HIPAA Regulations: What do you need to know?

Presentation transcript:

HIPAA Regulations: What do you need to know?

DISCLAIMER: Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH Act developments. It is not intended, nor should it be used, as a substitute for specific legal advice.

HIPAA Regulations: What do you need to know?
First question: rate your practice's current compliance. Are you HIPAA compliant right now?
Topics:
- Privacy Rule compliance requirements
- Security Rule compliance requirements
- Breach notification requirements
- Documentation
- Audits

Recent Breaches in the News: Recent Breaches and Their Costs!
Experts: Lack of HIPAA basics cost BCBST $18.5 million. Basic compliance 101—policies, training, monitoring, and risk assessments—may have saved Blue Cross Blue Shield of Tennessee (BCBST) millions, experts say. Instead, the health insurer agreed to a $1.5 million settlement with the Office for Civil Rights (OCR) over potential HIPAA security violations and spent another $17 million in breach response costs. In the fall of 2009, BCBST reported to OCR that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained protected health information (PHI) for more than one million individuals, including member names, Social Security numbers, diagnosis codes, birthdates, and health plan identification numbers.

WHY SHOULD I CARE?
OCR's investigation of Phoenix Cardiac Surgery PC (a two-physician practice): http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf
The practice:
- failed to implement adequate policies and procedures to appropriately safeguard patient information;
- failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
- failed to identify a security official and conduct a risk analysis;
- failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
Corrective Action Plan required. Penalty: $100,000. Reputation impact?

OCR Findings from 2005-2010
Does your practice have a designated HIPAA Privacy Officer?
Failure to demonstrate adequate policies and procedures or safeguards to address:
- Response and reporting of security incidents
- Security awareness and training
- Access controls
- Information access management
- Workstation security

HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E)
- Designate a HIPAA Privacy Officer
- Update your Notice of Privacy Practices: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
- New additional patient rights related to the privacy of their information and their access to it
- Conduct compliance audits
- Conduct annual training of staff on Privacy Rule policies and procedures
- Document all disclosures according to the Privacy Rule

HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and E)
- Accountability, penalty, and prosecution for disclosure of/access to ePHI
- Protecting ePHI at rest, in transit, and in destruction
- Breach reporting
- Auditing
- 3 sets of safeguards (standards): Administrative, Physical, Technical
(Need to add a line about risk assessment to this slide.)

BREACH NOTIFICATION RULE (HITECH Act Section 13402)
Definition of a "breach": A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
Requirements: Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary of HHS and, in certain circumstances, to the media. In addition, business associates must now notify covered entities of a breach if it occurred due to their actions or processes.
Question: Has anyone written a breach notification procedure for your practice?

BREACH NOTIFICATION RULE
Individual notice: within 60 days of breach
- First-class mail
- Include a description of the breach, a description of the data involved, protective steps for individuals, and an action plan to resolve, mitigate and prevent further breaches
- For unknown or out-of-date information on affected individuals, notification should be done via an announcement on the covered entity's website or in local media where the affected individuals reside
Media notice: within 60 days of breach
- For breaches of more than 500 patients
- Include a description of the breach, a description of the data involved, protective actions for individuals, and an action plan to resolve, mitigate and prevent further breaches

BREACH NOTIFICATION RULE
Notice to the Secretary of Health and Human Services:
- For breaches of fewer than 500 individuals: file a report on the HHS website annually
- For breaches of more than 500 individuals: file a report on the HHS website within 60 days of the breach
Notification by business associates:
- Business associates are required to notify the covered entity upon discovery of any breach, within 60 days
- The business associate should provide the covered entity with the identification of each individual affected by the breach, as well as any information required to be provided by the covered entity in its notification to affected individuals
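The three breach-notification slides above (individual, media, HHS and business-associate notice) describe a small decision procedure: who must be told, by what route, and by when, depending on how many individuals are affected and who discovered the breach. The following Python is an added example written for this page, not part of the deck; it encodes the slides' thresholds and 60-day deadline so a practice can generate its notification checklist from the facts of an incident. The `Breach` and `Obligation` classes and all sample values are constructed. One caveat a practitioner should know: the slides say "more than 500", while the rule text in 45 CFR 164.408 reads "500 or more", so the example treats exactly 500 as meeting the media and HHS threshold, and it runs the 60-day clock from the discovery date, which is how the rule measures it.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Thresholds and deadlines as stated on the slides (HITECH Act section 13402).
# The slides say "more than 500"; 45 CFR 164.408 says "500 or more", so this
# example treats exactly 500 as meeting the threshold.
LARGE_BREACH_THRESHOLD = 500
NOTICE_DEADLINE_DAYS = 60


@dataclass
class Breach:
    """Constructed description of one breach of unsecured PHI (hypothetical data)."""
    discovered_on: str                         # ISO date; the 60-day clock runs from discovery
    affected_count: int
    found_by_business_associate: bool = False  # BA must first notify the covered entity
    unreachable_count: int = 0                 # individuals with unknown or out-of-date contact info


@dataclass
class Obligation:
    recipient: str
    method: str
    deadline: Optional[str]  # ISO date, or None when the report goes in the annual HHS log


def notification_obligations(b: Breach) -> List[Obligation]:
    """Derive who must be notified, how, and by when, from the breach facts."""
    deadline = (date.fromisoformat(b.discovered_on)
                + timedelta(days=NOTICE_DEADLINE_DAYS)).isoformat()
    obligations: List[Obligation] = []

    # Business associate -> covered entity, with the identity of each affected individual.
    if b.found_by_business_associate:
        obligations.append(Obligation(
            "covered entity",
            "business associate reports the breach and identifies each affected individual",
            deadline))

    # Individual notice is always required; substitute notice covers unreachable people.
    obligations.append(Obligation("affected individuals", "first-class mail", deadline))
    if b.unreachable_count > 0:
        obligations.append(Obligation(
            "affected individuals (unreachable)",
            "substitute notice on the covered entity's website or in local media",
            deadline))

    # Media and prompt HHS notice only for large breaches; otherwise the annual log.
    if b.affected_count >= LARGE_BREACH_THRESHOLD:
        obligations.append(Obligation("media", "notice to media serving the affected area", deadline))
        obligations.append(Obligation("Secretary of HHS", "report on the HHS breach website", deadline))
    else:
        obligations.append(Obligation("Secretary of HHS", "annual log submitted via the HHS website", None))
    return obligations


def recipients(b: Breach) -> List[str]:
    """Convenience view: the ordered list of parties that must be notified."""
    return [o.recipient for o in notification_obligations(b)]


if __name__ == "__main__":
    sample = Breach(discovered_on="2016-03-01", affected_count=1200,
                    found_by_business_associate=True, unreachable_count=10)
    for o in notification_obligations(sample):
        print(f"{o.recipient:<35} {o.deadline or 'annual log':<12} {o.method}")
```

The function deliberately returns structured obligations rather than printing them, so the same logic can feed a ticket, a checklist document, or a test that confirms the procedure was followed during a tabletop exercise.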

Documentation
HIPAA Privacy Rule:
- Policies and procedures
- Accounting of disclosures
- Notice of Privacy Practices
- Record of periodic workforce training
HIPAA Security Rule:
- Policies and procedures
- Documentation of periodic risk assessments
- Record of security audits

Auditing
Need to have written policies and procedures stating how often and what you will be monitoring and reviewing:
- Audit logs
- Access reports
- Security incident tracking reports
- Documentation of user access roles and granting/revocation of access upon termination or change in user role
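The Auditing slide lists audit logs, access reports and a record of role assignments and terminations, but does not show what the periodic review actually does with them. The Python below is an added example written for this page (not part of the deck) of the simplest useful review: it joins a constructed access log against a constructed workforce roster and flags the three conditions a reviewer most wants surfaced: a user with no roster entry, access after a recorded termination date, and access to a record type outside the user's role. The roster format, the role-to-record-type policy and every user, record number and timestamp are assumptions made up for the example.

```python
import csv
from datetime import datetime
from io import StringIO
from typing import Dict, List, Tuple

# Constructed roster (hypothetical users and dates): who works here, in what role,
# and when access should have been revoked.
ROSTER_CSV = """user,role,status,terminated_on
jdoe,billing,active,
rlee,nurse,active,
mfox,front_desk,terminated,2016-02-15
"""

# Assumed access policy: which record types each role may read.
ROLE_PERMISSIONS: Dict[str, set] = {
    "billing": {"claims", "demographics"},
    "nurse": {"chart", "demographics"},
    "front_desk": {"demographics"},
}

# Constructed audit log lines: timestamp, user, action, record type, record id.
AUDIT_LOG = """2016-02-20T09:01:12 jdoe READ claims MRN-0001
2016-02-20T09:05:40 jdoe READ chart MRN-0002
2016-02-20T10:11:03 rlee READ chart MRN-0002
2016-02-21T08:30:00 mfox READ demographics MRN-0003
2016-02-21T08:31:00 bogus READ chart MRN-0004
"""


def load_roster(text: str) -> Dict[str, dict]:
    """Index roster rows by user name."""
    return {row["user"]: row for row in csv.DictReader(StringIO(text))}


def review_access_log(log_text: str, roster_text: str) -> List[Tuple[str, str]]:
    """Return (log line, finding) for every entry that needs follow-up.

    Checks, in order: the user exists in the roster, the user was not terminated
    before the access, and the record type is permitted for the user's role.
    """
    roster = load_roster(roster_text)
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _action, record_type, _record_id = line.split()
        when = datetime.fromisoformat(ts)
        entry = roster.get(user)
        if entry is None:
            findings.append((line, "unknown user: no roster entry"))
            continue
        if entry["status"] == "terminated" and when >= datetime.fromisoformat(entry["terminated_on"]):
            findings.append((line, f"access after termination on {entry['terminated_on']}"))
            continue
        if record_type not in ROLE_PERMISSIONS.get(entry["role"], set()):
            findings.append((line, f"record type '{record_type}' outside role '{entry['role']}'"))
    return findings


if __name__ == "__main__":
    for line, why in review_access_log(AUDIT_LOG, ROSTER_CSV):
        print(f"{why}: {line}")
```

Each finding carries the original log line so the reviewer can attach it to the security incident tracking report the slide mentions; the roster doubles as the documentation of access roles and revocations that the audit protocol asks for.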

HIPAA Audits
Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
- 78 Privacy Rule audit protocols
- 77 Security Rule audit protocols
- 10 Breach Notification Rule audit protocols

A Few Last Thoughts
- Form a TEAM at your practice; include one member from each area: providers, nursing, billing, front desk
- Perform a risk assessment to identify how ePHI is created, used, transmitted, and disposed of
- Designate a HIPAA Privacy and Security Officer
- Create and maintain updated policies and procedures
- Develop and document your practice's breach notification procedures
- Periodically monitor your systems (audit)
- Consider email encryption if you need to email ePHI

Resources
HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
HIPAA Security Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
HIPAA Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
HIPAA Audit Protocols: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
HIPAA consultants (education, training, consulting):
- HCPro blogs: http://blogs.hcpro.com/hipaa/
- ecFirst: http://www.ecfirst.com/
- Clearwater Compliance: http://clearwatercompliance.com/