Understanding HIPAA Regulations and How They Impact Your Organization!


Presented by: HealthInfoNet & Systems Engineering, April 25th, 2013

Introductions
- Todd Rogow, Director of IT, HealthInfoNet
- Adam Victor, Director of Operations, Systems Engineering

What is HealthInfoNet?
HealthInfoNet operates Maine's statewide health information exchange (HIE), a secure, standardized electronic system where providers can share important patient health information. The use of this system:
- Saves time and reduces paperwork
- Facilitates more informed treatment decision-making
- Leads to improved care coordination, higher quality of care, and better health outcomes

Clinical Exchange Highlights
- Hospitals Connected: 34
- Hospitals Under Contract: all 38 within Maine
- Practices Connected: ~400
- Others Connected: 2 long-term care, 3 home health agencies and 15 behavioral health organizations
- Individual Lives with Records in the HIE: 1,175,749
- Patients who have opted out: 1%
- HIE user accounts: 7,284
- User Logins: 1,781 patient lookups & 463 unique users per week
- Patient Crossover: 64%

HIPAA Trivia
- What does HIPAA stand for? Health Insurance Portability and Accountability Act
- When did HIPAA start? 1996
- What is the maximum penalty for a single HIPAA violation? $1.5 million per violation category per calendar year

Agenda
- HIPAA Review
- Compliance Requirements
- Omnibus Rule
- Recommendations/Best Practices
- Q/A

HIPAA Review
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its regulations (the "Privacy Rule", Dec. 2000, and the "Security Rule", Feb. 2003) protect the privacy of an individual's health information and govern the way certain health care providers and benefit plans collect, maintain, use and disclose protected health information ("PHI").

What is the Privacy Rule?
- Establishes national standards to protect individuals' medical records and other personal health information.
- Requires safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
- Gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

What is the Security Rule?
- Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
- Establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.

Personal Health Information (PHI)
PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) relating to the:
- Past, present, or future physical or mental condition of an individual
- Provision of health care to an individual
- Past, present, or future payment for the provision of health care to an individual

PHI: Eighteen Identifiers
- Name
- Address: street address, city, county, zip code (more than 3 digits) or other geographic codes
- Dates directly related to patient
- Telephone number
- Fax number
- E-mail addresses
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle identifier
- Any device identifier
- Web URL
- Internet Protocol (IP) address
- Finger or voice prints
- Photographic images
- Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)

PHI Continued
ePHI: data in an electronic format that contains any of the 18 identifiers. This may include but is not limited to the following:
- Data stored on the network, internet, or intranet
- Data stored on a personal computer or personal digital assistant (e.g. a smartphone)
- Data stored on a USB drive, DVD, or other external media
- Data stored on your HOME computer
- Data utilized for research
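As an added illustration of the eighteen-identifier test on the two slides above (example code written for this page, not HealthInfoNet's or Systems Engineering's), the following checks a constructed record for the listed identifier categories, so that a data set can be classified as ePHI, and produces a de-identified copy by dropping the direct identifiers, keeping only the first three digits of the zip code, and reducing dates to the year, as the HIPAA Safe Harbor method permits. The field names and the sample record are assumptions; the final "any other unique code" category is left to human review.

```python
import re

# Constructed sample record (no real patient data); the field names are assumptions.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "street": "12 Main St", "city": "Portland", "zip": "04101-1234",
    "dob": "1970-05-14", "admit_date": "2013-04-25",
    "phone": "207-555-0100", "email": "jane@example.org",
    "ssn": "123-45-6789", "mrn": "MRN-000123",
    "ip_address": "10.1.2.3",
    "diagnosis": "hypertension",
}

# Fields that map directly onto the slide's identifier categories. The last
# category ("any other unique identifying number, characteristic, or code")
# needs human review and is not detected mechanically here.
DIRECT_IDENTIFIERS = {
    "name": "Name",
    "street": "Address", "city": "Address", "county": "Address",
    "phone": "Telephone number", "fax": "Fax number", "email": "E-mail address",
    "ssn": "Social Security number", "mrn": "Medical record number",
    "beneficiary_no": "Health plan beneficiary number",
    "account_no": "Account number", "license_no": "Certificate/license number",
    "vin": "Vehicle identifier", "device_serial": "Device identifier",
    "url": "Web URL", "ip_address": "IP address",
    "fingerprint": "Finger or voice print", "photo": "Photographic image",
}
# Dates directly related to the patient; a bare year is not an identifier.
DATE_FIELDS = ("dob", "admit_date", "discharge_date", "death_date")


def identifiers_present(record):
    """Return the identifier categories found in a record (duplicates removed)."""
    found = []
    for field, category in DIRECT_IDENTIFIERS.items():
        if record.get(field) and category not in found:
            found.append(category)
    if any(not re.fullmatch(r"\d{4}", str(record[f]))
           for f in DATE_FIELDS if record.get(f)):
        found.append("Dates directly related to patient")
    # A zip code counts only when more than its first three digits are present
    # (the low-population exception to the three-digit rule is not modelled).
    if len(re.sub(r"\D", "", record.get("zip", ""))) > 3:
        found.append("Zip code (more than 3 digits)")
    return found


def is_ephi(record):
    """Electronic data holding any of the listed identifiers is ePHI."""
    return bool(identifiers_present(record))


def safe_harbor_deidentify(record):
    """Drop direct identifiers and generalize dates and zip codes."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # remove outright
        if field in DATE_FIELDS:
            out[field] = str(value)[:4]                # keep the year only
        elif field == "zip":
            out[field] = re.sub(r"\D", "", value)[:3]  # first three digits only
        else:
            out[field] = value                         # clinical data stays
    return out
```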

Recommendations for Compliance
- Keep all files containing PHI protected
- Place computer screens so they are not readily visible to people passing by
- Use of home computers is not a good idea
- Ensure your vendors are in compliance with HIPAA regulations
- Eliminate all names and other identifiers when doing presentations that include PHI
- Don't share subject names and other identifiers in conversations with colleagues outside of your department or lab
- Don't send PHI by e-mail if at all possible. When necessary, be sure it is encrypted!

Who Is Systems Engineering?
- Maine's largest IT services provider, with over 100 employees serving hundreds of businesses throughout northern New England, including numerous Maine health organizations.
- A provider of technical security that provides HIPAA-compliance services and documentation

General HIPAA Security Rules
- Ensure confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit
- Identify and protect against reasonably anticipated threats or hazards to the security or integrity of ePHI
- Protect against reasonably anticipated uses or disclosures of ePHI
- Ensure compliance by your workforce

Risk Analysis/Management
CEs must conduct a risk analysis as part of their security management processes. It includes, but is not limited to:
- Evaluation of likelihood and impact of potential risks to ePHI
- Implementation of appropriate security measures to address identified risks
- Documentation of security measures
- Maintenance of continuous, reasonable, and appropriate security protections

Administrative Safeguards
- Security Management Process: based on the risk analysis; assigned official responsibility for developing and implementing security policies and procedures.
- Information Access Management: an appropriate process for role-based access to ePHI.
- Workforce Training and Management: training isn't optional; sanctions must exist for policy violations.
- Evaluation: periodic assessment of how procedures comply with HIPAA.

Physical Safeguards
- Facility Access and Control: limit physical access to necessary individuals.
- Workstation and Device Security: policies and procedures to specify proper use of and access to workstations and electronic media; policies and procedures regarding the transfer, removal, disposal, and reuse of electronic media.

Technical Safeguards
- Access Control: reiterating, only authorized personnel have access to ePHI.
- Audit Controls: CEs must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in systems that contain or use ePHI.
- Integrity Controls: policies and procedures, along with electronic measures, to ensure that ePHI is not improperly altered or destroyed.
- Transmission Security: CEs must implement technical security measures that guard against unauthorized access to electronically transmitted ePHI.

[Slide content not captured in the transcription: 9/22/2009 to 07/04/2012, Compliance and Safety LLC]

The Omnibus Rule
Omnibus: a volume containing several novels or other items previously published separately.

HIPAA Omnibus Final Rule
Final modifications to the HIPAA Privacy, Security, and Enforcement Rules:
- Make business associates of covered entities directly liable for compliance with certain aspects of the HIPAA Privacy and Security Rules' requirements.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.

HIPAA Omnibus Final Rule (continued)
- Require modifications to, and redistribution of, a covered entity's notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to a deceased individual's information by family members or others.
- Increased and tiered civil money penalty structure provided by the HITECH Act
- Course reversal: guilty until proven innocent for data breaches
- Prohibits most health plans from using or disclosing genetic information for underwriting purposes

The Omnibus Rule
Office for Civil Rights (OCR) Director Leon Rodriguez: "These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections."

When Does It Take Effect?
- The Omnibus Rules are effective as of March 26, 2013. (Effective Date: the date on which a rule or regulation becomes law.)
- All CEs and BAs need to be in full compliance by September 23, 2013. (Compliance Date: the date by which all affected entities must comply.)

Business Associates
Old Rule: The HIPAA Rules define "business associate" to mean a person who performs functions or activities on behalf of, or certain services for, a CE that involve the use or disclosure of PHI.
New Rule: The definition of business associate was modified to include a person who creates, receives, maintains, or transmits PHI on behalf of a CE. This extends to subcontractors.

Patient Empowerment
Old Rule: Individuals could request that a CE restrict uses or disclosures of their PHI, but CEs were not required to agree to such restrictions. If the CE did agree, however, then it was required to abide by the restriction.
New Rule: Individuals can request a restriction on disclosure of PHI to a health plan, and the CE must agree if the restriction applies to PHI that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full (unless such disclosure is otherwise required by law).

Breach Notification
Previously, CEs and BAs were required to perform a risk assessment to determine if there was a significant risk of harm to the individual as a result of the impermissible use or disclosure. Now, an impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised, or unless the PHI was unreadable or undecipherable.

Enforcement
- Largest HIPAA fine: $4.3M against Cignet Health in MD in February 2011 ($3M was for willful neglect)
- HIPAA jail time: in April 2010 Dr. Huping Zhou of UCLA Health System was sentenced to 4 months in prison
- Smallest provider enforcement: in April 2012, a practice owned by 2 physicians paid $100,000 to settle HIPAA violations

Enforcement (penalty tiers)

Violation                        Penalty per violation   Max per calendar year
Did Not Know                     $100 - $50,000          $1,500,000
Reasonable Cause                 $1,000 - $50,000        $1,500,000
Willful Neglect (Corrected)      $10,000 - $50,000       $1,500,000
Willful Neglect (Not Corrected)  $50,000                 $1,500,000

- A CE or BA may be liable for multiple violations of multiple requirements, and a violation of each requirement may be counted separately.
- A CE or BA may be subject to multiple violations, each with its own $1.5 million cap, which would result in a total penalty above $1.5 million.

Suggested Next Steps
- Update Notice of Privacy Practices
- Review and identify all business associates and update business associate agreements
- Update breach notification policies and procedures
- Develop new policies (patient-requested PHI restrictions, breach notification, etc.) and train employees on them
- Review and update authorization and other forms as necessary

Recommendations
- All EHRs will need to be encrypted at rest to be certified in 2014
- Encrypt your office computers using free software, TrueCrypt: www.truecrypt.org
- Evaluate your technology posture, and seek assistance where necessary

Helpful Resources
- For more information on privacy/security, go to the provider section at www.healthit.gov
- HealthInfoNet's website: sample risk assessment; sample policy and procedure templates; privacy and security guide
- Omnibus press release: http://www.hhs.gov/news/press/2013pres/01/20130117b.html
- Omnibus Final Rule: http://www.gpo.gov/fdsys/pkg/fr-2013-01-25/pdf/2013-01073.pdf
- BAA sample language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Helpful Webinar
HIT "Ask the Experts" Roundtable Webinar Series: HIPAA Rules Have Changed: Are You Ready?
HIPAA covered entities and business associates have until September 23, 2013, to become compliant with changes to the Privacy and Security Rules. Join us on Thursday, May 9 at 12 noon to learn about the modifications to the HIPAA law, including:
- What are the key changes under the Omnibus Rule?
- Who do the changes affect?
- What action is required?
- What's at stake?
- What are the mechanisms for minimizing the risk of HIPAA liability?
About our speaker: Kathleen Healy, a Partner with the law firm Verrill Dana

Questions?

Contact Information
- Todd Rogow, Director of IT, HealthInfoNet: trogow@hinfonet.org (HealthInfoNet website: www.hinfonet.org)
- Adam Victor, Director of Operations, Systems Engineering, Inc.: avictor@syseng.com (Systems Engineering website: www.syseng.com)