rule.
Figure 10-3 provides a chart of who must be recognized as the personal representative for a category of individuals.
Minor Children
In most cases, the parent, guardian, or other person acting as parent is the personal representative and acts on behalf of the minor child with respect to PHI. Even if a parent is not the child?s personal representative, the Privacy Rule permits a parent access to a minor child?s PHI when and to the extent it is permitted or required by state or other laws.
Conversely, regardless of the parent?s status as personal representative, the Privacy Rule prohibits providing access to or disclosing the child?s PHI to the parent, when and to the extent it is expressly prohibited under state or other laws.
However, the Privacy Rule specifies three circumstances in which the parent is not the personal representative with respect to certain health information about the minor child. ?The three exceptional circumstances when a parent is not the minor?s personal representative are:
? When State or other law does not require the consent of a parent or other person before a minor can obtain a particular healthcare service, and the minor consents to the healthcare service; Example: A State law provides an adolescent the right to obtain mental health treatment without the consent of his or her parent, and the adolescent consents to such treatment without the parent?s consent.
? When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor; Example: A court may grant authority to make healthcare decisions for the minor to an adult other than the parent, to the minor, or the court may make the decision(s) itself.
? When a parent agrees to a confidential relationship between the minor and the physician. Example: A physician asks the parent of a 16-year-old if the physician can talk with the child confidentially about a medical condition and the parent agrees.
If state or other laws are silent or unclear about parental access to the minor?s PHI, the Privacy Rule grants healthcare professionals the discretion to allow or deny a parent access to a minor?s PHI based on their professional judgment.?11
Critical Thinking Exercise 61: Comparison of Privacy Policy
The purpose of this exercise is let you compare what you have learned in this chapter to an example from the real world. Visit a medical office or other healthcare facility and ask for a copy of their HIPAA Privacy Policy. Some providers have their privacy policy on their web site as well. You may print a copy of that as an acceptable alternative for the purpose of this exercise.
11Ibid.
Figure 10-4 provides a summary of patient rights under the Privacy Rule. It is published by HHS Office of Civil Rights, which enforces the HIPAA Privacy Rule.
Compare the contents of the privacy policy you obtained with the points in the sample CMS brochure shown in Figure 10-4. Write a brief paper comparing the points of the government document with the copy of the privacy policy you obtained. Give your instructor a copy of the privacy policy you obtained along with your paper.
Figure 10-4 Patient Privacy Summary published by the U.S. Department of Health and Human Services Office for Civil Rights.
Business Associates
?The HIPAA Privacy Rule applies only to covered entities?healthcare providers, plans, and clearinghouses. However, most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these business associates if the providers or plans obtain written satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity?s duties under the Privacy Rule.
?The covered entity?s contract or other written arrangement with its business associate must contain the elements specified in the privacy rule. For example, the contract must:
? Describe the permitted and required uses of protected health information by the business associate;
? Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and
? Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.?12
It will generally fall to the privacy officer (or in larger healthcare organizations, the legal department) to ensure that business associate agreements are on file for clearinghouses, transcription services, and other businesses with whom your employer will exchange PHI.
Civil and Criminal Penalties
?Congress provided civil and criminal penalties for covered entities that misuse personal health information. For civil violations of the standards, OCR may impose monetary penalties up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. Criminal penalties apply for certain actions such as knowingly obtaining protected health information in violation of the law. Criminal penalties can range up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under ?false pretenses?; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm.?13
Note HIPAA Duties of OCR versus CMS
OCR within HHS oversees and enforces the Privacy Rule, whereas CMS oversees and enforces all other Administrative Simplification requirements, including the Security Rule.
The Health Information Technology and Economic Clinical Health (HITECH) Act, introduced in Chapter 1, also addressed privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. Subtitle D of the HITECH Act strengthens the civil and criminal enforcement of the HIPAA rules by establishing:
? Four categories of violations that reflect increasing levels of culpability
? Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation
? A maximum penalty amount of $1.5 million for all violations of an identical provision
12Ibid.
13Fact Sheet: Protecting the Privacy of Patients? Health Information (Washington, DC: U.S. Department of Health and Human Services Press Office, April 14, 2003).
Real-Life Story The First HIPAA Privacy Case
From the United States Attorney?s Office, Western District of Washington 14
The first legal case under the privacy rule concerned the theft of patient demographic information (name, address, date of birth, Social Security number) by an employee in a medical office.
The former employee of a cancer care facility pled guilty in federal court in Seattle, Washington, to wrongful disclosure of individually identifiable health information for economic gain. This is the first criminal conviction in the United States under the health information privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA), which became effective in April 2003. Those provisions made it illegal to wrongfully disclose personally identifiable health information.
The former employee admitted that he obtained a cancer patient?s name, date of birth, and Social Security number while employed at the medical facility, and that he disclosed that information to get four credit cards in the patient?s name. He also admitted that he used several of those cards to rack up more than $9,000 in debt in the patient?s name. He used the cards to purchase various items, including video games, home improvement supplies, apparel, jewelry, porcelain figurines, groceries, and gasoline for his personal use. He was fired shortly after the identity theft was discovered.
?Too many Americans have experienced identity theft and the nightmare of dealing with bills they never incurred. To be a vulnerable cancer patient, fighting for your life, and having to cope with identity theft is just unconscionable,? stated United States Attorney John McKay. ?This case should serve as a reminder that misuse of patient information may result in criminal prosecution.?
The case was investigated by the Federal Bureau of Investigation (FBI) and prosecuted by the United States Attorney?s Office. The man was sentenced to a term of 10 to 16 months. He also has agreed to pay restitution to the credit card companies, and to the patient for expenses he incurred as a result of the misuse of his identity.
Although identity theft is serious, the consequences are much greater in a medical setting than if the same information had been stolen from an ordinary business. Why? Because even the patient?s name and date of birth are part of the PHI. Additionally, the disclosure of medical information for financial gain could have resulted in a sentence of 10 years for each violation. The case serves as a reminder for everyone in the healthcare field of the personal responsibility for protecting PHI.
Although the patient privacy rule under HIPAA does not restrict the internal use of health information by the staff for treatment, payment, and office operations, you should make every effort to protect your patients? privacy and always follow the privacy policy of the practice.
14Press release, United States Attorney?s Office, Western District of Washington, August 19, 2004.
HIPAA Security Rule
To fully comply with the Privacy Rule, it is necessary to understand and implement the requirements of the Security Rule. There are clearly areas in which the two rules supplement each other because both the HIPAA Privacy and Security rules are designed to protect identifiable health information. However, the Privacy Rule covers PHI in all forms of communications, whereas the Security Rule covers only electronic information. Because of this difference, security discussions are assumed to be about the protection of electronic health records, but the Security Rule actually covers all PHI that is stored electronically. This is called EPHI.
Note PHI?EPHI
The Security Rule applies only to EPHI, whereas the Privacy Rule applies to PHI, which may be in electronic, oral, and paper form.
In this section, you will learn about the Security Rule. As with the previous section, much of the information provided is drawn directly from HHS documents. HHS regulates and enforces HIPAA using two different divisions for enforcement. OCR or Office of Civil Rights enforces the Privacy Rule whereas CMS enforces the Security Rule. As an employee of a covered entity, it is important that you participate in the security training and follow the security policy and procedures of your healthcare organization.
Why a Security Rule?
Before HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the healthcare industry. At the same time, new technologies were evolving, and the healthcare industry began to move away from paper processes and rely more heavily on the use of computers to pay claims, answer eligibility questions, provide health information, and conduct a host of other administrative and clinically based functions.
In order to provide more efficient access to critical health information, covered entities are using web-based applications and other ?portals? that give physicians, nurses, medical staff as well as administrative employees more access to electronic health information. Although this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies creates an increase in potential security risks. As the country moves towards its goal of a National Health Information Infrastructure (NHII), and greater use of electronic health records, protecting the confidentiality, integrity, and availability of EPHI becomes even more critical.
The security standards in HIPAA were developed for two primary purposes.
? First, and foremost, the implementation of appropriate security safeguards protects certain electronic healthcare information that may be at risk.
? Second, protecting an individual?s health information, although permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry.
The Privacy Rule and Security Rule Compared
The Privacy Rule sets the standards for, among other things, who may have access to PHI, while the Security Rule sets the standards for ensuring that only those who should have access to EPHI will actually have access. The primary distinctions between the two rules follow:
? Electronic versus oral and paper: The Privacy Rule applies to all forms of patients? protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained, or transmitted.
? ?Safeguard? requirement in Privacy Rule: While the Privacy Rule contains provisions that currently require covered entities to adopt certain safeguards for PHI, the Security Rule provides for far more comprehensive security requirements and includes a level of detail not provided in the Privacy Rule section.
Security Standards
The security standards are divided into the categories of administrative, physical, and technical safeguards. Each category of the safeguards is comprised of a number of standards, which generally contain a number of implementation specifications.
? Administrative safeguards: In general, these are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements.
? Physical safeguards: In general, these are the mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. They include restricting access to EPHI and retaining off-site computer backups.
? Technical safeguards: In general, these are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that EPHI, or encrypting and decrypting data as it is being stored and/or transmitted.
In addition to the safeguards (listed above), the Security Rule also contains several standards and implementation specifications that address organizational requirements, as well as policies and procedures and documentation requirements.15
Implementation Specifications
An implementation specification is an additional detailed instruction for implementing a particular standard. Implementation requirements and features within the categories were listed in the Security Rule by alphabetical order to convey that no one item was considered to be more important than another.
Implementation specifications in the Security Rule are either ?Required? or ?Addressable.? Addressable does not mean optional.
To help you understand the organization of safeguards, security standards, and implementation specifications, a matrix of the HIPAA Security Rule is provided in Figure 10-5. The matrix is a part of the official rule and published as an appendix to the rule.16 You may wish to refer to Figure 10-5 as we discuss each of the following sections.
15Adapted from Security 101 for Covered Entities, HIPAA Security Series (Baltimore, MD: Centers for Medicare and Medicaid Services, November 2004 and revised March 2007).
16Figure adapted from Appendix A to Subpart C of Part 164, Health Insurance Reform: Security Standards; Final Rule.
Figure 10-5 HIPAA Security Standards Matrix.
Administrative Safeguards
The name Security Rule sounds like it might be very technical, but the largest category of the rule is Administrative Safeguards. The Administrative Safeguards comprise over half of the HIPAA security requirements.
Administrative Safeguards are the policies, procedures, and actions to manage the implementation and maintenance of security measures to protect EPHI. The Administrative Standards are as follows:
17Adapted from Security Standards: Administrative Safeguards, HIPAA Security Series #2 (Baltimore, MD: Centers for Medicare and Medicaid Services, May 2005 and revised March 2007).
Security Management Process
The Security Management Process is the first step. It is used to establish the administrative processes and procedures. There are four implementation specifications in the Security Management Process standard.
1. Risk Analysis Identify potential security risks and determine how likely they are to occur and how serious they would be.
2. Risk Management Make decisions about how to address security risks and vulnerabilities. The risk analysis and risk management decisions are used to develop a strategy to protect the confidentiality, integrity, and availability of EPHI.
3. Sanction Policy Define for employees what the consequences of failing to comply with security policies and procedures are.
4. Information System Activity Review Regularly review records such as audit logs, access reports, and security incident tracking reports. The information system activity review helps to determine if any EPHI has been used or disclosed in an inappropriate manner.
Assigned Security Responsibility
Similar to the Privacy Rule, which requires an individual be designated as the privacy official, the Security Rule requires one individual be designated the security official. The security official and privacy official can be the same person, but do not have to be. The security official has overall responsibility for security; however, specific security responsibilities may be assigned to other individuals. For example, the security official might designate the IT Director to be responsible for network security. Figure 10-6 shows a staff meeting at which security policy is being reviewed.
Figure 10-6 Medical office staff review security policy and appoint security officer.
Workforce Security
Within Workforce Security there are three addressable implementation specifications:
1. Authorization or Supervision Authorization is the process of determining whether a particular user (or a computer system) has the right to carry out a certain activity, such as reading a file or running a program.
2. Workforce Clearance Procedure Ensure members of the workforce with authorized access to EPHI receive appropriate clearances.
3. Termination Procedures Whether the employee leaves the organization voluntarily or involuntarily, termination procedures must be in place to remove access privileges when an employee, contractor, or other individual previously entitled to access information no longer has these privileges.
Information Access Management
Restricting access to only those persons and entities with a need for access is a basic tenet of security. By managing information access, the risk of inappropriate disclosure, alteration, or destruction of EPHI is minimized. This safeguard supports the ?minimum necessary standard? of the HIPAA Privacy Rule.
The Information Access Management standard has three implementation specifications.
1. Access Authorization In the Workforce Security standard (see preceding section) the healthcare organization determines who has access. This section requires the organization to identify who has authority to grant that access and the process for doing so.
2. Access Establishment and Modification Once a covered entity has clearly defined who should get access to what EPHI and under what circumstances, it must consider how access is established and modified.
3. Isolating Healthcare Clearinghouse Functions A clearinghouse is a unique HIPAA-covered entity whose function is to translate nonstandard transactions into HIPAA standards. In the very rare case that your healthcare organization also operates a clearinghouse, the rule requires the isolation of clearinghouse computers from other systems in the organization.
Security Awareness and Training
Security awareness and training for all new and existing members of the workforce is required. Figure 10-7 illustrates training an employee. In addition, periodic retraining should be given whenever environmental or operational changes affect the security of EPHI.
Figure 10-7 Training a new employee on security policy and procedures.
Regardless of the Administrative Safeguards a covered entity implements, those safeguards will not protect the EPHI if the workforce is unaware of its role in adhering to and enforcing them. Many security risks and vulnerabilities within covered entities are internal. This is why the Security Awareness and Training standard is so important.
The Security Awareness and Training standard has four implementation specifications.
1. Security Reminders Security reminders might include notices in printed or electronic form, agenda items and specific discussion topics at monthly meetings, focused reminders posted in affected areas, as well as formal retraining on security policies and procedures.
2. Protection from Malicious Software One important security measure that employees need to be reminded of is that malicious software is frequently brought into an organization through email attachments and programs that are downloaded from the Internet. As a result of an unauthorized infiltration, EPHI and other data can be damaged or destroyed or, at a minimum, can require expensive and time-consuming repairs.
3. Log-In Monitoring Security awareness and training also should address how users log onto systems and how they are supposed to manage their passwords. Typically, an inappropriate or attempted login is when someone enters multiple combinations of user names or passwords to attempt to access an information system. Fortunately, many information systems can be set to identify multiple unsuccessful attempts to log in. Other systems might record the attempts in a log or audit trail. Still other systems might disable a password after a specified number of unsuccessful log in attempts. Once capabilities are established, the workforce must be made aware of how to use and monitor them.
4. Password Management In addition to providing a password for access, entities must ensure that workforce members are trained on how to safeguard the information. Train all users and establish guidelines for creating passwords and changing them during periodic change cycles.
Security Incident Procedures
Security incident procedures must address how to identify security incidents and provide that the incident be reported to the appropriate person or persons. Examples of possible incidents include:
? Stolen or otherwise inappropriately obtained passwords that are used to access EPHI
? Corrupted backup tapes that do not allow restoration of EPHI
? Virus attacks that interfere with the operations of information systems with EPHI
? Physical break-ins leading to the theft of media with EPHI
? Failure to terminate the account of a former employee that is then used by an unauthorized user to access information systems with EPHI
? Providing media with EPHI, such as a PC hard drive or laptop, to another user who is not authorized to access the EPHI before removing the EPHI stored on the media
There is one required implementation specification for this standard:
1. Response and Reporting Establish adequate response and reporting procedures for these and other types of events.
Contingency Plan
What happens if a healthcare facility experiences a power outage, a natural disaster, or other emergency that disrupts normal access to healthcare information? A contingency plan consists of strategies for recovering access to EPHI should the organization experience a disruption of critical business operations. The goal is to ensure that EPHI is available when it is needed.
The Contingency Plan standard includes five implementation specifications:
1. Data Backup Plan Data backup plans are an important safeguard and a required implementation specification. Most covered entities already have backup procedures as part of current business practices.
2. Disaster Recovery Plan These are procedures to restore any loss of data.
3. Emergency Mode Operation Plan When operating in emergency mode because of a technical failure or power outage, security processes to protect EPHI must be maintained.
4. Testing and Revision Procedures Periodically test and revise contingency plans.
5. Application and Data Criticality Analysis Analyze software applications that store, maintain, or transmit EPHI and determine how important each is to patient care or business needs. A prioritized list of specific applications and data will help determine which applications or information systems get restored first or that must be available at all times.
Evaluation
Ongoing evaluation of security measures is the best way to ensure all EPHI is adequately protected. Periodically evaluate strategy and systems to ensure that the security requirements continue to meet the organization?s operating environments.
Business Associate Contracts and Other Arrangements
The Business Associate Contracts and Other Arrangements standard is comparable to the Business Associate Contract standard in the Privacy Rule, but is specific to business associates that create, receive, maintain, or transmit EPHI. The standard has one implementation specification:
1. Written Contract or Other Arrangement Covered entities should have a written agreement with business associates ensuring the security of EPHI. Government agencies that exchange EPHI should have a Memorandum of Understanding.
Real-Life Story Contingency Plans Ensure Continued Ability to Deliver Care
By Tanya Townsend
Chief information Officer at HSHS?Eastern Division in Greenbay, Wisconsin.
Several years ago I had the opportunity to set up a new hospital that used all-digital health records?that is, there were no paper patient records, charts, or orders. As I talked to other hospitals and IT professionals about our accomplishments, one question I was frequently asked was, ?What are your contingency plans in case of a power or system failure??
Much of our plan was designed to avoid an outage in the first place. We had several redundancies in place to prevent that. For example, there are two WAN (wide-area network) connections?completely separate links going out different sides of the building to our core data center. The idea is that if one of those lines were to become disconnected for any reason, the other would seamlessly continue to function. In actual capacity they are balanced to make sure that can be accomplished. We also have redundancies on the LAN (local-area network) with wireless access points. As mobile as we are, we are very dependent on wireless.
For data protection we have multiple data centers. On the hospital side we have two different data centers that are redundant. On the ambulatory side there are three. In addition to these data centers, we also back up all the data in real time to another off-site location in Madison, which is a couple of hours away.
Should we lose connectivity because both links are down, we have a satellite antenna on the roof that can access the backup data in Madison. So as long as you can still power up your computer, you can get to the historical information. Electrical power can be supplied by an emergency generator that is designed to come online automatically in the event of a power loss.
Should the systems ever be completely down, we still need to take care of patients. In that event, we have downtime procedures for using paper forms that would allow us to continue to function. The necessary forms can be printed on demand but we have some preprinted copies on hand in case a power loss prevented us from printing. Once the system again becomes available, we have a policy and process for incorporating that paper documentation back into the system so we are not forced to carry that paper record forward.
The other area where we have built redundancy is our voice communications. We are using Voice-over-IP technology for our telecommunications, so a power or network outage would mean our phones would not work either. We plan for that by having cell phones and radios available. We also have certain phones that use traditional phone lines so we can continue to communicate.
We do a practice run, a mock downtime situation twice a year. One run is just simulated, but for the second one we actually take the systems down to make sure that we know how we are going to function. We also have planned outages, where we need to take the system down because we are upgrading it or doing maintenance on it. We continue to strive to keep those outages as brief as possible, but in those events we go to our downtime procedures and we continuously learn and improve on these.
Physical Safeguards18
The Security Rule defines physical safeguards as physical measures, policies, and procedures to protect a covered entity?s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.
18Adapted from Security Standards: Physical Safeguards, HIPAA Security Series #3 (Baltimore, MD: Centers for Medicare and Medicaid Services, February 2005 and revised March 2007).
Figure 10-8 Review facility security and emergency contingency plans periodically.
Facility Access Controls
Facility Access Controls are policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed. Figure 10-8 illustrates a staff meeting on facility security.
There are four implementation specifications.
1. Access Control and Validation Procedures Access Control and Validation are procedures to determine which persons should have access to certain locations within the facility based on their role or function.
2. Contingency Operations Contingency operations refer to physical security measures to be used in the event of the activation of contingency plans.
3. Facility Security Plan The Facility Security Plan defines and documents the safeguards used to protect the facility or facilities. Some examples include:
? Locked doors, signs warning of restricted areas, surveillance cameras, alarms
? Property controls such as property control tags, engraving on equipment
? Personnel controls such as identification badges, visitor badges, or escorts for large offices
? Private security service or patrol for the facility
In addition, all staff or employees must know their roles in facility security.
4. Maintenance Records Document facility security repairs and modifications such as changing locks, making routine maintenance checks, or installing new security devices.
Workstation Use
Inappropriate use of computer workstations can expose a covered entity to risks, such as virus attacks, compromise of information systems, and breaches of confidentiality. Specify the proper functions to be performed by electronic computing devices.
Workstation use also applies to workforce members using off-site workstations that can access EPHI. This includes employees who work from home, in satellite offices, or in another facility.
Workstation Security
Although the Workstation Use standard addresses the policies and procedures for how workstations should be used and protected, the Workstation Security standard addresses how workstations are to be physically protected from unauthorized users.
Device and Media Controls
Device and Media Controls are policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI, into and out of a facility, and the movement of these items within the facility.
The Device and Media Controls standard has four implementation specifications, two required and two addressable.
1. Disposal When disposing of any electronic media that contains EPHI, make sure it is unusable or inaccessible.
2. Media Reuse Instead of disposing of electronic media, covered entities may want to reuse it. The EPHI must be removed before the media can be reused.
3. Accountability When hardware and media containing EPHI are moved from one location to another, a record should be maintained of the move. Portable computers and media present a special challenge. Portable technology is getting smaller, is less expensive, and has an increased capacity to store large quantities of data, making accountability even more important and challenging.
4. Data Backup and Storage This specification protects the availability of EPHI and is similar to the Data Backup Plan for the contingency plan.
Technical Safeguards19
The Security Rule defines technical safeguards as ?the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.?
19Adapted from Security Standards: Technical Safeguards, HIPAA Security Series #4 (Baltimore, MD: Centers for Medicare and Medicaid Services, May 2005 and revised March 2007).
Because security technologies are likely to evolve faster than legislative rules, specific technologies are not designated by the Security Rule. Where the CMS guidance documents provide examples of security measures and technical solutions to illustrate the standards and implementation specifications, these are just examples. The Security Rule is technology neutral; healthcare organizations have the flexibility to use any solutions that help them meet the requirements of the rule.
Access Control
The Access Control standard outlines the procedures for limiting access to only those persons or software programs that have been granted access rights by the Information Access Management administrative standard (discussed earlier). Figure 10-9 shows one of the most common methods of access control.
Figure 10-9 A clinician logs on Allscripts Enterprise using a unique user ID and secure password.
Courtesy of Allscripts, LLC.
Four implementation specifications are associated with the Access Controls standard.
1. Unique User Identification Unique User Identification provides a way to identify a specific user, typically by name or number. This allows an entity to track specific user activity and to hold users accountable for functions performed when logged into those systems.
2. Emergency Access Procedure Emergency Access procedures are documented instructions and operational practices for obtaining access to necessary EPHI during an emergency situation. Access Controls are necessary under emergency conditions, although they may be very different from those used in normal operational circumstances.
3. Automatic Logoff As a general practice, users should log off the system they are working on when their workstation is unattended. However, there will be times when workers may not have the time, or will not remember, to log off a workstation. Automatic logoff is an effective way to prevent unauthorized users from accessing EPHI on a workstation when it is left unattended for a period of time. Many applications have configuration settings for automatic logoff. After a predetermined period of inactivity, the application will automatically log off the user. Some systems that may have more limited capabilities may activate an operating system screen saver that is password protected after a period of system inactivity. In either case, the information that was displayed on the screen is no longer accessible to unauthorized users.
4. Encryption and Decryption Encryption is a method of converting regular text into code. The original message is encrypted by means of a mathematical formula called an algorithm. The receiving party uses a key to convert (decrypt) the coded message back into plain text. Encryption is part of access control because it prevents someone without the key from viewing or using the information.
Audit Controls
Audit Controls are ?hardware, software, and/or procedural mechanisms that record and examine activity in information systems.?
Most information systems provide some level of audit controls and audit reports. These are useful, especially when determining if a security violation occurred. This standard has no implementation specifications.
Integrity
Protecting the integrity of EPHI is a primary goal of the Security Rule. EPHI that is improperly altered or destroyed can result in clinical quality problems, including patient safety issues. The integrity of data can be compromised by both technical and nontechnical sources.
There is one addressable implementation specification in the Integrity standard.
1. Mechanism to Authenticate Electronic Protected Health Information Once risks to the integrity of EPHI data have been identified during the risk analysis, security measures are put in place to reduce the risks.
Person or Entity Authentication
The Person or Entity Authentication standard has no implementation specifications. This standard requires ?procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.?
There are several ways to provide proof of identity for authentication.
? Require something known only to that individual, such as a password or PIN.
? Require something that individuals possess, such as a smart card, a token, or a key. An example of a smart card is shown in Figure 10-10.
? Require something unique to the individual, such as a biometric. Examples of biometrics include fingerprints, voice patterns, facial patterns, or iris patterns.
Most covered entities use one of the first two methods of authentication. Many small provider offices rely on a password or PIN to authenticate the user.
Figure 10-10 A staff ID card that uses smart card technology.
Courtesy of Digital Identification Solutions, LLC.
Transmission Security
Transmission Security procedures are the ?measures used to guard against unauthorized access to electronic protected health information that is being transmitted.?
The Security Rule allows for EPHI to be sent over an electronic open network as long as it is adequately protected. This standard has two implementation specifications.
1. Integrity Controls Protecting the integrity of EPHI maintained in information systems was discussed previously in the Integrity standard. Integrity in this context is focused on making sure the EPHI is not improperly modified during transmission. A primary method for protecting the integrity of EPHI being transmitted is through the use of network communications protocols. Using these protocols, the computer verifies that the data sent is the same as the data received.
2. Encryption As previously described in the Access Control standard, encryption is a method of converting an original message of regular text into encoded or unreadable text that is eventually decrypted into plain comprehensible text. Encryption is necessary for transmitting EPHI over the Internet. There are various types of encryption technology available, but for encryption technologies to work properly both the sender and receiver must be using the same or compatible technology. Currently no single interoperable encryption solution for communicating over open networks exists.
Organizational, Policies and Procedures, and Documentation Requirements20
In addition to the standards in the Administrative, Physical, and Technical Safeguards categories of the Security Rule, there also are four other standards that must be implemented. These are not listed in the Security Standards Matrix (Figure 10-5), but they must not be overlooked.
20Adapted from Security Standards: Organizational, Policies and Procedures, HIPAA Security Series #5 (Baltimore, MD: Centers for Medicare and Medicaid Services, May 2005, and revised March 2007).
Organizational Requirements
There are two implementation specifications of this standard.
1. Business Associate Contracts The Business Associate Contracts are used if the business associate creates, receives, maintains, or transmits EPHI must meet the Security Rule requirements.
2. Other Arrangements The Other Arrangements implementation specifications apply when both parties are government entities. There are two alternative arrangements:
? A memorandum of understanding (MOU), which accomplishes the objectives of the Business Associate Contracts section of the Security Rule
? A law or regulations applicable to the business associate that accomplishes the objectives of the Business Associate Contracts section of the Security Rule
Policies and Procedures
Although this standard requires covered entities to implement policies and procedures, the Security Rule does not define either ?policy? or ?procedure.? Generally, policies define an organization?s approach. Procedures describe how the organization carries out that approach, setting forth explicit, step-by-step instructions that implement the organization?s policies. Policies and procedures may be modified as necessary.
Documentation
The Documentation standard has three implementation specifications.
1. Time Limit Retain the documentation required by the rule for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
2. Availability Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
3. Updates Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
The Security Rule also requires that a covered entity document the rationale for all security decisions.
Breach Notification Requirements21
The HITECH Act also added new requirements regarding the occurrence of a breach of unsecured protected health information. A breach is defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputation, or other harm to the affected individual.
21Breach Notification Interim Final Regulation (45 CFR 164.408).
There are three exceptions to the definition of ?breach?:
? Unintentional acquisition, access, or use of PHI by an employee of a covered entity or business associate
? Inadvertent disclosure of PHI from an authorized person to another authorized person at the covered entity or business associate
? If the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information
Covered entities must notify affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, the media following the discovery of a breach of unsecured PHI. Business associates must notify covered entities if a breach has occurred. The OCR must post a list of breaches that affect 500 or more individuals.
Individual Notice
Covered entities must provide affected individuals written notice by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their PHI was involved in the breach.
Media Notice
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
Notice to the Secretary
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of Health and Human Services of breaches of unsecured PHI. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.
Notification by a Business Associate
If a breach of unsecured PHI occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.
Electronic Signatures for Health Records
The HIPAA Security Rule was originally titled ?Security and Electronic Signature Standards.? The original Security Rule also proposed a standard for electronic signatures. The final rule covered only security standards.
The Electronic Signatures in Global and National Commerce Act22 made digital signatures as binding as their paper-based counterparts for commerce. However, HIPAA does not yet require the use of electronic signatures, because HIPAA does not yet have a Rule for Electronic Signature standards. Electronic Signature standards eventually will be necessary to achieve a completely paperless EHR. In this section, we will discuss electronic signatures and the criteria required for successful implementation.
What Is an Electronic Signature and What Is Not?
Compare Figure 10-11 and Figure 10-12. Which of these has an electronic signature? If you said Figure 10-12, you would be correct. An electronic signature is not a scanned image of someone?s paper signature. Valid electronic signatures must meet three criteria.
1. Message Integrity Message Integrity means the recipient must be able to confirm that the document has not been altered since it was signed.
2. Nonrepudiation The signer must not be able to deny signing the document.
3. User Authentication The recipient must be able to confirm that the signature was in fact ?signed? by the real person.
22Electronic Signatures in Global and National Commerce Act (ESIGN, Pub.L. 106-229, 14 Stat. 464, enacted June 30, 2000, 15 U.S.C. ch. 96.
Figure 10-11 Scanned document with an image of signature.
Figure 10-12 Electronically signed document with a PKI signature.
The electronic signature process involves the successful identification and authentication of the signer at the time of the signature, binding of the signature to the document, and nonalterability of the document after the signature has been affixed. Only ?digital signatures? meet all three of these criteria.
How Digital Signatures Work
Digital signatures use a branch of mathematics called cryptography and PKI, which stands for Public Key Infrastructure. Each PKI user has two ?keys,? a private key for signing documents and a public key for verifying his or her signature. Only you know your private key, whereas your public key is available to all through a public directory.
Usually the directory for your public key is maintained by a certificate authority. The certificate authority is a trusted third party who has validated your identity and issued a certificate to that effect. A certificate is an electronic record of your public key, which has been digitally signed by the certificate authority. The certificate can be validated by its own key. This provides reasonable assurance that the signer and their public key are genuine.
Figure 10-13 How a digital signature works.
23Figure adapted from Digital Signature Standard, published By U.S. Department of Commerce/National Institute of Standards and Technology, 2000.
Figure 10-13 illustrates the electronic signature and verification process of PKI.23 Compare Figure 10-13 with the following steps:
1. A computer software program performs a mathematical calculation on the entire contents of the electronic document to be signed.
2. The result is a unique code referred to as the ?message digest.?
3. This code is encrypted using your ?private? key. Your private key might be similar to a password, which you must keep secret so that no one else can ?forge? your signature. The digital signature is then typically attached to or sent with the document. When the recipient wishes to validate your signature, that person uses a computer program that decodes the signature with your public key, and determines if the message digest is identical to that which was originally sent.
4. The validation process uses the same algorithm as the original program to produce a ?message digest? of the text of the document.
5. The public key is retrieved from a public directory or certificate authority.
6. The signature verification process decodes the digital signature using your public key and compares it to the message digest. If the results of the algorithm match, the signature is verified.
PKI digital signatures not only confirm that you are the signer but also that the document has not been altered since you signed it.
Some EHR Signatures Are Not True Electronic Signatures
Even though HIPAA has not adopted an official standard for electronic signatures, they are already necessary in the EHR. Prescriptions are sent to a pharmacy, dictation and electronic medical records are ?signed,? and orders are issued from EHR systems every day. However, most of the systems currently in use do not use the process described earlier to produce and store an electronic signature.
Many systems have a process to ?sign? their records with a PIN, a password, or even a fingerprint, but the underlying software simply sets a field in the database indicating the provider ?signed? the record. This is adequate to the particular EHR system, but it would not meet the criteria of an electronic signature if it were necessary to send a copy of the record to an outside entity. Partly this is the fault of HHS. Until there is a national infrastructure for issuing certificates and national standards for signing and validating digital signatures, EHR software cannot comply.
Whether electronic signatures in your office are true digital signatures or just mechanisms for locking and protecting EHR system records, it is important that you follow the policies and procedures of your facility. Most EHR systems have an internal audit trail detailing who has created each document and medical record.
? Always log on to the EHR as yourself.
? Always log off when you are through.
? Always keep your passwords or PIN numbers private.
This will prevent someone else from signing medical records under your ID.
The Future of Electronic Signatures
The Joint Commission (JCAHO) accepts the use of electronic signatures in hospital, ambulatory care, home care, long-term care, and mental health settings.
The Joint Commission requirement for electronic signatures and computer key signatures is simple: ?The practitioner must sign a statement that he or she alone will use it.?24
Currently, CMS permits the authentication of medical records by computer key but does not specify methods. The President of the United States directed the U.S. Department of Commerce, National Institute of Standards and Technology to develop a set of standards for Digital Signatures. HHS will likely adopt the same cryptographically based digital signature for the HIPAA standard.
State laws vary on electronic signatures for medical records and some do not address it at all. States will likely come into alignment only after HHS publication of HIPAA standards for electronic signatures. If you have any question about regulations in your state, check with the medical licensing authority in your state.
Critical Thinking Exercise 62: Your Electronic Signature
1. What is the legal status of the electronic signature in the EHR in your state?
2. How can you protect your own electronic signature?
3. Identify potential impacts of a failure to log off or exit from the patient record.
HIPAA Privacy, Security, and You
As someone who will work with patients? health records, it is especially important for you to understand the regulations regarding privacy and security. Follow the privacy policy and security rules at your place of work. Know who the privacy and security officials are. Ask them if you have any questions regarding policies at your practice or if you feel that you need additional training.
It is especially important not to give others your password and to always log out of a medical records computer when you are not using it. Remember to treat every medical record (paper or electronic) in a confidential manner.
Chapter Ten Summary
The Health Insurance Portability and Accountability Act, or HIPAA, was passed in 1996. The Administrative Simplification Subsection (Title 2, f) (hereafter just called HIPAA) has four distinct components:
1. Transactions and code sets
2. Uniform identifiers
3. Privacy
4. Security
HIPAA regulates health plans, clearinghouses, and healthcare providers as ?covered entities? or a ?covered entity? with regard to these four areas.
24Comprehensive Accreditation Manual for Hospitals (CAMH), Standard IM. 6.10, Joint Commission on Accreditation of Healthcare Organizations, 2004.
HIPAA standardized formats for EDI or Electronic Data Interchange by requiring specific Transaction Standards. These currently are used for eight types of transactions between covered entities. This was the first of the Administrative Simplification Subsection to be implemented. This section also requires standardized code sets such as HCPCS, CPT-4, ICD-9-CM, and others to be used.
HIPAA also established uniform identifier standards, which will be used on all claims and other data transmissions. These will include:
? National provider identifier for doctors, nurses, and other healthcare providers
? Federal employer identification number used to identify employer-sponsored health insurance
? National health plan identifier, a unique identification number that will be assigned to each insurance plan, and to the organizations that administer insurance plans, such as payers and third-party administrators
The privacy and security rules use two acronyms: PHI, which stands for Protected Health Information, and EPHI, which stands for Protected Health Information in an Electronic Format.
The HIPAA privacy standards are designed to protect a patient?s identifiable health information from unauthorized disclosure or use in any form, while permitting the practice to deliver the best healthcare possible. To comply with the law, privacy activities in the average medical office might include:
? Providing a copy of the office privacy policy informing patients about their privacy rights and how their information can be used
? Asking the patient to acknowledge receiving a copy of the policy or signing a consent form
? Obtaining signed authorization forms and in some cases tracking the disclosures of patient health information when it is to be given to a person or organization outside the practice for purposes other than treatment, billing, or payment
? Adopting clear privacy procedures for its practice
? Training employees so that they understand the privacy procedures
? Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed
? Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them
When the Privacy Rule initially was issued, it required providers to obtain patient ?consent? to use and disclose PHI for the purposes of treatment, payment, and healthcare operations, except in emergencies. The rule was almost immediately revised to make consent optional. In general, the practice can use PHI for almost anything related to treating the patient, running the medical practice, and getting paid for services. This means doctors, nurses, and other staff can share the patient?s chart within the practice.
Authorization differs from consent in that it does require the patient?s permission to disclose PHI. Some examples of instances that would require an authorization would include sending the results of an employment physical to an employer, immunization records, or the results of an athletic physical to the school.
The authorization form must include a date signed, an expiration date, to whom the information may be disclosed, what is permitted to be disclosed, and for what purpose the information may be used. The authorization must be signed by the patient or a representative appointed by the patient. Unlike the open concept of consent, authorizations are not global. A new authorization is signed each time there is a different purpose or need for the patient?s information to be disclosed.
Practices are permitted to disclose PHI without a patient?s authorization or consent when it is requested by an authorized government agency. Generally, such requests are for legal (law enforcement, subpoena, court orders, and so on) public health purposes, or for enforcement of the Privacy Rule itself. Providers also are permitted to disclose PHI concerning on-the-job injuries to workers? compensation insurers, state administrators, and other entities to the extent required by state law.
Whether the practice has disclosed PHI based on a signed authorization or to comply with a government agency, the patient is entitled to know about it. The Privacy Rule gives the individuals the right to receive a report of all disclosures made for purposes other than treatment, payment, or operations. Therefore, in most cases the medical office must track the disclosure and keep the records for at least six years.
Most healthcare providers and health plans use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these ?business associates.? The Privacy Rule requires that a covered entity obtain a written agreement from its business associate, which states the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.
Congress provided civil and criminal penalties for covered entities that misuse personal health information. The privacy rule is enforced by the HHS Office for Civil Rights (OCR).
The Privacy Rule sets the standards for, among other things, who may have access to PHI, whereas the Security Rule sets the standards for ensuring that only those who should have access to EPHI actually will have access. The Privacy Rule applies to all forms of patients? protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form.
Security standards were designed to provide guidelines to all types of covered entities, while affording them flexibility regarding how to implement the standards. Covered entities may use appropriate security measures that enable them to reasonably implement a standard.
Security standards were designed to be ?technology neutral.? The rule does not prescribe the use of specific technologies, so that the healthcare community will not be bound by specific systems or software that may become obsolete.
The security standards are divided into the categories of administrative, physical, and technical safeguards.
Administrative safeguards.
In general, these are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements.
Physical safeguards.
In general, these are the mechanisms required to protect electronic systems, equipment, and the data they hold, from threats, environmental hazards, and unauthorized intrusion. They include restricting access to EPHI and retaining off-site computer backups.
Technical safeguards.
In general, these are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that EPHI, or encrypting and decrypting data as it is being stored or transmitted.
Breach Notification Requirements require covered entities to notify affected individuals, the Secretary of Health and Human Services, and in certain circumstances the media, the occurrence of a breach of unsecured PHI. Business associates must notify covered entities if a breach has occurred. The OCR must post a list of breaches that affect 500 or more individuals.
The original Security Rule also proposed a standard for electronic signatures. The final rule covered only security standards.
The Electronic Signatures in Global and National Commerce Act made digital signatures as binding as their paper-based counterparts. Although the law made digital signatures valid for commerce, HIPAA does not require the use of electronic signatures. Electronic signature standards will eventually be necessary to achieve a completely paperless EHR. A Rule for Electronic Signature standards may be proposed at a later date.
A valid electronic signature must meet three criteria.
1. Message Integrity?the recipient must be able to confirm that the document has not been altered since it was signed.
2. Nonrepudiation?the signer must not be able to deny signing the document.
3. User Authentication?the recipient must be able to confirm that the signature was in fact ?signed? by the real person.
Digital signatures meet all three of these criteria. Digital signatures use a branch of mathematics called cryptography and PKI, which stands for Public Key Infrastructure.
Each PKI user has two ?keys,? a private key for signing documents and a public key for verifying his or her signature. A computer software program performs a mathematical calculation on the entire contents of the electronic document to be signed. The result is a unique ?message digest,? which is then encrypted using the ?private? key.
The digital signature is then attached to or sent with the document. When the recipient wishes to validate the signature, a similar computer program regenerates the ?message digest? and decodes the digital signature with the public key. Comparing the two, the program determines if the message digest is identical to that which was originally sent. In this way digital signatures not only confirm that you are the signer but also that the document has not been altered since it was signed.
. .
Buy Nursing Papers
The post Identify potential impacts of a failure to log off or exit from the patient record. appeared first on NURSING HOMEWORKS.
