Understanding HIPAA Privacy and Security: Helping Your Practice Select a HIPAA-Compliant IT Provider. A White Paper by CMIT Solutions


Table of Contents

Understanding HIPAA Privacy and Security
What Has Changed?
  1) The Privacy Rule
  2) The Security Rule
  3) Breach Notification Rule
  4) Compliance deadlines
  5) Government audits
Do the New Rules Apply to Your Practice?
What Actions Should You Take First?
How Can You Evaluate Your IT Provider?
How Can You Identify Significant Risks?
  1) Questions to ask your practice
  2) Failure to comply
  3) Failure to protect ePHI
Who Do You Ask for Trusted Advice?

What Has Changed?

HIPAA, the Health Insurance Portability and Accountability Act, has been updated with sweeping changes resulting from the HITECH Act (Health Information Technology for Economic and Clinical Health), enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH strengthened the existing HIPAA Privacy and Security Rules, added the Breach Notification Rule, and made business associates directly liable for compliance; nearly all physicians must comply with these rules. Failure to follow them can result in serious financial penalties and criminal prosecution. The Department of Health and Human Services Office for Civil Rights (OCR) audits physician practices and may assess civil penalties of up to $1.5 million per calendar year for violations of a single provision, even in cases where no harm has resulted from the loss of protected health information. In addition, many states have requirements above and beyond those the federal government has established, and under HITECH state attorneys general may also bring civil actions on behalf of their residents to enforce HIPAA.

These requirements fall into three major compliance areas:

1) The Privacy Rule

The Privacy Rule restricts the use and disclosure of an individual's protected health information (PHI). Both the physician's practice (the covered entity, or CE) and any business associate (BA) of that practice are each responsible for adhering to the HIPAA and HITECH requirements. Business associates include anyone the physician or practice engages who has access to patient PHI: IT consultants, billing services, accountants, attorneys, or anyone else with access to the information and data.

Protected health information (PHI) can be electronic, paper, or oral, and relates to the past, present, or future physical or mental health of an individual, the health care services provided to an individual, or the payment for those services. Under the Privacy Rule, as strengthened by HITECH, patients have individual rights to access their own PHI (including an electronic copy of records held in an EHR), to request restrictions on disclosures, to request amendments and an accounting of disclosures, and to complain without retaliation.

2) The Security Rule

The Security Rule requires physician practices to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is all individually identifiable health information that a practice or business associate creates, receives, maintains, or transmits in electronic form, including data at rest and data in transit. The Security Rule does not apply to PHI transmitted orally or on paper; those forms are governed by the Privacy Rule alone.

3) Breach Notification Rule

If unsecured PHI (electronic or otherwise) is breached, the practice must notify the affected individuals without unreasonable delay and no later than 60 days after the breach is discovered. If the breach affects 500 or more individuals, the practice must also notify HHS at the same time and prominent media outlets serving the state or jurisdiction; breaches affecting fewer than 500 individuals are logged and reported to HHS annually. Many states impose shorter time limits, with some requiring notification within five days of the breach. Note that PHI encrypted in accordance with HHS guidance is considered secured, so the loss of a properly encrypted laptop is not a reportable breach; this is the single strongest reason to encrypt every portable device that touches ePHI.

Now that you have a better understanding of the new requirements, consider two other areas of concern: compliance deadlines and government audits.

4) Compliance deadlines

The HITECH changes were implemented in the HIPAA Omnibus Rule, published in January 2013. The Omnibus Rule required all covered entities, including physician practices, to update their HIPAA policies and procedures and otherwise implement the changes no later than the September 23, 2013 compliance deadline. Most physician offices have some form of HIPAA compliance plan, but an existing plan may not meet the standards set by the Omnibus Rule and the HITECH Act. Every practice is well served by reviewing and evaluating its HIPAA compliance plan in light of these more stringent requirements.

5) Government audits

The HHS Office for Civil Rights (OCR), the federal agency responsible for overseeing the HIPAA privacy, security, and breach notification requirements, has created a comprehensive audit program protocol with 170 audit areas. Seventy-nine of these audit areas refer to the Security Rule, which emphasizes administrative, physical, and technical safeguards. First on the list of the audit protocol is the key activity "Conduct Risk Assessment." The Security Rule risk analysis (required by 45 CFR 164.308(a)(1)(ii)(A)) is the key element in preparing for a government audit, and the practice should be able to produce both the current assessment and the documented remediation that followed it.

Do the New Rules Apply to Your Practice?

HHS has developed a tool to help physicians determine whether these requirements apply to their practice. Simply stated, if you or your practice furnishes, bills, or receives payment for health care in the normal course of business, and you or your practice transmits any of the HIPAA standard transactions (such as claims or eligibility inquiries) electronically, then you or your practice is a covered entity. This means the privacy, security, and breach notification requirements of the HIPAA Omnibus Rule and the HITECH Act apply to you or your practice.

What Actions Should You Take First?

The following five-step guide is provided to help you streamline and prioritize your HIPAA compliance activities.

1) Assign responsibility for HIPAA compliance to a named role, a HIPAA Privacy and Security Officer. Make sure this individual has received updated training on the new requirements, including the Omnibus Rule and HITECH Act privacy, security, and breach rules.

2) Identify any state-mandated requirements that are stricter than the federal rules in the areas of privacy, security, and breach notification. Pay special attention to breach notification timeframes.

3) Inventory the systems that hold or transfer electronic protected health information (ePHI), and identify which of your business associates have access to each of them. Enlist an IT professional to perform a network scan so the inventory reflects what is actually on the network rather than what is assumed to be there. This is the foundation from which to make risk judgments.

4) Perform a HIPAA Privacy Rule risk assessment and a HIPAA Security Rule risk assessment. Use the results of these assessments as the basis for a HIPAA compliance risk mitigation plan.

5) Determine whether each business associate identified in this process is HIPAA compliant; if not, replace it with a business associate that is. Execute new business associate agreements (BAAs) with existing and/or new business associates.

How Can You Evaluate Your IT Provider?

Since the primary focus of the HITECH Act requirements is electronic protected health information (ePHI), you will need to evaluate your current information technology support provider and determine whether that provider can meet the new requirements. The HIPAA Omnibus Rule and the HITECH Act placed new privacy, security, and breach notification requirements directly on business associates with access to ePHI. Since electronic data is at the core of many of these requirements, it is imperative that your IT provider understands the changes and can provide the support your practice will need. Direct these questions to an officer or owner of your IT service provider:

a. Does your IT firm have a trained HIPAA Privacy and Security Officer who is aware of the Omnibus Rule changes?
b. Has your IT firm recently completed a HIPAA Security Rule risk assessment? What were the results, and what is your company focused on improving?
c. What written policies and procedures do you have to protect the administrative, technical, and physical security of user accounts and data access?
d. Is your staff routinely provided with HIPAA awareness and training programs?
e. Do you have business associate agreements with your own vendors, suppliers, and subcontractors that handle our data?

These questions are designed to show whether your IT service provider understands its regulatory obligations and is committed to your practice. Being HIPAA compliant means your IT provider complies with HIPAA requirements for privacy, security, and breach notification and has taken steps to assure the privacy and security of ePHI throughout the entire IT infrastructure. A relationship with your IT service provider based on competence and integrity has never been more critical for excellent patient care. Protecting your patients' electronic protected health information requires that your IT provider be as committed to HIPAA compliance as you and your practice.

How Can You Identify Significant Risks?

With the Omnibus Rule and HITECH Act privacy, security, and breach notification requirements, the significant risks to your practice fall into several areas.

1) First, ask these questions of your practice before deciding whether you might be facing a failure to comply or a failure to protect ePHI.

a. Have you completed a privacy and security risk assessment in the last year?
b. Are copies of this and previous assessments kept for six years? (The Security Rule requires its documentation to be retained for six years.)
c. Has every service provider that handles PHI executed a BAA with your practice?
d. Are old computers stored in a closet, with ePHI still on their drives?
e. Is an older version of a practice management or electronic health record (EHR) application kept online to look up old records, and is it still patched and access-controlled?
f. Does anyone use a laptop or tablet that is not encrypted to access or download ePHI?
g. Are providers given remote access to systems, and how is that access authenticated?
h. Can email be used to send or receive messages containing ePHI, and if so, is it encrypted in transit?
i. Are passwords kept secret, unique to each user, and changed promptly when compromise is suspected?
j. Are backup tapes or other storage devices kept in secure, access-controlled storage at the practice, and are they encrypted?

2) Failure to comply

The Omnibus Rule specifically removed ignorance as an excuse or defense against civil and criminal penalties. The HHS breach portal, commonly called the "Wall of Shame," lists organizations that have reported breaches of unsecured PHI affecting 500 or more individuals; the list is filled with health care organizations of every size. The following table shows the civil penalty tiers that may be assessed when a physician or practice fails to comply.

HIPAA violation tier: penalty amount (per violation); annual maximum for violations of an identical provision

Tier 1. Individual did not know (and by exercising reasonable diligence would not have known) that he or she violated HIPAA: $100 to $50,000 per violation; $1.5M annual maximum
Tier 2. Individual knew, or by exercising reasonable diligence would have known, of the violation, but did not act with willful neglect: $1,000 to $50,000 per violation; $1.5M annual maximum
Tier 3. Violation due to willful neglect, but corrected within the required period: $10,000 to $50,000 per violation; $1.5M annual maximum
Tier 4. Violation due to willful neglect and not corrected: $50,000 per violation; $1.5M annual maximum

In addition to civil monetary penalties, criminal penalties may apply, including imprisonment of up to one year for those who knowingly obtain or disclose individually identifiable health information in violation of HIPAA. These criminal penalties may extend to the directors, employees, or officers of a covered entity. Together, these civil and criminal penalties should cause any covered entity, physician, or corporate officer to recognize the immediate need to follow the HIPAA privacy, security, and breach notification requirements.

3) Failure to protect ePHI

The greatest risk for a physician or practice is the failure to protect ePHI from unauthorized access and large-scale data breach. Many physician practices never stop to consider the various methods a bad actor could use to reach ePHI during the normal delivery of health care services. Regardless of the policies, procedures, awareness, and training a practice may have, there is still an absolute need to protect against the unauthorized access, copying, and transmission of ePHI by members of the practice's own team as well as by outsiders. In many common situations, ePHI is lost inadvertently. The following list shows some of the situations you will need to protect against.

How do you protect against:

a. Unauthorized copying of ePHI by staff? All it takes is one disgruntled employee and a USB drive to cause a data breach.
b. Copying and transmission of ePHI over the Internet from the practice office to an unauthorized email address? Staff may send ePHI to a private email address. How long before your data is on Facebook?
c. Upload of ePHI to an unauthorized cloud storage location? What happens when senior staff copies data to an unauthorized cloud storage location and that service is hacked?
d. Access to ePHI when a laptop or other device is stolen? Laptops are routinely lost or stolen. With unencrypted ePHI on the drive, this is the shortest path to a massive data breach.

Protecting ePHI requires more than policies and procedures; it requires diligence and a technical infrastructure designed to keep the data safe. It takes the proper combination of user access control, device management, data encryption, firewall and network security, and strong systems and network management to protect ePHI.
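To make the four scenarios in the list concrete, here is an added example (not code from the CMIT white paper or from any product it mentions) of the kind of audit-log triage a practice's IT provider would run against DLP, mail gateway, web proxy and device-management logs. The sanctioned-domain lists, the encrypted-device inventory, the event schema (user, device, action, destination, text sample) and the sample events are all constructed for the illustration, and the two regular expressions are deliberately crude stand-ins for a real ePHI detector. The point it shows that the prose does not is how the controls named in the closing paragraph (access control, device management, encryption) turn into a concrete decision for each event, including the encrypted-laptop case that is not a reportable breach.

```python
"""Audit-log triage for the four ePHI exfiltration paths described above.

Added illustration, not code from the CMIT white paper. Policy sets, device
inventory, event schema and sample events are constructed for the example.
"""
from dataclasses import dataclass
import re

# Assumed practice policy: which mail domains and cloud hosts are sanctioned
# for ePHI, and which devices the device-management inventory says are
# full-disk encrypted (so their loss is secured PHI, not a reportable breach).
SANCTIONED_MAIL_DOMAINS = {"examplepractice.org"}
SANCTIONED_CLOUD_HOSTS = {"ehr-vendor.example.net"}
ENCRYPTED_DEVICES = {"LAPTOP-07"}

# Crude ePHI indicators: a US SSN pattern or a medical record number tag.
EPHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\bMRN[:#]\s*\d{5,}\b", re.IGNORECASE),
]


@dataclass
class Event:
    user: str
    device: str
    action: str   # "usb_copy" | "email" | "upload" | "device_lost"
    dest: str     # recipient address or upload host; "" when not applicable
    sample: str   # text sample of the data involved; "" when none


def looks_like_ephi(text: str) -> bool:
    """True if the text sample matches any ePHI indicator."""
    return any(p.search(text) for p in EPHI_PATTERNS)


def triage(event: Event):
    """Return a finding string if the event needs investigation, else None."""
    if event.action == "usb_copy" and looks_like_ephi(event.sample):
        return "ePHI copied to removable media"
    if event.action == "email":
        domain = event.dest.rsplit("@", 1)[-1].lower()
        if domain not in SANCTIONED_MAIL_DOMAINS and looks_like_ephi(event.sample):
            return f"ePHI emailed to unsanctioned domain {domain}"
    if event.action == "upload":
        host = event.dest.lower()
        if host not in SANCTIONED_CLOUD_HOSTS and looks_like_ephi(event.sample):
            return f"ePHI uploaded to unsanctioned host {host}"
    if event.action == "device_lost" and event.device not in ENCRYPTED_DEVICES:
        # Unencrypted device: presume the ePHI on it is compromised and start
        # the breach notification clock. An encrypted device is secured PHI.
        return f"unencrypted device {event.device} lost or stolen"
    return None


def triage_all(events):
    """Return (user, finding) pairs for every event that needs follow-up."""
    findings = []
    for e in events:
        finding = triage(e)
        if finding:
            findings.append((e.user, finding))
    return findings


# Constructed sample events: one per row of the list above, plus benign ones.
EVENTS = [
    Event("jdoe", "LAPTOP-07", "usb_copy", "", "MRN: 4481923 visit summary"),
    Event("asmith", "DESK-02", "email", "asmith@mail.example", "pt SSN 123-45-6789 labs"),
    Event("asmith", "DESK-02", "email", "billing@examplepractice.org", "SSN 123-45-6789"),
    Event("drlee", "LAPTOP-11", "upload", "drive.example.com", "MRN#99001 notes"),
    Event("drlee", "LAPTOP-11", "device_lost", "", ""),
    Event("jdoe", "LAPTOP-07", "device_lost", "", ""),
    Event("nurse1", "DESK-04", "email", "friend@mail.example", "lunch at noon?"),
]

if __name__ == "__main__":
    for user, finding in triage_all(EVENTS):
        print(f"{user}: {finding}")
```

Run as written, the script flags the USB copy, the email to the personal domain, the upload to the unsanctioned host and the loss of the unencrypted LAPTOP-11, while the internal email and the loss of the encrypted LAPTOP-07 produce no finding. In practice the encrypted-device inventory must come from a device-management system that can prove encryption was enabled at the time of loss; a spreadsheet claim is not enough to invoke the safe harbor.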

Who Do You Ask for Trusted Advice?

In his book The Speed of Trust: The One Thing That Changes Everything, Stephen M. R. Covey defines trust in the business sphere as resting on both character and competence: what a business stands for, what its strengths are, and what results it produces. CMIT Solutions holds itself to that standard, bringing expert care and dedication to the protection of ePHI and the management of the underlying IT systems and networks. We understand the Omnibus Rule and the HITECH Act requirements and stand ready to provide the technical expertise you need to meet the challenge.