Northern Indiana Health Information Management Association

Presentation transcript:

From HIPAA to IFHIMA
Nationwide & Worldwide Privacy & Security Initiatives
Northern Indiana Health Information Management Association
March 29, 2019
Dorinda Sattler, MJ, RHIA, CHPS, CPHRM
Clinical Assistant Professor/HIT Program Director
Owner/Consultant – Sattler Healthcare Consulting, Inc.

The good ole days…
There was a patchwork of privacy laws.
- Health Insurance Portability and Accountability Act enacted 1996
- Compliance with Privacy Rule required by 4.14.2003
- Compliance with Security Rule by 4.20.2005
- Initially, little enforcement “teeth”.

HIPAA Gets Tough
Omnibus final rule 1.25.2013 implemented HITECH Act changes and GINA changes to HIPAA.
- Strengthened HIPAA’s Privacy and Security protections
- Extended applicability of certain provisions to BAs
- Established breach notification requirements
- Required periodic audits by HHS
Compliance by 9.23.13
OCR charged with oversight and enforcement of HIPAA Privacy and Security Rules

Breach notification
With HITECH’s breach notification requirement implemented into HIPAA, CEs and BAs now have to notify OCR about breaches of PHI or ePHI. Those notifications become triggers for future audits.

OCR Enforcement Process
- Investigates complaints received
- Conducts compliance reviews of circumstances brought to its attention
- Conducts audits
- Provides education and outreach to assist with compliance
- May issue subpoenas to compel cooperation with investigations
- Enters into resolution agreements, assesses CMPs
- Required to submit a report to Congress annually

From complaints to audits
Initially OCR was reactionary in determining compliance:
- Responded to complaints received, or
- Responded if made aware of situations where compliance was suspect.

Phase 1 Audits
- Proactive audits began in 2011
- Pilot audits performed 2011-12
- Audit findings analyzed and the pilot audit program evaluated throughout 2013
- Planning activities for next phase 2014-15

Phase 2 Audits
- Full implementation 2016
- CEs and BAs chosen for audit based on history of complaints and self-reported breaches
- Desk audits begin for randomly chosen CEs and BAs
- Focus is on key non-compliance areas identified in Phase 1; also includes areas related to security

Phase 2 Audit Results (so far)
- Desk audits completed 2017: 166 covered entities, 41 business associates
- Failure to implement effective risk analysis and risk management (RM) strategies per the Security Rule
- Failure to adequately safeguard PHI and ensure individual access to PHI
- Incomplete NPPs (Notices of Privacy Practices)
- Aggregate findings to be published 2019!

Totality of all enforcement actions =

OCR Stats as of 12.31.18*
- Complaints received: 197,049+
- Compliance reviews initiated: 924
- Cases resolved: 192,350
  - 26,558 cases resolved by requiring changes in privacy practices
  - 62 cases resulted in CMPs or settlements totaling $96,581,582.00
  - 11,653 cases: no violation found
*https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/2018-december/index.html

OCR Stats as of 12.31.18* (continued)
Of the 197,049+ complaints, 122,019 were not eligible for enforcement:
- OCR lacked jurisdiction (entity not a CE or BA)
- Untimely complaint or complaint withdrawn
- Activity described did not violate HIPAA (permitted privacy disclosures)
*https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/2018-december/index.html

OCR Stats as of 12.31.18* (continued)
Issues investigated most:
- Impermissible uses and disclosures
- Lack of safeguards of PHI
- Lack of patient access to their PHI
- Lack of administrative safeguards for ePHI
- Use or disclosure of more than the minimum necessary PHI
*https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/2018-december/index.html

OCR Stats as of 12.31.18* (continued)
Most common types of CEs required to take corrective action:
- General Hospitals
- Private Practices and Physicians
- Outpatient Facilities
- Pharmacies
- Health Plans (group health plans and health insurance issuers)
*https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/2018-december/index.html

In the in 2018
- Jan. - Filefax, Inc. $100,000
- Jan. - Fresenius Medical Care $3,500,000
- Jun. - MD Anderson Ca. Center* $4,300,000
- Sep. - Boston Medical Center, with Brigham and Women’s Hospital, and Massachusetts General Hospital $999,000
*Judgment, whereas the others were settlements

In the in 2018 (still!)
- Oct. – Allergy Assoc. of Hartford $125,000
- Oct. – Anthem, Inc. $16,000,000
- Nov. – Pagosa Springs $111,400
- Dec. – Cottage Health $3,000,000
Total (Settlements and Judgments): $28,683,400

Onward and upward
OCR Outreach Efforts
- Print materials
- Website
- On-line provider education training
- Raise awareness of individuals’ rights

So we can relax, right?

HIPAA is not the only king!
LOL, nope.
- OCR finalizing a permanent audit plan and protocols
- Enforcement activities show no sign of slowing down
HIPAA is not the only king!
- California and other state data privacy laws
- GDPR
- Possible US-like GDPR?
Which brings me to...

IFHIMA
International Federation of Health Information Management Associations
- Member nations: 23 as of 3.11.19, representing 7 global regions
- Congress held every three years
- Work relative to HIM includes: ICD, EHR, HIM Education, IG and, of course, Privacy!

IFHIMA Privacy Workgroup
- Currently writing privacy whitepaper: global perspective, HIM highlight
- Case studies from some member nations: US, India, Australia, Qatar, and S. Korea
- White paper to be published and presented to IFHIMA Congress in Dubai, November 2019
- Privacy panel anticipated

References
- https://www.hhs.gov/sites/default/files/compliance-report-to-congress-2015-2016-2017.pdf
- IFHIMA