Building Trust and Confidence in Healthcare Information. How TrustNet Helps




The management of healthcare information in the United States is regulated under HIPAA (the Health Insurance Portability and Accountability Act) and the HITECH Act (Health Information Technology for Economic and Clinical Health Act). The HIPAA Privacy and Security Rules established national standards to protect individuals' medical records and other personal health information, and apply to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rules require appropriate safeguards to protect the privacy of personal health information, and set limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rules also give patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections. The HITECH Act expands Federal privacy and security protections for healthcare information. As healthcare providers move toward exchanging large amounts of health information electronically, this legislation aims to ensure that such information remains private and secure.

How TrustNet Helps

TrustNet provides services and solutions to ensure compliance with the HIPAA Privacy Rule and the HITECH Act. We don't take a cookie-cutter approach. We listen to each client's unique needs and develop an approach that meets their objectives and expectations. Our clients rely on us to help them fulfill their regulatory and compliance goals so they can focus their resources on patient care and other objectives.

- HIPAA Compliance Validation Service
- HIPAA Gap Assessment
- HIPAA Policies and Procedures Development
- HIPAA Incident Response Planning
- HIPAA Awareness Training

Other HIPAA Related Services

- WebTrust
- TrustShield IDS
- iscan
- Incident Response Planning
- Penetration Testing
- Risk Assessments
- Policies and Procedures Development
- TrustAgent
- itrust SaaS
- xscan
- Security Assessments
- Wireless Security Assessments
- Security Awareness Training SaaS
- Security Awareness Communication
- AirTrust
- Security Awareness Posters

Who must be compliant?

Organizations that must comply with HIPAA include healthcare providers, health care clearinghouses (such as billing services and community health information systems), and any provider that transmits healthcare data in a way that is regulated by HIPAA. The HITECH Act expands the scope of HIPAA, ensuring that entities that were not established when the Federal Privacy Rules were written, as well as those entities that do work on behalf of providers and insurers, are subject to the same privacy and security rules as providers and health insurers.

The cost of compliance, and of validating compliance, with HIPAA and HITECH depends on several factors, including the nature of the covered entity, the volume of transactions managed each year, data handling and storage practices, and the IT infrastructure within the organization. Many organizations have faced sanctions, regulatory oversight, and heavy fines because they did not properly protect sensitive healthcare information. The cost of being compliant significantly outweighs the cost of doing nothing.

Non-compliance

Non-compliance may result in:

- Incidental violations, with fines from $100 per incident up to $25,000 for the same violation per calendar year.
- Wrongful disclosure, prosecuted by the Department of Justice, with penalties for responsible parties ranging from $50,000 and 1 year in prison up to $250,000 and 10 years in prison.
- Lawsuits, including class action lawsuits, by parties claiming that they have been damaged or suffered loss; these can be extremely costly.
- Ongoing Federal oversight
- Loss of customers
- Loss of patient confidence
- Termination of contracts

Overview of the Act

The Health Insurance Portability and Accountability Act (HIPAA) is a law mandated by the US Congress to address the protection of healthcare information. The HIPAA Privacy Rule and Security Rule provide federal protections for personal health information (PHI) held by covered entities and give patients an array of rights with respect to that information. The Privacy Rule provided the first nationally recognized regulations for the use and disclosure of an individual's health information. The Security Rule established a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule developed the mechanics for implementing the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that covered entities must put in place to secure individuals' electronic protected health information. The Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules and imposing monetary penalties for non-compliance.

Overview of the Privacy Rule

- Gives patients control over the use of their health information
- Defines boundaries for the use and disclosure of health records by covered entities
- Establishes US national-level compliance standards for healthcare providers
- Helps to limit the use of PHI and minimizes the chances of inappropriate and unauthorized disclosure
- Provides authority to investigate compliance-related issues and hold violators accountable with civil and criminal penalties
- Enables authority to disclose PHI for individual healthcare needs, public benefit, and national interests

Overview of the Security Rule

Requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. This includes:

- Ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained, or transmitted
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated unauthorized uses or disclosures
- Ensure compliance by the entity's workforce

Covered Entities and Business Associates

Under the HIPAA laws, the Privacy and Security Rules apply only to covered entities: health plans, health care clearinghouses, and certain health care providers. Most health care providers and health plans use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these business associates if the providers obtain satisfactory assurances that the business associate will use the information only for legitimate purposes and safeguard the information from misuse. The HITECH Act of 2009 expanded the responsibilities of business associates under the Privacy and Security Rules.

Covered Entities

Health Care Providers
- Chiropractors
- Clinics
- Dentists
- Doctors
- Nursing Homes
- Pharmacies
- Psychologists

Health Plans
- Health insurance companies
- HMOs
- Company health plans
- Government programs that pay for health care

Health Care Clearinghouses
- Includes entities that process or convert health information

Business Associates

Some examples of Business Associates:

- Attorneys whose legal services to a health provider involve access to protected health information
- Consultants that perform utilization reviews for a hospital
- CPA firms whose accounting services to a health care provider involve access to protected health information
- Medical transcriptionists
- Pharmacy benefit managers that manage a health plan's pharmacist network
- Third party administrators that assist a health plan with claims processing

What are the requirements?

The requirements for HIPAA are expansive, but the major requirements fall into the categories below:

- Administrative Safeguards - Administrative actions, including policies and procedures, to manage the selection, development, implementation, and maintenance of security measures that protect electronic health information, and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
- Physical Safeguards - Physical measures, including policies and procedures, to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and from unauthorized intrusion.
- Technical Safeguards - Technology and the related policies and procedures to protect and control access to electronic protected health information.

The HITECH Act has expanded the reach and scope to include:

- Breach Notification - Establishment of a Federal breach notification requirement. Requires that an individual be notified if there is an unauthorized disclosure or use of their health information.
- Audit Trails - Providing transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record.
- Patient Information Authorization - Shutting down the secondary market that has emerged around the sale and mining of patient health information by prohibiting the sale of an individual's health information without their authorization, and requiring that providers obtain authorization from a patient in order to use their health information for marketing and fundraising activities.
- Enforcement - Strengthening enforcement of Federal privacy and security laws by increasing penalties for violations and providing greater resources for enforcement and oversight activities.

About TrustNet

TrustNet is a leading provider of on-demand IT security and compliance management solutions including software-as-a-service, compliance, security services, and awareness training. The itrust SaaS is a security management platform that is quickly and easily deployed into any existing network and provides clients with immediate measurable benefits and a low total cost of ownership. TrustNet is a PCI Qualified Security Assessor and provides compliance assessments and security services for PCI, HIPAA, SOX, and SOC/SSAE16. Since 2003 TrustNet has been a strategic partner helping clients ensure the security and integrity of their businesses. From our headquarters in Atlanta, Georgia, TrustNet serves mid-size and large organizations, both public and private, across multiple industries, in the United States and around the world.

Visit us on the web at www.trustnetinc.com
Sales: 1-877-TRUST-10 (1-877-878-7810), 404-567-4488
Email: Sales@TrustNetInc.com

Atlanta, Georgia: 127 Peachtree Road, Suite 500, Atlanta, GA 30303 (Sales@TrustNetInc.com)
Roswell, Georgia: 11205 Alpharetta Highway, Suite G1, Roswell, GA 30076 (Sales@TrustNetInc.com)
Fort Lauderdale, Florida: 3580 NE 12th Avenue, Fort Lauderdale, FL 33334 (Sales@TrustNetInc.com)
Johannesburg, South Africa: 14 Boschendal Street, Hurlingham Manor, Sandton 2196 (SAsales@TrustNetInc.com)

No portion of this document may be copied or distributed outside of the above mentioned entity without the express written consent of TrustNet. Copyright TrustNet 2003-2011. All rights reserved. The PCI Security Standards Council Qualified Security Assessor logo is a trademark or service mark of The PCI Security Standards Council in the United States and in other countries.