Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida Telephone (904) Facsimile (904)

Transcription

1 Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida Telephone (904) Facsimile (904) use e Health care law firm fighting for Florida s Physicians Written Compliance Plans Medicare HIPAA Audit Assistance Medicare (PCA Probe Audit) Medicaid Contract Drafting Employment Agreement Hospital Provider Agreement Independent Contractor Agreement Etc. Contract Review Contract Negotiation Insurance reimbursement Assistance Third Party Payors (Aetna, United, etc) Medicare/Medicaid PIP Employer/Employee disputes Corporate Representation Real Estate Title and Closing Medical Staff Fair Hearings Licensure Defense Department of Health Medical Malpractice Defense

2 HIPAA Privacy Effective - April 14, 2003 Transaction/Code set October 16, 2003 HIPAA Security Effective April 21, 2005

3 Does HIPAA Security apply to YOU? Yes... If you... Furnish, bill or receive payment for health care services; Perform any of the following as a provider: Complete encounter information Advise on payment/reimbursement of claims Coordinate benefits Give status updates on claims Obtain certification/authorization for services File claims with or without attachments Do any of the above electronically What does that make you???

4 COVERED ENTITY!!

5 PHI same meaning as defined under the Privacy Rule: Any health information created/received by provider which relates to past, present or future physical or mental health condition of a patient, the provision of health care to the patient t or payment related to the provision o of health care to the patient and that identifies or can be reasonably used to identify a patient.

6 General requirements of Security Rule Regarding EPHI you must ensure: Integrity Data/information has not been altered or destroyed in an unauthorized manner; Confidentiality Data/information is not made available or disclosed in an unauthorized manner; Availability Data/information is accessible & useable upon demand by authorized persons.

7 General Requirements (cont.) Protect against reasonably anticipated threats to security or integrity Protect against reasonably anticipated uses/disclosures of information not permitted/required by Privacy Rule Ensure workforce compliance

8 Implementation Standards Required ( R ) Practice must implement/comply py with the specific stated standards of the Rule. Addressable ( A ) Practice MAY implement the specific standard or elect to use an alternative specification (or combination between the two) as set forth under the Rule.

9 Under an alternative approach practice must consider: Its size, capabilities and the complexity of the implementation i Its technical infrastructure Hardware, software and existing security capabilities Cost of security measures Probability/criticality of potential risks to EPHI

10 If you elect to use an alternative approach: DOCUMENT!!! DOCUMENT!!! DOCUMENT!!!

11 Implementation Specification Categories: Administrative Safeguards Physical Safeguards Technical Safeguards

12 Administrative Safeguards Security Management Process: Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility Assign Security Officer (R)

13 Administrative Safeguards (cont.) Workforce Security Authorization and/or Supervision Workforce Clearance Procedure Termination Procedures Information Access Management Isolating Clearinghouse Function (R) Access Authorization ti Access Establishment and Modification

14 Administrative Safeguards (cont.) Security Awareness & Training Security Reminders Protection from Malicious Software Log-in Monitoring Password Management Security Incident Procedures Response and Reporting (R)

15 Administrative Safeguards (cont.) Contingency Plan Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision i Procedure Applications and Data Criticality Analysis Evaluation (R) BAA & Other Arrangements (R)

16 Physical Safeguards Facility Access Controls Contingency Operations Facility Security Plan Access Control and Validation Procedures Maintenance Records Workstation Use (R) Workstation Security (R)

17 Physical Safeguards (cont.) Device and Media Controls Disposal (R) Media Re-Use (R) Accountability Data Backup and Storage

18 Technical Safeguards Access Control Unique User Identification Emergency Access Procedure Automatic Logoff Encryption and Decryption (R) (R) Audit Control (R)

19 Technical Safeguards (cont.) Integrity Mechanism to authenticate EPHI Person/Entity Authentication (R) Transmission Security Integrity Controls Encryption

20 WORKFORCE TRAINING Administrative Safeguards: Implement a Security Awareness and training program: Step 1 Identify your workforce Step 2 Determine the best method of training i Step 3 Ensure the comprehensiveness of the content Step 4 Document compliance Step 5 Train ALL new employees Step 6 Reeducate employees

21 Step 1 Identify Your workforce Does the owner of the practice need training? Physician Owner Layperson Owner Yes Yes Does the janitor need training? Employee of practice Contracted worker Yes Maybe Depends on the type of janitorial service he/she provides.

22 Step 2 Method of Training Who should do training? Security Officer Privacy Officer Same person as Security Officer? Physician Consultant/Attorney Knowledgeable in HIPAA Computer Software Reputable & Reliable Company Yes Maybe No Maybe Maybe

23 Method of Training (cont.) Classroom setting Maybe Adequate space Attentive Audience Cost Computer-based Maybe Paying overtime? Software must certify Cost

24 Step 3 Content of the Training What is the absolute minimum level of competence that all Workforce members should have regarding the Security Rule? Awareness Training What types of information are protected? What are some situation that might arise where a potential ti security risk regarding EPHI could occur? What steps should be taken when an accidental disclosure of EPHI has occurred?

25 Step 3 Content of the Training (cont.) Use scenarios and specific examples Application of Security Rule to specific Workforce occurrences The door to the computer room is left unlocked at night A nurse looks up the record of a close friend to see how she is doing An employee downloads a program from the internet for his/her home computer

26 Step 3 Content of the Training (cont.) Job specific training IT employees vs. Workstation workers Workforce employees with computer access Monitoring log-in success/failure reporting of discrepancies Malicious software protection Viruses and worms Password management

27 Step 4 Documenting Completion of T i i Training Classroom setting Sign in/out sheet Provide training certification Maintain copy in HR record Computer-based Should certify Maintain copy in HR record

28 Step 5 Training of New Employees Prepare a new employee presentation in advance Temporary employees Still require training Provide copy of Security policies and procedures Business Associates Training not necessary Associate should know Security policies and procedures

29 Step 6 Continuing Education Training is a full time process Reeducate on changes in response to environmental and operational changes affecting EPHI Security Rule Preamble States» Training should be an on-going, evolving process Security Officer Keep up with changes to Security Rule Keep up with changes in technology

30 Workforce Compliance Violations of covered entity s policies and procedures Three-tiered approach Inadvertent breach Leaving computer on without logging off when leaving workstation Intentional breach without malice Sharing a password with coworkers Intentional ti breach with malice Using EPHI for personal/financial gain. Document Violations

31 What should you be doing NOW? Evaluate current security protections Assess security risks and vulnerabilities Consider size, capabilities and costs Take an organizational approach Get staff involved Share ideas/experiences with others OMF Members

32 What else should you do to prepare? Plan for implementation Train & manage workforce for compliance Continue to audit process of compliance Bottom Line: Assess Analyze Implement

33 Civil Penalties Enforcement and Non-Compliance Penalties $100 per incident, not to exceed $25,000 per person per year for all violation of an identical requirement Criminal Penalties Up to $50,000 for knowingly or improperly obtaining or disclosing PHI Up to $100,000 and 5 years in prison if the offense is committed under false pretenses Up to $250,000 and 10 years for obtaining or disclosing with the intent to sell or use the information to cause malicious harm

34 THANK YOU!