(c) 2013 James J. Eischen, Jr., Esq.

Presentation transcript:

FIVE “EASY” STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS
James J. Eischen, Jr., Esq.
October 2013, Chicago, Illinois
(c) 2013 James J. Eischen, Jr., Esq.

ABOUT THE SPEAKER
- Partner at Higgs, Fletcher & Mack, LLP
- 26+ years of experience as an attorney in California
- Experience in the healthcare field: medical groups, EHR firms, health coaching enterprises and healthcare products
- Graduated from the University of California at Davis School of Law
- Professional memberships: San Diego County Bar Association Law & Medicine Section; Attorney-Client Relations Committee; State Bar of California Section Member; AAPP Corporate Secretary

STEP ONE: Understand The Purpose Of HIPAA

WHAT IS HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for the protection of certain health information. The Security Rule (Security Standards for the Protection of Electronic Protected Health Information) establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).

Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.

KEY TERMS
- “Unsecured” PHI: PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a method specified by HHS (encryption or destruction)
- ePHI: electronic PHI
- Breach: an acquisition, access, use or disclosure of PHI that compromises the security or privacy of the PHI

STEP TWO: Look At Basic HIPAA Compliance (Privacy And Security Rules)

SECURITY RULE
- Prior to HIPAA, there were no generally accepted federal security standards or general requirements for protecting health information.
- New technologies were evolving: the health care industry moved away from paper processes to electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.
- Providers use clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems.
- Security Rule: protects the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.
- The Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ ePHI.

SECURITY RULE APPLIED
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.

PRIVACY RULE: CONFIDENTIALITY
- The Privacy Rule defines “confidentiality” to mean that ePHI is not available or disclosed to unauthorized persons.
- The Privacy Rule prohibits improper uses and disclosures of ePHI.

SO, WHAT SECURITY MEASURES MUST BE IMPLEMENTED?
The Security Rule does not dictate measures, but requires the covered entity to consider:
- Its size, complexity, and capabilities,
- Its technical, hardware, and software infrastructure,
- The costs of security measures, and
- The likelihood and possible impact of potential risks to e-PHI.
Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.

Reference: http://www.ama-assn.org/resources/doc/washington/hipaa-phi-encryption.pdf

STEP THREE: Evaluate What Changed With The Omnibus/Final Rule

BEFORE AND AFTER OMNIBUS RULE
- Before: BAs regulated through BAAs
- After: BAs and subcontractors regulated directly under HIPAA; BAs are CEs, and must comply with the Security Rule

EXPANDED DEFINITION OF CE
- CE: anyone who, on behalf of a covered entity (CE), creates, receives, maintains or transmits PHI
- Subcontractor of a BA: role + responsibilities of a BA = CE
- BA requirements/exposure are not defined simply by being a party to a BAA

NOT A BA
- Those who simply provide “transmission services”: digital couriers or “mere conduits”
- But if you store personalized ePHI, even if you do not view it, you are a BA/CE

SUBCONTRACTORS
- The contract between the CE’s BA and the BA’s subcontractor must satisfy the BAA requirements
- A subcontractor of a subcontractor of a subcontractor of a subcontractor: all are BAs
- HIPAA/HITECH obligations apply to subcontractors

OMNIBUS/FINAL RULE
- All covered entities must review documentation, including business associate agreements, notices of privacy practices, and their policies and procedures, to ensure compliance with the Final Rule
- BAA and NPP MUST BE UPDATED

PRESUMPTION OF BREACH
- Interim Final Rule: risk assessment to determine if unauthorized ePHI access, use or disclosure caused harm; no presumption of a breach
- Final Rule: unauthorized access, use or disclosure is presumed to be a breach unless the CE determines a low probability that the ePHI was compromised

POTENTIAL BREACH EVALUATION
The CE must evaluate:
- The nature and extent of the ePHI
- The unauthorized person who used the ePHI, or to whom the disclosure was made
- Whether the ePHI was actually viewed or acquired
- How the risk was mitigated
DOCUMENT, DOCUMENT, DOCUMENT AND THEN DOCUMENT SOME MORE

BREACH NOTIFICATION
- A BA must provide notice of a breach to the CE
- A breach is treated as discovered as of the first day on which it is known, or would have been known: when, by exercising reasonable diligence, would the breach have been known?
- A subcontractor BA gives notice to the BA

ELECTRONIC ACCESS
- “Reasonable” safeguards
- If the PHI owner wants PHI sent unencrypted, the CE needs to let the individual know of the risks: DOCUMENT THE ePHI OWNER’S CONSENT
- Secure mechanism
- Electronic “machine readable copy”: can be used on a computer (e.g. PDFs)
- If a PHI owner asks for a specific format, the CE needs to accommodate it when possible

FEES CHARGED FOR ELECTRONIC RECORDS?
- Labor costs only
- Retrieval costs or capital costs are not allowed to be charged
- Supplies provided upon request can be charged
- Best practice is to list fees on the authorization/consent form itself

ACCESS TO THIRD PARTIES
- An individual can request that the CE send ePHI to another individual
- In writing (electronic is OK, but verification is needed)
- Identify who the receiver is
- PHI must still be protected when sent to the third party

RESTRICTIONS/ACCOUNTING RULE
- An individual can restrict disclosure of ePHI to a health plan when paying out of pocket in full for a service (Accounting Rule)
- CEs need to develop a way to track restrictions
- CEs submit restricted ePHI for required audits when “required by law”

STEP FOUR: Identify Necessary HIPAA Compliance Steps

Update Your Documentation!

HIPAA COMPLIANCE: BASIC DOCUMENTATION
- Notice of Privacy Practices (NPP)
- Business Associate Agreement (BAA)
- Internal risk analysis memo
- The practice’s written office procedures and processes must be examined thoroughly
- Evaluate risks and decide how to address those risks

SO, WHAT DO I DO?
- Update BAA
- Update NPP
- Update internal risk assessment memo
- Ensure electronic records access is not subject to unlawful charges

STEP FIVE: Electronic Communications, Scheduling & Records Management

HIPAA/PRIVACY COMPLIANCE WITH ELECTRONIC COMMUNICATIONS
Electronic data storage of any kind = HIPAA

SHOULD MY PHYSICIAN-PATIENT AGREEMENT DEAL WITH ELECTRONIC COMMUNICATIONS?
- Not recommended!
- A separate ePHI agreement is needed for risk management/HIPAA compliance
- HIPAA Final Rule: non-compound ePHI consent

CHECK MARKETING/PRACTICE COMMUNICATION PLATFORMS FOR COMPLIANCE
- Website
- Calendar/Scheduling
- FAQs
- Patient letters
- Staff training!!!
Is this all really necessary? (Hint—The correct answer is not “no”)

SO WHAT CAN GO WRONG ANYWAY?
Case Study: an Arizona cardiologist was fined $100,000 and ordered to take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

WHAT WENT WRONG?
- Inadequate internal risk analysis
- Lack of staff training
- No BAA with the outside IT vendor for the web calendar
Bottom line: an internal risk analysis memo and awareness of patient privacy rights can avoid fines/penalties.
http://www.healthcareitnews.com/news/phoenix-practice-pay-100000-settle-hipaa-case

QUESTIONS?
James J. Eischen, Jr., Esq.
Office: (619) 819-9655
Email: eischenj@higgslaw.com
Skype: jeischenjr
http://www.assessmentandplan.com
http://www.higgslaw.com