HIPAA: In Plain English



Similar documents
An Introduction to HIPAA and how it relates to docstar

HIPAA Compliance Guide

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA Information Security Overview

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

HIPAA Security Alert

HIPAA Compliance Guide

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Datto Compliance 101 1

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security Rule Compliance

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Healthcare Compliance Solutions

C.T. Hellmuth & Associates, Inc.

VMware vcloud Air HIPAA Matrix

HIPAA Compliance: Are you prepared for the new regulatory changes?

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Policies and Compliance Guide

DRAFT. HIPAA Impact Determination Questionnaire (Gap Analysis)

HIPAA and Mental Health Privacy:

CHIS, Inc. Privacy General Guidelines

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

SECURITY RISK ASSESSMENT SUMMARY

How To Write A Health Care Security Rule For A University

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Montclair State University. HIPAA Security Policy

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security Series

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

State HIPAA Security Policy State of Connecticut

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

HIPAA Security Checklist

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Audit Risk Assessment - Risk Factors

HIPAA/HITECH: A Guide for IT Service Providers

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

ITS HIPAA Security Compliance Recommendations

The Second National HIPAA Summit

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HIPAA Compliance and the Protection of Patient Health Information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HealthStream Regulatory Script

Security Is Everyone s Concern:

Healthcare Management Service Organization Accreditation Program (MSOAP)

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

Joseph Suchocki HIPAA Compliance 2015

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

Preparing for the HIPAA Security Rule

New HIPAA regulations require action. Are you in compliance?

FINAL May Guideline on Security Systems for Safeguarding Customer Information

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

SCDA and SCDA Member Benefits Group

Overview of the HIPAA Security Rule

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

M E M O R A N D U M. Definitions

BUSINESS ASSOCIATE AGREEMENT ( BAA )

HIPAA Security and HITECH Compliance Checklist

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

Transcription:

HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, was enacted in an effort to redress rising levels of healthcare fraud, ensure portability of health insurance, and facilitate administrative simplification and privacy of patient information within the healthcare delivery industry. The final regulations promulgated under HIPAA's authority include Standards for Electronic Transactions and Code Sets; Standards for Privacy of Individually Identifiable Health Information. Proposed standards include the forthcoming Security Regulation and Employer and Provider Identifier Standards. More About the Rules: Electronic Transaction Standards (Final) By October 16, 2002, Electronic Transactions must use standardized code sets for encoding data elements when used in connection with "covered transactions." Electronic Transactions are defined as: "The exchange of information between two parties to carry out financial or administrative activities related to health care." These transactions include: Health care claims or equivalent encounter information Health care payment and remittance advice Benefit coordination Enrollment in and withdrawal from a health plan Eligibility for a health plan Health plan premium payments First report of injury Health claim attachments Privacy Standards (Final) The Privacy Rule, effective April 14, 2001, requires compliance by April 14, 2003 for most covered entities. Small health plans have an additional 12 months in which to comply. Requirements under the Privacy Regulation include: Business Associate Agreements Consent Authorization Notice Disclosure Audits Minimum Necessary Requirements Privacy Officer Appointment Written Privacy Procedures Grievance Procedures Patient rights granted by the Privacy Rule include: Access to health information Disclosure accounting Notification of Privacy Practices Notice of intention and manner in which protected information may be used

Security Standards (Proposed) The security standards are intended to protect the confidentiality, integrity and availability of healthcare information. To that end, the Rule requires covered entities engaging in the electronic transmission of protected information to implement administrative, technical and physical measures. While the Final Security Standard is not expected to drastically differ from the proposed version, the information herein references the requirements as found in the Proposed Security Rule. Key Points: Documentation is key to successful evaluation and implementation of the security requirements. Memorializing the steps taken throughout the compliance process will provide a point of reference for future implementation efforts, as well as offer explanatory rationale for both action and inaction with respect to modifications, assessments, and implementation strategies. Develop "living" policies and procedures. Stacks of static procedure manuals and guidelines will not be enough to reach adequate levels of compliance. Policies must be regularly reviewed, tested, and revised when necessary. The Security Standards were intended to be "technologically neutral" ad scalable in order to provide for future technological and medical advancement. The government could not adequately anticipate, nor subsequently modify the standards to address the technologies available to address the security requirements. Further, the Security standards were intended to affect "covered entities" on a broad scale-each with differing financial, technological and personnel resources. Administrative Procedures Administrative procedures are required to guard data integrity, confidentiality and availability. These procedures are documented, formal practices to manage the selection and execution of security measures to protect data and to manage the conduct of personnel in relation to data protection. Administrative Procedure Requirements: Certification (internal or external) Chain of Trust Partner Agreements Contingency Plan: A routinely updated plan for responding to a system emergency that includes: o Applications and data criticality analysis (assessment of sensitivity, vulnerabilities, and security of programs and information received, manipulated, stored, and/or transmitted). o Data backup plan (documented and routinely updated plan to create and maintain, for a specific period of time, retrievable, exact copies of information). o Disaster recovery plan (part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure). o Emergency mode operation plan (part of an overall contingency plan that contains a process enabling an enterprise to continue to operate in the event of a fire, vandalism, natural disaster, or system failure). o Testing and revision procedures (the documented process of periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary). Records processing mechanism (documented policies and procedures for the routine, and nonroutine, receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information). Information access control (documented policies and procedures that establish the rules for granting different levels of access). o Access authorization (information-use policies and procedures that establish rules for granting access-terminal, transaction, program process, or some other use). o Access establishment (security policies and rules that determine a entity's initial right of access to a terminal, transaction, program, process or some other use). o Access modification (security policies and rules that determine the types of, and reasons for, modification to an entity's established right of access, to a terminal transaction, program, process, or some other use).

Internal audit (in-house review of records of system activity (login access, file accesses, security incidents). Personnel security o Supervision of personnel by authorized, knowledgeable person. o Maintaining a record or access authorizations. o Assuring that operating and maintenance personnel have proper access authorization. o Establishing personnel clearance procedures. o Establishing and maintaining personnel security policies and procedures o Awareness training Security configuration management o Documentation o Hardware and software installation and maintenance review and testing for security features o Inventory o Security testing o Virus checking Security incident procedures o Reporting procedures o Response procedures Security management processes o Risk analysis (cost/potential loss balance) o Risk management o Sanction policies/procedures o Security policies Termination procedures o Changing locks o Removal from access lists Training o Periodic security reminders o User education Importance of monitoring login success and failure User responsibility for security of healthcare information Password management o Awareness training Password maintenance Incident Reporting Viruses Technical Security Services In addition to administrative requirements, technical security services must be deployed to guard data integrity, confidentiality and availability. Technical security services include: Access Control Procedures for emergency access-documented instructions for obtaining necessary information during an emergency Audit Controls Authorization Controls-mechanism to record and examine system activity Data Authentication Controls-mechanisms employed to record and examine system activity Entity Authentication-(for example, Digital Signatures) o Automatic logoff o Unique user identifier o At least one of the following: Biometric ID Password PIN Telephone callback procedure Token

Technical Security Mechanisms If using communications or network controls, security standards for technical security mechanisms must include: Integrity controls Message authentication And one of the following: Access controls (transmission protection) Encryption If using network controls for protecting sensitive communication transmitted over open networks, technical security mechanisms must include all of the following: Alarm Audit trails Entity authentication Event reporting (networking message indicating operating irregularities Physical Safeguards Assigned security responsibility Media controls o Access control o Accountability o Data backup (a retrievable, exact copy of information) o Data storage (retention of HCI pertaining to an individual in electronic format). o Disposal Physical Access Controls o Disaster recovery o Emergency mode operation o Equipment control (hard/software in and out of facility) o Facility security plan (guarding against unauthorized access) o Access authorization verification procedures o Maintenance records o Need-to-know procedures (information accessibility limited to necessary, task-specific functions). o Sign-in visitor procedures o Testing and revision o Policy/Guidelines on workstation use o Secure workstation location o Security awareness training Third Party Relationships Trading Partner Agreements-Electronic Transaction Standards A Trading Partner Agreement is an agreement between business partners, relating to the exchange of information through electronic transactions. This agreement may be part of an existing comprehensive agreement addressing similar issues concerning information use and privacy or may be a separate agreement, particular to the requirements of the Electronic Transaction Standard.

Business Associate Agreements- Privacy Rule This is the method by which covered entities ensure that their business associates, to whom they discloseprotected Health Information (PHI), will handle the information appropriately. Business Associate Agreements require third parties to use PHI in a manner consistent with the purposes for which the information was provided. Business Associate Agreements (BAA's) must contain, among others, the following provisions: Covered Entities must retain the ability to terminate the agreement in the event that a material term of the agreement is violated. Covered Entities must retain the authority to terminate the agreement in the event that a material breach cannot be cured otherwise. If termination of the agreement is infeasible, Covered Entities are required to contact the DHHS. Chain of Trust Agreements- Security Standard This is a contract by which parties agree to electronically exchange data and to protect the transmitted data. Both the sender and the receiver must maintain the integrity and confidentiality of the transmitted information. Each "link in the chain" must maintain the same level of security. HIPAA Enforcement Enforcement of HIPAA rules is handled by: Office for Civil Rights (civil) Department of Justice (criminal) "Voluntary Compliance"-the Department has indicated its willingness to work with covered entities to attain compliance, voluntarily. The common goal intended to benefit the healthcare delivery industry, rather than unduly burden it. The Department of Health and Human Services recently released official "Guidelines" for assistance in implementing and understanding the Privacy Regulation Civil Penalties Criminal Penalties - Fines of up to $100,000.00 per violation Wrongful disclosure of IIHI: - Maximum fine: $25,000.00 per individual, per $50,000.00/ 1 year violation, per year. $100,000.00/ 5 years $250,000.00/ 10 years Existing Contracts Inventory of existing agreements between covered entities and third parties (i.e. vendors). May require renegotiation and/or addendums. New Contracts HIPAA Considerations: Burden Sharing: Administration Maintenance Training Liability Third-party agreements- regulation violations Where will the blame fall? Who will be responsible for ensuring accountability and redress for breaches? Contractual provisions should anticipate potential liability.

Internal safeguards Documentation. Continuous Review. Thorough Training. Reporting Procedures. Sanction/ Termination Procedures. State Law Issues Preemption- HIPAA Regulations to serve as a FLOOR. State and Federal Law intersection requires careful legal evaluation. Causes of Action- Breach of privacy. Violation of statute as evidence of breach of duty. Standard of Care The level at which information is developed, transmitted, accessed, stored and protected will have a profound impact on health care in terms of standard of care. The purpose of the Act is to heighten the quality of health care delivery through the simplifying and streamlining of the process.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information