Where to start – Ben Burton, JD, MBA, RHIA, CHP, CHC

Presentation transcript:


What is the rule? State vs. Federal laws – How does that work? What goes in the Notice of Privacy Practices? What tools are available to help?



Health Information Technology for Economic and Clinical Health (HITECH)
Omnibus Rule
Case law

MeHIMA Legal Resource Manual
AHIMA (members): Engage / Communities of Practice; Body of Knowledge
HHS – OCR: general information; FAQs


Gap analysis
Define current state
Determine goal
Develop a plan to meet your goals
Update and reevaluate

Fully compliant
Compliant, but just need to update for HITECH
Partially compliant, but have a plan
Partially compliant, and don’t know where to go
Not sure? What is HITECH?

Read the rule
Know the sections
Don’t memorize, but be familiar with the language
Know your internal rule
How to use your risk assessment(s)?
Applicable P&P
What to do if …

Audit protocol: “Please be aware that the protocol has not yet been updated to reflect the Omnibus Final Rule but a version reflecting the modifications will be available in the future.” (HHS website, regarding the audit tool)
The rule has been updated to include 78 FR 5695, January 25, 2013 (the Omnibus Final Rule).

If you wait until you are audited, it’s too late …
Create documents that comply with each performance criterion
Risk analysis
Create practical P&Ps (cite the rule in the policy, e.g. 45 CFR §…)
Create a table of contents or summary log
Publish internally
Train your workforce and other applicable people
Give people access to the tools as necessary

Section
Established performance criteria
Key activity
Audit procedures: what questions are auditors likely to ask?
Implementation specification: Required vs. Addressable (need documentation and support)
HIPAA compliance area: breach, security, or privacy

Conduct risk assessment (security and privacy); the audit only looks to security
IT systems and services: security capability
Purchase equipment
Certified EMR
P&P (monitor activity)
Reduce risks (identified in risk assessment)
Risk management

Assign security responsibility: select a security officer; define and document duties
Workforce security: establish access and supervision; role-based security; limit access to need to know; clearance process; access termination process
Information access: P&P related to access (when, who, how long, etc.), consistent with the rules

Train (everyone): plan and strategy
When
Who
What (log-in, password management, organizational tools, etc.)
Document

Response plan: identify; investigate; correct; mitigate
Contingency plan: disaster recovery; data backup; emergency operations plan; test and revise

May be internal or external
Look at the entire system (document the method)
Document
Make changes as necessary
Rinse and repeat

Assess → Create/Document/Develop/Approve → Implement → Monitor → Respond

HITECH requires BAs to be bound by HIPAA – CEs still need BAAs
BAA updated to reflect Jan. 25

Protect the place where the information is kept (card access, etc.)
HR and safety issues can also be addressed here
Address emergencies, maintenance, housekeeping, etc.
Identify workstations: access; surroundings; proper purpose and use

Disposal of PHI, including ePHI
Assign accountability
Backup, storage, disposal – everything related to media devices
Mobile and remote access devices

Assess need and capabilities (patients have a right to get information in electronic form)
Encryption: addressable?
Unique identifier for each user
Technical controls
Emergency access
Auto log-off and other security-related issues

Use the system to audit activity
Track specific activities based on risk (e.g. break the glass)
Document process and audit results
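One way to act on the audit-control slide above: an added Python example (not from the presentation) that reviews a constructed EHR access-log export for break-the-glass events, surfacing overrides with no recorded reason and users who invoke the override repeatedly, so the result can be filed as the documented audit review. The CSV layout, field names, sample rows and the threshold of three are assumptions for this illustration.

```python
# Added example (not from the slides): review a constructed EHR access-audit
# export for break-the-glass events. The CSV layout, field names, sample
# records and the review threshold are assumptions, not a real vendor format.
import csv
import io
from collections import Counter

# Constructed sample: who opened which chart, whether the emergency override was used, and the reason entered.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action,break_glass,reason
2014-08-06T08:01:12,jdoe,nurse,P-1001,view,false,
2014-08-06T08:03:40,rlee,physician,P-2002,view,true,ED trauma - covering attending
2014-08-06T08:05:02,rlee,physician,P-2003,view,true,
2014-08-06T09:15:55,tkim,billing,P-1001,view,true,
2014-08-06T09:16:10,tkim,billing,P-1002,view,true,
2014-08-06T09:17:33,tkim,billing,P-1003,view,true,curiosity
2014-08-06T10:00:00,jdoe,nurse,P-1004,update,false,
"""

def parse_log(text):
    """Parse the CSV export into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))

def break_glass_events(records):
    """Every use of the emergency override; each one needs documented review."""
    return [r for r in records if r["break_glass"].strip().lower() == "true"]

def missing_justification(records):
    """Overrides with no reason recorded: the audit trail cannot show why the access happened."""
    return [r for r in break_glass_events(records) if not r["reason"].strip()]

def frequent_override_users(records, threshold=3):
    """Users at or above `threshold` overrides in this export (threshold is an
    assumed, organisation-specific value): candidates for follow-up."""
    counts = Counter(r["user"] for r in break_glass_events(records))
    return {u: n for u, n in counts.items() if n >= threshold}

def review_report(text, threshold=3):
    """Summary the security officer can file as the documented audit result."""
    records = parse_log(text)
    return {
        "break_glass_total": len(break_glass_events(records)),
        "missing_reason": [(r["timestamp"], r["user"], r["patient_id"])
                           for r in missing_justification(records)],
        "frequent_users": frequent_override_users(records, threshold),
    }

if __name__ == "__main__":
    for key, value in review_report(SAMPLE_LOG).items():
        print(key, value)
```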

Integrity: protect information; track modifications; determine methods for proper authentication
Methods to properly authenticate ePHI: addressable; legal risk
Transmission security: data sent from the organization

Risk assessment: define the process (what constitutes a low risk of compromise)
Notification: individual; others as applicable

45 CFR § – General rule. (a) Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
Notice of Privacy Practices (NPP): 45 CFR § – Notice of privacy practices for protected health information. Defines your HIPAA rules.

Training
Sanctions
Protect data
Mitigate damages
Non-retaliation
Process for things listed in the NPP (accounting of disclosures, opt-out, copies of records, amendment, restrictions, etc.)

Source: eCFR, 45 CFR § 164 (retrieved 8/6/2014)