What do you need to know?

DISCLAIMER: Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH Act developments. It is not intended, nor should it be used, as a substitute for specific legal advice.

HIPAA Regulations: What do you need to know?
Rate your practice's current compliance. Are you HIPAA compliant right now?
Privacy Rule compliance requirements
Security Rule compliance requirements
Breach notification requirements
Documentation
Audits

Recent Breaches in the News: Recent Breaches and their Costs!
Experts: Lack of HIPAA basics cost BCBST $18.5 million. Basic compliance 101 (policies, training, monitoring, and risk assessments) may have saved Blue Cross Blue Shield of Tennessee (BCBST) millions, experts say. Instead, the health insurer agreed to a $1.5 million settlement with the Office for Civil Rights (OCR) over potential HIPAA security violations and spent another $17 million in breach response costs.
In the fall of 2009, BCBST reported to OCR that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained protected health information (PHI) for more than one million individuals, including member names, Social Security numbers, diagnosis codes, birthdates, and health plan identification numbers.

WHY SHOULD I CARE?
OCR's investigation of Phoenix Cardiac Surgery PC (a 2-physician practice): http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf
The practice:
failed to implement adequate policies and procedures to appropriately safeguard patient information;
failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
failed to identify a security official and conduct a risk analysis;
failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
Corrective Action Plan required. Penalty - $100,000. Reputation impact?

OCR Findings from 2005-2010
Does your practice have a Designated HIPAA Privacy Officer?
Failure to demonstrate adequate policies and procedures or safeguards to address:
Response and reporting of security incidents
Security awareness and training
Access controls
Information access management
Workstation security

HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E)
Designate a HIPAA Privacy Officer
Update your Notice of Privacy Practices: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
New additional patient rights related to the privacy of their information and their access to it
Conduct compliance audits
Conduct annual training of staff on Privacy Rule policies and procedures
Document all disclosures according to the Privacy Rule

HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and E)
Accountability, penalty, and prosecution for disclosure of/access to ePHI
Protecting ePHI at rest, in transit, and in destruction
Breach reporting
Auditing
3 sets of safeguards (standards): Administrative, Physical, Technical

BREACH NOTIFICATION RULE (HITECH ACT SECTION 13402)
Definition of a Breach: A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
Requirements: Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary of HHS and, in certain circumstances, to the media. In addition, Business Associates must now notify covered entities of a breach if it occurred due to their actions or processes.

BREACH NOTIFICATION RULE
Individual Notice - within 60 days of breach, by first class mail. Include a description of the breach, a description of the data involved, protective steps for individuals, and an action plan to resolve, mitigate and prevent further breaches. Where contact information for affected individuals is unknown or out of date, notification should be done via an announcement on the Covered Entity's website or in local media where the affected individuals reside.
Media Notice - within 60 days of breach, for breaches of more than 500 patients. Include a description of the breach, a description of the data involved, protective actions for individuals, and an action plan to resolve, mitigate and prevent further breaches.

BREACH NOTIFICATION RULE
Notice to Secretary of Health and Human Services: for breaches of less than 500 individuals, file a report on the HHS website annually; for breaches of more than 500 individuals, file a report on the HHS website within 60 days of the breach.
Notification by Business Associates: Business Associates are required to notify the Covered Entity upon discovery of any breach within 60 days. The Business Associate should provide the Covered Entity with the identification of each individual affected by the breach as well as any information required to be provided by the Covered Entity in its notification to affected individuals.

Documentation
HIPAA Privacy Rule: policies and procedures; accounting of disclosures; Notice of Privacy Practices; record of periodic workforce training.
HIPAA Security Rule: policies and procedures; documentation of periodic risk assessments; record of security audits; record of periodic workforce training.

Auditing
You need written policies and procedures stating how often and what you will be monitoring and reviewing: audit logs, access reports, and security incident tracking reports.
Documentation of user access roles and of the granting/revocation of access upon termination or change in user role.

HIPAA Audits Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
78 Privacy Rule audit protocols
77 Security Rule audit protocols
10 Breach Notification Rule audit protocols

A Few Last Thoughts
Form a TEAM at your practice; include one member from each area: providers, nursing, billing, front desk.
Perform a risk assessment to identify how ePHI is created, used, transmitted, and disposed of.
Designate a HIPAA Privacy and Security Officer.
Create and maintain updated policies and procedures.
Develop and document your practice's breach notification procedures.
Periodically monitor your systems (audit).
Consider email encryption if you need to email ePHI.

Resources
HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
HIPAA Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
HIPAA Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
HIPAA Audit Protocols: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
HIPAA Consultants (education, training, consulting):
HCPRO Blogs - http://blogs.hcpro.com/hipaa/
ecfirst - http://www.ecfirst.com/
Clearwater Compliance - http://clearwatercompliance.com/