HIPAA Privacy and Security Update - 5 Years After Implementation

Presentation transcript:

HIPAA Privacy and Security Update - 5 Years After Implementation William R. “Bill” Braithwaite, MD, PhD Health Information Policy Consulting Washington, DC May 14, 2008

Timetables

Privacy:
  Administrative Simplification - 1994
  HIPAA - 1996
  NPRM - 1999
  Final - 2000
  Modification NPRM - 2002
  Modification Final - 2002
  OCR Enforcement - 2003

Security:
  Administrative Simplification - 1994
  HIPAA - 1996
  NPRM - 1998
  Final - 2003
  CMS Enforcement - 2005

Copyright © 2007

Principles of Fair Information Practice
- Notice: The existence and purpose of record-keeping systems must be known.
- Choice: Information is
  - collected only with the knowledge and permission of the subject;
  - used only in ways relevant to the purpose for which the data was collected;
  - disclosed only with permission or overriding legal authority.
- Access: The individual has the right to see records and to assure the quality of the information (accurate, complete, and timely).
- Security: Reasonable safeguards for the confidentiality, integrity, and availability of information.
- Enforcement: Violations result in reasonable penalties and mitigation.

HIPAA Privacy Rule of Thumb
Don't surprise the patient with a use or disclosure they don't expect (or should know to expect)!
- Tell the patient about all uses and disclosures that are part of the normal operations of the healthcare enterprise (treatment, payment, and healthcare operations: TPO).
- Give the patient the opportunity to object to the limited disclosures that are common practice for the good of the patient.
- Follow the procedure for a public policy exception, e.g., required reporting of contagious disease.
- Get explicit permission for anything else.

Controversial Areas
- Minimum Necessary
- Disclosure Log
- Consent
- Marketing
- Enforcement

OCR Privacy Enforcement

Year     Complaints   Resolved after Review   Investigated   No Violation Found   Corrective Action Obtained
2003          3,744                   1,169            339                   79                          260
2004          6,534                   3,372          1,392                  359                        1,033
2005          6,853                   3,818          1,803                  642                        1,161
2006          7,332                   4,001          2,466                  895                        1,571
2007          8,132                   4,977          2,199                  715                        1,484
Totals       32,595                  17,337          8,199                2,690                        5,509

In every year the investigated cases split exactly into "No Violation Found" plus "Corrective Action Obtained"; the remaining complaints were resolved after review without investigation.

New Privacy Issues
- HSA: Banks handling PHI to pay medical expenses
- PHR: Non covered entities
- HIE: Consent granularity more than opt-in/opt-out
- On-line services: BA chain to off-shore services; marketing banners and pop-ups
- New Law: Federal v. State law; regulations

CMS Security Complaints
Total: 302 as of March 2008
- Open: 73
- Closed with corrective action: 47
- Closed otherwise: 182

Examples:
- Patient data visible to any user on a provider's appointment scheduling website
- A pharmacy allowed multiple employees to use a single login ID and password to access systems containing EPHI
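The two complaint examples above map onto two technical safeguards the Security Rule names: access control with unique user identification (45 CFR 164.312(a)) and audit controls (164.312(b)). The Python below is an added illustration written for this page, not code from the presentation or from any of the providers mentioned. It is a toy appointment lookup in the vulnerable form (any caller who supplies an ID gets the record) beside a hardened form that checks the requesting user against the record's patient and writes an audit entry under that user's own identity. All names, IDs, and appointment data are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Appointment:
    appt_id: int
    patient_id: str
    when: str
    notes: str  # EPHI: only the patient, or staff with a need, may see this


@dataclass(frozen=True)
class User:
    user_id: str                       # individual account, never shared between employees
    role: str                          # "patient" or "staff"
    patient_id: Optional[str] = None   # set for patient accounts only


class AccessDenied(Exception):
    """Raised when the caller may not see the requested appointment."""


# Constructed sample data for the example (not real patients).
APPOINTMENTS: Dict[int, Appointment] = {
    1001: Appointment(1001, "P-001", "2008-05-20 09:00", "Follow-up: blood pressure check"),
    1002: Appointment(1002, "P-002", "2008-05-20 09:30", "New patient: depression screening"),
}


def get_appointment_vulnerable(appt_id: int) -> Appointment:
    """The pattern behind the first complaint: whoever supplies an ID gets the
    record. Nothing checks who is asking, so any user can walk the ID space
    and read every patient's appointment."""
    return APPOINTMENTS[appt_id]


@dataclass
class AuditLog:
    """Per-user audit trail. It is only meaningful when every employee has an
    individual user_id; with a shared login (the second complaint) every entry
    is attributable to nobody in particular."""
    entries: List[dict] = field(default_factory=list)

    def record(self, user: User, appt_id: int, outcome: str) -> None:
        self.entries.append({"user_id": user.user_id, "action": "view_appointment",
                             "appt_id": appt_id, "outcome": outcome})


def get_appointment_hardened(user: User, appt_id: int, audit: AuditLog) -> Appointment:
    """Object-level authorization: a patient may see only their own
    appointments; staff may see any. Every attempt, allowed or not, is logged
    against the individual user."""
    appt = APPOINTMENTS.get(appt_id)
    if appt is None:
        audit.record(user, appt_id, "not_found")
        # Same exception as a denial, so a probing caller cannot learn which IDs exist.
        raise AccessDenied("appointment not available")
    allowed = user.role == "staff" or (user.role == "patient" and user.patient_id == appt.patient_id)
    if not allowed:
        audit.record(user, appt_id, "denied")
        raise AccessDenied("appointment not available")
    audit.record(user, appt_id, "allowed")
    return appt


def run_scenarios() -> dict:
    """Exercise both versions with a patient account and a staff account and
    return the outcomes so they can be checked."""
    audit = AuditLog()
    alice = User("alice", "patient", patient_id="P-001")
    nurse = User("nurse.kim", "staff")
    results: dict = {}
    # Vulnerable: Alice (P-001) reads P-002's appointment just by changing the ID.
    results["vulnerable_leak"] = get_appointment_vulnerable(1002).patient_id
    results["own_record"] = get_appointment_hardened(alice, 1001, audit).patient_id
    for label, appt_id in (("other_patient", 1002), ("missing", 9999)):
        try:
            get_appointment_hardened(alice, appt_id, audit)
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    results["staff_access"] = get_appointment_hardened(nurse, 1002, audit).patient_id
    results["audit"] = [(e["user_id"], e["appt_id"], e["outcome"]) for e in audit.entries]
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The hardened lookup decides access on the relationship between the authenticated user and the record, not on knowledge of the ID, and it answers "missing" and "denied" identically so an attacker cannot enumerate valid IDs. The audit entries are only useful as evidence because each employee authenticates with their own user_id; a shared pharmacy login would leave the log unable to say who read what.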

Most Common Security Complaints
- Information Access Management
- Security Awareness and Training
- Access Control
- Workstation Use
- Device and Media Controls

New Security Risks
- Portable devices are being stolen
  - Portable media must be encrypted
  - Consider lo-jack features (device tracking and remote disable)
- Single factor authentication is inadequate for remote access to sensitive information
  - Second factor authentication is now a requirement
- Health information is now a target for identity theft
- Security must be a dynamic program responding constantly to new risks

Privacy Conclusions
- Uses and disclosures come in many flavors. Different flavors are treated differently by HIPAA based on the principles of fair information practice.
- The intent of the HIPAA Privacy Rule is to protect individual privacy while allowing most current practices to continue with transparency. Most current practices are beneficial but often poorly understood by patients.
- The HIPAA Privacy Rule is clear when applied to covered cases. The complexity of the healthcare environment and the diversity of desired secondary uses make it difficult to apply simple rules.
- The current rule is inadequate to cover new developments in healthcare.

Security Conclusions
- Security risks are constantly changing. New and serious risks are being introduced at a very rapid rate; the unprepared are suffering.
- Security services, tools, and methods are constantly changing. What was impossible or too costly to implement last year is now possible and cost-effective.
- The HIPAA Security Rule is clear: security must include processes of risk assessment and management, repeated regularly, forever.
- With appropriate risk assessment, the Security Rule can cover the new risks without needing to be changed.

Thank you!
William R. "Bill" Braithwaite, MD, PhD
Washington, DC
bill@braithwaites.com