2 Building Trust and Confidence in Healthcare Information The management of healthcare information in the United States is regulated under the HIPAA (Health Insurance Portability and Accountability Act) and HITECH Act (Health Information Technology for Economic and Clinical Health Act). The HIPAA Privacy and Security Rules established national standards to protect individuals medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rules requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rules also gives patient s rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The HITECH Act expands Federal privacy and security protections for healthcare information. As healthcare providers move toward exchanging large amounts of health information electronically, this legislation aims to ensure that such information remains private and secure. How TrustNet Helps TrustNet provides services and solutions to ensure compliance with the HIPAA Privacy Rule and HITECH Act. We don t take a cookie-cutter approach. We listen to each client s unique needs and develop an approach that meets their objectives and expectations. Our clients rely on us to help them fulfill their regulatory and compliance goals so they can focus their resources on patient care and other objectives. HIPAA Compliance Validation Service HIPAA Gap Assessment HIPAA Policies and Procedures Development HIPAA Incident Response Planning HIPAA Awareness Training
3 Other HIPAA Related Services WebTrust TrustShield IDS iscan Incident Response Planning Penetration Testing Risk Assessments Policies and Procedures Development TrustAgent itrust SaaS xscan Security Assessments Wireless Security Assessments Security Awareness Training SaaS Security Awareness Communication AirTrust Security Awareness Posters
4 Who must be compliant? Organizations that must comply with HIPAA include healthcare providers, health care clearinghouses, such as billing services and community health information systems, and any provider that transmits healthcare data in a way that is regulated by HIPAA. The HITECH Act expands the scope of HIPAA, ensuring that entities that were not established when the Federal Privacy Rules were written, as well as those entities that do work on behalf of providers and insurers, are subject to the same privacy and security rules as providers and health insurers. The cost of compliance and validating compliance with HIPAA and HITECH depends on several factors. This includes the nature of the covered entity, volume of transactions managed each year, data handling and storage practices, and the IT infrastructure within the organization. Many organizations have faced sanctions, regulatory oversight, and heavy fines because they did not properly protect sensitive healthcare information. The cost of being compliant significantly outweighs the cost of doing nothing. Non-compliance Non-compliance may result in: Incidental violations with fines from $100 per incident up to $25,000 for the same violation per calendar year. Wrongful disclosure, prosecuted by the Department of Justice, with penalties for responsible parties ranging from $50,000 and 1 year in prison up to $250,000 and 10 years in prison. Lawsuits, including class action lawsuits, by parties claiming that they have been damaged or suffered loss can be extremely costly. Ongoing Federal oversight Loss of customers Loss of patient confidence Termination of contracts
5 Overview of the Act The Health Insurance Portability and Accountability Act (HIPAA) is a law mandated by the US congress to address the protection of healthcare information. The HIPAA Privacy Rule and Security Rule provide federal protections for personal health information (PHI) held by covered entities and give patients an array of rights with respect to that information. The Privacy Rule provided the first nationally-recognizable regulations for the use and disclosure of an individual's health information. The Security Rule established a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule developed the mechanics for implementing the protections contained in the Privacy Rule by addressing technical and non-technical safeguards that covered entities must put in place to secure individuals electronic protected health information. The Health and Human Services (HHS) Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules and imposing money penalties for non-compliance. Overview of the Privacy Rule Gives patients control over the use of their health information Defines boundaries for the use and disclosure of health records by covered entities Establishes US national-level compliance standards for healthcare providers Helps to limit the use of PHI and minimizes chances of inappropriate and unauthorized disclosure Provides authority to investigate compliance-related issues and hold violators accountable with civil and criminal penalties Enables authority to disclosure PHI for individual healthcare needs, public benefit, and national interests
6 Overview of the Security Rule Requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-phi. This includes: Ensure the confidentiality, integrity, and availability of all e-phi created, received, maintained or transmitted Identify and protect against reasonably anticipated threats to the security or integrity of the information Protect against reasonably anticipated, unauthorized uses or disclosures Ensure compliance by the entities workforce Covered Entities and Business Associates Under the HIPAA laws the Privacy and Security Rules apply only to covered entities health plans, health care clearinghouses, and certain health care providers. Most health care providers and health plans use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these business associates if the providers obtain satisfactory assurances that the business associate will use the information only for legitimate purposes and safeguard the information from misuse. The HITECH Act of 2009 expanded the responsibilities of business associates under the Privacy and Security Rules. Covered Entities Health Care Providers Chiropractors Clinics Dentists Doctors Nursing Homes Pharmacies Psychologists Health Plans Health insurance companies HMO s Company health plans Government programs that pay for health care Health Care Clearinghouses Includes entities that process or convert health information
7 Business Associates Some examples of Business Associates: Attorneys whose legal services to a health provider involve access to protected health information Consultants that perform utilization reviews for a hospital CPA firms whose accounting services to a health care provider involve access to protected health information Medical transcriptionists Pharmacy benefit managers that manage a health plan s pharmacist network Third party administrator that assists a health plan with claims processing. What are the requirements? The requirements for HIPAA are expansive, but the major requirements fall into the categories below: Administrative Safeguards - Administrative actions, including policies and procedures, to manage the selection, development, implementation, and maintenance of security measures that protect electronic health information and manage the conduct of the covered entity s workforce in relation to the protection of that information. Physical Safeguards - Physical measures, including policies, and procedures, to protect a covered entity s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. Technical Safeguards - Technology and the related policy and procedures to protect and control access to electronic protected health information.
8 The HITECH Act has expanded the reach and scope to include: Breach Notification - Establishment of a Federal breach notification requirement. Requires that an individual be notified if there is an unauthorized disclosure or use of their health information. Audit Trails - Providing transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record. Patient Information Authorization - Shutting down the secondary market that has emerged around the sale and mining of patient health information by prohibiting the sale of an individual s health information without their authorization. Requiring that providers attain authorization from a patient in order to use their health information for marketing and fundraising activities. Enforcement - Strengthening enforcement of Federal privacy and security laws by increasing penalties for violations and providing greater resources for enforcement and oversight activities.
9 About TrustNet TrustNet is a leading provider of on-demand IT security and compliance management solutions including software-as-aservice, compliance, security services, and awareness training. The itrust SaaS is a security management platform that is quickly and easily deployed into any existing network and provides clients with immediate measurable benefits and a low total cost of ownership. TrustNet is PCI Qualified Security Assessor and provides compliance assessments and security services for PCI, HIPAA, SOX, and SOC/SSAE16. Since 2003 TrustNet has been a strategic partner helping clients ensure the security and integrity of their businesses. From our headquarters in Atlanta, Georgia TrustNet serves mid-size and large organizations, both public and private, across multiple industries, in the United States and around the world. Visit us on the web at Sales: TRUST Atlanta, Georgia 127 Peachtree Road Suite 500 Atlanta, GA Roswell, Georgia Alpharetta Highway Suite G1 Roswell, GA Fort Lauderdale, Florida 3580 NE 12th Avenue Fort Lauderdale, FL Johannesburg, South Africa 14 Boschendal Street Hurlingham Manor Sandton No portion of this document may be copied or distributed outside of the above mentioned entity without the express written consent of TrustNet. Copyright TrustNet All rights reserved. The PCI Security Standards Council Qualified Security Assessor logo is a trademark or service mark of The PCI Security Standards Council in the United States and in other countries.
OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education
INTRODUCTION This guidance is composed of a series of fact sheets that clarify how the HIPAA Privacy Rule applies to, and can be used to help structure the privacy policies behind, electronic health information
Vol. 78 Friday, No. 17 January 25, 2013 Part II Department of Health and Human Services Office of the Secretary 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
U.S. Department of Health and Human Services U.S. Department of Education Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing
Event Log Management & Compliance Best Practices: For Government & Healthcare Industry Sectors By Ipswitch, Inc. Network Managment Division www.whatsupgold.com September 2010 Table of Contents Compliance
2013 HIPAA/HITECH AMENDMENTS: HOW THE CHANGES IMPACT THE ediscovery PROCESS Brian Brown Danny Tijerina RenewData, an LDiscovery Company Austin, TX Introduction Maintaining compliance with government regulations
Online Lead Generation: Data Security Best Practices Released September 2009 The IAB Online Lead Generation Committee has developed these Best Practices. About the IAB Online Lead Generation Committee:
This article was originally published in the November 2010 issue of the Intellectual Property & Technology Law Journal. ARTICLE Insights into Cloud Computing The basic point of cloud computing is to avoid
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 email@example.com www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
Frequently Asked Questions : Personal Health Information Protection Act February 2005 Information and Privacy Commissioner/Ontario Ann Cavoukian, Ph.D Commissioner. Dr. Ann Cavoukian, the Information and
Minnesota Society for Healthcare Risk Management September 22, 2011 Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Melissa Krasnow, Partner, Dorsey & Whitney, and Certified Information
AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,
A Privacy Handbook for Lawyers PIPEDA AND YOUR PRACTICE Table of Contents Introduction...1 Privacy Issues in Managing a Law Practice...6 Privacy issues in Civil Litigation...16 Conclusion...26 Endnotes...28
PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE THIS AGREEMENT, effective, 2011, is between ( Provider Organization ), on behalf of itself and its participating providers ( Providers
After Hours Triage Answering Services (AHTAS) RFP 15-573757-MW Date Issued: July 30, 2015 *QUESTION DUE DATE: August 4, 2015 Buyer Contact: Michael Wegmann *SUBMITTAL DUE DATE: August 13, 2015 Tel # (916)
Privacy and Security of Electronic Health Information Version 2.0 April 2015 The information contained in this Guide is not intended to serve as legal advice nor should it substitute for legal counsel.
ISMS User s Guide for Medical Organizations Guidance on the Application of ISMS Certification Criteria (Ver.2.0) ISMS: Information Security Management System 8 November 2004 Japan Information Processing
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
Why HIPAA Compliance Should Scare You and What You Should Ask Your Business Phone Service Provider NOW By Mike McAlpen, 8x8 Executive Director of Privacy, Security and Compliance The Champion For Business
HIPAA Security Risk Analysis Toolkit In January of 2013, the Department of Health and Human Services Office for Civil Rights (OCR) released a final rule implementing a wide range of HIPAA privacy and security
Adopting Electronic Medical Records: What Do the New Federal Incentives Mean to Your Individual Physician Practice? U John M. Neclerio, Esq.,* Kathleen Cheney, Esq., C. Mitchell Goldman, Esq., and Lisa