Building Trust and Confidence in Healthcare Information. How TrustNet Helps

Transcription

1

2 Building Trust and Confidence in Healthcare Information The management of healthcare information in the United States is regulated under the HIPAA (Health Insurance Portability and Accountability Act) and HITECH Act (Health Information Technology for Economic and Clinical Health Act). The HIPAA Privacy and Security Rules established national standards to protect individuals medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rules requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rules also gives patient s rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The HITECH Act expands Federal privacy and security protections for healthcare information. As healthcare providers move toward exchanging large amounts of health information electronically, this legislation aims to ensure that such information remains private and secure. How TrustNet Helps TrustNet provides services and solutions to ensure compliance with the HIPAA Privacy Rule and HITECH Act. We don t take a cookie-cutter approach. We listen to each client s unique needs and develop an approach that meets their objectives and expectations. Our clients rely on us to help them fulfill their regulatory and compliance goals so they can focus their resources on patient care and other objectives. HIPAA Compliance Validation Service HIPAA Gap Assessment HIPAA Policies and Procedures Development HIPAA Incident Response Planning HIPAA Awareness Training

3 Other HIPAA Related Services WebTrust TrustShield IDS iscan Incident Response Planning Penetration Testing Risk Assessments Policies and Procedures Development TrustAgent itrust SaaS xscan Security Assessments Wireless Security Assessments Security Awareness Training SaaS Security Awareness Communication AirTrust Security Awareness Posters

4 Who must be compliant? Organizations that must comply with HIPAA include healthcare providers, health care clearinghouses, such as billing services and community health information systems, and any provider that transmits healthcare data in a way that is regulated by HIPAA. The HITECH Act expands the scope of HIPAA, ensuring that entities that were not established when the Federal Privacy Rules were written, as well as those entities that do work on behalf of providers and insurers, are subject to the same privacy and security rules as providers and health insurers. The cost of compliance and validating compliance with HIPAA and HITECH depends on several factors. This includes the nature of the covered entity, volume of transactions managed each year, data handling and storage practices, and the IT infrastructure within the organization. Many organizations have faced sanctions, regulatory oversight, and heavy fines because they did not properly protect sensitive healthcare information. The cost of being compliant significantly outweighs the cost of doing nothing. Non-compliance Non-compliance may result in: Incidental violations with fines from $100 per incident up to $25,000 for the same violation per calendar year. Wrongful disclosure, prosecuted by the Department of Justice, with penalties for responsible parties ranging from $50,000 and 1 year in prison up to $250,000 and 10 years in prison. Lawsuits, including class action lawsuits, by parties claiming that they have been damaged or suffered loss can be extremely costly. Ongoing Federal oversight Loss of customers Loss of patient confidence Termination of contracts

5 Overview of the Act The Health Insurance Portability and Accountability Act (HIPAA) is a law mandated by the US congress to address the protection of healthcare information. The HIPAA Privacy Rule and Security Rule provide federal protections for personal health information (PHI) held by covered entities and give patients an array of rights with respect to that information. The Privacy Rule provided the first nationally-recognizable regulations for the use and disclosure of an individual's health information. The Security Rule established a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule developed the mechanics for implementing the protections contained in the Privacy Rule by addressing technical and non-technical safeguards that covered entities must put in place to secure individuals electronic protected health information. The Health and Human Services (HHS) Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules and imposing money penalties for non-compliance. Overview of the Privacy Rule Gives patients control over the use of their health information Defines boundaries for the use and disclosure of health records by covered entities Establishes US national-level compliance standards for healthcare providers Helps to limit the use of PHI and minimizes chances of inappropriate and unauthorized disclosure Provides authority to investigate compliance-related issues and hold violators accountable with civil and criminal penalties Enables authority to disclosure PHI for individual healthcare needs, public benefit, and national interests

6 Overview of the Security Rule Requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-phi. This includes: Ensure the confidentiality, integrity, and availability of all e-phi created, received, maintained or transmitted Identify and protect against reasonably anticipated threats to the security or integrity of the information Protect against reasonably anticipated, unauthorized uses or disclosures Ensure compliance by the entities workforce Covered Entities and Business Associates Under the HIPAA laws the Privacy and Security Rules apply only to covered entities health plans, health care clearinghouses, and certain health care providers. Most health care providers and health plans use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these business associates if the providers obtain satisfactory assurances that the business associate will use the information only for legitimate purposes and safeguard the information from misuse. The HITECH Act of 2009 expanded the responsibilities of business associates under the Privacy and Security Rules. Covered Entities Health Care Providers Chiropractors Clinics Dentists Doctors Nursing Homes Pharmacies Psychologists Health Plans Health insurance companies HMO s Company health plans Government programs that pay for health care Health Care Clearinghouses Includes entities that process or convert health information

7 Business Associates Some examples of Business Associates: Attorneys whose legal services to a health provider involve access to protected health information Consultants that perform utilization reviews for a hospital CPA firms whose accounting services to a health care provider involve access to protected health information Medical transcriptionists Pharmacy benefit managers that manage a health plan s pharmacist network Third party administrator that assists a health plan with claims processing. What are the requirements? The requirements for HIPAA are expansive, but the major requirements fall into the categories below: Administrative Safeguards - Administrative actions, including policies and procedures, to manage the selection, development, implementation, and maintenance of security measures that protect electronic health information and manage the conduct of the covered entity s workforce in relation to the protection of that information. Physical Safeguards - Physical measures, including policies, and procedures, to protect a covered entity s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. Technical Safeguards - Technology and the related policy and procedures to protect and control access to electronic protected health information.

8 The HITECH Act has expanded the reach and scope to include: Breach Notification - Establishment of a Federal breach notification requirement. Requires that an individual be notified if there is an unauthorized disclosure or use of their health information. Audit Trails - Providing transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record. Patient Information Authorization - Shutting down the secondary market that has emerged around the sale and mining of patient health information by prohibiting the sale of an individual s health information without their authorization. Requiring that providers attain authorization from a patient in order to use their health information for marketing and fundraising activities. Enforcement - Strengthening enforcement of Federal privacy and security laws by increasing penalties for violations and providing greater resources for enforcement and oversight activities.

9 About TrustNet TrustNet is a leading provider of on-demand IT security and compliance management solutions including software-as-aservice, compliance, security services, and awareness training. The itrust SaaS is a security management platform that is quickly and easily deployed into any existing network and provides clients with immediate measurable benefits and a low total cost of ownership. TrustNet is PCI Qualified Security Assessor and provides compliance assessments and security services for PCI, HIPAA, SOX, and SOC/SSAE16. Since 2003 TrustNet has been a strategic partner helping clients ensure the security and integrity of their businesses. From our headquarters in Atlanta, Georgia TrustNet serves mid-size and large organizations, both public and private, across multiple industries, in the United States and around the world. Visit us on the web at Sales: TRUST [email protected] Atlanta, Georgia 127 Peachtree Road Suite 500 Atlanta, GA Roswell, Georgia Alpharetta Highway Suite G1 Roswell, GA Fort Lauderdale, Florida 3580 NE 12th Avenue Fort Lauderdale, FL Johannesburg, South Africa 14 Boschendal Street Hurlingham Manor Sandton 2196 [email protected] [email protected] [email protected] [email protected] No portion of this document may be copied or distributed outside of the above mentioned entity without the express written consent of TrustNet. Copyright TrustNet All rights reserved. The PCI Security Standards Council Qualified Security Assessor logo is a trademark or service mark of The PCI Security Standards Council in the United States and in other countries.