The Fourth National HIPAA Summit, April 26, 2002 A SURVEY OF 10 HEALTH SYSTEMS’ HIPAA COMPLIANCE STRATEGIES Presented by: Margret Amatayakul, RHIA, FHIMSS.

Slides:



Advertisements
Similar presentations
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Advertisements

Minimum Necessary Standard Version 1.0
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
Presents: Weekly HIPAA Teleconference Revised
NAU HIPAA Awareness Training
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
Are you ready for HIPPO??? Welcome to HIPAA
Improving Efficiency and Increasing Patient Satisfaction by Leveraging HIPAA Standards, Including Privacy and Transactions and Data Code Sets Presented.
HCCA HIPAA Readiness Survey Results Jody Noon Principal Deloitte & Touche Portland, OR November, 2002 John Steiner Esq. Chief Compliance Officer Cleveland.
HIPAA PRIVACY AND SECURITY AWARENESS.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Approaches to Implementation of the Transactions and Codes Sets Addendum Presented by: Steven S. Lazarus, PhD, FHIMSS President Boundary Information Group.
Health Insurance Portability and Accountability Act (HIPAA)
Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Working with Health IT Systems Protecting Privacy, Security, and Confidentiality in HIT Systems Lecture a This material (Comp7_Unit7a) was developed by.
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
Medical Law and Ethics, Third Edition Bonnie F. Fremgen Copyright ©2009 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved.
Copyright Boundary Information Group 2002 HIPAA CASE STUDIES: A SURVEY OF 10 HEALTH SYSTEMS’ HIPAA COMPLIANCE EFFORTS Steven S. Lazarus, PhD, FHIMSS President,
Health Insurance Portability and Accountability Act (HIPAA) CCAC.
© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Ch 8 Privacy Law and HIPAA.
The Fifth National HIPAA Summit – October 30, 2002 What to Do Now: Operational Implementation of HIPAA Privacy and Security Training Presented by: Steven.
HIPAA THE PRIVACY RULE. 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti- depressant medications.
Working with HIT Systems
HIPAA Health Insurance Portability and Accountability Act of 1996.
Copyright © Emerson Strategic Group, Inc. All Rights Reserved 1 Ninth National HIPAA Summit Auditing for Privacy Compliance: A Case Study September.
1 Privacy Plan of Action © HIPAA Pros 2002 All rights reserved.
Vendor and Clearinghouse Requirements for HIPAA Compliance HIPAA Summit Audio Conference Presented By: Steven S. Lazarus, PhD, FHIMSS Boundary Information.
Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.
March 19, 2003 Audioconference Approaches to Compliance with the HIPAA Privacy and Security Workforce Training Requirements Presented by: Steven S. Lazarus,
ASCA Transaction Extension and Resources to Help Extending Your Compliance Deadline for Transactions & Code Sets April 19, 2002 Steven S. Lazarus, PhD,
HIPAA TRIVIA Do you know HIPAA?. HIPAA was created by?  The Affordable Care Act  Health Insurance companies  United States Congress  United States.
HIPAA Training. What information is considered PHI (Protected Health Information)  Dates- Birthdays, Dates of Admission and Discharge, Date of Death.
COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,
The Health Insurance Portability and Accountability Act (HIPAA) requires Plumas County to train all employees in covered departments about the County’s.
April 14, 2003 – HIPAA Privacy Audioconference The Importance of April 14, 2003: Where you should be regarding HIPAA privacy policies and procedures and.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
Health Insurance Portability and Accountability Act (HIPAA) Primer for Observers, Volunteers, Medical Students Dr. Michael Palumbo- Privacy Officer/ EVP.
The Health Insurance Portability and Accountability Act 
Acknowledgement The presenters acknowledge the contributions and suggestions of Margret Amatayakul, RHIA, CHPS, FHIMSS, President, Margret\A Consulting,
HIPAA Privacy & Security
Moderated by: Steven S. Lazarus, PhD, FHIMSS President
Paul T. Smith Davis Wright Tremaine LLP
EMPLOYER HIPAA COMPLIANCE STRATEGIES HIPAA Summit Audio Conference
HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT
Disability Services Agencies Briefing On HIPAA
Final HIPAA Security Rule
Countdown to Compliance
HIPAA Transactions and Code Sets Implementation June 6, 2003
County HIPAA Review All Rights Reserved 2002.
Health Care: Privacy in a Digital Age
Presented by: Steven S. Lazarus, PhD, FHIMSS
Thursday, June 5 10: :45 AM Session 1.01 Tom Walsh, CISSP
HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.
OVERVIEW OF CMS GUIDANCE
HIPAA Privacy & Security
HIPAA SECURITY RULE Copyright © 2008, 2006, 2004 by Saunders an imprint of Elsevier Inc. All rights reserved.
Making Your IRBs and Clinical Investigators HIPAA-Ready
The Importance of April 16, 2003: Where You Should be in HIPAA Data Code Sets/Transactions Testing and Compliance Presented by: Steven S. Lazarus, PhD,
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
Strategies to Comply with the HPAA Privacy Rule Before the HIPAA Security and Enforcement Rules are Final Presented by: Steven S. Lazarus, PhD, FHIMSS.
Introduction to the PACS Security
Presentation transcript:

The Fourth National HIPAA Summit, April 26, 2002 A SURVEY OF 10 HEALTH SYSTEMS’ HIPAA COMPLIANCE STRATEGIES Presented by: Margret Amatayakul, RHIA, FHIMSS Margret\A Consulting, LLC Steven S. Lazarus, PhD, FHIMSS Boundary Information Group

Copyright © Boundary Information Group BOUNDARY INFORMATION GROUP  Virtual Consortium of health care information systems consulting firms founded in 1995  Internet-Based –Company website: –BIG HIPAA Resources:  Senior Consultants with HIPAA Leadership Experience Since 1992  Clients include: –Hospitals and multi-hospital organizations –Medical groups –Health plans –Vendors

Copyright © Boundary Information Group  Nonprofit Trade Association, founded 1991  206 organizational members –Consumers, Government, Mixed Payer/Providers, Payers, Providers, Standards Organizations, Vendors  Named in 1996 HIPAA Legislation as an Advisor to the Secretary of DHHS  Website:  Strategic National Implementation Process (SNIP) -  WEDI Foundation formed in 2001  Steven Lazarus, WEDI Chair Workgroup on Electronic Data Interchange

Copyright © Boundary Information Group BIG HIPAA ASSESSMENT PROCESS  Interviews –Individuals & groups - all workforce members –Purpose: Ensure awareness Respond to questions/concerns Obtain information about current practices Learn about future plans  Observations –Tour data center(s), file area(s), and key areas where transactions and individually identifiable health information used/disclosed –Purpose: Validate policy and procedure Assess overall workflow Establish context within which to make recommendations

Copyright © Boundary Information Group BIG HIPAA ASSESSMENT PROCESS  Limited testing for privacy and security –Impersonation w/case studies to determine: Help desk response Release of information response –Shoulder surfing –Various logs and records reviewed –Key door locks tested –Check paper waste in trash bins –Third party authorization –Test workstations for: Location Password Virus protection Internet use, screen savers, etc.

Copyright © Boundary Information Group BIG HIPAA ASSESSMENT PROCESS  Document review –Comprehensive review of policies, procedures, forms, agreements, etc. Determine existence Determine revision date Determine internal consistency Compare to HIPAA standards  Comparison to industry practice –Results of readiness assessment are compared with findings from consultants’ pool of other covered entities: current

Copyright © Boundary Information Group DISCLAIMER  None of the findings described herein should be attributed to any one specific BIG client or to or all BIG clients.  These findings are representative of those commonly found in

Copyright © Boundary Information Group TRANSACTIONS FINDINGS  Significant reliance on and belief in vendor/clearinghouse to solve the problem.  Focus primarily on 837 (claim) and 835 (remittance) to preserve cash flow  Significantly less focus on other transactions that would improve cash flow; little C/B analysis  Primary focus is IT and not applications: –Which are source for data content –Which will require significant work flow changes  Some reluctance to file an extension; lack of understanding concerning DSMO modification delay impact

Copyright © Boundary Information Group COMMON SECURITY FINDINGS  Information Access Control (§ (a)(5))  Technical Access Control (§ (c)(1) (i)) –Who authorizes access to information? –How is access established? –When is access modified? –Is there emergency mode access? –On what is access based?  Common Findings –IS assigns network access –Mix of formal (supervisor) authorization and less formal verification approaches used for applications –Access modification (when workforce members change jobs) often not performed –Minimal role-based access is most common; user- based for physicians (and no “break glass” access)

Copyright © Boundary Information Group COMMON SECURITY FINDINGS  Entity Authentication (§ (c)(1) (v)) –Is there automatic logoff? –Is there two-tiered authentication?  Common Findings –Automatic logoff is generally in use, though often set for fairly long time in clinical areas –UserID and password most common Virtually no training on strong password selection Multiple passwords for applications; virtually no single sign on Often too frequent password change or no password change Often weakest passwords and no change for network access

Copyright © Boundary Information Group COMMON SECURITY FINDINGS  Security Incident Procedures (§ (a)(9)) –Is there a central place to report security incidents? –Is it used? –Written policy, training?  Common Findings –Several places to report information security incidents Help desk Security Officer Compliance Officer Supervisor (Often not risk management) –No written policy –No training –No incident tracking, trending, or monitoring

Copyright © Boundary Information Group COMMON SECURITY FINDINGS  Termination Procedures (§ (a)(11)) –How are workforce user accounts removed? –Is there continuity of confidentiality requirement?  Common Findings –Employment Exit check lists often not used –No or ineffective communication between Human Resources and I.S. –Check list and notification process not automated –Best for involuntary terminations –Often months to remove voluntary and contractor terminations –Rarely exit interview includes: Reaffirmation of confidentiality agreement Solicitation of security issues

Copyright © Boundary Information Group COMMON SECURITY FINDINGS  Media Controls (§ (b)(2)) –Are all systems backed up? Where are backups stored? –How is confidential paper handled? trash handled? –Is fax receipt verified?  Common Findings –Often only some systems are backed up –Usually critical system backups are stored off site; some backups stored in (removable) fireproof box on site, or even “laying around” server –“Bee Alert” system in a few locations; most everyone has addressed white boards, marquees, and sign-ins –Very good PHI trash control in California, lax in other areas –Fax machine acknowledgement  recipient verification –One fax best practice: return cover sheet to acknowledge receipt

Copyright © Boundary Information Group COMMON PRIVACY FINDINGS  Sanctions (§ (e)(1)) –Are workforce sanctions for breaches applied fairly and consistently? –Are they documented?  Common Findings –“Subject to disciplinary action, up to and including termination” standard statement –Escalation more common than zero tolerance Usually no specific escalation procedures documented –In hospitals, sanctions process is different for physicians than for the rest of the workforce –Volunteers are usually subject to the same sanction as employees

Copyright © Boundary Information Group COMMON PRIVACY FINDINGS  Individual Rights (§ ) –Are individual rights afforded today? –How are individuals informed of their rights? –Is there documentary evidence of due process? –What technical measures support privacy rights?  Common Findings –(.520) No one has instituted Notice of Privacy Practices (Patients Rights and Responsibilities Notice) –(.522(a)) Restrictions not well-accommodated in systems –(.522(b)) Confidential communications (not well understood) and not well-accommodated in systems –(.524) Access is most commonly granted right (although somewhat begrudgingly); but no policy on or due process for denial –(.526) Amendment is occasionally granted; but no policy on or due process for denial –(.528) Accounting for disclosure is least common

Copyright © Boundary Information Group COMMON PRIVACY FINDINGS  Consent (§ )  Authorization (§ )  Opportunity to Agree/Object (§ )  Uses & Disclosures Not Requiring (§ ) –Are these documents consistent with HIPAA? –Do individuals understand these documents?  Common Findings –Virtually everyone has a consent, though generally for release of information for payment –Virtually everyone has authorization forms and policies/procedures when authorization is not required –Virtually no one gives patients opportunity to object

Copyright © Boundary Information Group COMMON PRIVACY FINDINGS  Minimum Necessary (§ (b)) –Is PHI limited to intended purpose?  Common Findings –Most still are confused as to what this pertains to –Few understand how they will carry out minimum necessary

Copyright © Boundary Information Group COMMON PRIVACY FINDINGS  Organizational Relationships (§ ) –Are organizational relationships clear? –Are they documented?  Common Findings –Most providers understand they are covered entities –Many organizations are confused concerning relationships to other organizations vis-à-vie business associates, especially affiliated physician groups

Copyright © Boundary Information Group COMMON SECURITY/PRIVACY ADMINISTRATIVE FINDINGS  Information Security Responsibility (§ (b)(1))  Information Privacy Official (§ ) –Have these been appointed? –To whom do they report? –Do all members of workforce know who they are?  Common Findings –Appointment and reporting relationship varies –Many seem to think they know who they are!  Training and Awareness –Little information security training or awareness –Good information privacy awareness; less training

The Fourth National HIPAA Summit, April 26, 2002 HIPAA READINESS Steve Lazarus Margret Amatayakul