HIPAA Workshop Ensuring PHI: Creating a Comprehensive Office Policy

Transcription

1 HIPAA Workshop Ensuring PHI: Creating a Comprehensive Office Policy 2014 OP User Conference Presented by: Sue Kressly, MD, FAAP and Leann DiDomenico, MBA

2 Goal: Develop your Strategy to Ensure the Safety of PHI! Objectives: Understand the difference between HIPAA Privacy and HIPAA Security Define the 3 categories of HIPAA safeguards Outline steps required to perform a risk analysis Learn to identify and rank current risks in your practice Learn what constitutes a breach and how to report Identify available resources to assist your practice

3 Agenda: HIPAA Workshop 3:20-4:40 Introduction/Overview (10 minutes) Small Workgroups (15 minutes) Small Groups Each Report 5 minutes (20 minutes) Brief Overview of Safeguard Examples on ONC Security Risk Assessment Tool (5 minutes) Performance Pediatrics Case Study (10 minutes) Questions Quick Look at Security Risk Assessment Tool (time permitting)

4 What is HIPAA? Health Insurance Portability and Accountability Act 1996 National standards for the use and disclosure of individually identifiable health information Two Rules: HIPAA Privacy Rule: protects individual s health information across all mediums: electronic, paper and oral HIPAA Security Rule: protect individuals e- PHI that is created, received, used, or maintained by a HIPAA covered entity.

5 Why does it matter? Required by Law Required to meet Meaningful Use It s good business practice HIPAA HIPAA Audit Program is part of the HITECH Act

6 Getting Started Phase 1: Preparation Confirm you are a covered entity Provide Leadership Define Security Team Hire? Use Outside Resources? Document Findings Processes Actions

7 Phase 2: Inventory Assets (all devices with ephi) Identify Business Associates Conduct Risk Analysis Develop Action Plan for Identified Threats Vulnerabilities

8 Phase 3: Risk Management Manage and Mitigate Risks Prevent with Education and Training Communicate with Patients Update Business Associate Agreements

9 Phase 4: MU Attestation? Perform Security Risk at least 90 days prior to Reporting Period Other Outside Entity Reporting? NCQA: PCMH

10 Phase 5: Ongoing Risk Assessment

11 Assessing Risk Level of Threats and Vulnerabilities: Likelihood and Impact

12 What Safeguards need to be in place? 3 Categories: Administrative Standards/Specifications for PHI Security Program Physical Access to Office and Computer Systems Technical Hardware/Software that limits access to ephi

13 Let s See how we do

14 What Safeguards Need to Be in Place? Administrative Examples Physical Examples Technical Examples Examples to follow taken directly from the Health IT.gov Security Risk Assessment Tool

15 Administrative Safeguards Security management processes to identify and analyze risks to ephi Implementing security measures to reduce risks Staff training to ensure knowledge of and compliance with your policies and procedures Information access management to limit access to protect health information Contingency plan to respond to emergencies or restore lost data

16 Physical Safeguards Secure access to the office such as locks and alarms, to ensure only authorized peronnel have access to facilities that house systems and data Workstation security measures, such as cable locks and computer monitor privacy filters, to guard against theft and restrict access Workstation use policies to ensure proper access and use

17 Technical Safeguards Access controls to restrict access to ephi to only authorized personnel Audit controls to monitor activity on systems containing ephi Integrity controls to prevent improper ephi alteration or destruction Transmission security measures to protect ephi when transmitted over an electronic network

18

19 HIPAA/OP Case Study: Performance Pediatrics Micro-practice in Plymouth, Massachusetts In 2006 purchased HIPAA product McDermott, Will & Emery ( $375 + calls to our lawyer Policy and Forms No training No updates In 2010 switched/added online solution Based on MGMA recommendation, chose Healthcare Compliance Solutions ( $325/year for 5 employees Feel confident in their policy, forms, training and newsletter No MU risk assessment

20 HIPAA/OP Case Study: Performance Pediatrics MedSafe ( Colleague experience with grandparents HIPAA complaint filed MedSafe handled the whole thing Our experience with CVS CVS faxing to wrong number Sent two certified letters Online, yet local Able to conduct MU risk assessment Higher cost Find your partner Talk to colleagues/op-manager user group Check with local AAP chapter and medical society MGMA

21 How OP Helps Us with HIPAA Compliance New patients Utilize an OP Order Worksheet for standard tasks Parent signs NPP Front desk marks as complete Scan NPP in chart OP pop-up windows Whenever HIPAA requires that we record what we printed OP system eases the burden Drop downs Open text fields

22 How OP Helps Us with HIPAA Compliance Audit employees Performance reviews every 3 months Random audit of the employee To ensure that printed records are being properly documented How to: Records Audit Log Set the Date Range Disclosure Tracking Isolate to one staff name Cross reference this with the Event Chronology to ensure there is detailed documentation

23 How OP Helps Us with HIPAA Compliance Privacy Tab on the OP Patient Register Useful for patients with unusual situations Biological parent with a restraining order Foster children Give employees pause pop ups in the notes Watch for bright red color PHI is being picked up Parent calls to request a Rx refill Provider records details in a message; sets task At pick up, the receptionist verifies the identity of the parent and marks the task as complete Written requests for PHI are scanned into OP

24 How OP Helps Us with HIPAA Compliance Adolescent concerns In the notes, providers mark items clinical staff only or exempt from reporting Ensures mental and reproductive health documentation for adolescents is properly protected

25 BREACH: An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information

26 Impermissible use or disclosure of PHI is assumed to be a breach unless... The covered entity or BA demonstrates there is a low probability that PHI has been compromised based on: The nature/extent of the PHI, including the types of identifiers and likelihood of re-identification The unauthorized person who used the PHI or to whom the disclosure was made Whether the PHI was actually acquired or viewed; and The extent to which the risk to the PHI has been mitigated

27 Breach Notification Requirements Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals the HHS Secretary of Breaches in certain circumstances to the media Business associates must notify covered entities if a breach occurs at or by the business associate More information is available at the HHS website on breach notification

28 Security Risk Assessment Tool available for download from Health IT.gov

29 Action Items Identify your security team including leadership Document your findings, processes and actions Inventory your assets Identify your Business Associates Conduct your risk analysis Managing your risk on an ongoing basis

30 Resources Security Risk Assessment Tool HealthIT.gov: Privacy and Security HIPAA Summary Remote User's Guide Cybersecurity: 10 Best Practices For The Small Healthcare Environment Tip Sheet for Using Mobile Devices Model Privacy Notices form ONC and OCR HIPAA Security Games

31