HIPAA Changes Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13

Transcription

1 HIPAA Changes 2013 Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13

2 BEI Who We Are DC Metro IT Service Provider since 1987 Network Design/Upgrade Installation/Managed IT Services for small to medium-sized organizations with a focus on ambulatory healthcare IT Elite Microsoft Gold Partner Most Comprehensive Healthcare IT Service Provider in DC Currently support >25 practices, 200 providers, 2000 staff, variety of EHR s GE, NextGen, Allscripts, eclinicalworks, Meditab/IMS, and more HIPAA compliant Business Associate EHR selection assistance (RFQ, analysis, recommendation) HIPAA security experts (security review, recommendations) Meaningful use assistance (assisted clients in obtaining >$1M in Stage 1 reimbursements) Community education on healthcare IT topics through monthly HIT newsletter and events such as today!

3 Alternative Title HIPAA really? You re going to make me deal with HIPAA? Isn t Meaningful Use and ICD-10 enough? And what about healthcare reform? What is that? Chopped liver? And in my spare time I run my practice? HIPAA really? C mon give me a break.

4 Today s Seminar HIPAA Refresher HIPAA Changes Overview HIPAA Security Rule & EHRs/MU NPP Changes Risks of Non-Compliance Developing a framework for dealing with HIPAA

5 HIPAA Refresher Health Insurance Portability and Accountability Act Passed in 1996 Title I: Health Care Access, Portability, and Renewability Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform Privacy Rule Transactions and Code Sets Rule Security Rule Administrative Safeguards Physical Safeguards Technical Safeguards

6 HIPAA Definitions PHI Protected Health Information Individually identifiable health information CE Covered Entity A health plan, healthcare clearinghouse or a healthcare provider that transmits any PHI in electronic form BA Business Associate An entity who creates, receives, maintains, or transmits PHI on behalf of a CE

7 HITECH Amendments 2009 HITECH Act required HHS to amend HIPAA Interim/Draft Rules based on HITECH Act have been in effect since October 2009 After receiving comments for 3 years some changes were made and Final Rules were created These Final Rules were published on January 25, 2013, effective on March 26, 2013 all CEs and BAs must be compliant by September 23, 2013 The key changes in the rules affect Notice or Privacy Practices, Breach Notification & applicability of HIPAA regulations to Business Associates Many other smaller changes that generally do not affect ambulatory practices

8 Recent HIPAA Changes - Breach Notification Breach is still the "unauthorized acquisition, access, use, or disclosure" of PHI that can compromise the privacy and/or security of this information If, however, the PHI is "unusable, unreadable, or indecipherable ( secured ), no notification is required (this is unchanged) Rule change is that this is NOT a breach if it can be proved there is a low probability that the information was compromised Previously had to prove there was no significant risk of harm to individual Burden is on CE (and, now, BA) to prove this low probability

9 Breach Notification Defining Low Probability Low probability determined/proved by performing a formal, documented risk analysis that includes at least these factors: Nature and extent of PHI involved Who received the impermissible disclosure Whether the PHI was actually acquired or viewed The extent to which the risk to PHI has been mitigated Bottom Line Don t put yourself in a potential position where unsecured PHI can be compromised

10 "unusable, unreadable, or indecipherable = Secured = ENCRYPTED ENCRPYT YOUR DATA!!!!!!!!!!!!!!!!!!!!!!

11 Recent HIPAA Changes - Rule Applicability to BA s A BA is a person who creates, receives, maintains, or transmits protected health information on behalf of a covered entity (unchanged although definition of maintain has been modified/broadened) Typical BAs legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. Rule change is that BAs must now by law have their own HIPAA compliance programs implemented and in place including the appropriate documented policies and procedures BAs required to comply with the use and disclosure requirements when unsecured PHI is inappropriately released or obtained. This includes complying with all the breach notification rules BAs must also enter into BA Agreements with any subcontractors they employ who have exposure to PHI

12 Why Should You Care Whether Your BAs Are HIPAA Compliant? BAs should know how to and actually treat PHI properly Reputational harm if BA causes a breach Possible induction into the Office of Civil Rights Hall of F(sh)ame CE could be sued Could be a huge distraction to the practice

13 NPP Changes Changes are considered material therefore you will need a new NPP New NPP required for new patients only Existing patients do not need to sign new NPP However, must post new NPP for all patients to see NPP changes: Psychotherapy notes Fundraising communications Restrictions on sharing PHI if individual pays out of pocket Communication if there is a breach

14 Risks of non-compliance: Penalties HIPAA Violation Minimum Penalty Maximum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation due to reasonable cause and not due to willful neglect $1,000 per violation, with an annual maximum of $100,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation due to willful neglect but violation is corrected within the required time period $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation is due to willful neglect and is not corrected $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million

15 HIPAA Breaches by Type

16 HIPAA Audit Program Run by Office of Civil Rights (OCR) Pilot Program as of now Audited all types of Covered Entities, including ambulatory practices Covers: Privacy Rule Security Rule Breach Notification Rule

17 How Do I Become Security Compliant?

18 HIPAA Security Rule HIPAA Security Rule is not new Much more important when dealing with EHRs than paper records Must perform Security Rule Gap analysis for MU Must attest to performing a Gap analysis to get MU $$ The major emphasis of the Security Rule is to make sure that you are properly protecting PHI Need to also have a good backup and disaster recovery plan

19 Good Business Practice & HIPAA Security Rule Compliance ALL businesses need to protect their data from security issues and inappropriate access HIPAA Security Rule is simply a regulatory requirement that specifies how this should be done for medical practices Consider the Security Rule is something that is helping protect your business and not just something to comply with See our recent article in Maryland Medicine for specifics (in your handouts)

20 What Does Good IT Security Look Like? 1. Policies set standards for responsibilities and behavior Gap: Plan and Teamwork suffer, waste of resources 2. Procedures that are documented make policy implementation consistent and repeatable Gap: Unreliable results 3. Implementation of Procedures protects the organization Gap: creates weak points 4. Monitoring sustains protection over time Gap: Degraded security with time

21 A framework for implementing HIPAA 1 1. Clearly Stated Objectives A Plan to Reach Them 3. Realistic Resource Allocation 4. Team Work 5. Way to Measure Outcomes 4 3

22 A framework for implementing HIPAA HIPAA compliance is a process, not a transaction Must be worked on a periodic basis Should be imbedded into your practice workflows General process: 1. Develop policies 2. Implement procedures in support of the policies 3. Perform gap analysis to insure that: 1. Policies meet all HIPAA requirements 2. Procedures are being followed 4. Remediate gaps 5. Go back to step 1 You have to select the pace at which you implement HIPAA in your practice

23 IT Security Risk Management Risk Analysis Monitoring Risk Management Program Gap Analysis Remediation

24 How Do You Do This? Brute force Read all the government documents Create your own policies, procedures, etc. Use tools/templates already created Lots of companies offer templates Are also some software tools to assist As one example we would like to show you a software tool we ve found that is very simple yet thorough

25 HIPAA HITECH EXPRESS Online/ Cloud tool for becoming compliant Simplified, Intuitive Approach with Built In Training End to End, Turbo Tax Like How to Guide All in One Affordable Risk Management Rapid Risk Analysis 4 6 weeks to Remediation Start Prioritized Gap Analysis Focus on What s Important First Automated Workflow to Quickly Remediate Risks and Gaps Concise Library of Policies and Procedures

26 How it Works Rapid Risk Analysis Questionnaire with approx. 35 guided questions Yes/No Built-in help/explanatory guidance Gap Analysis Expert guided Built-in gap prioritization based on risk, cost and impact Risk Remediation Detailed task-by-task work plan to fix gaps Assign task ownership across organization Templates of all necessary polices and procedures included Results in on-line repository of HIPAA documents

27 Thanks for your attention! BEI And if you require assistance with any of your IT needs, give us a call No Obligation Network Assessment Day-to-day IT support/help desk Network setup/upgrade EHR installation support (we work with all EHR vendors) EHR selection assistance (RFQ, analysis, recommendation) HIPAA security review Meaningful use assistance

28 Question? Comments? Are you still awake? (admittedly, HIPAA is not the most interesting subject in the world) If you are not awake, but would like to ask a question later, please jkrasner@beinetworks.com