Special Presentation: HIPAA Survival. Dr. Ty Talcott CHPSE PH:

Transcription

1 Special Presentation: HIPAA Survival Dr. Ty Talcott CHPSE PH:

2 A Little about me.

3

4 Ski Lift Acrobatics

5 Do you know the Four New Threats to chiropractors for 2014?

6 HIPAA Regulatory Compliance Manual [Clinic Name] Index 1. Audit Schedule for 20, Plus Physical Plant Audit 2. Compliance Officer Job Description Notification of Officer Appointment/Posting Policy and Procedure Filing a complaint

7 3. Notice of Patient Privacy Policy 4. Forms Consent to use PHI Restricted Consent Patient Authorization Revocation of Authorization Approve Request to Copy Deny Request to Copy Accounting Log Corrective Action Forms

8 5. 1st Quarter Audits Confidentiality Statements Business Associate Confidentiality Contracts Staff In-Service Physical Plant Audit 6. 2nd Quarter Audits Follow up on first quarter audits Security Rules In-Service 7. 3rd Quarter Audits Security Rules Risk Audit/Analysis

9 Annual Compliance Audit/evaluation 8. 4th Quarter BONUS Audits Claim Denial Review Medicare ABN Compliance Clinical File Review 9. Policies and Procedures for Security Rules 10. Annual in-service presentation outline 11. Required Risk Analysis/Evaluation 12. Annual compliance program review/evaluation

10 Policies and procedures Policies are considered high-level documents that require input, preparation and/or approval from senior management/owner. They do not change often and are general in nature. They are technology neutral and do not lay out details of technology utilization or office procedures. THESE SHOULD BE BRIEF AND TO THE POINT AS YOU HAVE TO WRITE A LOT OF THEM AND THE STAFF MUST BE TRAINED RELATIVE TO THE ONES THAT IMPACT THEIR JOB.

11 Procedures, on the other hand, are extremely detailed, often written by the front line individuals performing the task in question and are changed frequently every time a workaround needs to be fixed or a better way to accomplish a task is identified.

12 If you found non compliant areas You must complete a corrective action. Do you know how to write a compliant corrective action? Highlights

13 There are multiple government websites that must be accessed and orchestrated if you are going to build your own compliance program. Let s look at them now;

14 Annual Required In-Service

15 There are more than a dozen required topics that must be covered and documented annually or you are in violation. We will cover all of them today

16 Disciplinary Standards & Enforcement required to develop a written policy- key components;

17 Release of Patient Information Confidential information includes: Any communication between a patient and the doctor. Any communication between a patient and other clinical persons regarding: All clinical data, i.e., diagnosis, treatment; Patient transfer to a facility for treatment of drug abuse, alcoholism, mental/psychiatric problem;

18 Telephone Requests for Release of Confidential Patient Information - when is this allowed?

19 Fax Requests for Release of Confidential Patient Information WHEN IS THIS ALLOWED?

20 Policies & Procedures : there are over 35 required policies you must have authored and be in your HIPAA MANUAL IT IS USUALLY ABOUT 80 PAGES IN A TYPICAL OFFICE. THEY ARE AVAILABLE IN THE SURVIVAL KIT- A COUPLE SAMPLES BELOW: PRIVACY OFFICER/COMPLIA NCE OFFICER PRODUCTION OF DOCUMENTS AND DATA RETENTION OF DOCUMENTS AND DATA SANCTION POLICY CONFIDENTIALITY AGREEMENTS AND B.A. CONTRACTS SCOPE OF PROTECTION UNDER THE SECURITY RULES

21 Special Offer HIPAA Survival Kit Retail Price of $ Discounted Association Price of $ Call or

22 Break

23 Risk Analysis THE NEWEST AND BIGGEST THREAT

24 Risk analysis Date performed Participants TO BE COMPLIANT AND AVIOD REVOCATION OF YOUR ATTESTATION CHECK AND/OR A HIPAA audit you must have an Inventory of ASSETS

25

26 Item from inventory list: Threats and vulnerabilities: At risk for theft while being transported 6.

27 Present controls in place:

28 Gap analysis- Still needed- required: 1.

29 Potential solutions- required component

30 Mitigation of risk- the most often missed critical component of a compliant analysis:

31 Who is going to follow up

32 Equipment Maintenance- required

33 Data Recovery:. Emergency Mode Function: Required components of documentation

34 The key components of evaluating the level of risk are Considering the likelihood of having an occurrence /breach and - The value to the organization of that which could be damaged.

35 They can be ranked as low, medium or high risk by taking their critical nature into account and considering the key components of evaluation mentioned above.

36 Sample of needed evaluation audit question required. Approx. fifty questions make up the audit. I have completed a list of clinic/practice assets, prioritized them relative to high risk and have the list available to proceed to part two of risk analysis. yes no

37 Best Friend

38 Privacy Posting is now called the Notice of Patient Privacy Policy

39 Business Associate Contracts

40 Suggested website

41 The right to restrict certain disclosures of Protected Health Information to a health plan where the individual pays out of pocket in full for the healthcare item or service.

42 Coming up ABN Physical Plant & Top Security Rules

43 Special Offer HIPAA Survival Kit Retail Price of $ Discounted Association Price of $ Call or

44 Break

45 A. Notifier: B. Patient Name: C. Identification Number: Advance Beneficiary Notice of Noncoverage (ABN) NOTE: If Medicare doesn t pay for D. below, you may have to pay. Medicare does not pay for everything, even some care that you or your health care provider have good reason to think you need. We expect Medicare may not pay for the D. below. D. E. Reason Medicare May Not Pay: F. Estimated Cost WHAT YOU NEED TO DO NOW: Read this notice, so you can make an informed decision about your care. Ask us any questions that you may have after you finish reading. Choose an option below about whether to receive the D. listed above. Note: If you choose Option 1 or 2, we may help you to use any other insurance that you might have, but Medicare cannot require us to do this. G. OPTIONS: Check only one box. We cannot choose a box for you. OPTION 1. I want the D. listed above. You may ask to be paid now, but I also want Medicare billed for an official decision on payment, which is sent to me on a Medicare Summary Notice (MSN). I understand that if Medicare doesn t pay, I am responsible for payment, but I can appeal to Medicare by following the directions on the MSN. If Medicare does pay, you will refund any payments I made to you, less co-pays or deductibles. OPTION 2. I want the D. listed above, but do not bill Medicare. You may ask to be paid now as I am responsible for payment. I cannot appeal if Medicare is not billed. OPTION 3. I don t want the D. listed above. I understand with this choice I am not responsible for payment, and I cannot appeal to see if Medicare would pay. H. Additional Information: This notice gives our opinion, not an official Medicare decision. If you have other questions on this notice or Medicare billing, call MEDICARE ( /TTY: ). Signing below means that you have received and understand this notice. You also receive a copy. I. Signature: J. Date: According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is The time required to complete this information collection is estimated to average 7 minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have comments concerning the accuracy of the time estimate or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Baltimore, Maryland Form CMS-R-131 (03/11) Form Approved OMB No

46 Physical Plant Walk Through Audit Office: Date: Area of review Compliant - Y/N Comments Patient charts located in secure area. Y/N Names on charts protected. Y/N

47 Information at front desk protected. Y/N Insurance/Collection calls not able to be heard from patient area. Y/N Computer screens with rapid time out/password protected. Y/N Additional 20 required questions/points

48 Blackout screens Computer Passwords Rapid time out screensavers Relocation of Computers Relocation of staff member New Sign In sheet

49 You must have policies/procedures relative to disposal of PHI records and all staff agree to abide by them. Need to document an audit trail to prove policies followed to complete destruction by outsourcing to a service, physically destroying or use of a software to sanitize (not recommended for USB/flash media due to sector sparing).

50 Pay special attention to disposal of problem devices like printers, fax machines that store information, flash drives, etc. NIST, at government site, is a good resource for proper disposal.

51 Physical access control ** Policies must be in place and agreed to by staff, prescribing the physical safety and security of devices. All devices must be inventoried and accounted for. All computers are protected from environmental hazards. Physical access to secured areas is limited to authorized persons.

52 Sample of one point I have written a P & P to cover physical safety and security of devices and have a plan to enforce same. yes no

53 Securing electronic transmissions and network utilization **It is required to have integrity controls and encryption in place. Policies need to be in place prescribing network configuration and who has access and all staff agree to abide by them. How do we go about this?

54 Back up and Securing Encryption methods for offsite electronic media, backup tapes, data at rest, text messaging, etc. **Back up policies and procedures for backup and recovery are in place and agreed to by staff, all staff understand their duties during recovery. The entire system restore process is known to at least one person outside the practice.

55 A copy of recovery plan is safely stored offsite, files that are critical are documented and listed in the backup configuration. There is a timely and regular backup schedule and every run is tested for its ability to restore data accurately. Backup media are secured or encrypted- if offsite. Back ups are unreadable prior to disposal. Multiple backups are maintained. How do we make this happen?

56 **Access control policies must be in place and all staff agree to abide by (document this). What to do at termination of employee, every user account must be documented to be tied to a currently authorized individual, minimum necessary states an individual may only access what is needed to perform their work, all files must be set to allow only authorized individuals to use. Computers running health care data are not allowed for other uses. Writing a policy for this>>>>>

57 Awareness training relative to these and all other issues is required (annual and ongoing). How often and what is required?

58 Determining which audit logs to activate

59 Auditing your use of logins/trails How?

60 Special Offer HIPAA Survival Kit Retail Price of $ Discounted Association Price of $ Call or