HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group


WHAT IS HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It has been known as the Kennedy-Kassebaum Act after two of its leading sponsors. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. This act gives the right to privacy to individuals from age 12 through 18. The provider must have a signed disclosure from the affected individual before giving out any information on provided health care to anyone, including parents. The administrative simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system. (Source: www.wikipedia.com)

WHO IS IMPACTED? DO I NEED TO CARE?
- Health care providers: a provider of medical, psychiatric, or other health services, and any other person or entity furnishing health care services or supplies.
- Health plans: an individual or group health plan that provides or pays the cost of medical care.
- Clearinghouses: a public or private entity that processes or facilitates the processing of non-standard data elements of health information into standard data elements and who transmits any health information in electronic form in connection with a transaction covered in the legislation.
- Business Associates and Trading Partners

WHAT IS PROTECTED HEALTH INFORMATION
- A person's name, address, birth date, age, phone and fax numbers, e-mail address
- Medical records, diagnosis, x-rays, photos, prescriptions, lab work, test results
- Billing records, claim data, referral authorizations, explanation of benefits
- Research records
- Past, present or future condition or payment

Covered Entity (CE)
Any business entity that must comply with HIPAA regulations, which includes health-care providers, health plans and health-care clearinghouses. For purposes of HIPAA, health-care providers include hospitals, physicians and other caregivers. This would include:
- County Boards of DD
- Private Providers
- Agency Providers
- Therapy Providers
- Nursing Providers
- Behavioral Support Providers

Business Associate (BA)
A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. A business associate can also be a covered entity in its own right. This would include any VENDOR or CONTRACTOR that comes in contact with individuals or their information. Some examples:
- Billing Agents
- IT Providers
- Software Providers (Intellinetics, Gatekeeper, CareTracker, Solona to name a few)
- Shredding Companies
- Contracted Service Providers
- COGS Housing Providers
A Covered Entity must have a Business Associate Agreement on file for all vendors classified as a Business Associate.

BUSINESS ASSOCIATE CONTRACTS MUST
- Establish the permitted and required uses and disclosures of protected health information by the business associate, and may not authorize further disclosure in violation of the regulations.
- If the covered entity knows of a practice or pattern of activity that constitutes a material breach of the business associate's obligations under the contract, the covered entity must take reasonable steps to ensure cure of the breach, or terminate the contract, or report the problem to the Office for Civil Rights.

BUSINESS ASSOCIATE OBLIGATIONS
- Must not use or disclose protected health information in violation of the law or contract.
- Implement safeguards against improper use or disclosure.
- Ensure that any agents or subcontractors agree to fulfill contractual and legal obligations.
- Afford individuals access to records; make records available for amendment by the individual; account to the individual for uses or disclosures other than for payment, treatment, or operations.
- At termination of the contract, return or destroy protected health information.

What do we need to be thinking about?

JUST GIVE ME THE POLICIES ALREADY
- Policies should reflect how your organization is handling the requirements of HIPAA.
- These policies should be reviewed annually at a minimum to ensure that the policy is staying current with the organization and technology.
- Staff MUST be trained on HIPAA policies at least annually; keeping it out in front of staff needs to be ongoing.

Hardware, Software and Transmission Security
Organizations should have a hardware firewall in place. Transmission of personal information should be encrypted and comply with HIPAA. Policies should cover the updating of hardware, firmware, operating systems and applications.

Disaster Backup and Recovery Plans
Policies and procedures should include a Disaster Backup and Recovery plan to ensure the business can continue operations in the event of a disaster. This includes keeping the business running, recovering lost data, testing of backup procedures and replacement of equipment.

Training of Staff
Organizations should provide a training program to raise awareness of HIPAA rights. Every individual in the organization must be trained on a regular basis. Training should include employee awareness, password safeguarding and changing, workstation access, software use, virus and malware information and other mission-critical operations.

Record and Information Access
Policies should define roles for who can have what access to programs and information. These policies should further define the roles of the IT personnel who have the rights to modify that access.

Some things to think about with Data Security
- Secure email system (encryption)
- Secure file transfer
- Secure website for data transfer (if applicable)
- Do we have a written Disaster Backup and Recovery Plan? Where is it? Who's in charge of the plan? Have you tested your plan?
- Do you provide HIPAA training to all new staff and ongoing refresher trainings (so it's always kept out in front of staff)? Do you test your staff?
- Who has access to staff and consumer information?
- Secure passwords (complex, set change schedule)
- Systems set up so a user can access only needed information
- Files saved with password protection

DO YOU AUDIT YOUR HIPAA PROCESS
An audit process should be in place for your HIPAA process. It should include:
- Hardware
- Software
- Data controls
The Department of Health and Human Services requires the Office for Civil Rights (OCR) to audit covered entities' and business associates' compliance with the HIPAA Privacy, Security and Breach Notification Rules (see Audit Program Protocol). Organizations responsible for HIPAA-covered data now face one-in-20 odds of facing a HIPAA audit.
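Two of the points above, defining which roles may see which information and keeping data controls auditable, can be made concrete in code. The following is an added example written for this page; it is not material from the presentation or from Provider Resources Group. The role names, PHI field names, and the sample record are constructed assumptions for illustration.

```python
"""Least-privilege access to ePHI fields by role, with an audit trail.

Added example (not from the presentation). Roles, field names and the
sample record below are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> PHI fields that role may read. Assumed roles; a real system would
# load this from policy rather than hard-code it.
ROLE_FIELDS = {
    "clinician": {"name", "diagnosis", "prescriptions", "lab_results"},
    "billing": {"name", "claims", "explanation_of_benefits"},
    "front_desk": {"name", "phone"},
}

# Constructed sample record; every value is a placeholder, not real data.
SAMPLE_RECORD = {
    "consumer_id": "C-0001",
    "name": "Sample Person",
    "phone": "555-0100",
    "diagnosis": "placeholder",
    "prescriptions": ["placeholder"],
    "lab_results": ["placeholder"],
    "claims": ["placeholder"],
    "explanation_of_benefits": ["placeholder"],
}


@dataclass
class AuditLog:
    """Append-only list of access decisions, one entry per request."""
    entries: list = field(default_factory=list)

    def record(self, user, role, consumer_id, requested, granted):
        requested, granted = set(requested), set(granted)
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "consumer_id": consumer_id,
            "requested": sorted(requested),
            "granted": sorted(granted),
            "denied": sorted(requested - granted),
        })


def access_record(user, role, record, fields, log):
    """Return only the requested fields the role is permitted to see.

    Every request is logged, including fully denied ones, so the audit
    trail shows who asked for what and what was withheld.
    """
    if role not in ROLE_FIELDS:
        log.record(user, role, record["consumer_id"], fields, set())
        raise PermissionError(f"unknown role {role!r}")
    allowed = ROLE_FIELDS[role]
    granted = {f for f in fields if f in allowed}
    log.record(user, role, record["consumer_id"], fields, granted)
    return {f: record[f] for f in granted if f in record}


def denied_requests(log):
    """Audit helper: entries where at least one field was withheld."""
    return [e for e in log.entries if e["denied"]]


if __name__ == "__main__":
    log = AuditLog()
    print(access_record("u1", "front_desk", SAMPLE_RECORD,
                        ["name", "diagnosis"], log))
    print(access_record("u2", "clinician", SAMPLE_RECORD,
                        ["diagnosis", "lab_results"], log))
    for entry in denied_requests(log):
        print("review:", entry["user"], entry["role"], entry["denied"])
```

The design point is that the data layer filters by role rather than trusting the caller to ask only for what it needs, and that the log records denials as well as grants; a periodic review of `denied_requests` is the kind of data-control check an internal audit can run.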

SHREDDING PAPER THE HIPAA WAY
In general, examples of proper disposal methods may include, but are not limited to:
- For PHI in paper records: shredding, burning, pulping or pulverizing, so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
- For PHI on electronic media: clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

SECURITY FOR THOSE ON THE
Step 1: Assess your mobile users
Understanding your users and their use cases is the first step toward HIPAA compliance. Mobile devices are becoming increasingly common as the industry rapidly converts from paper to electronic media. Because of this, IT must now support a wide variety of ePHI, including electronic patient records, email, multiple provider health care records and clinical drug trial results. This mission is complicated by device ownership. In typical scenarios, IT supports staff using personal devices to access sensitive information. Now, in some cases, IT also issues user devices. Documenting the flow of health care information to and from users and their mobile devices is the upfront work that has to be completed before IT can develop a comprehensive security strategy for remote access of ePHI.

Step 2: Bulletproof your security strategy
Privacyrights.org reported that in 2007, 46 health care data breaches occurred, involving 62 stolen or lost laptops with five million identities compromised. The publicity surrounding these breaches has motivated many IT organizations to develop a strategy to secure their laptops with data encryption and password protection. Unfortunately, the same cannot be said for handheld devices. What organizations may miss is that rapidly evolving smartphones and PDAs are quickly becoming the everyday PC, with multiple modes of communication, significant processing power and large storage capabilities. This by itself makes today's mobile devices subject to the same risks as laptops. However, handheld mobile devices have several characteristics that make them even more vulnerable than laptops. Their small size makes them substantially more likely to be lost or stolen, and their low cost enables users to easily replace them if lost. Unlike IT-issued laptops, users do not have a compelling reason to report a data breach if they can easily replace the device for a low cost.

Step 3: Build your security solution
Unfortunately, the CMS guidance creates multiple technical challenges for IT departments, including endpoint security, network access control and user compliance. So what should IT look for in a solution? Laptop support is a must, but ultimately full HIPAA compliance also requires robust support across a diverse set of handheld mobile devices, use cases and ownership scenarios. The ideal system must include:
- A self-service portal to allow end users to load security software and policies on personal devices.
- A flexible device agent that enables IT to secure and manage a wide variety of device platforms for phones and tablets.
- Policy-controlled security that protects against hacker access and device loss.
- A centralized management console with integrated help desk capabilities to simplify policy implementation and user support.
- A compliance management and reporting facility to ensure users adhere to IT policy.

Step 4: Enforce your policies
An organization's HIPAA security policies are only effective if users comply with them, so make sure that your mobile device security policies are understood by all users and enforced. OCR will be looking to ensure that policies were followed if there is a data breach. Policies need to be enforced with no respect to person or position.

Step 5: Go public
Advertise your efforts in HIPAA compliance:
- Marketing material
- Website
- County and State agencies
- Individuals and families served

SO WHAT ARE THEY REALLY LOOKING FOR
- Employee training and review
- Vigilant implementation of policies and procedures
- Regular internal audits
- Prompt action plan to respond to incidents
- Risk analysis and ongoing risk management (Security Rule)
(Source: OCR Presentation, February 2014)

SCAN... IT'S A BIG DEAL
- One surefire way of protecting yourself in a disaster, an audit or a HIPAA matter is to scan documents.
- Lots of options are out there for scanning and protecting the information.
- Any IMPORTANT paper that cannot be recreated needs to be scanned.
- Some vendors are here at the conference; check them out.

HIPAA BREACH

REAL LIFE VIOLATIONS
Initial early penalties for HIPAA violations were described as a "joke," with most enterprises unmoved by the risk of paying out potential settlements. However, the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in February 2009 completely changed this attitude, with HIPAA penalties now reaching millions of dollars. Cases in point:
- Cignet's $4.3 million fine in 2011 for denying patients access to medical records
- $1.5 million fine to Massachusetts Eye and Ear Infirmary for a data compromise involving a lost laptop
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

HIPAA COMPLIANCE/ENFORCEMENT (AS OF DECEMBER 31, 2012)
Totals since 2003:
- Complaints filed: 77,200
- Cases investigated: 27,500
- Cases with corrective action: 18,600
- Civil monetary penalties and resolution agreements (since 2008): $14.9 million
(Information from OCR presentation to Tech Alliance, February 2014)

Type of breach (chart categories): Unauthorized Access or Disclosure, Improper Disposal, Theft, Loss, Unknown, Hacking

Location of breach (chart categories): Laptop, Paper Records, Desktop Computer, Portable Devices, Network Server, Other, Email, EMR

ONE FINAL THOUGHT FROM OCR (OCR Investigator Wandah Hardy)

IT'S A WRAP