INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

Transcription

1 INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1

2 Earning Their Trust 4 HIPAA 5 Health Insurance Portability & Accountability Act (HIPAA) Privacy individuals rights of privacy and Standard Security security of ephi Breach Notification reporting breach information Sets standards to assure the Confidentiality, Integrity, and Availability of PHI HIPAA 6 PHI and Personally Identifiable Information Any information (verbal, electronic, or written) that relates to a person s physical or mental health or payment information Name Postal Address All elements of Date Telephone Number Fax Number Address URL IP Address Social Security Number Account Numbers License Number Medical Record Number Health Plan Number Device Identifier Vehicle Identifier Biometric Identifier Full-face Photos Any other unique identifying number Genetic information 2

3 HIPAA Privacy Rule Establishes rights of privacy and standards for disclosure Permitted Disclosures Personal Representatives Treatment, Payment and Healthcare Operations Written Authorization/Verbal Consent De-identified Data Required Disclosures Public Health Activities Law Enforcement Verification Requirements Notice of Privacy Practices 7 HIPAA Security Rule Requires control measures to safeguard the confidentiality, integrity and availability of electronic Protected Health Information (ephi) Organizational Requirements Business Associate Agreements (BAAs) Security Standards 1. Administrative 2. Physical. Technical Security Management Process Information Access Management Security Awareness and Training 8 HIPAA Breach Notification Rule Requires notifications to authorities and patients when unsecured PHI has been breached Defines Breach as the impermissible use or disclosure that compromises the security and privacy of unsecured PHI Exceptions 1. Unintentional Acquisition by a workforce member 2. Inadvertent Disclosure between workforce members. Recipient can not reasonably retain the information Unsecured PHI is PHI that has not been rendered unreadable or indecipherable to unauthorized persons 9

4 HIPAA Omnibus Final Rule Released on January 17, 201; effective on March 26, 201; and Compliance required by September 2, 201. Broadened the definition of a Business Associate & Subcontractors Direct and Expanded Liabilities for Privacy and Security Rules Civil Monetary Penalties (capped at $1.5 million for all) 1. Did not know - $100 - $50,000/violation, 2. Reasonable Cause - $1,000 - $50,000/violation,. Willful Neglect Corrected - $10,000 - $50, Willful Neglect Not Corrected - $50, HIPAA Omnibus Final Rule Breach is now defined as impermissible use or disclosure of PHI. Established four tests for Risk Assessment following a breach: 1. Nature and Extent of PHI 2. Party to Whom PHI may have been disclosed. Actual or Possible viewing or acquisition of PHI 4. Extent to which Risk to PHI has been Mitigated Breach Notification is now necessary in all situations except where low probability of compromise is shown. Individual Rights of Access 11 HIPAA Omnibus Final Rule Disclosures not Requiring Authorization TPO Public Health and Legal Requirements Required modifications to Notice of Privacy Practices 1. Authorization required for: Most uses and disclosures of psychotherapy notes Uses and disclosures for marketing purposes Disclosures that constitute a sale of PHI Other uses or disclosures not described in the NPP 2. Individual Rights to Authorize or Restrict Disclosure. Provider may choose not to comply with a restriction request 4. Notify individuals of breaches of their PHI 12 4

5 2 The New Healthcare Paradigm 1 The New Healthcare Paradigm 14 Internal Compliance 15 5

6 Define Boundary Train Employees Assess Risk Implement Control Measures Plan Corrective Actions 16 Information Security Policy & Technical Controls 1. Organization of Information Security 2. Acceptable Use. Access controls & Physical Security 4. Secure Software & Malicious Code 5. Management & Exchange of Information 6. Security Incident Management 7. Breach Notification 8. Workforce Security 9. Sanctions 10. Security Awareness and Training 11. Business Continuity & Disaster Recovery 2 1 Proper Conduct and Authorized Disclosures Organization & Management of Information Security 1. Compliance Officer is designated 2. Acceptable Use 1. Proper Use: No sharing of user credentials, leaving passwords on sticky notes 2. Removable media. Access Control & Physical Security 1. Unique and Secure Credentials 2. Job functions, need to know, and Minimum Necessary. Logoff when leaving work area 4. Visitor logs 18 6

7 19 4. Secure Software & Malicious Code 1. Only authorized software is allowed 5. Management & Exchange of Health Information 1. Modification of PHI must be for authorized purposes 2. Sending PHI via electronic means must be secure 6. Security Incident Management 1. Breach of Security or Privacy 2. Incident Report Form Breach Notification 1. Clients and/or Patients 2. Apply the four tests 8. Workforce Security 1. Background verification 9. Sanctions 1. Accountability 21 7

8 Impacts of Non-Compliance Regulatory Fines Reputational Damage Legal Actions Loss of Business 22 Current Examples Hospice of North Idaho - $50,000 Massachusetts Eye and Ear Associates Inc. - $1.5 Million River Falls Medical Clinic 2,400 Patient Records stolen Shands Jacksonville Clinic 261 Patient Records photographed Goldthwait Associates, a Billing Service Provider - $140,000 Phoenix Cardiac Surgery, P.C. - $100,000 WellPoint 612,402 records - $1.7 Million 2 4 Conclusion 24 8

9 Conclusion HIPAA seeks to protect the: 1. Confidentiality 2. Integrity. Availability of PHI Compliance is not optional 1. Privacy, Security, Breach Notification Rules 2. Information Security Control Measures Understand your Role Earn and Maintain the Trust of your clients 25 Questions Xcellent Technologies 4155 Main Street Suite 2210-D Novi, MI 4875 (248)