Build a HIPAA- Compliant Prac5ce. Wes Strickling, Founder & CEO

Transcription

1 Build a HIPAA- Compliant Prac5ce Wes Strickling, Founder & CEO

2 Agenda What is HIPAA Compliance? What does it mean to your prac5ce? What should you do? Q & A

3 What Is HIPAA Compliance? Health Insurance Portability & Accountability Act (1996) HIPAA Privacy Rule (2003) Protects ALL iden5fiable pa5ent informa5on writen, verbal, electronic (PHI) Security Rule (2005) protects electronic Protected Health Informa5on (ephi) HITECH Act (2009) funded electronic medical records and changed HIPAA HIPAA Omnibus Final Rule released January, 2013 COMPLIANCE DEADLINE September 23, 2013

4 HIPPA Omnibus Final Rule January 2013 Changed data breach law Proof of harm no longer required Loss of device presumed to be a breach, with few exceptions Changed patient access to data requirements Changed authorization requirements for sale of health info, and using it for marketing and fundraising Genetic info cannot be used for underwriting And big changes for Business Associates Download your copy here! htp:// publica5on- search.cfm?pub_id=912091

5 What Is ephi? Protected Health InformaKon Iden5fiable Plus treatment and/or diagnos5c informa5on Electronic Protected Health InformaKon PHI in electronic form Words, images, voice files On any media

6 Covered En55es Providers that bill electronically doctors, hospitals, den5sts, chiropractors, physical therapists, nursing homes, pharmacies, labs etc.) Payers Medicare, insurance Self- insured businesses of any type Clearinghouses

7 Business Associates NOT Covered EnKKes but do come in contact with PHI and ephi Shredding Companies, Paper Records Storage IT companies, EHR vendors, copier vendors Lawyers, accountants, collec5ons agencies, etc. NEW data centers, online backup companies, Cloud vendors If they maintain data Even if they don t look at it Even if it is encrypted, in locked cabinets, sealed boxes

8 Administra5ve Safeguards Security Management Process Assigned Security Responsibility Workforce Security Informa5on Access Management Security Awareness & Training Security Incident Procedures Con5ngency Plan Evalua5on Business Associate Contracts

9 Physical Safeguards Facility Access Controls WorkstaKon Use WorkStaKon Security Device and Media Controls

10 Technical Safeguards Access Control Unique User Iden5fica5on Emergency Access Procedure Automa5c Logoff Encryp5on & Decryp5on (data at rest) Audit Controls Integrity Person or EnKty AuthenKcaKon Transmission Security Integrity Encryp5on (data in transit)

11 Risk Analysis Business ConKnuity Risk Analysis Iden5fy all risks that may affect the survival of the organiza5on Basis for Business Con5nuity plan HIPAA Security Rule Risk Analysis IdenKfy all risks that may affect ephi Basis for HIPAA Risk Management Meaningful Use Security Risk Analysis IdenKfy all risks to ephi in EHR system Basis for Meaningful Use IncenKve Payment

12 Meaningful Use Core Measure 15 EHR Incen5ve Program (ARRA) to fund electronic records Part of ARRA, not Obamacare or HIPAA Requirements to get the $ 44,000 incen5ve for implemen5ng Electronic Health Records Core Measures plus other requirements Core Measure 15 = HIPAA Risk Analysis & RemediaKon RemediaKon must take place prior to or during the reporkng period Many doctors think it is new when it has been a requirement since 2005

13 What Does It Mean to YOUR Prac5ce? Prevent downkme from viruses & intrusions Down5me can be very costly With electronic medical records you can risk pa5ent care Security of pakent data is regulated by HIPAA Fines and penalkes for unauthorized releases Embarrassment from bad publicity Criminal prosecukon for some offenses

14 What Does It Mean to YOUR Prac5ce? How many screens (laptops, desktop PCs, tablets and phones) access, interface or communicate with pa5ents and their health related informa5on? Of those how many Have virus/malware/spyware protec5on? Have all sopware automa5cally patched & updated? Scan for & stop malicious sopware before it gets to your network? Are protected from SPAM, Malicious & Phishing s? Keeps a log of all individuals in your organiza5on who access ephi? Are included in your comprehensive back up disaster and recovery protocol?

15 Incidents ANY poten5al loss or unauthorized release May be reported by anyone Should be inves5gates quickly Lost devices are breaches unless recovered Excep5ons forensic proof that data was not accessed

16 Breaches Loss of unencrypted device containing ephi Improper disposal of PHI & ephi PHI sent to wrong pa5ent Thep of pa5ent data to defraud payers Selling pa5ent data to personal injury atorneys Pos5ng ephi on a public website Snooping in pa5ent records

17 Repor5ng Data breaches of more than 500 records must be reported to OCR within 60 days California within 5 days Data breaches of more than 500 records must be reported to OCR in an annual report Pa5ents must be no5fied Directly Through Media if direct not possible

18 Recent HIPAA Penal5es $ 100,000 for sending pa5ent data through online mail $ 1.5 million for a lost laptop $ 1.7 million for a lost backup drive $ 50,000 for a lost laptop HIPAA Data Breaches - - Wall of Shame hup:// breachnokficakonrule/breachtool.html

19 What Should You Do? Assessment Your Practice Documentation Remediation

20 Ques5ons? Visit Call Wes Strickling

21

22 NOW: EHR Breakouts #1 Room 1 Revolu5onEHR Fundamentals Room 2 Care Plan Use and Con5nuity of Care Room 3 Making the Most of the Interview Room 4 Test Editor Customiza5ons General Session Room Meaningful Use 101