HIPAA How It Is Affecting Information Systems Within Companies Around Us
Team Lexi Marlene Reischman Marlene Reischman Denise Pope Denise Pope Johnny Lepschat Johnny Lepschat Jared Cheney Jared Cheney William Paugh William Paugh
Why HIPAA Came About Define HIPAA Define HIPAA –Health Information Portability and Accountability Act (1996) –Healthcare related companies –Non-healthcare related companies
Steps To Compliance Does the Legislation Apply? Does the Legislation Apply? Appoint a “Privacy Official” Appoint a “Privacy Official” Privacy Policy Privacy Policy –Who –When –What –Why –How Instructions Instructions Verification Verification
Steps to Compliance, Cont. Training Training –Regulations –Documentation Process –Computers Procedures Procedures –Protected –Identifiable –IS department
Electronic Compliancy Constantly Changing Legislation Constantly Changing Legislation Modifications to Existing Systems Modifications to Existing Systems Systems Must: Systems Must: –Monitor and control access to protected information –Include security features such as passwords and regulated access –Have extra security and monitoring of electronic transfers of information to another entity –Have easy access to complete medical records at patient’s request –Be easy to upgrade
HIPAA Compliance Impact Impact on Becoming Compliant Impact on Becoming Compliant –Capital Outlay –Security Development –Departmental Changes
Capital Outlay Medium to Large Organizations Can Spend Tens of Thousands of Dollars This Year Medium to Large Organizations Can Spend Tens of Thousands of Dollars This Year Some Small Organizations Unable to Handle the Added Expense Some Small Organizations Unable to Handle the Added Expense Federal Aid Funding Stretched Thin Federal Aid Funding Stretched Thin
Penalties For Non Compliance $100 Per Offense $100 Per Offense $25,000 Maximum Penalty $25,000 Maximum Penalty If Misused With Intent, If Misused With Intent, –$50,000 to $250,000 Fine –1 to 10 Years in Prison
Security Development The Four Major Areas of Security Development The Four Major Areas of Security Development –Administrative Procedures –Physical Safeguards –Technical Security Services –Technical Security Mechanisms
Security Continued All Electronic Information Has to Be Secured in All of the Following Ways: All Electronic Information Has to Be Secured in All of the Following Ways: –Access –Transmission –Maintenance –Storage
Departmental Changes IT Challenges IT Challenges HR Restructuring HR Restructuring Other Departments Other Departments
IT Challenges Assess Needs Assess Needs Implement New Systems Implement New Systems Implement New Procedures Implement New Procedures Develop New Security Strategies Develop New Security Strategies
HR Restructuring Change in Database to Dissociate Name From Information Change in Database to Dissociate Name From Information Change in Forms Change in Forms Change in Information Gathering Process Change in Information Gathering Process Change in Staff Training Change in Staff Training
Other Departments New Procedures New Procedures –Require Training For Many Employees New Policies New Policies –Require Attention By All Employees
Real World Cases Bank Bank Rehab Facility Rehab Facility Other Organizations Other Organizations
Bank Hybrid Entity Hybrid Entity –Provides Medical Insurance –Provides Employee Assistance Program (EAP) Bank Requests Information (Insurance Company) Bank Requests Information (Insurance Company) –Formal Documentation Bank Provides Information (EAP) Bank Provides Information (EAP) –Requests Documentation
Rehab Facility Staff Training Staff Training Information System Security Information System Security Physical Security Physical Security New Policies and Procedures New Policies and Procedures
Other Organizations Healthcare Related Healthcare Related Non-Healthcare Related Non-Healthcare Related
HIPAA Privacy Rule and Public Health: Balancing Individual Needs with Those of Society U.S. Department of Health and Human Services: Office for Civil Rights has responsibility for enforcing the Privacy Rule U.S. Department of Health and Human Services: Office for Civil Rights has responsibility for enforcing the Privacy Rule Center for Disease Control and Severe Acute Respiratory Syndrome (SARS): When can information be released? Center for Disease Control and Severe Acute Respiratory Syndrome (SARS): When can information be released?
Protected Health Information (PHI) That Does Not Require Authorization Under the Privacy Rule: Reporting of disease, injury, and vital events Reporting of disease, injury, and vital events Conducting public health surveillance, investigations and interventions Conducting public health surveillance, investigations and interventions Report child abuse or neglect to public health Report child abuse or neglect to public health A person subject to jurisdiction of the Food and Drug Administration (FDA) A person subject to jurisdiction of the Food and Drug Administration (FDA)
PHI, Cont. Exposure to a communicable disease, or at risk for contracting or spreading a disease or condition Exposure to a communicable disease, or at risk for contracting or spreading a disease or condition An employer, as needed to meet the requirements of the Occupational Safety and Health Administration, Mine Safety and Health Administration, or a similar state law An employer, as needed to meet the requirements of the Occupational Safety and Health Administration, Mine Safety and Health Administration, or a similar state law Source: Adapted from [45CFR § (b)]
Questions to answer Are companies being successful at being compliant with HIPAA? Are companies being successful at being compliant with HIPAA? What emphasis changes may need to happen to push compliance? What emphasis changes may need to happen to push compliance? Is the goal of HIPAA being met? Is the goal of HIPAA being met?